Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros that run automatically when the document is opened, as indicated by the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic: the auto-execution token and the shell/download/object-execution tokens were found in the compiled p-code stream, not in the decoded source. The SC_STR_WSCRIPT hit (a Windows Script Host reference) and the ClamAV signature Doc.Dropper.Agent-6403506-0 indicate a dropper, so the likely intent is to execute code that retrieves a second-stage payload. The decoded VBA source (macros.bas below) is obfuscated: randomly named helper functions that extract a single character with Mid, concatenate strings, or wrap InStr, plus a private sub that calls procedures not present in the 951 bytes extracted. It contains no visible auto-exec entry point, so it should not be treated as a complete account of what runs; the p-code stream is the authoritative view for this sample. The five embedded URLs are XML namespace identifiers (RDF, Adobe XMP, DrawingML) from document metadata, not network indicators.
Heuristics (5)

- ClamAV: Doc.Dropper.Agent-6403506-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6403506-0
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 951 bytes | dfdaaefe4bc90340f50712f861def112b8f7da29f89e9283547a0fc78798fd21 |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "jNiMX"
Public Function ViNpHGUzC(ByVal iypWTXolxU As Integer, ByVal jczgA As Integer, ByVal oCpmeit As String, ByVal FEJfWi As String) As String
    Dim HNuKWgufOM As Integer, PsDspeSF As Integer
    ViNpHGUzC = Mid(FEJfWi, iypWTXolxU, 1)
End Function
Private Sub eXjGJd(ByVal zCMPR As Integer, ByVal dPzEeruZQc As String)
    BkMTwPAnUV "DkDIO3d6F3v8Mi", 5936
    vVjYXg 5637
    If LYvcZvEUHc Then
        ZkAFSHcy
        RYUrsdm True
        aVgAUZYDE 8658, "P6L2iKiDrLlkp", "PDySOMDaa"
    End If
    nnWkkdeYWI "91T1EaHzvPf58N", "UWH71R60USte", False
    tvremm "rlrJFAUEIT", "HKcOUGSxKiDVYL", True
End Sub
Public Function TpFOIGlDV(ByVal YHmyK As Integer, ByVal siwdxix As Boolean, ByVal WrNacB As String, ByVal tCmhcnjaw As String) As String
    TpFOIGlDV = tCmhcnjaw & WrNacB
End Function
Public Function mvDohfyl(ByVal QwewSsD As String, ByVal nlWobCMCMV As String) As Boolean
    Dim nemKWAiIl As Integer
    mvDohfyl = InStr(1, nlWobCMCMV, QwewSsD)
End Function
```
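The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic fires on the compiled stream even though the decoded macros.bas above shows neither an auto-exec entry point nor a shell/download token. The following Python is an added example, not the analyzer's own code: it extracts ASCII and UTF-16LE strings from a raw stream, applies an assumed auto-exec token list and an assumed execution token list (the analyzer's real lists are not on this page), and reports the tokens that appear in the compiled stream but not in the decoded source. The decoded-source input is the preview text above; the compiled-stream input is a constructed stand-in for a module stream, not a dump of this sample.

```python
"""Token co-occurrence check over a VBA module stream (added example).

Flags an auto-execution entry point co-occurring with a shell/download/
object-execution token in a raw (compiled) stream, and reports tokens the
decoded source does not show. Token lists are assumptions for this example.
"""
import re

# Auto-execution entry points (assumed list).
AUTOEXEC_TOKENS = (
    "AutoOpen", "Auto_Open", "AutoExec", "AutoClose", "Auto_Close",
    "Document_Open", "Document_Close", "Workbook_Open", "Workbook_Activate",
)
# Shell / download / object-execution tokens (assumed list).
EXEC_TOKENS = (
    "Shell", "WScript.Shell", "ShellExecute", "CreateObject", "GetObject",
    "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "powershell", "cmd.exe",
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs plus UTF-16LE runs (VBA string literals are UTF-16LE)."""
    found = [m.group().decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    found += [m.group().decode("utf-16-le")
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found


def _hits(tokens, text: str) -> list:
    # Whole-token, case-insensitive match; VBA identifiers are case-insensitive.
    return sorted(t for t in tokens
                  if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE))


def scan_stream(data: bytes) -> dict:
    """Return matched tokens and whether the heuristic would fire on this stream."""
    text = "\n".join(extract_strings(data))
    auto, execs = _hits(AUTOEXEC_TOKENS, text), _hits(EXEC_TOKENS, text)
    return {"autoexec": auto, "exec": execs, "triggers": bool(auto and execs)}


def pcode_source_gap(source: bytes, pcode: bytes) -> list:
    """Tokens present in the compiled stream but absent from the decoded source.

    Non-empty means the decoded source is not a complete picture of what runs
    (p-code-only module or source-extraction failure)."""
    s, p = scan_stream(source), scan_stream(pcode)
    return sorted(set(p["autoexec"] + p["exec"]) - set(s["autoexec"] + s["exec"]))


# Decoded source, as shown in the report's macros.bas preview.
DECODED_SOURCE = b"""Attribute VB_Name = "jNiMX"
Public Function ViNpHGUzC(ByVal iypWTXolxU As Integer, ByVal jczgA As Integer, ByVal oCpmeit As String, ByVal FEJfWi As String) As String
Dim HNuKWgufOM As Integer, PsDspeSF As Integer
ViNpHGUzC = Mid(FEJfWi, iypWTXolxU, 1)
End Function
Private Sub eXjGJd(ByVal zCMPR As Integer, ByVal dPzEeruZQc As String)
BkMTwPAnUV "DkDIO3d6F3v8Mi", 5936
vVjYXg 5637
If LYvcZvEUHc Then
ZkAFSHcy
RYUrsdm True
aVgAUZYDE 8658, "P6L2iKiDrLlkp", "PDySOMDaa"
End If
nnWkkdeYWI "91T1EaHzvPf58N", "UWH71R60USte", False
tvremm "rlrJFAUEIT", "HKcOUGSxKiDVYL", True
End Sub
Public Function TpFOIGlDV(ByVal YHmyK As Integer, ByVal siwdxix As Boolean, ByVal WrNacB As String, ByVal tCmhcnjaw As String) As String
TpFOIGlDV = tCmhcnjaw & WrNacB
End Function
Public Function mvDohfyl(ByVal QwewSsD As String, ByVal nlWobCMCMV As String) As Boolean
Dim nemKWAiIl As Integer
mvDohfyl = InStr(1, nlWobCMCMV, QwewSsD)
End Function
"""

# Constructed stand-in for a compiled module stream (not this sample's bytes):
# identifiers in an ASCII name table, literals as UTF-16LE, opaque bytes around.
PCODE_LIKE = (
    b"\x01\x00\x02\x00" * 4
    + b"\x0d\x00Document_Open\x00\x00"
    + b"\x0c\x00CreateObject\x00\x00"
    + "WScript.Shell".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + "cmd.exe /c".encode("utf-16-le")
    + b"\x7f\x00" * 4
)

if __name__ == "__main__":
    print("decoded source :", scan_stream(DECODED_SOURCE))
    print("compiled stream:", scan_stream(PCODE_LIKE))
    print("in p-code, not in source:", pcode_source_gap(DECODED_SOURCE, PCODE_LIKE))
```

On a real sample the source input would be olevba's extracted module text and the stream input the raw module stream read from the OLE container; a non-empty gap is the cue to decompile the p-code rather than trust the extracted source, which is exactly the situation this report's heuristic describes.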