Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0fded8943f46708b…

MALICIOUS

Office (OLE)

Size: 232.5 KB
Created: 2018-10-22 13:59:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 60873c3c4b28f09c4d1de0c73c5ad66b
SHA-1: 15e261e46da5ed2178cd58269bd06e05b01540c3
SHA-256: 0fded8943f46708b76f947bb147d04d26e860deebfb3ade40fa546233b51e984
Risk Score: 322

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a malicious Office document containing obfuscated VBA macros. The document body instructs the user to 'Enable Content' to view the document, a common lure. The VBA macros are designed to execute arbitrary code, likely downloading and running a second-stage payload. The presence of Shell() calls and obfuscated code strongly suggests malicious intent.

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6923091-0 [critical] CLAMAV_DETECTION
    ClamAV signature match: Doc.Malware.Generic-6923091-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source contains a Shell() call (direct process execution)
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    An auto-exec macro reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the decoded CreateObject target, the command line and any URL out of the macro source as string literals, so keyword-only scanning of the source sees nothing.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines AutoOpen, which Word runs as soon as the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and source-extraction failures, where the visible source is unavailable or (VBA stomping) differs from what actually runs.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered alongside that marker and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    The document text instructs the user to enable macros or editing, the social-engineering step macro droppers rely on to get the victim out of Protected View and past the macros-disabled default
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office writes into drawing/picture markup; it is expected in a Word document and is not a network indicator.
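The loader shape described by the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding (auto-exec entry point, custom string decoder, COM/execution sink, hidden arguments) is easy to miss with keyword scanning and easy to recover by folding the decoder statically. The following is an added example written for this report, not the analysis engine's code and not oletools' code: it defines a constructed VBA module with that shape (the harmless command string, the Chr() array and the "QQ" junk token are all invented here), scores it with simplified regular expressions that are this example's own approximation of the heuristic, and then folds the Chr() array and the junk-token Replace() call to reveal the strings the decoder hides. The macro recovered from this sample is not reproduced here.

```python
import re

# Constructed sample (not the macro recovered from this sample) reproducing the
# loader shape the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding describes: an
# auto-exec entry point, junk comment padding, strings rebuilt from a Chr()
# numeric array and from a junk-token Replace() call, and a COM/execution sink
# whose target object name and command never appear as plaintext literals.
SAMPLE_VBA = r'''Attribute VB_Name = "Module1"
' nfnin .ouItncndtun  hiTnfnu nFntbehcu. uu EFbbIbFFnbd f ninTuEtio
' . nodnScniueTTn tE dfuS fe  uun. u fn S nei nbf E bEbcn
Sub AutoOpen()
    Dim a As String, b As String
    a = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    b = Replace("cmQQd.exQQe /c caQQlc", "QQ", "")
    Set o = CreateObject(a)
    o.Run b, 0
End Sub
'''

# Auto-execution entry points (Word and Excel names). Simplified, assumed list.
AUTOEXEC = re.compile(
    r'\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Document_Close|Workbook_Open)\b', re.I)
# COM-instantiation / execution sinks. A visible sink call is normal; the loader
# shape is sink + decoder, with the decoded *argument* kept out of the source.
SINK = re.compile(r'\bCreateObject\b|\bGetObject\b|\bShell\b|\bCallByName\b|\.Run\b|\.Exec\b', re.I)
# Four or more Chr()/ChrW() numeric calls joined with & or +.
CHR_ARRAY = re.compile(r'(?:Chr[W$]?\(\s*\d+\s*\)\s*[&+]\s*){3,}Chr[W$]?\(\s*\d+\s*\)', re.I)
# Per-byte hex decode, e.g. Chr(Val("&H" & Mid(s, i, 2))).
HEX_DECODE = re.compile(r'(?:Val|CLng|CInt)\(\s*"&H"\s*[&+]', re.I)
# Replace("liTTeral", "TT", "") style junk-token removal.
JUNK_REPLACE = re.compile(r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]+)"\s*,\s*""\s*\)', re.I)
DECODERS = [("numeric char-array", CHR_ARRAY),
            ("hex-string decode", HEX_DECODE),
            ("junk-token Replace", JUNK_REPLACE)]


def comment_padding_ratio(code: str) -> float:
    """Fraction of non-blank lines that are comments; junk-padded loaders run high."""
    lines = [l for l in code.splitlines() if l.strip()]
    return sum(l.lstrip().startswith("'") for l in lines) / len(lines) if lines else 0.0


def classify(code: str):
    """Return (is_obfuscated_loader, findings) for one VBA module's source text."""
    findings = []
    if AUTOEXEC.search(code):
        findings.append("auto-exec entry point")
    decoders = [name for name, rx in DECODERS if rx.search(code)]
    findings.extend(decoders)
    if SINK.search(code):
        findings.append("COM/execution sink")
    loader = ("auto-exec entry point" in findings and bool(decoders)
              and "COM/execution sink" in findings)
    return loader, findings


def deobfuscate(code: str) -> str:
    """Statically fold Chr() arrays and junk-token Replace() calls into literals."""
    def fold_chr(m):
        codes = re.findall(r'Chr[W$]?\(\s*(\d+)\s*\)', m.group(0), re.I)
        return '"' + "".join(chr(int(c)) for c in codes) + '"'

    def fold_replace(m):
        return '"' + m.group(1).replace(m.group(2), "") + '"'

    return JUNK_REPLACE.sub(fold_replace, CHR_ARRAY.sub(fold_chr, code))


def recovered_strings(code: str):
    """String literals that exist only after folding, i.e. what the decoder hid."""
    before = set(re.findall(r'"([^"]*)"', code))
    after = re.findall(r'"([^"]*)"', deobfuscate(code))
    return [s for s in after if s and s not in before]


if __name__ == "__main__":
    print(classify(SAMPLE_VBA))
    print("%.2f of non-blank lines are comments" % comment_padding_ratio(SAMPLE_VBA))
    print(recovered_strings(SAMPLE_VBA))
```

Run stand-alone, the script reports the loader shape as matched, a comment padding ratio of 0.20 for the short constructed module (the real artifact above runs far higher, as the Module1 preview shows), and recovers the two literals the decoder was hiding, "WScript.Shell" and the constructed command line. The folding is purely static; it never executes VBA, so it is safe to run on extracted source from olevba, and it is deliberately limited to the three decoder shapes the finding names.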

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 170958 bytes
SHA-256: 0dd0f48f19639763748e5c82561542bad2de5ddce1f625240623a3034383cd78

Preview: first 1,000 lines of the extracted script (the random-letter comment lines at the top of Module1 are comment padding, not code)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' nfnin .ouItncndtun  hiTnfnu nFntbehcu. uu EFbbIbFFnbd f ninTuEtio EEudt Sf Iuenn ondh fntEF
' . nodnScniueTTn tE dfuS fe  uun. u fn S nei nbf E bEbcn
' fnuo ntFi n   hnIFFiI   o tntntSnSnn . cTIne n cicnnT nEunod Tui
'  utoETueSu FnduSIn I.n netdnch tncInEdniE cuubn  inn tcbEennF u  IeI dinn ttbt.Fu  outEh.on
' ni.bunSn n bTI cu Ie nuf o hb.nnSnFEnInISnf  Ih.E n.iI iunEont
' fh utin  ocf  F.IST n.n .bSb tnuFfI Iu nSnnefuufnuFEb une.nF.b ndnFo
' TnnTo Snoue  Te.dn   h n uuei cniT.nF TFui udnbTohSunh f.u nbfnuhuTIfTenffc eF dT neI
' dIc eSdudnIEf cc fSonIcbcfSIodnnnn En inTfi T.enSSd .hT diuSoeuFutnhb hTbnn c ITdecun bohnn t
' nT.t dttnnf u n euned . tfbtE ffbS nnccFneb
' n enIf inF eTen cnInfFnh.u IEfnu.d.n
' c  uhdoIE  fiTTcbtiT F.udbSnTEc  e
' idh u  nbbnIbbEf in enoinnto FTnTuun FSuo o nTTEndIT dtTh  Sn enTF
' eh  n.SonT  nn uin oT ndf iIdcodn nu n otInEc.Fu fnhEo.u iiu.nSEnS
' c FcT euTuIdn tnndbiEFnfnoEf . tn hTfun n       IcSntb En nIt u I nE fnnncnn
' nenSdn  nI ndut unt nn i.uidi .bT u
' n n Sinn f uS FnESnIIuEnnbSn nue  fEniiI uI  i IeTnnnn bScf.S  Id oS b oteFcETT i ufI
' nni n T c ThoT  h hTu od dut n
'  In IeT tcnb t  TEbT  hc F Iunfu n E .F  n.oIcu.S
' d d ubS b Fcnhb SuodoEcbnFi Tn un
' cnf nnT unn .iInEnbbdIht nI F uniFEnfTS.ndd fte t. dn..u onfbnnI  idSetIt   u F .I hn
' TFuonh InfbE.nTcnuI obnI  of.nn  ndth nc  h t Sun btnntTuneTinhnn h ducffnTcfhbcb
' Iuf  ehoncd.fTFunefSTFefncbTduh nuntn n  ninnuTTni tSntI
'  uuftISd.f ct bnnu nd d fTSnbuubhtT  ed .hd ndS.nST SThunhbuehi  iSodI un
'   fTfE h iofdSncn n  Tnbnho en.IbIdnnTE bItn dnIEe IT  nIh InE FEFbuucicnu hntouScc fb  ehncEocne
' uhoo b  Iduo  fESut  S nbu n. bnoueb uuni o
' u ho FI o  h innhTn. c u uu nd IEhidnnShITeuTS S be f debdT nI dETn bbnhE
' Ft.  ntthSebITTn EuTcnbE tebun.i fE bufiutoc
' Tnunu d.T b nnnddn   SSfIniehenShIT
' n  eeunuE EITifFS etIeeTnunuEfnTF  enui o IF.n otbn ci u  .u  ESbdno
'  n.hn nnntuftn n I ffh Iubnfutt .en .nonInEbSIE SbIn.  ntnuniouESit Euhfcd    Eot Tcunb   uttn
' ho uh iSiee nuI ne  e cddiFT  E  i n itnn eTchef  oIn.nuTf. bdE
' tnFnbod E cnSf c Ebnb tnno  bhenuI Fcnbun hn. h b cbdetfff  tfdIntnen fu.ecnEn Ioc.nnhh
' nunE  FFnnI noS bbfu.I nnF ntcd.  uStFE.nu
'  nheSnond fFu Si  Eu EftcT .nF n  dSbFnouc Tho bFEfSocuEu dcFt Ii f TSe u.ui ohIcn
' n  ffuhnuF. nndu nneIdcnhndh tfbft  nToIu iodfncnEtun nnEuFd d..TnnEnbc dcinTn  n unibnbI  tEuuehddo
' I dht fbo c tutubE nb Tn ene  n d eninhfIt.FoInSEIfcndf  c.iFf funudfb c uon
' Enf cuTneFouF T dntih.nI TtnuFbtiS TfbdnntbuncEnfcnncb  SFn. Fd.hI Enn Eio
' cfnuiT  n cnhhbne EdI i iETIIn.ofn b inheuocSb  e buuEn
' Sihienin n bT n   dnn bf n ineTn  TFfF.E tIb. I .cninEfbb SundInFSToiSt io.d oe fb ifnIcTnh h
'    oetn  conhio  d hIfbbnh SubS
' nuneTb foucnT.SenF  neubTFoft InTutnh E.Tcon uuI hEu EnuuEEntn .ndn uFEniF nSbE htInTh n.nFihI F
' noS d uEt  .nb SbtTnnIe c FntneIF   dnheEnounTbft  udI  udnfunfEb ffiEn ueotntunnbh  fSeoT dtF n
'  hd  F.nnndnncobfnbctIE  niu n nTFtthE
'  ubdtnhfnEi onEi .uEtdo   FeFnunb  ftiu u thEeunudtTbutnII un Fe .d
' cn oSn hinnh.ntnuhShb I in ifEn.n T Fiubihb I nEc hh nFnThSet dnEdbtSIbf u F neIt dinit
' b buo  Shi nunnIfhufI.dt nuotiSIbnunt d nnhtnnnInen einE.hn hn f dn
' unn.hnIeuEEc docc  iie..FfF c uT nbSch  uidnSIn   duFFdndn tntuEnnn.c
' tuet th bnFitTbfuden oiIe.fSnbn Ien  fn nhcIocI I If   u h  Tnn.bnn
' ISEouud bun d n SdtnEn i  Se  tn fonuntSun hoSuInTIinFu IfnuFuon .o T  fIThn  tEhfind hTb
' .uTtnIF ohnuFuuu.h tf.nnSineeicne FE nSuubf EETbiTco ue  TITi unufnnnSfEieeuuIFb
'  e Et nn fnTuFI hnE euhn  Tfufnne
' dEdieenSiuoe  foFEnS dudFoInT S uhEodEnFfc.n indnfEnbTht
' nnhnuETtufn duFTS dedbnodof.n d buSuefn STTuhttSIniinFiicu noEodi . eI.EdnuoIF E.IEnn. E  IouFnc
' n nIeofeFd
... (truncated)