Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9b175fc502a4da12…

MALICIOUS

Office (OLE)

Size: 243.5 KB
Created: 2018-09-18 06:08:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 9fac117fe3b8ce84803c3fe12071eada
SHA-1: dbbd1bdbe935c9f099eb5a5e51c5a774d2def7f8
SHA-256: 9b175fc502a4da121141146380bd027caf6755e95a4f1f1a0df16755890b12fc
Risk score: 322

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The sample is a malicious Word (OLE) document carrying obfuscated VBA macros. Its AutoOpen macro runs as soon as the document is opened with macros enabled, reconstructs its strings at runtime and reaches a Shell() call, so the macro source itself shows few plain indicators. The document body also carries a lure instructing the user to enable content, a common tactic used by macro-based droppers to get past the Office macro security prompt.

Heuristics (9)

  • ClamAV detection [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6923090-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source contains a Shell() call, which hands a command line to the operating system for execution.
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    An auto-exec macro reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace() removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source, so string-based scanners that do not fold the decoder see nothing.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen macro, which Word runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no visible macro source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered by this heuristic and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Since this report did recover a VBA project (see Extracted artifacts), treat the marker as corroborating the VBA findings rather than as independent evidence.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    The document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main  (in document text, OLE body)
    This is the standard DrawingML XML namespace URI present in any Office document with drawing or shape content; it is not a network indicator.
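The loader, p-code and lure heuristics above describe a shape rather than a signature. The following is an added example, not the report generator's code and not the sample's macro, of how a triage script can fold the decoder patterns named in OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER (numeric Chr() arrays, junk-token Replace() calls, long hex literals) before looking for sinks, and how the OLE_VBA_PCODE_AUTOEXEC_EXEC check can be run on raw stream bytes when no source is recoverable. The macro text, document text and byte stream it runs on are constructed for the example and contain no strings from the real sample; the finding IDs are taken from this report.

```python
"""Static triage of VBA for the heuristic shapes listed in this report.
Added example; all inputs below are CONSTRUCTED, not taken from the sample."""
import re

AUTOEXEC_NAMES = ("AutoOpen", "Auto_Open", "AutoExec", "AutoClose",
                  "Document_Open", "Workbook_Open")
# Short tokens such as Run or Exec are deliberately omitted: in raw stream
# bytes they match far too often to be useful.
EXEC_TOKENS = ("WScript.Shell", "Shell", "CreateObject", "GetObject",
               "ShellExecute", "URLDownloadToFile")

AUTOEXEC_RE = re.compile(r"\b(?:Sub|Function)\s+(" + "|".join(AUTOEXEC_NAMES) + r")\b", re.I)
SINK_RE = re.compile(r"\b(" + "|".join(re.escape(t) for t in EXEC_TOKENS) + r")\b", re.I)
CHR_RUN_RE = re.compile(r"(?:Chr[W$]?\(\s*\d+\s*\)\s*&\s*)+Chr[W$]?\(\s*\d+\s*\)", re.I)
CHR_RE = re.compile(r"Chr[W$]?\(\s*(\d+)\s*\)", re.I)
REPLACE_RE = re.compile(r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]+)"\s*,\s*""\s*\)', re.I)
HEX_LIT_RE = re.compile(r'"((?:[0-9A-Fa-f]{2}){8,})"')      # 16+ hex digits
STR_LIT_RE = re.compile(r'"((?:[^"\r\n]|"")*)"')           # VBA doubles a quote to escape it
LURE_RE = re.compile(r"enable\s+(?:content|editing|macros)", re.I)

def fold_chr_runs(src: str) -> str:
    """Chr(99) & Chr(109) & ... -> "cm..." (numeric char-array decoder)."""
    def lit(m):
        s = "".join(chr(int(n)) for n in CHR_RE.findall(m.group(0)))
        return '"' + s.replace('"', '""') + '"'
    return CHR_RUN_RE.sub(lit, src)

def fold_replace_calls(src: str) -> str:
    """Replace("/czzcZZ dizzcZZr", "zzcZZ", "") -> "/c dir" (junk-token removal)."""
    return REPLACE_RE.sub(lambda m: '"' + m.group(1).replace(m.group(2), "") + '"', src)

def decode_hex_literals(src: str) -> list:
    """Long even-length hex literals are typical decoder input; try them as ASCII."""
    out = []
    for m in HEX_LIT_RE.finditer(src):
        try:
            s = bytes.fromhex(m.group(1)).decode("ascii")
        except ValueError:            # UnicodeDecodeError is a ValueError
            continue
        if s.isprintable():
            out.append(s)
    return out

def recover_strings(src: str):
    """Return the folded source and every literal visible after folding."""
    folded = fold_replace_calls(fold_chr_runs(src))
    lits = [l.replace('""', '"') for l in STR_LIT_RE.findall(folded)]
    return folded, lits + decode_hex_literals(src)

def triage_vba(src: str, document_text: str = "") -> dict:
    """Map macro source (plus body text for the lure) onto this report's IDs.
    Sinks are searched in the folded source, so a decoder whose output names
    Shell or CreateObject still counts."""
    findings = {}
    folded, strings = recover_strings(src)
    auto = AUTOEXEC_RE.search(src)
    if auto:
        findings["OLE_VBA_AUTOOPEN"] = auto.group(1)
    shapes = [n for n, rx in (("chr-array", CHR_RUN_RE), ("replace-junk", REPLACE_RE),
                              ("hex-string", HEX_LIT_RE)) if rx.search(src)]
    sinks = sorted({m.group(1) for m in SINK_RE.finditer(folded)}, key=str.lower)
    if any(s.lower() == "shell" for s in sinks):
        findings["OLE_VBA_SHELL"] = True
    if auto and shapes and sinks:               # auto-exec + decoder + sink
        findings["OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER"] = shapes
    if LURE_RE.search(document_text):
        findings["SE_ENABLE_LURE"] = True
    findings["sinks"] = sinks
    findings["recovered_strings"] = [s for s in strings if len(s) >= 4]
    return findings

def scan_compiled_stream(blob: bytes) -> dict:
    """OLE_VBA_PCODE_AUTOEXEC_EXEC shape: with no recoverable source, look for an
    auto-exec name and an execution token in raw bytes, in ASCII and UTF-16LE."""
    low = blob.lower()
    def present(tok):
        return tok.encode("ascii").lower() in low or tok.encode("utf-16-le").lower() in low
    autos = [t for t in AUTOEXEC_NAMES if present(t)]
    execs = [t for t in EXEC_TOKENS if present(t)]
    return {"autoexec": autos, "exec": execs, "hit": bool(autos and execs)}

# Constructed inputs mimicking the reported shape (junk comment padding,
# Chr() array, Replace() junk removal, hex literal, Shell() sink).
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
' nTf  u Ttu fnhnuht nSIF Ic  junk comment padding
Sub AutoOpen()
    Dim p As String, a As String, h As String
    p = Chr(99) & Chr(109) & Chr(100) & Chr(46) & Chr(101) & Chr(120) & Chr(101)
    a = Replace("/czzcZZ dizzcZZr", "zzcZZ", "")
    h = "687474703A2F2F6578616D706C652E696E76616C69642F70"
    Shell p & " " & a, 0
End Sub
'''
SAMPLE_DOC_TEXT = "This document is protected. Click Enable Editing, then Enable Content."
SAMPLE_STREAM = b"\x00\x03\x01" + "AutoOpen".encode("utf-16-le") + b"\x00\x7f" + b"Shell\xff\xfe"

if __name__ == "__main__":
    import json
    print(json.dumps(triage_vba(SAMPLE_VBA, SAMPLE_DOC_TEXT), indent=2))
    print(scan_compiled_stream(SAMPLE_STREAM))
```

On the constructed macro the folding recovers `cmd.exe`, `/c dir` and the hex-encoded `http://example.invalid/p` that a plain string scan of the source would miss, which is exactly why the loader heuristic keys on decoder shape rather than on the indicators themselves. The byte-stream scan is intentionally coarse: it only says whether both token classes are present, and an analyst should confirm a hit by decompiling the p-code rather than acting on the token match alone.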

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 174835 bytes
SHA-256: a237e368a49943aead28a9fabeea6acc53204b4664bd46cea68b54402cdce4d4
Preview (first 1,000 lines of the extracted script). The apostrophe-prefixed lines that follow the Module1 header are VBA comments containing only random text; they are padding and carry no code.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
' S  icbc.n.SuI  I.n  hiei  icunb n eTnuEi  uunn oh h boEnoinnhIcThtibdn hueF.ftcn nnn S Suf
' IFn  n teb IhFbneTEfeb ISu tbuET EnIiI IntnSffFudnnT  bnoebneeh  I eohbd d. ioIeT bb  d hof FfuSdc
' nu F t.Icdduen  uuu nn  ecd i   n.Iu fd bdnF .un EnItIeuiTe.SFSndo.E u
' .nFceT Scub n u f Sdnib.iucnn.nnntu oitnSIcn di
' u nuiuEciSubehn bi   FSnnhe Tnn.n FnFE uEuttn dn FEEnnFScnbnSdciicio.tEFu
' fn Func nu.i  fn nnnITn i  EFnen nEnof  E fc TnS fnnd In. h
' Ino otenf Shitn.bcShnfounSnbucnno.bdueF
' ofecS fIfd EEinnTie f tcc hE. ufnfS   un b.obI cn TEEcb nSInSnu bEtfdnuSInu
' E.S .SnSc chneeon EideST..hoIh onEI ud.nn
' SIbdn nfei ndT o Scdo  ntfebnth dinEueFebSncfuTb dbnI hT.I o.uco Ih IIn .Eun  cu  c
' SE F. u obETtcdeuhnnnfiTnE tbIn  nn c  bodSbo.F  TddIFIuhSfuefn  FooubeddT tn eIdnn S
'  n t.nuE ti  TniEndn bcneTc.F hfb tnn uuofocIo nu nuh.ducbn oSoIbi E f  uneniobTt.ie
' nd uei nS ou E FnS.  e enEnTuE fEE  .Fount.tuduc n u E.nfn.ohunnnud he
' ncncenToionuno Ion u u. n f uebSi nIiFnFd S tcu hi it dnToib . .f
'  SoTndi nhedE.htEtTcEcond  ou Td ut  u nn
' nTf  u Ttu fnhnuht nSIF Ic . dinTu u buItT dtSI.n  c  SndI Enf.SE
' uduScT.n   E uoo nhonhinEfcnbo dfuT . nn fuiIn nn uEne hueoIoh Sn ft hn odEFnuh n
' tnoSnS d n.nbhbnunde ninundSin   Tnn cnFniSbthunn d nbF uuou
' t..nefneFdt.Eb hftE nncFeono.nfnh eofofT
' .id .ouoSnSiiEcItooTfI b ftbu
' FiT cFtcEineFhnh u.bn Iuu Tnbbn St EnEu dnnuihefo
' T fE.FSfnnh d oFtIIuo.tntSEn n.TuhI F TcdccIbbnih    ud cnon IbTdncinu ue.cn dhtnu nhSicE
' n  t tnfcc t nfEnS c  .uduSh   FtbeE  dn
'  uteSutei.e  T h tniennnh e. ebbeInFhfb duTonIenudnEoTSi.fTnboi  o hnh c.d n  nhibhe
' tnnSn T nTtIu edu onnnhn ttnnnE
' nSdn .nESunn.u diInnd fd uTn  dtci d ffn onni iISFno. ondtnniS nFfEt i
' nF en EFfocofITttIuEo hTf EeSn  dEnn n bc cEbiihcTnthtEbFT .F e.IS
' .h iutfIddfu fTf  TTfc F ThuoniIeTEncfu I icn ieSIntn  nebn nIFEtSuSnI E.n Te bcc... ienn  obh.eE S
' oFu.iehccTnuSSunIbdcnSE nt inoE
' n.T d n nhiSdnefIiu EnnhEnt SuThSnb.hoE ST nnEnnnFbd d
'  EcnbnTb Inn  uennduiTunui.EnncnbnTI  Tfnnn  dSnftuuboc idu htontdd unEun ui.enES hnbbbufSf
' cfuiS. u .chcobhIbFo Fno nnnSntcT dud I  TnnunbfnIce nnunuo .nSnefhn f nIhhnun ubnhto u  FbfcTInEn.
' b.edh.hFS .  Shnhhnto   bundbnoun n ifh uunnnbtu.udnnubiFnf hin ThS .nSSi
' do  FS nbScFb hindff.uIt noSE Snd.   fFcIITeE ndionn tFnh
' ndnneoIihenbnbiniFcb nonfIb c  S Fc.bnuuc SIe btuEFnutnnib t ou un Tf Eufnb cTh d hh dhfefebu
'  b u .EEouFohSeonFT bntEoFoeI Ff.u ef.bId dtuF .h bShEb bfnf otE.cnfbcuduEne
' EEun fIobnhdFn T hEn nuIITu.S uueTnToo bI bi.Fiiu.IIf  ee EEheonnTeuEt nESfnnf cnnbS bebFnon  .
'  .nbthnT Eb dnIdIcd   Efn fiTS nnFnu.nu.tttd itnSIE  i.S  inibuuhd
' Tn fund E Eh.fTnf TtEInbucTIuontESSui FncdcT.uInFo
' .IEiocti FnTSnI n . nnho  .dtd  nuFTnnftnuTh u
' h  nSTEFniu  Iu nd.oIndEEi.uId iIE  Fdu
' iduIE uobn uhu . E cSn bncob  ncEo  uInincTT tnIIdtu
' S ddofof.   fc.nnTnFnIe. Ebenc n e.F  f FoEfF
' noFFi do   iuIEnn tndnin hbnIeho duInT
' bSnhSETI e .FbcnTned Sut E  uhdoIu n SI f nb.FoTnuS.  ..ni .ISfh .nenuSIFbi eI nunfnFF tine u
' n.n.ToutttnFnThonuEnnnF uT nTiheF IFEeub .u.iudu.nfIfFnn
' thnShSfS  TFnIEndE diFnIndinoedfnFISuonI TdInd n hT hbicote bn uIoffE  SohIE.enctnfn
' i.u dF     hIh nn dIn nnIuInbtdf n oInhI uuehncuFtTStddFf
' uc nSncnoiu .ennSnno ntdiT .deh. c dnf .fbncf bE  oIhfTE uinF cEne SuEuub TfbTbE hu nt ihTnufnh EdSE
' Ihdh Eef   . ndnf fd. ie  nnTF nIdnESnntI Eb h nnInSbdESfeb
'  .etiutncFohhiSend hht    nEIc Euecn.t nnnbnn c.n nhn   nTFuunnbItnn Suoffnb biFTIeb
' d dfu bdSehc eninoSFb unSSI Tc tE   du noIEnS    nnchut.nin ecub    edou  unioE   S inni Sh
' i uuThuobit.nunnb n utdnnSi cFffITuouhnu  o   uEh b TE  n
'  E SncEuFnEdocEct noi.tonnS nhcheit FIbtnuin .fIdnec .u 
... (truncated)