Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 c1c46b21553b9f51…

MALICIOUS

Office (OLE) / .EXE

Size: 928.0 KB
Created: 1998-01-18 05:26:00
Authoring application: Microsoft Word 8.0
MD5: 469fcbf8b777d61799afcf649fd2c16c
SHA-1: b6f99a23ce3a64557fe72b64adc2be5a225f21e9
SHA-256: c1c46b21553b9f517d234b1a0412ecd99fe60ce7f4e7b67d64cebfdfb8c90719
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The sample contains VBA macros, including AutoOpen and Auto_Close, which are known to be used for malicious execution. The document body presents a deceptive license agreement for a 'VicodinES Macro-Poppy Construction Kit' to lure users into enabling macros. The presence of heap-spray and NOP-sled heuristics, along with ClamAV detections for macro-based malware and trojans, further indicates malicious intent. The embedded URLs are likely used for command and control or to download additional payloads.

Heuristics (9)

  • ClamAV: Win.Tool.Macro-21 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Tool.Macro-21
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Heap-spray pattern detected (high, SC_HEAP_SPRAY)
    Repeated 0x06 bytes found
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED)
    Long run of 0x43 bytes
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7ab5c27c85c7024bb1a444741b3e29f6a38c25e5ae6f64d8a5e2174defb1059d
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 225885 bytes
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely