Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c9ff7c56c33bacec…

MALICIOUS

Office (OLE)

Size: 568.0 KB
Created: 2018-09-07 18:07:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 2a34fe362d7134500d69a1cc2d7d06e4
SHA-1: de3879b1c7cfeea7331becbff77629609c65f97e
SHA-256: c9ff7c56c33bacec66c56ee30c2da74f88098876e90732b3a9d59a04139f6735
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which is a common technique for malicious Office documents. The document body suggests a form designed to collect sensitive vendor and banking information, indicating a phishing or social engineering attack. The presence of embedded OLE objects and large slack space further suggests an attempt to evade static analysis.

Heuristics (8)

  • Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 545,728 bytes but its declared streams total only 0 bytes — 545,728 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS)
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 52584 bytes
SHA-256: 220ed45196be8622f0fd67319842da012ce56d382c3facf419d41012bc42059a
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 100, 4, MSForms, CommandButton"
Attribute VB_Control = "TextBox34, 99, 5, MSForms, TextBox"
Attribute VB_Control = "Label38, 98, 6, MSForms, Label"
Attribute VB_Control = "TextBox33, 97, 7, MSForms, TextBox"
Attribute VB_Control = "Label37, 96, 8, MSForms, Label"
Attribute VB_Control = "OptionButton9, 95, 9, MSForms, OptionButton"
Attribute VB_Control = "OptionButton8, 94, 10, MSForms, OptionButton"
Attribute VB_Control = "OptionButton7, 93, 11, MSForms, OptionButton"
Attribute VB_Control = "TextBox32, 92, 12, MSForms, TextBox"
Attribute VB_Control = "Label36, 91, 13, MSForms, Label"
Attribute VB_Control = "TextBox28, 90, 14, MSForms, TextBox"
Attribute VB_Control = "Label32, 89, 15, MSForms, Label"
Attribute VB_Control = "TextBox27, 88, 16, MSForms, TextBox"
Attribute VB_Control = "Label31, 87, 17, MSForms, Label"
Attribute VB_Control = "TextBox26, 86, 18, MSForms, TextBox"
Attribute VB_Control = "Label30, 85, 19, MSForms, Label"
Attribute VB_Control = "CheckBox9, 84, 20, MSForms, CheckBox"
Attribute VB_Control = "CheckBox8, 83, 21, MSForms, CheckBox"
Attribute VB_Control = "Label29, 82, 22, MSForms, Label"
Attribute VB_Control = "TextBox251, 81, 23, MSForms, TextBox"
Attribute VB_Control = "Label281, 80, 24, MSForms, Label"
Attribute VB_Control = "TextBox24, 79, 25, MSForms, TextBox"
Attribute VB_Control = "Label27, 78, 26, MSForms, Label"
Attribute VB_Control = "CheckBox10, 77, 27, MSForms, CheckBox"
Attribute VB_Control = "Label341, 76, 28, MSForms, Label"
Attribute VB_Control = "TextBox29, 75, 29, MSForms, TextBox"
Attribute VB_Control = "Label33, 74, 30, MSForms, Label"
Attribute VB_Control = "TextBox25, 73, 31, MSForms, TextBox"
Attribute VB_Control = "Label28, 72, 32, MSForms, Label"
Attribute VB_Control = "TextBox23, 71, 33, MSForms, TextBox"
Attribute VB_Control = "Label26, 70, 34, MSForms, Label"
Attribute VB_Control = "TextBox22, 69, 35, MSForms, TextBox"
Attribute VB_Control = "Label25, 68, 36, MSForms, Label"
Attribute VB_Control = "TextBox21, 67, 37, MSForms, TextBox"
Attribute VB_Control = "Label24, 66, 38, MSForms, Label"
Attribute VB_Control = "TextBox20, 65, 39, MSForms, TextBox"
Attribute VB_Control = "Label23, 64, 40, MSForms, Label"
Attribute VB_Control = "TextBox19, 63, 41, MSForms, TextBox"
Attribute VB_Control = "Label22, 62, 42, MSForms, Label"
Attribute VB_Control = "OptionButton41, 61, 43, MSForms, OptionButton"
Attribute VB_Control = "OptionButton6, 60, 44, MSForms, OptionButton"
Attribute VB_Control = "OptionButton5, 59, 45, MSForms, OptionButton"
Attribute VB_Control = "TextBox18, 58, 46, MSForms, TextBox"
Attribute VB_Control = "Label21, 57, 47, MSForms, Label"
Attribute VB_Control = "TextBox36, 56, 48, MSForms, TextBox"
Attribute VB_Control = "Label20, 55, 49, MSForms, Label"
Attribute VB_Control = "TextBox17, 54, 50, MSForms, TextBox"
Attribute VB_Control = "Label19, 53, 51, MSForms, Label"
Attribute VB_Control = "TextBox16, 52, 52, MSForms, TextBox"
Attribute VB_Control = "Label18, 51, 53, MSForms, Label"
Attribute VB_Control = "TextBox15, 50, 54, MSForms, TextBox"
Attribute VB_Control = "Label17, 49, 55, MSForms, Label"
Attribute VB_Control = "TextBox14, 48, 56, MSForms, TextBox"
Attribute VB_Control = "TextBox37, 47, 57, MSForms, TextBox"
Attribute VB_Control = "ComboBox2, 46, 58, MSForms, ComboBox"
Attribute VB_Control = "Label16, 45, 59, MSForms, Label"
Attribute VB_Control = "TextBox35, 44, 60, MSForms, TextBox"
Attribute VB_Control = "Label15, 43, 61, MSForms, Label"
Attribute VB_Control = "TextBox13, 42, 62, MSForms, TextBox"
Attribute VB_Control = "Label14, 41, 63, MSForms, Label"
Attribute VB_Control = "TextBox12, 40, 64, MSForms, TextBox"
Attribute VB_Control = "Label13, 39, 65, MSForms, Label"
At
... (truncated)
embedded_office_off00008c40.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x8C40 | 545728 bytes
SHA-256: 955e6a9dae6da4fdde008289e100d242c4e627d913fba3395bd48a3410b40106
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
embedded_office_off0000db80.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0xDB80 | 525440 bytes
SHA-256: 4617cf9a36327ca5ed3df0bc248665de5698bab7c7bd1151c1e681b96125a7d2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
embedded_office_off00010d00.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x10D00 | 512768 bytes
SHA-256: e63f3c9548d495e2e6799a2db9f760c1cf5b3bfbb37b36166a922c2c2e78792e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.