Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b1cd2d1c1592a6f…

MALICIOUS

Office (OLE)

Size: 54.5 KB
Created: 2009-08-26 11:56:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c868011f07888fdfa684853b25a7e88f
SHA-1: bfecf0bcc9c9baec517ec73001741f8cc1a62202
SHA-256: 6b1cd2d1c1592a6fd3ecc264f64c2a8ac0e973abfa5caba247735c0e6f9f8284
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Word 8.0 (Word 97) OLE document that carries a VBA project and, alongside it, legacy WordBasic marker strings. The high-severity heuristics fire on an AutoOpen entry point together with the WordBasic macro-manipulation names (ToolsMacro/MacroFile/fileMacro/globMacro), the combination Word 6/95 macro viruses used to run code as soon as a document was opened, and one that a VBA-only extraction can overlook. The extracted VBA module "Derroche" is padded with Rem lines of random upper-case strings, a junk-comment obfuscation that inflates the 17 KB source and hides the functional code from casual review. Static analysis alone does not show what the macro does once it gains execution; the risk score rests on the auto-execution markers and the obfuscation, and a secondary payload download is a plausible but unconfirmed next stage.

Heuristics (3)

  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them; a raw string scan of the OLE streams is needed to catch them.
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code (see the extracted macros.bas below).
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened and macros are enabled, so no user action beyond opening the file is needed.
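
As an added example (not the report's tooling and not oletools code), the following Python reproduces the two checks behind these heuristics on constructed input: a raw byte scan for the WordBasic marker names in both ASCII and UTF-16LE, which is how they can still be caught when VBA extraction misses them, and a summary of an extracted VBA module that strips the Rem padding seen in the macros.bas preview below and lists the procedures left behind. The stream bytes and the VBA module are constructed stand-ins, not data from the analysed sample; the auto-macro names beyond AutoOpen (AutoClose, AutoExec, AutoNew, AutoExit) are standard Word auto-macro names added for completeness.

```python
"""Re-implementation of the report's legacy-WordBasic and AutoOpen checks.

Added example, not the report's or oletools' code. Works on raw bytes so it can
be pointed at a whole .doc file or at a single OLE stream; the inputs below are
constructed stand-ins, not data from the analysed sample.
"""
import re

# Auto-execution macro names Word runs without user action (WordBasic and VBA).
AUTO_MACROS = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")
# Macro-manipulation names the report's heuristic pairs with an auto macro.
LEGACY_MACRO_OPS = ("ToolsMacro", "MacroFile", "FileMacro", "GlobMacro")


def _count_marker(data: bytes, name: str) -> int:
    """Case-insensitive count of `name` stored as ASCII or as UTF-16LE."""
    low = data.lower()  # bytes.lower() folds ASCII letters only; NULs survive
    needle = name.lower()
    return low.count(needle.encode("ascii")) + low.count(needle.encode("utf-16-le"))


def find_markers(data: bytes) -> dict:
    """Return {marker: count} for every marker with at least one hit."""
    return {n: c for n in AUTO_MACROS + LEGACY_MACRO_OPS if (c := _count_marker(data, n))}


def legacy_wordbasic_hit(hits: dict) -> bool:
    """Report's rule: an auto-exec name together with a macro-manipulation name."""
    return any(m in hits for m in AUTO_MACROS) and any(m in hits for m in LEGACY_MACRO_OPS)


REM_LINE = re.compile(r"^\s*(?:Rem\b|')", re.IGNORECASE)
PROC_DECL = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.IGNORECASE)


def analyze_vba(source: str) -> dict:
    """Summarise an extracted module: procedures, AutoOpen, and Rem padding."""
    lines = [l for l in source.splitlines() if l.strip()]
    rem = [l for l in lines if REM_LINE.match(l)]
    procs = [m.group(1) for l in lines if (m := PROC_DECL.match(l))]
    code = [l for l in lines
            if not REM_LINE.match(l) and not l.lstrip().startswith("Attribute ")]
    return {
        "procedures": procs,
        "autoopen": any(p.lower() == "autoopen" for p in procs),
        "rem_lines": len(rem),
        "code_lines": len(code),
        "rem_ratio": round(len(rem) / len(lines), 2) if lines else 0.0,
        "stripped": "\n".join(code),  # the module with the junk comments removed
    }


# Constructed stand-in for a Word 6/95 stream: one marker as UTF-16LE, one as
# lower-case ASCII, so both encodings and the case folding are exercised.
SAMPLE_STREAM = (b"\x00" * 16 + "AutoOpen".encode("utf-16-le")
                 + b"\x00" * 8 + b"toolsmacro" + b"\x00" * 16)

# Constructed VBA module in the style of the macros.bas preview: Rem padding
# around an AutoOpen that hands off to a second procedure (hypothetical names).
SAMPLE_VBA = """\
Attribute VB_Name = "Demo"
    Rem KHZUSKTHJLYDQJCECL
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem EQZIGWDOPPS
Sub AutoOpen()
    Rem CPEYCLHWTHRGCA
    Call Stage2
End Sub
Sub Stage2()
    MsgBox "stand-in for the real payload"
End Sub
"""

if __name__ == "__main__":
    hits = find_markers(SAMPLE_STREAM)
    print("markers:", hits, "legacy rule fires:", legacy_wordbasic_hit(hits))
    summary = analyze_vba(SAMPLE_VBA)
    print({k: v for k, v in summary.items() if k != "stripped"})
    print(summary["stripped"])
```

In practice, feed `find_markers` the whole .doc file or each stream opened with olefile, and feed `analyze_vba` the macros.bas that olevba wrote out. A module whose rem_ratio is close to 1 and whose stripped body is a few lines, as the preview below suggests for "Derroche", is the padding pattern; the stripped text is what to read next.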

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  17459 bytes
SHA-256: 0e639c4c15aa5fd19a7369b03138d542d4cfbea3ce098340daa4aa6312710baa

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Derroche"
    Rem KHZUSKTHJLYDQJCECL
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem EQZIGWDOPPS
    Rem KHZUSKTHJLYDQJCECL
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem JATVHSKV
    Rem CPEYCLHWTHRGCA
    Rem EPRCQTULCMOBKDDIZPHKMBLLYHENINKGBQJOWKP
    Rem URXWKDYUSKAEENKCHQWMEXJIUFLGWPJKWPYNIWG
    Rem EQZIGWDOPPS
    Rem HGMGIBMFWPTYIOCQKYCYQJDMFZDAIOXN
    Rem CZRAOCCUHBHJHYZKHEEQKK
    Rem VRSZIMKSEKOVOLNFQMRXJHHDNFPJWMERTP
    Rem DEBSN
    Rem KHZUSKTHJLYDQJCECL
    Rem MTTKXTCQS
    Rem MALHTXVECADJEZWPSDGAVUUILOUOFFJOINLOBOFZ
    Rem CKISIUDPYGYCZQPXOG
    Rem ONQCSGBHYIQJJIFFLQGRPPCBDGKPHVXNK
    Rem OSXV
    Rem CDD
    Rem NTU
    Rem TKMM
    Rem GPSGOOZYGVUKQMM
    Rem VFYBBUJ
    Rem QQGHVVPZXFSZ
    Rem MZFJKHNDNZOXRLSBTSMEFI
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem TPPGNUWCOKBLSMKYZPNPCEHADKOOUBKBIPNPIXUO
    Rem LVFTXFZZWNQLEQPWJBNBJLHZAQPNASIZHJ
    Rem PTSRTGONOHKJZNPMAJDRDFJCQ
    Rem QFEPCLXGUJHXQQ
    Rem SXFJOJFPQDBQVQLEMZUJMORAQXIDLUJKT
    Rem JATVHSKV
    Rem NKCULTPVAFBCIDANROVCERLJDSY
    Rem PHHUATVSBKWUJZWBYJNTBP
    Rem CPEYCLHWTHRGCA
    Rem DBSVNUZNBQI
    Rem NEHCZHQHWIUEHBMLPAIDITQZVOPEX
    Rem EBGTYIRUAUMFPXYQARZAYBHPVBBOIK
    Rem EPRCQTULCMOBKDDIZPHKMBLLYHENINKGBQJOWKP
    Rem LIBKOTPQUKUSSTEUBGYVFEGYGGSRUT
    Rem IKDQCFSN
    Rem KISFBXBLTTVFMWVKMJ
    Rem KVGR
    Rem NHPFCXCQXGYWLMUV
    Rem URXWKDYUSKAEENKCHQWMEXJIUFLGWPJKWPYNIWG
    Rem EQZIGWDOPPS
    Rem HGMGIBMFWPTYIOCQKYCYQJDMFZDAIOXN
    Rem CZRAOCCUHBHJHYZKHEEQKK
    Rem VRSZIMKSEKOVOLNFQMRXJHHDNFPJWMERTP
    Rem DEBSN
    Rem KHZUSKTHJLYDQJCECL
    Rem MTTKXTCQS
    Rem MALHTXVECADJEZWPSDGAVUUILOUOFFJOINLOBOFZ
    Rem CKISIUDPYGYCZQPXOG
    Rem VKUZGESAISCCHKOIHVIJKVKSRKYQNFPTLXHRXHJA
    Rem ONQCSGBHYIQJJIFFLQGRPPCBDGKPHVXNK
    Rem LTG
    Rem OSXV
    Rem CDD
    Rem NTU
    Rem TKMM
    Rem GPSGOOZYGVUKQMM
    Rem VFYBBUJ
    Rem QQGHVVPZXFSZ
    Rem MZFJKHNDNZOXRLSBTSMEFI
    Rem XLRNNMJKHBGZBKJMEMGQOE
    Rem TPPGNUWCOKBLSMKYZPNPCEHADKOOUBKBIPNPIXUO
    Rem LVFTXFZZWNQLEQPWJBNBJLHZAQPNASIZHJ
    Rem PTSRTGONOHKJZNPMAJDRDFJCQ
    Rem QFEPCLXGUJHXQQ
    Rem SXFJOJFPQDBQVQLEMZUJMORAQXIDLUJKT
    Rem JATVHSKV
    Rem NKCULTPVAFBCIDANROVCERLJDSY
    Rem PHHUATVSBKWUJZWBYJNTBP
    Rem CPEYCLHWTHRGCA
    Rem DBSVNUZNBQI
    Rem NEHCZHQHWIUEHBMLPAIDITQZVOPEX
    Rem EBGTYIRUAUMFPXYQARZAYBHPVBBOIK
    Rem EPRCQTULCMOBKDDIZPHKMBLLYHENINKGBQJOWKP
    Rem LIBKOTPQUKUSSTEUBGYVFEGYGGSRUT
    Rem IKDQCFSN
    Rem KISFBXBLTTVFMWVKMJ
    Rem KVGR
    Rem NHPFCXCQXGYWLMUV
    Rem URXWKDYUSKAEENKCHQWMEXJIUFLGWPJKWPYNIWG
    Rem EQZIGWDOPPS
    Rem HGMGIBMFWPTYIOCQKYCYQJDMFZDAIOXN
    Rem CZRAOCCUHBHJHYZKHEEQKK
    Rem VRSZIMKSEKOVOLNFQMRXJHHDNFPJWMERTP
    Rem DEBSN
    Rem NULZDRSTMZWERHWTKCQCRICQ
    Rem MTTKXTCQS
    Rem MALHTXVECADJEZWPSDGAVUUILOUOFFJOINLOBOFZ
    Rem CKISIUDPYGYCZQPXOG
    Rem VKUZGESAISCCHKOIHVIJKVKSRKYQNFPTLXHRXHJA
    Rem ONQCSGBHYIQJJIFFLQGRPPCBDGKPHVXNK
    Rem LTG
    Rem OSXV
    Rem CDD
    Rem NTU
    Rem TKMM
    Rem GPSGOOZYGVUKQMM
    Rem VFYBBUJ
    Rem QQGHVVPZXFSZ
    Rem MZFJKHNDNZOXRLSBTSMEFI
    Rem DEAEFMRSMISZMEUEEQFVMCSVJESQ
    Rem TPPGNUWCOKBLSMKYZPNPCEHADKOOUBKBIPNPIXUO
    Rem LVFTXFZZWNQLEQPWJBNBJLHZAQPNASIZHJ
    Rem PTSRTGONOHKJZNPMAJDRDFJCQ
    Rem QFEPCLXGUJHXQQ
    Rem SXFJOJFPQDBQVQLEMZUJMORAQXIDLUJKT
    Rem JATVHSKV
    Rem NKCULTPVAFBCIDANROVCERLJDSY
    Rem PHHUATVSBKWUJZWBYJNTBP
    Rem CPEYCLHWTHRGCA
    Rem DBSVNUZNBQI
    Rem NEHCZHQHWIUEHBMLPAIDITQZVOPEX
    Rem EBGTYIRUAUMFPXYQARZAYBHPVBBOIK
    Rem MLJBZPHMIVSWFCMDEMVRUBFPZUEPRYNNK
    Rem LIBKOTPQUKUSSTEUBGYVFEGYGGSRUT
    Rem IKDQCFSN
    Rem KISFBXBLTTVFMWVKMJ
    Rem KVGR
    Rem NHPFCXCQXGYWLMUV
    Rem URXWKDYUSKAEENKCHQWMEXJIUFLGWPJKWPYNIWG
... (truncated)