Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 badbbc2d37a86d0c…

MALICIOUS

Office (OLE)

162.5 KB Created: 2018-08-12 22:42:00 Authoring application: Microsoft Office Word First seen: 2019-03-18
MD5: f1f1842f8961dc459a5eeb7e66dd409f SHA-1: e45a2d1827728328cb5d464476aa1f4f86aaae17 SHA-256: badbbc2d37a86d0c6c1f3f550e601a960ac817c553badf4f6b38a60b17f461d8
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The document contains a lure to enable macros, a common technique for malware droppers. Although the VBA project is small and contains no executable statements, the presence of the lure and the OLE slack anomaly suggest malicious intent. The document likely aims to execute further malicious code once macros are enabled.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 166,400 bytes but its declared streams total only 65,008 bytes — 101,392 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://www.iec.chIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 629 bytes
SHA-256: 81eda441929dd876ecbe66b06f334056d3726354bb9856a7e01e530598248b6a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{5EA19213-A518-464D-8027-E013CE4A1E2D}{B121F0C6-7A03-4F92-B07E-41119623769E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.