Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c4bc6d8366ea8886…

Verdict: MALICIOUS
Type: Office (OLE)

Size: 60.0 KB
Created: 2016-05-08 21:25:00
Authoring application: Microsoft Office Word
First seen: 2018-01-23
MD5: 914343f29bdaa511ef41d9529c81f3ca
SHA-1: 72ac9c8437e5bdb90c864757291cc7a6c1585cf1
SHA-256: c4bc6d8366ea8886c12e2e935817b869026086803efbd629edd0329f368878ac
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying VBA macros. The recovered source (macros.bas, module bjSiit) consists solely of thin wrappers around CallByName, each hard-coding a VbCallType value: 1 (VbMethod) to invoke a method, 2 (VbGet) to read a property or a method's return value, and 4 (VbLet) to assign a property. Routing every object interaction through these wrappers, with the member name passed in as a string, keeps method and property names out of the macro's token stream, so keyword-based static scanning sees only the wrappers and the real call targets have to be recovered by resolving the callers or by running the code. The auto-execution entry point the report names (Document_Open) and the object creation (CreateObject) were not recovered as source: they surface only as tokens in the compiled p-code stream (OLE_VBA_PCODE_AUTOEXEC_EXEC below), together with a reference to Windows Script Host. Whether that gap comes from VBA stomping or from a failed source extraction, the visible source is incomplete and should not be trusted on its own; disassemble the p-code (for example with pcodedmp) and detonate the document in a sandbox. Taken together, the indicators point to a macro-based downloader that fetches and executes a second-stage payload, although the callers that supply member names to the wrappers are not in the extracted source, so the exact objects and methods it drives are not confirmed by this report.
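To show how the wrapper indirection is undone in practice, the following script (an added example, not part of the report or of the sample) parses the recovered macros.bas module, records for each wrapper which parameter carries the object, which carries the member name and which carry the extra arguments, together with the VbCallType value, and then rewrites caller lines as the direct member access they perform. The caller lines fed to it are constructed for illustration; the report does not recover the sample's callers, and the member names used here (open, send, Status, Type, Write) are assumptions chosen to resemble a typical downloader, not something the sample is shown to do. Caller-side argument splitting is a plain comma split, which a real VBA tokenizer would have to replace for string literals that contain commas.

```python
import re

# VbCallType values are fixed by VBA. The sample's wrappers use 1, 2 and 4.
VB_CALL_TYPE = {1: "VbMethod", 2: "VbGet", 4: "VbLet", 8: "VbSet"}
CALL_TYPE_BY_NAME = {v.lower(): k for k, v in VB_CALL_TYPE.items()}

# Wrapper module exactly as recovered from the sample (macros.bas in the report).
WRAPPER_MODULE = '''Attribute VB_Name = "bjSiit"
Public Sub WDwXs(ByVal dILfWvb As Object, ByVal XgESxD As String, ByVal fcaDo As Variant, ByVal kbXGWozT As Variant)
CallByName dILfWvb, XgESxD, 1, fcaDo, kbXGWozT
End Sub
Public Function LjYhV(ByVal dILfWvb As Object, ByVal PeRXT As String) As Variant
LjYhV = CallByName(dILfWvb, PeRXT, 2)
End Function
Public Sub ozbcEmC(ByVal dILfWvb As Object, ByVal XgESxD As String)
CallByName dILfWvb, XgESxD, 1
End Sub
Public Sub EvaBIWj(ByVal dILfWvb As Object, ByVal PeRXT As String, ByVal XIfapvk As Variant)
CallByName dILfWvb, PeRXT, 4, XIfapvk
End Sub
Public Sub hgbaqVAKm(ByVal dILfWvb As Object, ByVal XgESxD As String, ByVal UqASKG As Variant)
CallByName dILfWvb, XgESxD, 1, UqASKG
End Sub
Public Function xoyJFqpa(ByVal dILfWvb As Object, ByVal XgESxD As String, ByVal UqASKG As String) As Variant
Set xoyJFqpa = CallByName(dILfWvb, XgESxD, 2, UqASKG)
End Function
'''

PROC_RE = re.compile(r"^\s*(?:Public|Private)?\s*(?:Sub|Function)\s+(\w+)\s*\((.*)\)", re.I)
CBN_RE = re.compile(r"CallByName\s*\(?\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*(?:,\s*(.*?))?\)?\s*$", re.I)
# Caller forms handled: `W a, b`, `Call W(a, b)`, `x = W(a, b)`, `Set x = W(a, b)`.
CALL_RE = re.compile(r"^\s*(?:Set\s+\w+\s*=\s*|\w+\s*=\s*|Call\s+)?(\w+)\s*(.*?)\s*$", re.I)


def _param_names(param_list):
    """'ByVal a As Object, ByVal b As String' -> ['a', 'b']"""
    names = []
    for raw in param_list.split(","):
        words = [w for w in raw.split() if w.lower() not in ("byval", "byref", "optional")]
        if words:
            names.append(words[0])
    return names


def _slot(params, expr):
    """Parameter position if expr is a parameter, else the expression itself (a constant)."""
    return params.index(expr) if expr in params else expr


def find_wrappers(vba_source):
    """Map every procedure that forwards to CallByName onto the positions of its
    object, member-name and extra-argument parameters plus the VbCallType used."""
    wrappers, proc, params = {}, None, []
    for line in vba_source.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc, params = m.group(1), _param_names(m.group(2))
            continue
        m = CBN_RE.search(line)
        if m and proc:
            ct = m.group(3)
            extra = [a.strip() for a in m.group(4).split(",")] if m.group(4) else []
            wrappers[proc] = {
                "call_type": int(ct) if ct.isdigit() else CALL_TYPE_BY_NAME[ct.lower()],
                "obj": _slot(params, m.group(1)),
                "member": _slot(params, m.group(2)),
                "args": [_slot(params, a) for a in extra],
            }
    return wrappers


def resolve(wrappers, name, args):
    """Rewrite one wrapper call (caller-side argument expressions in `args`)
    as the direct member access it performs at runtime."""
    w = wrappers[name]
    pick = lambda s: args[s] if isinstance(s, int) else s
    obj, member = pick(w["obj"]), pick(w["member"])
    if len(member) >= 2 and member[0] == member[-1] == '"':
        member = member[1:-1]          # literal member name: fully resolved statically
    else:
        member = "<%s>" % member       # computed at runtime (decoded string, etc.)
    rest = ", ".join(pick(s) for s in w["args"])
    kind = VB_CALL_TYPE[w["call_type"]]
    if kind == "VbMethod":
        return "%s.%s%s" % (obj, member, " " + rest if rest else "")
    if kind == "VbGet":
        return "%s.%s%s" % (obj, member, "(%s)" % rest if rest else "")
    return "%s.%s = %s" % (obj, member, rest)   # VbLet / VbSet: property assignment


def resolve_line(wrappers, line):
    """Resolve a single caller line; None if it does not call a known wrapper."""
    m = CALL_RE.match(line)
    if not m or m.group(1) not in wrappers:
        return None
    rest = m.group(2)
    if rest.startswith("(") and rest.endswith(")"):
        rest = rest[1:-1]
    args = [a.strip() for a in rest.split(",")] if rest.strip() else []
    return resolve(wrappers, m.group(1), args)


# Constructed caller lines (NOT from the sample; the report does not recover the
# sample's callers). Member names are illustrative downloader-style calls.
CONSTRUCTED_CALLERS = [
    'WDwXs h, "open", "GET", u',
    'ozbcEmC h, "send"',
    'st = LjYhV(h, "Status")',
    'EvaBIWj s, "Type", 1',
    'hgbaqVAKm s, "Write", body',
    'ozbcEmC h, DecodeName(7)',
]


def deobfuscate(vba_source=WRAPPER_MODULE, callers=CONSTRUCTED_CALLERS):
    w = find_wrappers(vba_source)
    return [resolve_line(w, c) for c in callers]


if __name__ == "__main__":
    for before, after in zip(CONSTRUCTED_CALLERS, deobfuscate()):
        print("%-32s -> %s" % (before, after))
```

The last constructed line shows the case that matters most in real samples: when the member name is produced at runtime (a decoded string rather than a literal), static resolution stops at the wrapper and the name has to come from p-code disassembly, a debugger, or a sandbox trace.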

Heuristics (5)

  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    The document references Windows Script Host (WScript).
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    The document contains VBA macro code.
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Matched lines in the extracted script:
    Public Sub WDwXs(ByVal dILfWvb As Object, ByVal XgESxD As String, ByVal fcaDo As Variant, ByVal kbXGWozT As Variant)
    CallByName dILfWvb, XgESxD, 1, fcaDo, kbXGWozT
    End Sub
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code/cache) stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only documents and documents whose source extraction failed, where no visible source is available to match on.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier found in any document carrying drawing markup, not a download or command-and-control address; it should not be treated as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 915 bytes
SHA-256: 38d8908b0208550ebe4ce142d4a77136be4123bf2176f032a619e806a9da7043

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "bjSiit"
Public Sub WDwXs(ByVal dILfWvb As Object, ByVal XgESxD As String, ByVal fcaDo As Variant, ByVal kbXGWozT As Variant)
CallByName dILfWvb, XgESxD, 1, fcaDo, kbXGWozT
End Sub
Public Function LjYhV(ByVal dILfWvb As Object, ByVal PeRXT As String) As Variant
LjYhV = CallByName(dILfWvb, PeRXT, 2)
End Function
Public Sub ozbcEmC(ByVal dILfWvb As Object, ByVal XgESxD As String)
CallByName dILfWvb, XgESxD, 1
End Sub
Public Sub EvaBIWj(ByVal dILfWvb As Object, ByVal PeRXT As String, ByVal XIfapvk As Variant)
CallByName dILfWvb, PeRXT, 4, XIfapvk
End Sub
Public Sub hgbaqVAKm(ByVal dILfWvb As Object, ByVal XgESxD As String, ByVal UqASKG As Variant)
CallByName dILfWvb, XgESxD, 1, UqASKG
End Sub
Public Function xoyJFqpa(ByVal dILfWvb As Object, ByVal XgESxD As String, ByVal UqASKG As String) As Variant
Set xoyJFqpa = CallByName(dILfWvb, XgESxD, 2, UqASKG)
End Function