Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18e539ae18621bde…

MALICIOUS

Office (OLE)

Size: 245.0 KB
Created: 2018-10-22 14:00:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 217ec4f7062e2fbefdb0f9b58945a982
SHA-1: ea42f71c20305e81722c108ac2b0c80109b7151a
SHA-256: 18e539ae18621bdeb9b8029a506aa68081fe7ee594e5e8a4b97303f217f2c6d2
Risk Score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro is designed to execute a payload using Shell() calls, likely to download and run a second-stage exploit or malware. The document body explicitly instructs the user to 'Enable Content', a common social engineering tactic to bypass macro security.

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6923090-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Generic-6923090-0
  • VBA macros detected [medium; 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    The VBA code contains a Shell() call.
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The VBA project defines an AutoOpen macro.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 172969 bytes
SHA-256: 657fcf9d2dbaea8cb7d14ddd148b9b3cf89ec6b2e8a1e3a8484345de4cc5375d
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' toun .nhnuu fn.I f u nIineb nTd.   udFFEf FF nF fo ui    S f   utT fucuc.S
' uoFuntFIi . .EbnETh nSSSShoboeIchc.TtnSfoiEFch e.nSd  ThnbeEn
' nnuenFuTTdcin iSIETot ie fdfuu une .c EFn.oenTe hu neE u.e noncIn do uIT   t hnfnhIbt  nh
' tufftnnnt .ff.So e En h hn.unFoi TE cbn.uonu itIff S  cF h .  nnn i E.cnEn EonEf otuuIneun
' nicu Eu  InhTut nIdnId t nFtbF nenSn.TicF hI ttFnIoT uoFIco hfundt  be ftncnfutEu TT
'  nnb  .d udih FEEbhFin  IuhEot.fhuIbueb  h ein neI uunt cT toFffb I tctnTFEuETh  cftno
' uh nnSI Eu oT.SinnIuFhhFeESnn..htunciuS h nEe Fd i T  F bn Fbeci f in  uuSufhSh Si iFf d nnnciI
' .u nu  cEnF buTuun  onbddnInfnchnTubhFc  dn.nue .n   n  i nnno c .etIbcin
' dunEbhb Tu dndnFncI ddu. toddhTt bSiTF . io cn  ne b
' honn d chTn TIFcFnnn.u u  cFInhbtnonInc h o T nuf  EES
' cn cI nE   nuuEiunIchE ntFnftdhhThuf .
' cncT i  fnSSEnT.nT.nt.hfhEt EfoenEhb nnFEf FcntEEc  ntEueu nun.ui
'  Ith n FFuunI f  T ftFT uub   i F.nehu hnu.SobS Sio  nfnoeTuT  ndi.
' nu nntnbF cneIEIff bnfTde FSS  d  STco
'  .tI tS SEu  T.u u ooiEtFTnnncdTtbu   Sctun
'  buF n Fd un.unneT Itb ETubT n FnIhnuuneb  c ei.bdtnS d fhtFie  ho. c eneetnnutuI. FfEdnne
' F iIF utn nuf i nin  cFouhnunITSnheutton SITben
' ui hu.tIFtuiTdnd FSon dbhn. St dF  t nfnn hueucubiTSchhi nuEc
