Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 feaa2f1b3637fb7c…

MALICIOUS

Office (OLE)

105.0 KB Created: 2018-09-26 19:01:00 Authoring application: Microsoft Office Word First seen: 2019-05-10
MD5: 3e51c8cc511c7884b4fc5fe75ff980d1 SHA-1: 84ef3ee32c1c270c57f804706bc7bc67287f5f27 SHA-256: feaa2f1b3637fb7ce9e103b1818efd7d9b1b41103e03541306b4dba8374c46d4
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1140 Deobfuscate/Decode Files or Information

The file contains a highly obfuscated VBA macro loader, indicated by critical heuristic firings like 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER'. The 'Document_Open' macro is designed to execute this loader, which likely attempts to download and run a secondary payload. The presence of VBA code points to the 'Visual Basic' technique. Given the obfuscation and auto-execution, the confidence in this being a malicious loader is high.

Heuristics 8

  • ClamAV: Doc.Malware.Sload-6699713-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Sload-6699713-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://www.iec.ch — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9238 bytes
SHA-256: 62e599ba68ccff72070d69af7e5fdd367e8ad4c5de81695c470d0adf50085d21
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub LoadAndPrintBoard()
Dim CurrentBoardMember As CEmployee
Dim PrintBoardMember As CEmployee
Dim arrayBoardMemebrs() As CEmployee
Dim WSBoardMembers As Worksheet
Dim lngTotalRecords As Long
Dim lngRecordCounter As Long
Dim strFullNameAndTitle As String
Set WSBoardMembers = Worksheets(“EmployeeInfo.xlsm”)
lngTotalRecords = WSBoardMembers.UsedRange.Rows.Count
For lngRecordCounter = 1 To lngTotalRecords
Set CurrentBoardMember = New CEmployee
CurrentBoardMember.FirstName = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 1), WSBoardMembers.Cells(lngRecordCounter, 1)).Value
CurrentBoardMember.LastName = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 2), WSBoardMembers.Cells(lngRecordCounter, 2)).Value
CurrentBoardMember.Title = WSBoardMembers.Range(WSBoardMembers.Cells(lngRecordCounter, 3), WSBoardMembers.Cells(lngRecordCounter, 3)).Value
ReDim Preserve arrayBoardMemebrs(1 To lngRecordCounter)
Set arrayBoardMemebrs(lngRecordCounter) = CurrentBoardMember
Set CurrentBoardMember = Nothing
Next lngRecordCounter
For lngRecordCounter = 1 To lngTotalRecords
Set PrintBoardMember = arrayBoardMemebrs(lngRecordCounter)
Debug.Print PrintBoardMember.EmployeeFullInfo()
Set PrintBoardMember = Nothing
Next lngRecordCounter
For lngRecordCounter = 1 To lngTotalRecords
Set arrayBoardMemebrs(lngRecordCounter) = Nothing
Next lngRecordCounter
Set WSBoardMembers = Nothing

End Sub
Private pWorkLogItems As Collection

Public Property Get WorkLogItems() As Collection
    Set WorkLogItems = pWorkLogItems
End Property

Public Property Set WorkLogItems(lWorkLogItem As Collection)
    Set pWorkLogItems = lWorkLogItem
End Property

Function GetHoursWorked(strPersonName As String) As Double
    On Error GoTo Handle_Errors
    Dim wli As WorkLogItem
    Dim doubleTotal As Double
    doubleTotal = 0
    For Each wli In WorkLogItems
        If strPersonName = wli.PersonName Then
            doubleTotal = doubleTotal + wli.HoursWorked
        End If
    Next wli

Exit_Here:
    GetHoursWorked = doubleTotal
        Exit Function

Handle_Errors:
        'You will probably want to catch the error that will '
        'occur if WorkLogItems has not been set '
        Resume Exit_Here


End Function
Sub CalculateRunTime_Minutes()
Dim StartTime As Double
Dim MinutesElapsed As String
StartTime = Timer
  MinutesElapsed = Format((Timer - StartTime) / 86400, "hh:mm:ss")
  MsgBox "This code ran successfully in " & MinutesElapsed & " minutes", vbInformation
End Sub
Sub Advanced_Filtering()

CriteriaLastRow = 4 'Last Row you have in the Criteria range

For i = 3 To CriteriaLastRow 'Loops through until the last Row
  RowsCount = Application.WorksheetFunction.CountA(Range("C" & i & ":F" & i))
  If RowsCount = 0 Then CriteriaRowsSet = i - 1 Else CriteriaRowsSet = CriteriaLastRow 'Checks to see if any row returns 0 and sets it to the row above's number
Next i

Range("C6:F23").AdvancedFilter _
Action:=xlFilterInPlace, _
CriteriaRange:=Range("C2:F" & CriteriaRowsSet), _ CopyToRange:=Sheets("Sheet2").Range("A1:D1")

End Sub
Sub SolverMacro()
' Example Solver VBA Macro
    SolverReset
    SolverOk SetCell:="$B$24", _
             MaxMinVal:=2, _
             ValueOf:="0", _
             ByChange:="$B$16:$B$17"
    SolverSolve userFinish:=True
End Sub
Function Pos_nonalpha() As Integer
  'posted misc 2001-07-23 David McRitchie
  Dim i As Integer
  For i = 1 To Len(Cell)
    Dim Number
    Select Case Asc(Mid(Cell, i, 1))
        Case 0 To 64, 91 To 96, 123 To 191
           Pos_nonalpha = i
           Exit Function
        End Select
  Next i
  Pos_nonalpha = 0
End Function
Function AgeInYears(start_date As Variant, end_date As Variant) As Variant
    AgeInY
... (truncated)