Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c9b3863130d214a…

MALICIOUS

Office (OLE)

75.0 KB Created: 2020-05-21 16:12:00 Authoring application: Microsoft Office Word First seen: 2020-07-24
MD5: d3e15989c2099267567f49150fe76307 SHA-1: 5b55c350cd4965745ebe48da8905a52c2fd4d2be SHA-256: 7c9b3863130d214a3c5c69e528633c4af7db5d9bb5549139215e6e227ad9311b
304 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate or Reverse Engineer T1071.001 Web Protocols

The sample is a Microsoft Word document containing obfuscated VBA macros, including an AutoOpen macro, which is a common loader technique. The document body explicitly instructs the user to 'Enable editing' and 'Enable content', indicating a social engineering lure to bypass macro security. The VBA code uses GetObject and Shell execution, typical for downloading and executing a second-stage payload. The presence of ClamAV detection further supports its malicious nature.

Heuristics 10

  • ClamAV: Doc.Downloader.Mryi-7859265-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Mryi-7859265-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 20371 bytes
SHA-256: be08d1a757fbdc4ee0b45b9b534c2083dd09225e4d6bbd8d972ba775336b07fe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Public Sub I_Import(strTableName As String)

    On Error GoTo Err_I_Import

    Dim objCon1         As New ADODB.Connection
    Dim objCon2         As New ADODB.Connection
    Dim objRS1          As New ADODB.Recordset
    Dim objRS2          As New ADODB.Recordset
    
    Dim strSQL          As String

    Dim strPath         As String               'Excel??????
    Dim strSheetname    As String               'Excel????
    Dim strFilename     As String               'Excel?????
    Dim strNowTime      As String               'DataSetID??????
    Dim lngTotalCount   As Long                 '???????
    Dim lngCount        As Long                 '?????????
    
    Dim strGenCharEwo As String                 '?????????Gen Char E. wo??
    
    Dim rc              As Variant              '????????
    Dim strStatus       As String               '????????

    strNowTime = nowTime

    Select Case strTableName
        
        Case E '?????????(E?)
            strStatus = "E?????"
        
        Case R '?????????(R?)
            strStatus = "R?????"
        
        Case y '?????????(????)
            strStatus = "????"
    
    End Select
    
    '// ?????????????????????????
    strPath = fncFileSelect()
    '// ?????????????
    If Len(strPath) = 0 Then
        Exit Sub
    End If

    strFilename = Mid(strPath, InStrRev(strPath, "\") + 1)
    
    If vbNo = MsgBox(strFilename & "????????????????", vbYesNo + vbQuestion, strStatus) Then
        '// ?????????????
        Exit Sub
    End If

    '// ?????????????(mod_Common??)
    Call SetWaitingStatus(True)
    
    '// Excel????????????????????(mod_Common_Excel??)
    Call xlsApliOpen
    strSheetname = xlGetSheetName(strPath)       '???????
    
    '// Excel???????????DB?????????????????
    objCon1.Open "Provider=Microsoft.ACE.OLEDB.12.0;" _
              & "Data Source=" & strPath & ";" _
              & "Extended Properties=""Excel 8.0; HDR=Yes;"""
    Set objCon2 = Application.CurrentProject.Connection

    Set objRS1 = New ADODB.Recordset
    
    objRS1.Open "select * from " & "[" & strSheetname & "$]", _
             objCon1, adOpenStatic, adLockReadOnly, adCmdText

    '// ???????????6??????????I??????????????
    If objRS1.Fields.Count <> 6 Then
        MsgBox "??????????I?????????????????????"
        GoTo Exit_I_Import
    End If

    '// ?????????????????????????????????????
    If strTableName <> y Then
        strSQL = "DELETE * FROM " & strTableName??????
        With Application.CurrentProject.Connection
            .Execute (strSQL)
        End With
    End If

    '// ?????????
    objRS1.MoveLast
    lngTotalCount = objRS1.RecordCount
    objRS1.MoveFirst
    lngCount = 1

    Set objRS2 = New ADODB.Recordset
    objRS2.Open strTableName, objCon2, adOpenKeyset, adLockOptimistic

    '// ??????????????
    Do Until objRS1.EOF = True

        'table???
        If Nz(objRS1(0).Value, "") = Null Then
            'null
            strGenCharEwo = vbNullString
        ElseIf Left(Nz(objRS1(0).Value, ""), 1) <> "0" Then
            '??0???????????
            strGenCharEwo = Nz(objRS1(0).Value, "")
        Else
            '??0??????0???
            strGenCharEwo = Right(objRS1(0).Value, Len(objRS1(0).Value) - 1)
        End If

        With objRS2
            .AddNew
            .Fields(0) = strGenCharEwo
            .Fields(1) = Right$(Nz(objRS1(1).Value, ""), 6)
            .Fields(2) = Nz(objRS1(2).Value, "")
            .Fields(3) = Nz(objRS1(3).Value, "")
            .Fields(4) = Nz(objRS1(4).Value, "")
            .Fields(5) = Nz(objRS1(5).Value, "")
            .Fields(6) = strNowTime
            .Fields(7) = Left$(s
... (truncated)