Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2b3c17aa353741d0…

MALICIOUS

Office (OLE)

Size: 210.0 KB
Created: 2018-10-22 14:00:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 550dc11062a7613ecac82c00b4b78649
SHA-1: 0237419b3664ba4c2cc8c7d0e1e5ce08d19f5e90
SHA-256: 2b3c17aa353741d0442331fe47ebefc0ff0c94b1fe628ae4e963634684706b90
Risk score: 322

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is a malicious Word document (legacy OLE .doc format) containing heavily obfuscated VBA macros: the extracted source is padded with long runs of junk comment lines (see the preview below) and reconstructs its strings at run time rather than carrying them as literals. The AutoOpen procedure runs as soon as the document is opened with macros enabled and executes a payload through the Shell() function, most likely to download and run a second-stage exploit or malware; note that no download URL was recovered from the macro itself, the only extracted URL being an Office XML namespace in the document body. The document body explicitly instructs the user to 'Enable Content', a common social-engineering lure for getting macros enabled. One caveat on the heuristic list below: the legacy WordBasic finding states that no modern VBA project was recovered, which is contradicted by the VBA-macro finding and the 158 KB of VBA source olevba extracted from this file, so treat it as an overlapping hit on the same AutoOpen marker rather than as independent evidence.

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6923095-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6923095-0
  • VBA macros detected [medium; 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro calls Shell(), VBA's direct process-execution function
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source as plain literals.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office content carries by design; it is not a network indicator and should not be treated as a C2 or download location.
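The two macro heuristics above can be reproduced with a small amount of plain Python. The block below is an added illustration written for this page, not the analysis platform's own code, and it was not run against this sample: it applies the three string-reconstruction shapes named by OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER (numeric char-array, hex-string literal, junk-token Replace) to a constructed VBA snippet, pairs the recovered strings with an auto-exec entry point and an execution or COM sink, and separately scans a raw byte stream for auto-exec plus execution tokens the way OLE_VBA_PCODE_AUTOEXEC_EXEC describes for p-code-only documents. The token lists, regexes and the benign-namespace allowlist are my own choices, and the sample macro is constructed, not taken from the file analysed here.

```python
"""Stdlib-only triage of extracted VBA source and raw VBA streams (added example)."""
import re
from typing import Dict, List, Set

AUTOEXEC_RE = re.compile(
    r"\b(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open)\b", re.I)
# Execution / COM-instantiation sinks; WScript.Shell precedes Shell so the longer token wins.
SINK_RE = re.compile(
    r"\b(WScript\.Shell|Shell|CreateObject|GetObject|powershell|cmd\.exe|"
    r"URLDownloadToFile|XMLHTTP)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# XML namespace URIs that Office content legitimately carries (assumption: safe to suppress).
BENIGN_URL_PREFIXES = ("http://schemas.openxmlformats.org/",
                       "http://schemas.microsoft.com/", "http://www.w3.org/")

# The three string-reconstruction shapes named by OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER.
ARRAY_RE = re.compile(r"Array\(\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\)", re.I)
CHR_CHAIN_RE = re.compile(r"(?:Chr[W$]?\(\s*\d{1,3}\s*\)\s*[&+]?\s*){3,}", re.I)
HEX_LITERAL_RE = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')
JUNK_REPLACE_RE = re.compile(r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*""\s*\)', re.I)


def _printable(codes: List[int]) -> str:
    """Join character codes into a string only if every code is printable ASCII."""
    return "".join(map(chr, codes)) if codes and all(32 <= c < 127 for c in codes) else ""


def decode_strings(src: str) -> List[str]:
    """Reconstruct the string literals a macro builds at run time."""
    out: List[str] = []
    for m in ARRAY_RE.finditer(src):                       # Array(83, 104, ...) char arrays
        out.append(_printable([int(n) for n in re.findall(r"\d{1,3}", m.group(1))]))
    for m in CHR_CHAIN_RE.finditer(src):                   # Chr(83) & Chr(104) & ... chains
        out.append(_printable([int(n) for n in re.findall(r"\d{1,3}", m.group(0))]))
    for m in HEX_LITERAL_RE.finditer(src):                 # "706f..." hex-string literals
        text = bytes.fromhex(m.group(1)).decode("latin-1")
        out.append(text if text.isprintable() else "")
    for m in JUNK_REPLACE_RE.finditer(src):                # Replace("c m d", "TOKEN", "")
        literal, junk = m.group(1), m.group(2)
        out.append(literal.replace(junk, "") if junk else literal)
    return [s for s in out if s]


def triage(src: str) -> Dict[str, object]:
    """Pair an auto-exec entry point with sinks reached by literal or reconstructed strings."""
    decoded = decode_strings(src)
    raw_sinks = {m.group(1).lower() for m in SINK_RE.finditer(src)}
    decoded_sinks = {m.group(1).lower() for s in decoded for m in SINK_RE.finditer(s)}
    all_urls = URL_RE.findall(src) + [u for s in decoded for u in URL_RE.findall(s)]
    urls = [u for u in all_urls if not u.startswith(BENIGN_URL_PREFIXES)]
    auto_exec = bool(AUTOEXEC_RE.search(src))
    return {
        "auto_exec": auto_exec,
        "decoded": decoded,
        "raw_sinks": raw_sinks,
        "decoded_sinks": decoded_sinks,
        "urls": urls,
        # Loader shape: auto-exec entry + reconstructed strings + a sink they reach.
        "obfuscated_autoexec_loader": auto_exec and bool(decoded_sinks or (decoded and raw_sinks)),
    }


AUTOEXEC_TOKENS = ("AutoOpen", "Auto_Open", "AutoExec", "Document_Open", "Workbook_Open")
EXEC_TOKENS = ("WScript.Shell", "Shell", "CreateObject", "powershell", "URLDownloadToFile")


def scan_stream_tokens(blob: bytes) -> Dict[str, Set[str]]:
    """p-code / extraction-failure fallback: find auto-exec and execution tokens in a raw
    VBA or cache stream, checking both ASCII and UTF-16LE spellings (the VBA dir stream
    records names in both forms)."""
    low = blob.lower()
    hits: Dict[str, Set[str]] = {"auto_exec": set(), "exec": set()}
    for key, toks in (("auto_exec", AUTOEXEC_TOKENS), ("exec", EXEC_TOKENS)):
        for tok in toks:
            if any(tok.encode(enc).lower() in low for enc in ("ascii", "utf-16-le")):
                hits[key].add(tok)
    return hits


# Constructed sample (not the macro from the report) exercising every decoder above.
SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
' ecd n In bon.ehnnidiFn.Tonnt n Fu inetn
Sub AutoOpen()
    Dim a As Variant, i As Integer
    a = Array(87, 83, 99, 114, 105, 112, 116, 46, 83, 104, 101, 108, 108)
    p = "": For i = 0 To UBound(a): p = p & Chr(a(i)): Next
    h = "706f7765727368656c6c"
    e = "": For i = 1 To Len(h) Step 2: e = e & Chr(Val("&H" & Mid(h, i, 2))): Next
    c = Replace("cmd.exXYZe /c calXYZc.exe", "XYZ", "")
    u = Replace("htXtp://exXamXple.com/a.exXe", "X", "")
    n = Chr(99) & Chr(97) & Chr(108) & Chr(99)
    ns = "http://schemas.openxmlformats.org/drawingml/2006/main"
    Set o = CreateObject(p)
    o.Run e & " " & c, 0
End Sub
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run against the constructed snippet, the raw source yields only CreateObject as a sink, while the reconstructed strings add WScript.Shell, powershell and cmd.exe plus the download URL, which is exactly the gap the obfuscated-loader heuristic exists to close; the schema namespace URL is dropped by the allowlist rather than reported as an indicator.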

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                  Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)     158411 bytes
SHA-256: eadd79ec41b574455c2560eec6b107afe713a9004becc83cb3b9459410efa975
Preview script: first 1,000 lines of the extracted script. The ThisDocument module carries only attribute lines; Module1 opens with a long run of comment lines made of random letters, junk padding that inflates the source and buries the decoder.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' Fiunbe unitnfun  thI Iud ebFnF  uun.notcnT f
' S  n cuunSi cib e. f nbhF deF t e tf hFuI TSTehnc n dbuuET f
' huFt oue.dnEEn nIbn Iic    odnnn ttn
'    .TIf tFtS u cnu FTSu o o hchEnutin TttSb bFif Tducu  Sc  b.nhinuEt b uf T
' cSundd ofundui nno oInF.uutdSniSinnI.nSoTobn un .funndnnb ftndEn. nIcEi hS.tun
' ntc en inhfIInFhbTndod hSht  hnbihiEThdTh.ETnn b TniTh .o ff ..n nbF cEi Suhu .uu n Edcuunt.Fnd.
' dbc nhStEShoFfn ncn.nuFTunod nnfe.f   tn IbS u dnebEF hoInT.nbFfnobnf I IiSEI
' oFhnIf nFcnEcn Fb tn  Sen icuono cfhh  F ti iFhhEoTSSutIdfuScc cSFE
' nu n t.ntfnn he c bnTntuF tud hu ot.c nuTdunon Feh Iti Sun nd uh ccuIt Fcn u i i
' ho.Stn n o  oono  Eno i SduuuuI.Sb nbI .n   I nEE cTu  n .ee  nd  Thuhhhn.Tb
' . innitin.Snf nn ShhnEo tuu  onIunnbnu
'  cSbfdIFbI TIndfounSTEnhhnE  eeebetud  dnunIbTFFnF IoiFnbI hh.E Edd
'   bnobn c uiF .E nnnI  oncSneebo cn SttEnohtI feh ndf  cdIeunuue i ciFEonnnibne o hd
' nnnuIitTi u  IunhceIde.u. uEbun.   itii dFEco n   huin tnnn
' ccf oh.e tF  Edc.uuidfTEcdfh.oe duhIooub oduSefuFFuco .
' T f oTh e  buThTSoenndIoI buedeuEIInn.
' o.SEncIn en c cch itTIfT.IcEtt fnFbI
'  nS nnnu ue TIn SIt FF uuTnfIeonnnEoc.nhSIuo.n.nd n.iEc tndhobniSnddc EcT
' Fo T  nee i u Itoe.. d Tt  .i.EonuntufffdTou  niEunE.coiudtheF.uieibbToI confci iof fTEnfuFuTftn.f
' ouIfbhTtTnItcno fhd  nihtnfuuneeihn o tEdn. TnFEut t fn uThS
' S   FTbdn  c ihTEoiocenhcFufT uebFEob u.eEnIu oI FoenebeSnnu   Ino u
' Si no Snnuoiti  E  . cu uiben  .u.T i . SEe ud b tb
' unfEbnb  nunc ScTSFInddTffo  oIec uncnnfnTneof bnthhnFfouFTduhnufoFnfnd ihIE  inSTEteiS unfu Fbu
' ou .E ohhSnIu FfuinIfI uc.h.ce c  u I .ioiiui.uSETEuh .nnI .od  nucbnnnbi  cfeF
' fItnb bEIuF E STI do nIcnhhoonEin.uiId.t n  Enecn.S Sfcinuo
' onTbnhund cdh S etnncdbTcE. nTS E e   ed nb  TFcE uncd d bnbttTou nuehcfiS enuSfne outibn  n F.n.I.
' ofe  nf cb  eh hTtudoIt Tc   fTctfd nI InbInt nS. n nnu dt ffFEu nndeSbEfnIFTIuIi n  S.ocI
' ffbtc.nu b   ndfcctdE  n  E bEcb iinEIi.edcETST  .TnEf ntednu uTnnhnFi n inSnEbS dI en   .ht
' un oE Enn EdFcfn.unIie  htu ShFt uTc
' .bfbe Fn oode TunTFIST Tc e Eun  f f ou uubIb
'  .u.bIdond uuo .nh iIf ufInnIo.no . nET inutunnoo hFuhc  cn dFfShEinI  d cTcnfn eniTE Iu  nTbndT ne
'  ITT .tFn h nhF nn fnced Tn fu TununEnu onEuhi u. huhTuuSfhuTi FtFcotIEfi
' EoTufnTc fon bn ec n nn  ueitnTbTuiuuhd  Enni.ndF dnuSufon E   bInuIf Fu  unnn niutnu nne.
' on Iu cedEiFd nbTuIEidFnddF. ede tthfnhSne ub e
' Ebnnni Stf.ni hSS  icntneFhnuc unnoueS to n.n c nt uT n . fe ncdnnuhnnnoobunuoIu.
' cSc.iSu   eobei hnI tfnncon dnfi  fFniTi T nfn hdIIEhtiTenSntF
' Ffnu Fhnnnn oEd.cu ndTon.Eednb noi dndunE.uhnnEIunnEcdutFTETunoebhb .FhuduIn nu.nndSnuT
' nieoctunoSbnbFFtf fnncnEnhihSdudch n EnEu.nhdnuohnnSi tn Iu nutneSenIIoc
' uSn.b. E fnEniIodTFEThtu.n IniSe n Ech   u
' T uuot     Sudnubo Sn.unnhSE Euoh o
' uIeobu nIoTFc nI n Tueiunn i
' IE nuct fu huo.  dnn tou En b n deeoiEfTiTE nnSnuE n o. FouFo . nnI FTth ohEu.
' ecd n In bon.ehnnidiFn.Tonnt n Fu inetn
'   TTFdnuIn I  nFcnhnu uh  ETSnTnocnhTTnucfu h ihI. eIF oc enuuS S
'  un.. ehF..fucIFn.TnctinFihi  uIeo  n nen hnTfdii n ncnubEbb
' dIdTnt f ninSn nou.nuSttnEI.Tn fne SnnIE tEuEnnnuuEioFEcbnhin toh S  nnbISdEnScft n t. oTutbn n TfF
' IEne   nu uuubFEiEu  oiF bnb   c.h  foIbIeodFo Si.n.uuEI n uthFI  F n e   t Een
'   iTi   uEeufTn  udfuinEnFnTnIo  dncT E cT  iIIbncne eESEthb bTtc IonncEtnoh
' Iuo n F euIntFIEh nt T ..niiTueIItSdbt  obTh uhuT ef.f nndFhuF
' inotT.c IoSh innS uIcun n h   SoScoc hTinuI
' I .obcFn Tcc hcunE dbn   tdcoI TFhnun db .heiofi  nnF  cnnhi I ucbtSnn.ibiu  hSnSbT b
' IEu hdhoFc . inhFttecE d TF otnuedheudn tESnF u uf b .TT
'   ubbbduF.donntE ni F nF  uIttF nItE innbSEh nn
' nTI f cnhSnTh Fnnf . F de  n   n o .nnIbT.dt To
... (truncated)