' T S Fnbcto ddFiue tI ennndcoioncnThn cf  b..unnnTnnth tb  E Snnft. Snu beeuSu
' nnuotI nEhTEF ntu.ntnInfnu donbi E Tn fSuIEEFFhEIenSte uSt t finiEnunTidth c
' TEF IEieetTnc Snouuho tSteiiuIThFu
' t ncf .uunnui cI SnF nnT.S Fn ub
' u nfI nuhh dc  fnSeuEbb.otI .nhnnnT F I tuiEn  Sn i. hEh
'  S I cbESfoEettceFbhubdt.e I nhTnhEFEIE.t f dd
'  FSnIfSuhInctI  nd  nIndnuETI u inn io   c i T  ci..binTc ..u nonnST
' n.ofib nScnubtu. euhf uEbonhehfou hFuduFinh  nI Idc iFn tSnu  nuo fnFdT tS nedF . hu  SIihF
' fuScFSd.f E  tSnSnbubf ST Tu  nSfTSo cnccn ntiIohTcniFn tu bFtIe  uu. c ShbentfT
' n tEddT.E bnf nu.f ueih  utIdn hfu nEuutnSb. n.onooIiueEIScTInfhnF c ne
' hFub F iT   nh SndI.EtIcfdh hI.fuEI t uhI  cEdeFeFE iunnEud
' .nh e n ntI TcEnEbffdontFi nn o  .hftbnt   h bF enFtIETbEhe Ioudtt
' . ebou cn obIienncd n hFT cTinb Et TnuhS
'  hi tnucTEnI  u..huEtIiFEuTnfo  udon . ubShn   bFE uu.n i
' uEI TIhcdSccInuIEf E nh to Eneo nnt
' eTnnnnoEfbc d uITS unu tSfeFFci bSfnEuITn h Sb
' .i n ht nitcdIT EftTE.oIcS IF. .n cnS Tu nh  FF heef
' EtuofFn b utuuT fdoi .S E .fbo   oueu
' IIbdd Eoneh uSuoE.tnFf fTf  bET Sot hFuhEunon.hnFn nF St uduI.nnnn onIieunnSeTTncoen T
' bTuonISnufttEbniEc td dtooF .nicnTSdbdiFed o u tnnoiiEuuSonSTen Ff..E  tn f  huFioutFn ie I d.i un
' hSnuETtuh tnS Snt in b hn Fd nE tcnIihctiF
' dn hunScoEetno FfuI nuh  unTnehIIeFTtn nfoEtuncttu TIdb otnnhI  Sin  .niTu n
' fuh nt      tbFfnnnuSn .u.ond SitT I EE cFSEdeetuh i.hfnf Inundneuntbftfe.neE
'   nIoE Fhudc ui E hduuu ecfnS.EntnS onn tEn  ITncdn tn inounS
' FF  nF niiEctdTbncIctbFdod  bedd ue.ion IFE  fhIniueuu   cn nnfSfhbne  nnT EIcet
' i cuuIIdT uuSSTiuTTuuuSbnn  odTncS  nn.nE.bi hEFnneneuunh I  i u o iu dTn T t nnI
' hTfn eunE fTeo E FTEIn .fft  eI .e uuShn
' nd.  IoIno FnodFuncIh  oSFd   h  e EheenTf hfnoidio uc
' FotIe  SSb nS TtiIn I tE   oE n  hbSco thut TuEehfnncnnioFFbnunnEhitoSnu EEc  FF tnnnT nnccdddE
' dTi tf Fn TEFoTn SI htncEodndfnnn iIinbu bonef FdnSnhuuST fhuS bEnS d. fEbnnnFinoiobeonI.n
' S hinSn.doThn uThShuuunES.hoF.nS.obI. u ih Ft eFIeunT.tESdTfSu eottnIFu FdtuFhSIn nbfcFncni. i
' o I  TfdhnnInEnc.uhEEFutTEu  FiEnbbfibiod.cdT ne F.thFin   nu.h inn If h . unnShe undonfn..
' nnn du  nn Eoh.hbunhuT. nehThSnS cde
' uTF dnh c F bnc dooI..T nS hibnbdu. T T ITd
' SnS f  I .cuiIe S S  S .uu  TnSf .TSf udeh .ud uoTStnEEctnnohtb  undniTtut F   Enu.ft .ffnunb
' It.Ft  n  .fTd e tEt   EEucc nTu.nec  n  eu.IheSEbnn c td n.d SbcFTe ni hI b un FF St.IISuunEff Ie
... (truncated)